redline | e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02

Analysis

max time kernel
196s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe
Size

1.5MB
MD5

6d7dead0242672c46da13388b164b99d
SHA1

a0d3f024169929332b65121eba476413ed3d667c
SHA256

e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02
SHA512

e6caf2b37599dd1c10ed389a33f3f04a07fec19ce6ccb8bb9a7bebab9e01e4ac9f1c03bbb96db9958de690c3bc38c6f21b763ed0064e2f2e8431b9276a3b6d48
SSDEEP

24576:xysOvTniDe6bzjc95+KMkxH+JIhtIZZwnTbDIPUcLvwGqw2VhG:kXmDDzcj+KMFJIrJrxcwGkV

Score

10^/10

redline most discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/856-169-0x000000000B1F0000-0x000000000B808000-memory.dmp	redline_stealer
behavioral2/memory/856-177-0x000000000B810000-0x000000000B876000-memory.dmp	redline_stealer
behavioral2/memory/856-179-0x000000000C540000-0x000000000C702000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2244	i08391543.exe
4656	i41854155.exe
3356	i40621999.exe
220	i41966186.exe
856	a45001049.exe
4544	b78567678.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i41854155.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i40621999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i41966186.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08391543.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i08391543.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i41854155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i40621999.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i41966186.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2412	4544	WerFault.exe	94
4560	4544	WerFault.exe	94
4356	4544	WerFault.exe	94
2784	4544	WerFault.exe	94
864	4544	WerFault.exe	94
4588	4544	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
856	a45001049.exe
856	a45001049.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	a45001049.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2244	992	e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe	83
PID 992 wrote to memory of 2244	992	e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe	83
PID 992 wrote to memory of 2244	992	e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe	83
PID 2244 wrote to memory of 4656	2244	i08391543.exe	84
PID 2244 wrote to memory of 4656	2244	i08391543.exe	84
PID 2244 wrote to memory of 4656	2244	i08391543.exe	84
PID 4656 wrote to memory of 3356	4656	i41854155.exe	85
PID 4656 wrote to memory of 3356	4656	i41854155.exe	85
PID 4656 wrote to memory of 3356	4656	i41854155.exe	85
PID 3356 wrote to memory of 220	3356	i40621999.exe	86
PID 3356 wrote to memory of 220	3356	i40621999.exe	86
PID 3356 wrote to memory of 220	3356	i40621999.exe	86
PID 220 wrote to memory of 856	220	i41966186.exe	87
PID 220 wrote to memory of 856	220	i41966186.exe	87
PID 220 wrote to memory of 856	220	i41966186.exe	87
PID 220 wrote to memory of 4544	220	i41966186.exe	94
PID 220 wrote to memory of 4544	220	i41966186.exe	94
PID 220 wrote to memory of 4544	220	i41966186.exe	94

C:\Users\Admin\AppData\Local\Temp\e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe
"C:\Users\Admin\AppData\Local\Temp\e05c4d9dadcfa5c0d523845f3c837c72c7a4b9d48a9eac0b518e9305e81a9a02.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08391543.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08391543.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41854155.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41854155.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40621999.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40621999.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41966186.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41966186.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45001049.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45001049.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b78567678.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b78567678.exe
        6⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 696
        7⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 752
        7⤵
        Program crash
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 824
        7⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 832
        7⤵
        Program crash
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 976
        7⤵
        Program crash
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 964
        7⤵
        Program crash
        
        PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4544 -ip 4544
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4544 -ip 4544
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4544 -ip 4544
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4544 -ip 4544
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4544 -ip 4544
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4544 -ip 4544
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08391543.exe

Filesize
1.3MB

MD5
cfc56b13811944b2ad3e792a3009921c

SHA1
b60420460c0ef254c5c4dbf3a6f9dae242f7f647

SHA256
0dcd5fe5f11ebfa68eab9a29f6a0733c6100e86aa1bdd9a07cee60140eab1c5a

SHA512
f5f3bc026a4f11f6f7cc39f0267f569b83dce3f7e98d4cf9f3b9b1bc1f3c1e6a60160523ceb1b5b3e1064477c52c0740ccf88c8113acbbad1f0dc287e9b8032c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08391543.exe

Filesize
1.3MB

MD5
cfc56b13811944b2ad3e792a3009921c

SHA1
b60420460c0ef254c5c4dbf3a6f9dae242f7f647

SHA256
0dcd5fe5f11ebfa68eab9a29f6a0733c6100e86aa1bdd9a07cee60140eab1c5a

SHA512
f5f3bc026a4f11f6f7cc39f0267f569b83dce3f7e98d4cf9f3b9b1bc1f3c1e6a60160523ceb1b5b3e1064477c52c0740ccf88c8113acbbad1f0dc287e9b8032c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41854155.exe

Filesize
1016KB

MD5
d95698e1b967a53c5d7e0285905637ad

SHA1
272aa1d8a474c5255058ef0e149483dcf92d625f

SHA256
5f26b43d2cf7a51230ba783acd46570ad69b49fd4c5c4134f6f99dba616623cd

SHA512
c7851cc7388b536eb1baf0b113b3ff81b91745d16ce39f11a4107b1965de89cc0866e3710dbcec9839bd4e43d302672ffb4ecf3b5dbd836b3c1b6705aec55197

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41854155.exe

Filesize
1016KB

MD5
d95698e1b967a53c5d7e0285905637ad

SHA1
272aa1d8a474c5255058ef0e149483dcf92d625f

SHA256
5f26b43d2cf7a51230ba783acd46570ad69b49fd4c5c4134f6f99dba616623cd

SHA512
c7851cc7388b536eb1baf0b113b3ff81b91745d16ce39f11a4107b1965de89cc0866e3710dbcec9839bd4e43d302672ffb4ecf3b5dbd836b3c1b6705aec55197

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40621999.exe

Filesize
844KB

MD5
91e42fd4d875392d8eac5e5c394c8b40

SHA1
bf06a56e3cc10ec90898d5cf605bfe50279f4774

SHA256
8b50deb26e5cb5905d0373d817ac96d874697eb0d347467635ac7b2a22ba52c7

SHA512
3df76bc337580de346e2fce6e7996063e687ade4fec5eec2987b7919afdec8711269439c0e61867f2e6cfddf516df1ea435bafe6426044181025b1a00e24acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40621999.exe

Filesize
844KB

MD5
91e42fd4d875392d8eac5e5c394c8b40

SHA1
bf06a56e3cc10ec90898d5cf605bfe50279f4774

SHA256
8b50deb26e5cb5905d0373d817ac96d874697eb0d347467635ac7b2a22ba52c7

SHA512
3df76bc337580de346e2fce6e7996063e687ade4fec5eec2987b7919afdec8711269439c0e61867f2e6cfddf516df1ea435bafe6426044181025b1a00e24acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41966186.exe

Filesize
371KB

MD5
9e53698ccfc0ba9a90fa53ace01b1a0b

SHA1
55fa2ddffcaa675a9c01d4055c9b8f77888eb234

SHA256
0472b2cd8e603487fc3a67fbb46012307287d2a1f12d100558aca4d4fffc3919

SHA512
ddda3d6bdba51365afea7963321f88daad17a793cc279e5f431b19f285bf79f949b0c0d26cffea61857729b7bfb0722e32e6ed69cb64e33199068f541d442c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41966186.exe

Filesize
371KB

MD5
9e53698ccfc0ba9a90fa53ace01b1a0b

SHA1
55fa2ddffcaa675a9c01d4055c9b8f77888eb234

SHA256
0472b2cd8e603487fc3a67fbb46012307287d2a1f12d100558aca4d4fffc3919

SHA512
ddda3d6bdba51365afea7963321f88daad17a793cc279e5f431b19f285bf79f949b0c0d26cffea61857729b7bfb0722e32e6ed69cb64e33199068f541d442c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45001049.exe

Filesize
169KB

MD5
71a950929f0689a45313cec7a85ddd33

SHA1
1f2f15e7e10d88f9072e4b8b601108fa402f913f

SHA256
367e427ae3665cd5493fdde0d3ed1337372c198247f965f333cfff1433fea29e

SHA512
815dbb849b92c32ffe02064d1ef938cd9f69221351b1fea0a3ed91523f5aecd689e82e618478b1cbd84364001b6ec130349a6ce10815a9dcf74610797e36637e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a45001049.exe

Filesize
169KB

MD5
71a950929f0689a45313cec7a85ddd33

SHA1
1f2f15e7e10d88f9072e4b8b601108fa402f913f

SHA256
367e427ae3665cd5493fdde0d3ed1337372c198247f965f333cfff1433fea29e

SHA512
815dbb849b92c32ffe02064d1ef938cd9f69221351b1fea0a3ed91523f5aecd689e82e618478b1cbd84364001b6ec130349a6ce10815a9dcf74610797e36637e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b78567678.exe

Filesize
374KB

MD5
92f318d5079115d01d8a698b4dd89aae

SHA1
ffd2a5242584842039359561cd6dd5aa9df86be5

SHA256
c8ece7e1e35a7cebc0296ae11cf923f4fcc61508b9d89cff83747e3f4c90cd5e

SHA512
561966afcd303fd2811bc81ce9e2cdb9ffb9c9f3c57cfb730fd8231bd5c3f80d4def5bb6c96fe5faec0bcdffac99971b0c188ad5db640056c588cd38ee0a17a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b78567678.exe

Filesize
374KB

MD5
92f318d5079115d01d8a698b4dd89aae

SHA1
ffd2a5242584842039359561cd6dd5aa9df86be5

SHA256
c8ece7e1e35a7cebc0296ae11cf923f4fcc61508b9d89cff83747e3f4c90cd5e

SHA512
561966afcd303fd2811bc81ce9e2cdb9ffb9c9f3c57cfb730fd8231bd5c3f80d4def5bb6c96fe5faec0bcdffac99971b0c188ad5db640056c588cd38ee0a17a1

Download Submit
memory/856-172-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/856-179-0x000000000C540000-0x000000000C702000-memory.dmp

Filesize
1.8MB

Download
memory/856-170-0x000000000ACE0000-0x000000000ADEA000-memory.dmp

Filesize
1.0MB

Download
memory/856-173-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

Filesize
240KB

Download
memory/856-174-0x000000000AF30000-0x000000000AFA6000-memory.dmp

Filesize
472KB

Download
memory/856-175-0x000000000B050000-0x000000000B0E2000-memory.dmp

Filesize
584KB

Download
memory/856-176-0x000000000BDC0000-0x000000000C364000-memory.dmp

Filesize
5.6MB

Download
memory/856-177-0x000000000B810000-0x000000000B876000-memory.dmp

Filesize
408KB

Download
memory/856-178-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/856-171-0x000000000ABD0000-0x000000000ABE2000-memory.dmp

Filesize
72KB

Download
memory/856-180-0x000000000CC40000-0x000000000D16C000-memory.dmp

Filesize
5.2MB

Download
memory/856-181-0x000000000BD20000-0x000000000BD70000-memory.dmp

Filesize
320KB

Download
memory/856-169-0x000000000B1F0000-0x000000000B808000-memory.dmp

Filesize
6.1MB

Download
memory/856-168-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/4544-187-0x0000000000810000-0x0000000000845000-memory.dmp

Filesize
212KB

Download
memory/4544-188-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4544-189-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4544-190-0x0000000000810000-0x0000000000845000-memory.dmp

Filesize
212KB

Download