redline | da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb

Analysis

max time kernel
228s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
Size

1.5MB
MD5

e151f1b1bcf6a54cce98e1ddc76a2bfe
SHA1

1975670e187659e6b145f5fd02271d6778131b8c
SHA256

da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb
SHA512

7b08d520483e6595c5a7a142e9d93f0736a50472c62dc766823f20dc8c83d30d3809f07587fe34df85dbadbaeb514e4edf6c8cc5eac75a40784f59662cf26d0d
SSDEEP

24576:xyUA3zBAhj3Z8cn5RvogpsAwVmJXG0sj0gmRz4CJTAIj0aP2uq5Y:kUADBAhN8c5lobAwVm5W9CJ340

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4708-169-0x0000000005340000-0x0000000005958000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2040	i83059884.exe
3044	i04947957.exe
4748	i93713933.exe
3868	i71634808.exe
4708	a20582316.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i83059884.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93713933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i71634808.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i83059884.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i04947957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i04947957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i93713933.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i71634808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2040	2092	da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe	80
PID 2092 wrote to memory of 2040	2092	da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe	80
PID 2092 wrote to memory of 2040	2092	da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe	80
PID 2040 wrote to memory of 3044	2040	i83059884.exe	81
PID 2040 wrote to memory of 3044	2040	i83059884.exe	81
PID 2040 wrote to memory of 3044	2040	i83059884.exe	81
PID 3044 wrote to memory of 4748	3044	i04947957.exe	82
PID 3044 wrote to memory of 4748	3044	i04947957.exe	82
PID 3044 wrote to memory of 4748	3044	i04947957.exe	82
PID 4748 wrote to memory of 3868	4748	i93713933.exe	83
PID 4748 wrote to memory of 3868	4748	i93713933.exe	83
PID 4748 wrote to memory of 3868	4748	i93713933.exe	83
PID 3868 wrote to memory of 4708	3868	i71634808.exe	84
PID 3868 wrote to memory of 4708	3868	i71634808.exe	84
PID 3868 wrote to memory of 4708	3868	i71634808.exe	84

C:\Users\Admin\AppData\Local\Temp\da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe
"C:\Users\Admin\AppData\Local\Temp\da72f2cb6f684fb1e0b20d1f48fa218eed5742f3288a4cda9b45ef4dc0503ceb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83059884.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83059884.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04947957.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04947957.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93713933.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93713933.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i71634808.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i71634808.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20582316.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20582316.exe
        6⤵
        Executes dropped EXE
        
        PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83059884.exe

Filesize
1.3MB

MD5
75e2e8a68f3e169ca335ced472c76eb2

SHA1
13a26523dcb297127a80440db2f7fbef9ca28e96

SHA256
099ff1a452fd989eeca271c8ff3f4a403dd873d799339f3bfd0a6e1f0dd0f22f

SHA512
dca86ab91577a033cafbee40098a0ecabbbfd4cc3952525bcf3ca663beadb83a79ac414fda16f581f50bb63084e715d6f75ee350f240ae45bcaf6b95d401b397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83059884.exe

Filesize
1.3MB

MD5
75e2e8a68f3e169ca335ced472c76eb2

SHA1
13a26523dcb297127a80440db2f7fbef9ca28e96

SHA256
099ff1a452fd989eeca271c8ff3f4a403dd873d799339f3bfd0a6e1f0dd0f22f

SHA512
dca86ab91577a033cafbee40098a0ecabbbfd4cc3952525bcf3ca663beadb83a79ac414fda16f581f50bb63084e715d6f75ee350f240ae45bcaf6b95d401b397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04947957.exe

Filesize
1016KB

MD5
2888bcf1c957d110fce19b396aa4b7c1

SHA1
378836ee5a12eeb76d8024c10a8bd592b80295ff

SHA256
aeb2045004143e7d484345a685c6ef3f68ac8245da91017f946e408ce745d4dc

SHA512
97efa9c030c6ea95ded5c58346112188f1e46657c0138ec056a4826999a8d7dd5e7ab1fb37c779c8ca1bf5236382147897f4ef1fe831afbf9e17d8ca5bfdb523

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04947957.exe

Filesize
1016KB

MD5
2888bcf1c957d110fce19b396aa4b7c1

SHA1
378836ee5a12eeb76d8024c10a8bd592b80295ff

SHA256
aeb2045004143e7d484345a685c6ef3f68ac8245da91017f946e408ce745d4dc

SHA512
97efa9c030c6ea95ded5c58346112188f1e46657c0138ec056a4826999a8d7dd5e7ab1fb37c779c8ca1bf5236382147897f4ef1fe831afbf9e17d8ca5bfdb523

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93713933.exe

Filesize
844KB

MD5
80c5e9c28271e21d5a6b88fa6c819c00

SHA1
31fb791a8f63c7821bc475788b12e96dfbb933fe

SHA256
52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0

SHA512
83862d521f563c7afd58429b2ce8e35308cc433608af84eb27a008c79d4b40454624321a1cd1b05c7c213160a39c22f3f3a21365f9543386d34ec3e80de4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93713933.exe

Filesize
844KB

MD5
80c5e9c28271e21d5a6b88fa6c819c00

SHA1
31fb791a8f63c7821bc475788b12e96dfbb933fe

SHA256
52f765844623c2f90315854ca382dca7f7ef1a177e87f482fcb7998f540406e0

SHA512
83862d521f563c7afd58429b2ce8e35308cc433608af84eb27a008c79d4b40454624321a1cd1b05c7c213160a39c22f3f3a21365f9543386d34ec3e80de4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i71634808.exe

Filesize
371KB

MD5
861b034b9d1fd6977a2cabb72044a6a8

SHA1
810f628adbef8b54735883617f67a585ee7eb1bf

SHA256
f43694e668258003a175a2f86c35fbf4b1724a99d0baba7474ad90c92692041b

SHA512
5170e2f1f9b333b33575438b95fcd71ee83f7865f0f42a1532582df4eab4ca0828ca72354e2a5cc498465f64adc63485d65f9b2ab3e4c4e0cb4971f7b21cdd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i71634808.exe

Filesize
371KB

MD5
861b034b9d1fd6977a2cabb72044a6a8

SHA1
810f628adbef8b54735883617f67a585ee7eb1bf

SHA256
f43694e668258003a175a2f86c35fbf4b1724a99d0baba7474ad90c92692041b

SHA512
5170e2f1f9b333b33575438b95fcd71ee83f7865f0f42a1532582df4eab4ca0828ca72354e2a5cc498465f64adc63485d65f9b2ab3e4c4e0cb4971f7b21cdd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20582316.exe

Filesize
169KB

MD5
e3910c70876d2cf8e33d1949f9aa09f2

SHA1
f338e8b564e8a8b4ac6b33ab8287e000e4f3ea19

SHA256
2d715e490c801611472e9935c22561689f25957aafaa11d0e7ea6a61ddf060bb

SHA512
c576861d4c9d52c974f1a8cdbad766e599970c0f27aa014abd83ccca0e347d9d005cf3f3d002653d9f2bcf3b77f5ad3475e332ce68f40975d71c9ba705bcadf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20582316.exe

Filesize
169KB

MD5
e3910c70876d2cf8e33d1949f9aa09f2

SHA1
f338e8b564e8a8b4ac6b33ab8287e000e4f3ea19

SHA256
2d715e490c801611472e9935c22561689f25957aafaa11d0e7ea6a61ddf060bb

SHA512
c576861d4c9d52c974f1a8cdbad766e599970c0f27aa014abd83ccca0e347d9d005cf3f3d002653d9f2bcf3b77f5ad3475e332ce68f40975d71c9ba705bcadf8

Download Submit
memory/4708-168-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/4708-169-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/4708-170-0x0000000004E30000-0x0000000004F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4708-171-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/4708-172-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4708-173-0x0000000004BC0000-0x0000000004BFC000-memory.dmp

Filesize
240KB

Download
memory/4708-174-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download