redline | d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26

Analysis

max time kernel
148s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe
Size

1.2MB
MD5

04382ba1c334b7c869f7b303f7adc9b9
SHA1

5e49402983192ebe9489b699e330c9ec06be7f8a
SHA256

d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26
SHA512

2c27a9000352eb18f3dbb2bddfa70e5526b17812edbde228970627354181f766e5de07ea30197339591a5026088e568719629ac212b33271f2b5bd244ee06aca
SSDEEP

24576:Jy28hQ6DAUJ1WKgnn6Mm99skcUHwi4Qt3g5xLnuIhogOtI4kw:82WB3WDnn6MgV3tNoxKAog

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/2304-2337-0x00000000052B0000-0x00000000058C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s45237992.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	s45237992.exe

Executes dropped EXE 6 IoCs

Processes:

z16875320.exez24187184.exez24541790.exes45237992.exe1.exet71153423.exe

pid process

448 z16875320.exe
3096 z24187184.exe
2968 z24541790.exe
2032 s45237992.exe
2304 1.exe
4928 t71153423.exe

pid	process
448	z16875320.exe
3096	z24187184.exe
2968	z24541790.exe
2032	s45237992.exe
2304	1.exe
4928	t71153423.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exez16875320.exez24187184.exez24541790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z16875320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z16875320.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z24187184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z24187184.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z24541790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z24541790.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3416 2032 WerFault.exe s45237992.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s45237992.exe

description pid process

Token: SeDebugPrivilege 2032 s45237992.exe

pid	pid_target	process	target process
3416	2032	WerFault.exe	s45237992.exe

description	pid	process
Token: SeDebugPrivilege	2032	s45237992.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exez16875320.exez24187184.exez24541790.exes45237992.exe

description	pid	process	target process
PID 4648 wrote to memory of 448	4648	d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe	z16875320.exe
PID 4648 wrote to memory of 448	4648	d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe	z16875320.exe
PID 4648 wrote to memory of 448	4648	d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe	z16875320.exe
PID 448 wrote to memory of 3096	448	z16875320.exe	z24187184.exe
PID 448 wrote to memory of 3096	448	z16875320.exe	z24187184.exe
PID 448 wrote to memory of 3096	448	z16875320.exe	z24187184.exe
PID 3096 wrote to memory of 2968	3096	z24187184.exe	z24541790.exe
PID 3096 wrote to memory of 2968	3096	z24187184.exe	z24541790.exe
PID 3096 wrote to memory of 2968	3096	z24187184.exe	z24541790.exe
PID 2968 wrote to memory of 2032	2968	z24541790.exe	s45237992.exe
PID 2968 wrote to memory of 2032	2968	z24541790.exe	s45237992.exe
PID 2968 wrote to memory of 2032	2968	z24541790.exe	s45237992.exe
PID 2032 wrote to memory of 2304	2032	s45237992.exe	1.exe
PID 2032 wrote to memory of 2304	2032	s45237992.exe	1.exe
PID 2032 wrote to memory of 2304	2032	s45237992.exe	1.exe
PID 2968 wrote to memory of 4928	2968	z24541790.exe	t71153423.exe
PID 2968 wrote to memory of 4928	2968	z24541790.exe	t71153423.exe
PID 2968 wrote to memory of 4928	2968	z24541790.exe	t71153423.exe

C:\Users\Admin\AppData\Local\Temp\d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe
"C:\Users\Admin\AppData\Local\Temp\d0cb653f1500fb14cc780d660b1d5f11db8f60170a02ec6af05a8894a5610c26.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z16875320.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z16875320.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z24187184.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z24187184.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24541790.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24541790.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s45237992.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s45237992.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1388
6⤵
- Program crash
PID:3416

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71153423.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71153423.exe
5⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2032 -ip 2032
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z16875320.exe
Filesize
1.0MB

MD5
8c8ef315b712276ed61793e90c2e7463

SHA1
aa17aef2637b6ad8c63932b636c80e1745d93b7a

SHA256
cfed48926e27cbedfe3c2c9714c870cf826477194259a485387b4f4635086724

SHA512
454d92ea5cf16af1d8d59a731eada5158594d265e9e4132e80b0ce5140450d8c0d926a8b057bca48f57116d1446947df092b955a15e9a54e60e581c875ff0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z16875320.exe
Filesize
1.0MB

MD5
8c8ef315b712276ed61793e90c2e7463

SHA1
aa17aef2637b6ad8c63932b636c80e1745d93b7a

SHA256
cfed48926e27cbedfe3c2c9714c870cf826477194259a485387b4f4635086724

SHA512
454d92ea5cf16af1d8d59a731eada5158594d265e9e4132e80b0ce5140450d8c0d926a8b057bca48f57116d1446947df092b955a15e9a54e60e581c875ff0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z24187184.exe
Filesize
759KB

MD5
43e5ed0f0f9e88d2f3fac8ebe00f229c

SHA1
3efabac9f8c6ed0a34fcebce97dba34ce3e9536a

SHA256
f811f8a36ac9f14244f0ca1822458f1b4a4abfc5cd5d6efd218278ca52e16093

SHA512
4e97b527cb6dcaee534198eb147a21223cf651d16ed5093ea854b7f15255b4e91ea45238f88017e2267107d77f8cbd2f9ba622be8f4d2939ee15b5570f234aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z24187184.exe
Filesize
759KB

MD5
43e5ed0f0f9e88d2f3fac8ebe00f229c

SHA1
3efabac9f8c6ed0a34fcebce97dba34ce3e9536a

SHA256
f811f8a36ac9f14244f0ca1822458f1b4a4abfc5cd5d6efd218278ca52e16093

SHA512
4e97b527cb6dcaee534198eb147a21223cf651d16ed5093ea854b7f15255b4e91ea45238f88017e2267107d77f8cbd2f9ba622be8f4d2939ee15b5570f234aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24541790.exe
Filesize
577KB

MD5
46e73738598ec7f7aa74522481dd540b

SHA1
4c900a0f110775448ce68719fa162dcde5937f87

SHA256
36148e7882c9fbff4ddab31d9b95a9042a47a2a5e486b367c4a2d228fd63990b

SHA512
ea1ea95d21a228023e8b5b1e69398ab9c8942c0e877e25608a24dfbe3113544f8f650d264daabad9a52015bab8d4f4b3fbc9d6c1c5938c74fae1a75111cd1abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z24541790.exe
Filesize
577KB

MD5
46e73738598ec7f7aa74522481dd540b

SHA1
4c900a0f110775448ce68719fa162dcde5937f87

SHA256
36148e7882c9fbff4ddab31d9b95a9042a47a2a5e486b367c4a2d228fd63990b

SHA512
ea1ea95d21a228023e8b5b1e69398ab9c8942c0e877e25608a24dfbe3113544f8f650d264daabad9a52015bab8d4f4b3fbc9d6c1c5938c74fae1a75111cd1abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s45237992.exe
Filesize
574KB

MD5
c64b93ce5d4fc9fdcb76070e04842cd2

SHA1
3a77ae2b39e83daedca4e865acd421c4f8aa2d58

SHA256
5351fff84e4ae17b359ee878643ca43de02a1927f2ec6fff7c2ca9b3bf4f13ef

SHA512
42b81a7793ac2eb99a1ed0ba275279cfeaafea017b04dd49349a6cd8e6d75dc82c31fa4b51190da683677e37ff31dba4810920929e16e690f9ab96fb8e213306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s45237992.exe
Filesize
574KB

MD5
c64b93ce5d4fc9fdcb76070e04842cd2

SHA1
3a77ae2b39e83daedca4e865acd421c4f8aa2d58

SHA256
5351fff84e4ae17b359ee878643ca43de02a1927f2ec6fff7c2ca9b3bf4f13ef

SHA512
42b81a7793ac2eb99a1ed0ba275279cfeaafea017b04dd49349a6cd8e6d75dc82c31fa4b51190da683677e37ff31dba4810920929e16e690f9ab96fb8e213306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71153423.exe
Filesize
169KB

MD5
ee81b3b872abc81c16daa90b5c10c28c

SHA1
2d6899dddaa3e9e0ce5f06b0dde20633cb254ac6

SHA256
480aaa42c7b87021d773d77a8774479e7483215796a1fd99a3a7e19c3ea70c35

SHA512
e0b2a50326e6b7a77540d942500eb4237f3f712e58c07a779c9bde26a103b5b60eb67fcc6ac1393a8c4655c90222cf2f3fd3ace215ac07e9099d35793a069a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t71153423.exe
Filesize
169KB

MD5
ee81b3b872abc81c16daa90b5c10c28c

SHA1
2d6899dddaa3e9e0ce5f06b0dde20633cb254ac6

SHA256
480aaa42c7b87021d773d77a8774479e7483215796a1fd99a3a7e19c3ea70c35

SHA512
e0b2a50326e6b7a77540d942500eb4237f3f712e58c07a779c9bde26a103b5b60eb67fcc6ac1393a8c4655c90222cf2f3fd3ace215ac07e9099d35793a069a0b

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2032-198-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-214-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-166-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-169-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-171-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-173-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-175-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-179-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-177-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-182-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-184-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-186-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-185-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-188-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-181-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-190-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-192-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-194-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-196-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-165-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/2032-200-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-202-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-204-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-206-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-208-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-210-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-212-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-167-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-216-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-218-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-220-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-222-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-224-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-226-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-228-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-230-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/2032-2316-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-2317-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-2318-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-2322-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-2336-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2032-162-0x0000000000A60000-0x0000000000ABB000-memory.dmp

Filesize
364KB

Download
memory/2032-163-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/2304-2338-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/2304-2339-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/2304-2340-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/2304-2342-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2304-2337-0x00000000052B0000-0x00000000058C8000-memory.dmp

Filesize
6.1MB

Download
memory/2304-2334-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2304-2349-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4928-2347-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

Filesize
184KB

Download
memory/4928-2348-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4928-2350-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download