redline | e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d

Analysis

max time kernel
166s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe
Size

1.5MB
MD5

7f3bed5e43878f146d5b56b25f384209
SHA1

057e7f92a12294866b19c7e91bf3c28f54caf48a
SHA256

e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d
SHA512

34d093ee2c716df07cfd63695a286d090c143f2b03894be2c17007acdc83a1677604f45702100c1bb205ab6c87da718885841c71e601c8120abeaa3adad68246
SSDEEP

24576:iycYxnPWUDZkNuK3ij6QpQ+kR4vqVtboHW1Ld8iqryvDhUvCogczVOTzkaS6A6J:JcYgNuK3SIxkqVpoHAxrJFUvCykTTSE

Score

10^/10

redline most discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4356-169-0x000000000B020000-0x000000000B638000-memory.dmp	redline_stealer
behavioral2/memory/4356-177-0x000000000B760000-0x000000000B7C6000-memory.dmp	redline_stealer
behavioral2/memory/4356-179-0x000000000BCC0000-0x000000000BE82000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1052	i66762167.exe
2648	i62698498.exe
1112	i01089409.exe
2792	i48345309.exe
4356	a32120836.exe
4480	b56668927.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i66762167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i62698498.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i01089409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i48345309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i01089409.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i48345309.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i66762167.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i62698498.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1312	4480	WerFault.exe	97
3136	4480	WerFault.exe	97
3840	4480	WerFault.exe	97
2776	4480	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4356	a32120836.exe
4356	a32120836.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	a32120836.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1052	2972	e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe	84
PID 2972 wrote to memory of 1052	2972	e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe	84
PID 2972 wrote to memory of 1052	2972	e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe	84
PID 1052 wrote to memory of 2648	1052	i66762167.exe	85
PID 1052 wrote to memory of 2648	1052	i66762167.exe	85
PID 1052 wrote to memory of 2648	1052	i66762167.exe	85
PID 2648 wrote to memory of 1112	2648	i62698498.exe	86
PID 2648 wrote to memory of 1112	2648	i62698498.exe	86
PID 2648 wrote to memory of 1112	2648	i62698498.exe	86
PID 1112 wrote to memory of 2792	1112	i01089409.exe	87
PID 1112 wrote to memory of 2792	1112	i01089409.exe	87
PID 1112 wrote to memory of 2792	1112	i01089409.exe	87
PID 2792 wrote to memory of 4356	2792	i48345309.exe	88
PID 2792 wrote to memory of 4356	2792	i48345309.exe	88
PID 2792 wrote to memory of 4356	2792	i48345309.exe	88
PID 2792 wrote to memory of 4480	2792	i48345309.exe	97
PID 2792 wrote to memory of 4480	2792	i48345309.exe	97
PID 2792 wrote to memory of 4480	2792	i48345309.exe	97

C:\Users\Admin\AppData\Local\Temp\e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe
"C:\Users\Admin\AppData\Local\Temp\e617bab38bb18c308c0d60855c0534888915f9f964fa238b3ccec660ffb3167d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66762167.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66762167.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62698498.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62698498.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i01089409.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i01089409.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i48345309.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i48345309.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32120836.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32120836.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b56668927.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b56668927.exe
        6⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 696
        7⤵
        Program crash
        
        PID:1312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 780
        7⤵
        Program crash
        
        PID:3136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 856
        7⤵
        Program crash
        
        PID:3840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 952
        7⤵
        Program crash
        
        PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4480 -ip 4480
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4480 -ip 4480
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4480 -ip 4480
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4480 -ip 4480
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66762167.exe

Filesize
1.3MB

MD5
15bed758f518975ff0a970c1f3bac60a

SHA1
fe7848d279a7de31081f4843a242ca70bfa52a88

SHA256
a3f695be242e5534fe90033ce0be5c61ec101994eec88458d3f845c710b50f01

SHA512
4156df5d9a5bde6c8d45aa92af7437c1043ba3a6a42faf7529d9940916a1d0ba3be0e8a24e22be5dbadd6f7980631067b9519b5b51a47f24380fd28ac636625c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66762167.exe

Filesize
1.3MB

MD5
15bed758f518975ff0a970c1f3bac60a

SHA1
fe7848d279a7de31081f4843a242ca70bfa52a88

SHA256
a3f695be242e5534fe90033ce0be5c61ec101994eec88458d3f845c710b50f01

SHA512
4156df5d9a5bde6c8d45aa92af7437c1043ba3a6a42faf7529d9940916a1d0ba3be0e8a24e22be5dbadd6f7980631067b9519b5b51a47f24380fd28ac636625c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62698498.exe

Filesize
1014KB

MD5
6d975f91459decef2a269c9c1481c621

SHA1
6c8883365c438d26a44d87a2b350368d068a6c30

SHA256
a24cf8c550866e1b6d308270e88bb71c15cdd013746d38c5d5d77deb04ba77b7

SHA512
4cdbc46c358954b91433bc3c1bd42e87c00fd34e5bddf03a94cc1a000830cf91168769e6ab85865ce7acdcf2c38fc434b9387153d5a17e779e4ce57c71eab5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62698498.exe

Filesize
1014KB

MD5
6d975f91459decef2a269c9c1481c621

SHA1
6c8883365c438d26a44d87a2b350368d068a6c30

SHA256
a24cf8c550866e1b6d308270e88bb71c15cdd013746d38c5d5d77deb04ba77b7

SHA512
4cdbc46c358954b91433bc3c1bd42e87c00fd34e5bddf03a94cc1a000830cf91168769e6ab85865ce7acdcf2c38fc434b9387153d5a17e779e4ce57c71eab5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i01089409.exe

Filesize
842KB

MD5
dc817d3d5db1a0574195f324604bdfc0

SHA1
7e0a6ad37010151f171f458a956d741ca9699bcd

SHA256
baa4c4166f4b37fece501fb687aa04b21cbcd61449c9aeaab62804989db52caf

SHA512
9274380e1c80770b5e586c3431e66ae5f6446192e183488d618b5d141d10b50f60b2e99b4ae9776ad066bff2035627a968a4a8c8c57a68570e290492b957a09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i01089409.exe

Filesize
842KB

MD5
dc817d3d5db1a0574195f324604bdfc0

SHA1
7e0a6ad37010151f171f458a956d741ca9699bcd

SHA256
baa4c4166f4b37fece501fb687aa04b21cbcd61449c9aeaab62804989db52caf

SHA512
9274380e1c80770b5e586c3431e66ae5f6446192e183488d618b5d141d10b50f60b2e99b4ae9776ad066bff2035627a968a4a8c8c57a68570e290492b957a09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i48345309.exe

Filesize
370KB

MD5
1cf2fe22adda199a9fe39ed695571d42

SHA1
0f61b2aeda3f38c9b1bf6a1aea4090a9544a4ef6

SHA256
1f54e75c760470daf8d5cad82ff0049d6fbff20d16770677063415fd6eecfe88

SHA512
aa816f78e29c09763a5a8fd7281cbeba50f3c10d81df6f03e8a64a4c1cad1c1f67bc4ebb41a0b111e38c38b8e0ec95b0add3e3ff55dc273c5a117afdfc15989e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i48345309.exe

Filesize
370KB

MD5
1cf2fe22adda199a9fe39ed695571d42

SHA1
0f61b2aeda3f38c9b1bf6a1aea4090a9544a4ef6

SHA256
1f54e75c760470daf8d5cad82ff0049d6fbff20d16770677063415fd6eecfe88

SHA512
aa816f78e29c09763a5a8fd7281cbeba50f3c10d81df6f03e8a64a4c1cad1c1f67bc4ebb41a0b111e38c38b8e0ec95b0add3e3ff55dc273c5a117afdfc15989e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32120836.exe

Filesize
169KB

MD5
6953461095993e2bdb8a880b2f1c24f4

SHA1
380421b3f24a6681a07e0db991cf5a3fa426bdcd

SHA256
050e5ef8c71d7b3f9bd06c4791553bda2318e0fe7d123e6b89b51e88aadee244

SHA512
d90491ace450ef575fa37023c34fc23abdf2bc6c9a02f3c2e6229b1750d7a51432e70db2ecf2a3004825509a4e40b842fff9a05b65644f9927d1d101385683c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a32120836.exe

Filesize
169KB

MD5
6953461095993e2bdb8a880b2f1c24f4

SHA1
380421b3f24a6681a07e0db991cf5a3fa426bdcd

SHA256
050e5ef8c71d7b3f9bd06c4791553bda2318e0fe7d123e6b89b51e88aadee244

SHA512
d90491ace450ef575fa37023c34fc23abdf2bc6c9a02f3c2e6229b1750d7a51432e70db2ecf2a3004825509a4e40b842fff9a05b65644f9927d1d101385683c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b56668927.exe

Filesize
369KB

MD5
984e48b4193d346707d81297d0172b66

SHA1
7286e3d9acf1ce472197699dbda16b1a80664071

SHA256
8826a84a5e995ad6b3fee20339e0480fdc4998b99b23933086464a61ef16a103

SHA512
cca07f18872ae5f4152f53de6552ff78f05993195327b95a609d1b9daeffec3b8412fddd672d9495f10bc224a1153fc8866a55fda88a7fbec2ca60f04c44026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b56668927.exe

Filesize
369KB

MD5
984e48b4193d346707d81297d0172b66

SHA1
7286e3d9acf1ce472197699dbda16b1a80664071

SHA256
8826a84a5e995ad6b3fee20339e0480fdc4998b99b23933086464a61ef16a103

SHA512
cca07f18872ae5f4152f53de6552ff78f05993195327b95a609d1b9daeffec3b8412fddd672d9495f10bc224a1153fc8866a55fda88a7fbec2ca60f04c44026a

Download Submit
memory/4356-172-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/4356-177-0x000000000B760000-0x000000000B7C6000-memory.dmp

Filesize
408KB

Download
memory/4356-170-0x000000000AB80000-0x000000000AC8A000-memory.dmp

Filesize
1.0MB

Download
memory/4356-173-0x000000000AB10000-0x000000000AB4C000-memory.dmp

Filesize
240KB

Download
memory/4356-174-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/4356-175-0x000000000B640000-0x000000000B6B6000-memory.dmp

Filesize
472KB

Download
memory/4356-176-0x000000000B6C0000-0x000000000B752000-memory.dmp

Filesize
584KB

Download
memory/4356-171-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

Filesize
72KB

Download
memory/4356-178-0x000000000BF80000-0x000000000C524000-memory.dmp

Filesize
5.6MB

Download
memory/4356-179-0x000000000BCC0000-0x000000000BE82000-memory.dmp

Filesize
1.8MB

Download
memory/4356-180-0x000000000CA60000-0x000000000CF8C000-memory.dmp

Filesize
5.2MB

Download
memory/4356-181-0x000000000BAF0000-0x000000000BB40000-memory.dmp

Filesize
320KB

Download
memory/4356-169-0x000000000B020000-0x000000000B638000-memory.dmp

Filesize
6.1MB

Download
memory/4356-168-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/4480-187-0x0000000000B80000-0x0000000000BB5000-memory.dmp

Filesize
212KB

Download
memory/4480-188-0x0000000000400000-0x0000000000801000-memory.dmp

Filesize
4.0MB

Download