redline | bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe
Size

1.5MB
MD5

705dc42258c1a1c3a649eeaccd48e7bb
SHA1

7d6212f6f4bc4d4995474135bc15c20b60a3230c
SHA256

bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f
SHA512

27f7b007b15b747a603c0e03c3dc322a1d4a80a9478ef3154e4db4c30df1dcbb3565fb880b609c40d490e87afa7babec27537c423ee6e02c00ec82d35ec1ada1
SSDEEP

24576:py5YzwhjAlZBNR6YMHpem5m8EQjy1kd8WwzHgeLM7k9+tP6P1uBVgGTtnYhDMISI:cmcInNR6Jpem5oQjy1kmWwzAZ2+tyP1f

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2680-169-0x000000000ADB0000-0x000000000B3C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1200	i80733066.exe
4504	i85101411.exe
2516	i30760267.exe
2088	i00496059.exe
2680	a20459365.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i85101411.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i30760267.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i00496059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i00496059.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i80733066.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i80733066.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i85101411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i30760267.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 1200	3968	bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe	84
PID 3968 wrote to memory of 1200	3968	bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe	84
PID 3968 wrote to memory of 1200	3968	bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe	84
PID 1200 wrote to memory of 4504	1200	i80733066.exe	85
PID 1200 wrote to memory of 4504	1200	i80733066.exe	85
PID 1200 wrote to memory of 4504	1200	i80733066.exe	85
PID 4504 wrote to memory of 2516	4504	i85101411.exe	86
PID 4504 wrote to memory of 2516	4504	i85101411.exe	86
PID 4504 wrote to memory of 2516	4504	i85101411.exe	86
PID 2516 wrote to memory of 2088	2516	i30760267.exe	87
PID 2516 wrote to memory of 2088	2516	i30760267.exe	87
PID 2516 wrote to memory of 2088	2516	i30760267.exe	87
PID 2088 wrote to memory of 2680	2088	i00496059.exe	88
PID 2088 wrote to memory of 2680	2088	i00496059.exe	88
PID 2088 wrote to memory of 2680	2088	i00496059.exe	88

C:\Users\Admin\AppData\Local\Temp\bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe
"C:\Users\Admin\AppData\Local\Temp\bea9d815054a72d101f5f456ef2d46abfb0d115ee64c2bb19b9a41086813a36f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80733066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80733066.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i85101411.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i85101411.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30760267.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30760267.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i00496059.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i00496059.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20459365.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20459365.exe
        6⤵
        Executes dropped EXE
        
        PID:2680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80733066.exe

Filesize
1.3MB

MD5
67feb175d2b13d0f45ce1942678388d1

SHA1
f331bc185d2615bf56e332bbd03193d20c434d30

SHA256
38401d84bb020c016f09074995d66c21687deae4fdaa41f32ad847b193bdaa8e

SHA512
10236c013107f7440226a3576713e754aaa5a38184ea04d9d34592406faae53c59556a4efb5b77a341bda73635104a5148a0370daef13ee699005e8fb92ab82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80733066.exe

Filesize
1.3MB

MD5
67feb175d2b13d0f45ce1942678388d1

SHA1
f331bc185d2615bf56e332bbd03193d20c434d30

SHA256
38401d84bb020c016f09074995d66c21687deae4fdaa41f32ad847b193bdaa8e

SHA512
10236c013107f7440226a3576713e754aaa5a38184ea04d9d34592406faae53c59556a4efb5b77a341bda73635104a5148a0370daef13ee699005e8fb92ab82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i85101411.exe

Filesize
1001KB

MD5
dc7c7eab811af6a9e7ceb2ee7ee1f33f

SHA1
2a285abcd82d6bce6075a196585ca2e18b589126

SHA256
e70e786f464b325558ef5c1dddf43d996b7a11ec0086ec944dda236247cf57d2

SHA512
3c4331d641fe2ac92eaebef2da769176078eca4bedeb612dbfdb2a2642c80aaccb799c4ee6c4b4bf6ef1fb030760d62d9670457d941c64b49d2842066d6af57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i85101411.exe

Filesize
1001KB

MD5
dc7c7eab811af6a9e7ceb2ee7ee1f33f

SHA1
2a285abcd82d6bce6075a196585ca2e18b589126

SHA256
e70e786f464b325558ef5c1dddf43d996b7a11ec0086ec944dda236247cf57d2

SHA512
3c4331d641fe2ac92eaebef2da769176078eca4bedeb612dbfdb2a2642c80aaccb799c4ee6c4b4bf6ef1fb030760d62d9670457d941c64b49d2842066d6af57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30760267.exe

Filesize
828KB

MD5
e2436f5ac0a77d84bc3ff2c7d2168705

SHA1
29875c1e28265c8ee116d9354cc435a743c0f5c6

SHA256
eddcea0a795589714594d7592e01d01f102817d31df52cc22e82b1f525869886

SHA512
ca45916ce3d4809ffd211730c49aa3ef9498fbdfa6073aa21dbbbbd23ed12ab169d01f849fb54cb80fdd33c49a1c4038d1d4ec91e4700a939157aade9376b05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30760267.exe

Filesize
828KB

MD5
e2436f5ac0a77d84bc3ff2c7d2168705

SHA1
29875c1e28265c8ee116d9354cc435a743c0f5c6

SHA256
eddcea0a795589714594d7592e01d01f102817d31df52cc22e82b1f525869886

SHA512
ca45916ce3d4809ffd211730c49aa3ef9498fbdfa6073aa21dbbbbd23ed12ab169d01f849fb54cb80fdd33c49a1c4038d1d4ec91e4700a939157aade9376b05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i00496059.exe

Filesize
363KB

MD5
0874597a85a6684dfffc8ff90de138e4

SHA1
be3d82792e88924b361960db36ed5bfb285636f2

SHA256
1e166a6ca1c8aee76b1ad58ddf250318308065bc3c9ebecc5b8d17b2addd13d0

SHA512
b8e345f7f5111f964b86d2beeae566c9250ff77b44847b3ef9bad14f2d6dff4de7aaf38b1cc11f2cea3c66edd52c10f5cfc2b5cb8ad7312ff8ee20f0f2c37ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i00496059.exe

Filesize
363KB

MD5
0874597a85a6684dfffc8ff90de138e4

SHA1
be3d82792e88924b361960db36ed5bfb285636f2

SHA256
1e166a6ca1c8aee76b1ad58ddf250318308065bc3c9ebecc5b8d17b2addd13d0

SHA512
b8e345f7f5111f964b86d2beeae566c9250ff77b44847b3ef9bad14f2d6dff4de7aaf38b1cc11f2cea3c66edd52c10f5cfc2b5cb8ad7312ff8ee20f0f2c37ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20459365.exe

Filesize
170KB

MD5
74573d16bee67c7f52c761003d016dfd

SHA1
7e758ca568e6e047a475c2460eeb11e3355e8458

SHA256
96da327c09948e9909243c13bd1ea40de2f82378b3c89797639a3a52f77ab5ad

SHA512
1f2628692d38e7e2ae41602e40ac5faa84369928466981e68bedcaa0ee34a6dcffab94e6a92230c47a7a41ec77cf70d9faccd8e05c0128c27e0b185e725d4b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a20459365.exe

Filesize
170KB

MD5
74573d16bee67c7f52c761003d016dfd

SHA1
7e758ca568e6e047a475c2460eeb11e3355e8458

SHA256
96da327c09948e9909243c13bd1ea40de2f82378b3c89797639a3a52f77ab5ad

SHA512
1f2628692d38e7e2ae41602e40ac5faa84369928466981e68bedcaa0ee34a6dcffab94e6a92230c47a7a41ec77cf70d9faccd8e05c0128c27e0b185e725d4b27

Download Submit
memory/2680-168-0x0000000000990000-0x00000000009C0000-memory.dmp

Filesize
192KB

Download
memory/2680-169-0x000000000ADB0000-0x000000000B3C8000-memory.dmp

Filesize
6.1MB

Download
memory/2680-170-0x000000000A910000-0x000000000AA1A000-memory.dmp

Filesize
1.0MB

Download
memory/2680-171-0x000000000A840000-0x000000000A852000-memory.dmp

Filesize
72KB

Download
memory/2680-172-0x000000000A8A0000-0x000000000A8DC000-memory.dmp

Filesize
240KB

Download
memory/2680-173-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2680-174-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download