redline | a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
Size

572KB
MD5

12564dba5b3178c75a6a96a582f94c5b
SHA1

003817ee6dac145edf947b062bc9b25653d32613
SHA256

a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a
SHA512

5402ce66c56b8612887a1f28e1f5bf695867b1993d61b8d2d03c01d8c01fb1f270b101e85358c65ed27fc7f037f780b1290cac010c107f8339e3393e3157e5b9
SSDEEP

12288:PMrcy90ic73VvlgFq5RMdM3pxSu2TaQIXpQSIimiD:3ynitggNZI3KdIx8

Score

10^/10

redline duza infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

duza

83.97.73.129:19071

Attributes

auth_value
787a4e3bbc78fd525526de1098cb0621

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

x5268627.exex3887218.exef5282036.exe

pid process

1924 x5268627.exe
2932 x3887218.exe
2756 f5282036.exe

pid	process
1924	x5268627.exe
2932	x3887218.exe
2756	f5282036.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x3887218.exea299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exex5268627.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3887218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3887218.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5268627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5268627.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exex5268627.exex3887218.exe

description	pid	process	target process
PID 4272 wrote to memory of 1924	4272	a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe	x5268627.exe
PID 4272 wrote to memory of 1924	4272	a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe	x5268627.exe
PID 4272 wrote to memory of 1924	4272	a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe	x5268627.exe
PID 1924 wrote to memory of 2932	1924	x5268627.exe	x3887218.exe
PID 1924 wrote to memory of 2932	1924	x5268627.exe	x3887218.exe
PID 1924 wrote to memory of 2932	1924	x5268627.exe	x3887218.exe
PID 2932 wrote to memory of 2756	2932	x3887218.exe	f5282036.exe
PID 2932 wrote to memory of 2756	2932	x3887218.exe	f5282036.exe
PID 2932 wrote to memory of 2756	2932	x3887218.exe	f5282036.exe

C:\Users\Admin\AppData\Local\Temp\a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe
"C:\Users\Admin\AppData\Local\Temp\a299032783c88dab7cdf4b36b26ee3caf35b9b629e8140cdbb022ab7eabf151a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
4⤵
- Executes dropped EXE
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
Filesize
471KB

MD5
7c2022b431992b87c9bfe56acd958b2d

SHA1
2251d216822746bfdfb08845860f2ba964212301

SHA256
bc98d50724270445861a310c2a15ffec6f1f2d5cbe72e3114757394920bae858

SHA512
e9f8e2575a88cb669369fc0268e5d695a1e0e2778b8940fcc66b854150f71aa61d907948e545d3701036b13237f68d1bdb563e372c1c2e4d5891525c99e9a427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5268627.exe
Filesize
471KB

MD5
7c2022b431992b87c9bfe56acd958b2d

SHA1
2251d216822746bfdfb08845860f2ba964212301

SHA256
bc98d50724270445861a310c2a15ffec6f1f2d5cbe72e3114757394920bae858

SHA512
e9f8e2575a88cb669369fc0268e5d695a1e0e2778b8940fcc66b854150f71aa61d907948e545d3701036b13237f68d1bdb563e372c1c2e4d5891525c99e9a427

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
Filesize
277KB

MD5
a4abe97444471186b3406386fd6c7d2f

SHA1
f0ba26aabd9d72f31d96a05ef7978245c34c34aa

SHA256
56fbf1992e5615f8894f56738ed59770882115b07b77bee4ff0f16388f80f86c

SHA512
746ec9f0a931371889ec09d8997287d2c9b2aec7844ba536037d9f6bcec575f6e05e3e1e62e8219969e91456d4f4042713a24016b89e020e13267fa74ee62762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3887218.exe
Filesize
277KB

MD5
a4abe97444471186b3406386fd6c7d2f

SHA1
f0ba26aabd9d72f31d96a05ef7978245c34c34aa

SHA256
56fbf1992e5615f8894f56738ed59770882115b07b77bee4ff0f16388f80f86c

SHA512
746ec9f0a931371889ec09d8997287d2c9b2aec7844ba536037d9f6bcec575f6e05e3e1e62e8219969e91456d4f4042713a24016b89e020e13267fa74ee62762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
Filesize
173KB

MD5
a8a80fd5138a0bada9ae3f72f8daf7af

SHA1
bbf4b9f3bc0099bea935f3fd1387bb524ab94b6b

SHA256
aac3a769d9afeb55271d1e03ccb5d75bcabf125c2acd238f6993096d6382633c

SHA512
af6f1949f52d7ddaee3a46b6d23550d47756d448ab80666699b4cb8e103382c4133cd015316d9d05f9591907d1a429a0a04007fa0ea1d36b4a46bf1b2c81d74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5282036.exe
Filesize
173KB

MD5
a8a80fd5138a0bada9ae3f72f8daf7af

SHA1
bbf4b9f3bc0099bea935f3fd1387bb524ab94b6b

SHA256
aac3a769d9afeb55271d1e03ccb5d75bcabf125c2acd238f6993096d6382633c

SHA512
af6f1949f52d7ddaee3a46b6d23550d47756d448ab80666699b4cb8e103382c4133cd015316d9d05f9591907d1a429a0a04007fa0ea1d36b4a46bf1b2c81d74a

Download Submit
memory/2756-154-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/2756-155-0x000000000AFF0000-0x000000000B608000-memory.dmp

Filesize
6.1MB

Download
memory/2756-156-0x000000000AB70000-0x000000000AC7A000-memory.dmp

Filesize
1.0MB

Download
memory/2756-157-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

Filesize
72KB

Download
memory/2756-158-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/2756-159-0x000000000AB10000-0x000000000AB4C000-memory.dmp

Filesize
240KB

Download
memory/2756-160-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download