redline | c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90

Analysis

max time kernel
148s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe
Size

1.2MB
MD5

049bef1fc4462ad39b94752f4b7bddb6
SHA1

5cc85884d54fa899b84493df251e6db9591c3042
SHA256

c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90
SHA512

024f28033a7827aceb843412abddee1f4353de4bbdafa2e9455732acaf0290057daf5c81acbb9b56c8ecbd3c4049ea7824e77521169ea3ebde27b9408d131d0d
SSDEEP

24576:kydVqhtSVsjDuKDpB1g5XZCBGAARrsiei22RBpc6FMVNDY2p+:zih6sfbvICR4z2rJp

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3740-2333-0x0000000005B70000-0x0000000006188000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s18283132.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s18283132.exe

Executes dropped EXE 6 IoCs

Processes:

z76804493.exez39002671.exez12290969.exes18283132.exe1.exet17222800.exe

pid process

2364 z76804493.exe
3716 z39002671.exe
4812 z12290969.exe
228 s18283132.exe
3740 1.exe
1920 t17222800.exe

pid	process
2364	z76804493.exe
3716	z39002671.exe
4812	z12290969.exe
228	s18283132.exe
3740	1.exe
1920	t17222800.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z39002671.exez12290969.exec3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exez76804493.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z39002671.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z12290969.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z12290969.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z76804493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z76804493.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z39002671.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 228 WerFault.exe s18283132.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s18283132.exe

description pid process

Token: SeDebugPrivilege 228 s18283132.exe

pid	pid_target	process	target process
3916	228	WerFault.exe	s18283132.exe

description	pid	process
Token: SeDebugPrivilege	228	s18283132.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exez76804493.exez39002671.exez12290969.exes18283132.exe

description	pid	process	target process
PID 1376 wrote to memory of 2364	1376	c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe	z76804493.exe
PID 1376 wrote to memory of 2364	1376	c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe	z76804493.exe
PID 1376 wrote to memory of 2364	1376	c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe	z76804493.exe
PID 2364 wrote to memory of 3716	2364	z76804493.exe	z39002671.exe
PID 2364 wrote to memory of 3716	2364	z76804493.exe	z39002671.exe
PID 2364 wrote to memory of 3716	2364	z76804493.exe	z39002671.exe
PID 3716 wrote to memory of 4812	3716	z39002671.exe	z12290969.exe
PID 3716 wrote to memory of 4812	3716	z39002671.exe	z12290969.exe
PID 3716 wrote to memory of 4812	3716	z39002671.exe	z12290969.exe
PID 4812 wrote to memory of 228	4812	z12290969.exe	s18283132.exe
PID 4812 wrote to memory of 228	4812	z12290969.exe	s18283132.exe
PID 4812 wrote to memory of 228	4812	z12290969.exe	s18283132.exe
PID 228 wrote to memory of 3740	228	s18283132.exe	1.exe
PID 228 wrote to memory of 3740	228	s18283132.exe	1.exe
PID 228 wrote to memory of 3740	228	s18283132.exe	1.exe
PID 4812 wrote to memory of 1920	4812	z12290969.exe	t17222800.exe
PID 4812 wrote to memory of 1920	4812	z12290969.exe	t17222800.exe
PID 4812 wrote to memory of 1920	4812	z12290969.exe	t17222800.exe

C:\Users\Admin\AppData\Local\Temp\c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe
"C:\Users\Admin\AppData\Local\Temp\c3e52ff29acfe7d1ddaecc5da10715c86672cc274c9ecbfe1fc1cba7d1fcaa90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z76804493.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z76804493.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39002671.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39002671.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z12290969.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z12290969.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s18283132.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s18283132.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1464
6⤵
- Program crash
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t17222800.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t17222800.exe
5⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 228 -ip 228
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z76804493.exe
Filesize
1.0MB

MD5
fbbb371c66cf381041cdce332cc3215c

SHA1
2ca6b720edc0430fcf9982a068e744bb5bfd0a11

SHA256
86a1576d931499bcc5322af391c7621b62ec0631cf74ec3dad3e1ecc441847ab

SHA512
5a90c78d32d1cede2493ea65e23ef196a3da3290bf0b788fd2e4970af1f9ef313d2a852509311df2427bec62b36c0584f0f1dce4ed5d93d894478e56b0d53a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z76804493.exe
Filesize
1.0MB

MD5
fbbb371c66cf381041cdce332cc3215c

SHA1
2ca6b720edc0430fcf9982a068e744bb5bfd0a11

SHA256
86a1576d931499bcc5322af391c7621b62ec0631cf74ec3dad3e1ecc441847ab

SHA512
5a90c78d32d1cede2493ea65e23ef196a3da3290bf0b788fd2e4970af1f9ef313d2a852509311df2427bec62b36c0584f0f1dce4ed5d93d894478e56b0d53a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39002671.exe
Filesize
760KB

MD5
83712540f6b50e802d1f2525b8be394f

SHA1
6df13a6a73d4f75d55c4629bd02a828297b61640

SHA256
74ba0765a7f718964bec0a4671f7576c675b815424786fe54b1cfad9247911b3

SHA512
3dd8cca538775ff5877b6ca0edee0358a5b7e6214093296b659b1639a67b7319733ba17fea73a9efda890f5f7f1a3488d543dd7b966a23b8b5bc81361526d257

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39002671.exe
Filesize
760KB

MD5
83712540f6b50e802d1f2525b8be394f

SHA1
6df13a6a73d4f75d55c4629bd02a828297b61640

SHA256
74ba0765a7f718964bec0a4671f7576c675b815424786fe54b1cfad9247911b3

SHA512
3dd8cca538775ff5877b6ca0edee0358a5b7e6214093296b659b1639a67b7319733ba17fea73a9efda890f5f7f1a3488d543dd7b966a23b8b5bc81361526d257

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z12290969.exe
Filesize
577KB

MD5
20ad85068b596c621736a3525b384ef6

SHA1
8868e9e2d853aefe085d8f4ef5575c193736e151

SHA256
dae1f92b2265226b059050320eafb6c90640334246d7f8fa75c720a54e65b497

SHA512
c939055591622e44a38d2d078963067ae7cd295320dfa56904317d98ab66121857a97942d5955bb21fc79104310c9f7d900c0911d170d530b5ee026f0b9cc329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z12290969.exe
Filesize
577KB

MD5
20ad85068b596c621736a3525b384ef6

SHA1
8868e9e2d853aefe085d8f4ef5575c193736e151

SHA256
dae1f92b2265226b059050320eafb6c90640334246d7f8fa75c720a54e65b497

SHA512
c939055591622e44a38d2d078963067ae7cd295320dfa56904317d98ab66121857a97942d5955bb21fc79104310c9f7d900c0911d170d530b5ee026f0b9cc329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s18283132.exe
Filesize
502KB

MD5
d46c984f9f1bdb2d0dc299797c496c0d

SHA1
f1ed885161690c72e4e7e7e250238ecfa0632272

SHA256
99ed517120973269632aac2c2f10ae60d5427a42ca5784ca6fda4a0804da4739

SHA512
681b7c94664e3c1bc665dcc19af3fb6b6f75cc43717615604688264548cdb5137c290af5eccb45895e843aa7459704f646971bb0a0967837fe68f819c7b8d8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s18283132.exe
Filesize
502KB

MD5
d46c984f9f1bdb2d0dc299797c496c0d

SHA1
f1ed885161690c72e4e7e7e250238ecfa0632272

SHA256
99ed517120973269632aac2c2f10ae60d5427a42ca5784ca6fda4a0804da4739

SHA512
681b7c94664e3c1bc665dcc19af3fb6b6f75cc43717615604688264548cdb5137c290af5eccb45895e843aa7459704f646971bb0a0967837fe68f819c7b8d8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t17222800.exe
Filesize
169KB

MD5
4468e50cc0d8b3758a944020d0a157e1

SHA1
201dab6e9da777a47c8e14818dc3f3263a85a951

SHA256
433e9951af6c204489357573fec0d30b9834f6a57af681bc9d2551fd72c4c3f5

SHA512
50eb65cf30fdac0b59204aa33c2c8d57c5ece27cb18c3f983b54815db4747190bd5b26c8b095a04bee5cbbc95bc58a4d964128d7f1c9ee042c7b3f2dceb5f24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t17222800.exe
Filesize
169KB

MD5
4468e50cc0d8b3758a944020d0a157e1

SHA1
201dab6e9da777a47c8e14818dc3f3263a85a951

SHA256
433e9951af6c204489357573fec0d30b9834f6a57af681bc9d2551fd72c4c3f5

SHA512
50eb65cf30fdac0b59204aa33c2c8d57c5ece27cb18c3f983b54815db4747190bd5b26c8b095a04bee5cbbc95bc58a4d964128d7f1c9ee042c7b3f2dceb5f24b

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/228-192-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-210-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-164-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-165-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-166-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-167-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-168-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-170-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-172-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-174-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-176-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-178-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-180-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-184-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-182-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-186-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-188-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-190-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-194-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-162-0x0000000000900000-0x000000000095B000-memory.dmp

Filesize
364KB

Download
memory/228-196-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-198-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-200-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-202-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-204-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-206-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-208-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-163-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/228-212-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-214-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-216-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-218-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-220-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-222-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-224-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-226-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-228-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-230-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/228-2316-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-2323-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-2324-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-2325-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/228-2327-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/1920-2342-0x0000000000650000-0x000000000067E000-memory.dmp

Filesize
184KB

Download
memory/1920-2343-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1920-2345-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/3740-2332-0x0000000000C20000-0x0000000000C4E000-memory.dmp

Filesize
184KB

Download
memory/3740-2333-0x0000000005B70000-0x0000000006188000-memory.dmp

Filesize
6.1MB

Download
memory/3740-2334-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/3740-2335-0x0000000005570000-0x0000000005582000-memory.dmp

Filesize
72KB

Download
memory/3740-2336-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/3740-2337-0x00000000055D0000-0x000000000560C000-memory.dmp

Filesize
240KB

Download
memory/3740-2344-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download