redline | c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c

Analysis

max time kernel
135s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe
Size

1.2MB
MD5

1834f313a286065667d76c9de1a69b41
SHA1

0a9a942965eb9ffa45b73513fdf5b93b2ff53e27
SHA256

c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c
SHA512

8b273fce4db10ffb9523753689cabf6ca0e17095c32c024205d3d8f56ffb9da10402341d28aa436d466726cf7bc52c159de82bcfe9d13ec205e787e0dff2723b
SSDEEP

24576:vyA1nnwYE4v/+Swxelb1NncDLPKUcx/YyLU5cOyQRfMuOmvUyj11:6gnnwp5gNncDLSXAqich6kuOs

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3772-2331-0x00000000053C0000-0x00000000059D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s75780694.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s75780694.exe

Executes dropped EXE 6 IoCs

Processes:

z64254853.exez39823445.exez82619506.exes75780694.exe1.exet89059745.exe

pid process

3984 z64254853.exe
4344 z39823445.exe
1072 z82619506.exe
976 s75780694.exe
3772 1.exe
2756 t89059745.exe

pid	process
3984	z64254853.exe
4344	z39823445.exe
1072	z82619506.exe
976	s75780694.exe
3772	1.exe
2756	t89059745.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z64254853.exez39823445.exez82619506.exec48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z64254853.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z64254853.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z39823445.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z39823445.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z82619506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z82619506.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4524 976 WerFault.exe s75780694.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s75780694.exe

description pid process

Token: SeDebugPrivilege 976 s75780694.exe

pid	pid_target	process	target process
4524	976	WerFault.exe	s75780694.exe

description	pid	process
Token: SeDebugPrivilege	976	s75780694.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exez64254853.exez39823445.exez82619506.exes75780694.exe

description	pid	process	target process
PID 4884 wrote to memory of 3984	4884	c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe	z64254853.exe
PID 4884 wrote to memory of 3984	4884	c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe	z64254853.exe
PID 4884 wrote to memory of 3984	4884	c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe	z64254853.exe
PID 3984 wrote to memory of 4344	3984	z64254853.exe	z39823445.exe
PID 3984 wrote to memory of 4344	3984	z64254853.exe	z39823445.exe
PID 3984 wrote to memory of 4344	3984	z64254853.exe	z39823445.exe
PID 4344 wrote to memory of 1072	4344	z39823445.exe	z82619506.exe
PID 4344 wrote to memory of 1072	4344	z39823445.exe	z82619506.exe
PID 4344 wrote to memory of 1072	4344	z39823445.exe	z82619506.exe
PID 1072 wrote to memory of 976	1072	z82619506.exe	s75780694.exe
PID 1072 wrote to memory of 976	1072	z82619506.exe	s75780694.exe
PID 1072 wrote to memory of 976	1072	z82619506.exe	s75780694.exe
PID 976 wrote to memory of 3772	976	s75780694.exe	1.exe
PID 976 wrote to memory of 3772	976	s75780694.exe	1.exe
PID 976 wrote to memory of 3772	976	s75780694.exe	1.exe
PID 1072 wrote to memory of 2756	1072	z82619506.exe	t89059745.exe
PID 1072 wrote to memory of 2756	1072	z82619506.exe	t89059745.exe
PID 1072 wrote to memory of 2756	1072	z82619506.exe	t89059745.exe

C:\Users\Admin\AppData\Local\Temp\c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe
"C:\Users\Admin\AppData\Local\Temp\c48e4dbf21f94d03920891481baec3249e8d7fd7cbdfd63b120263550905963c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64254853.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64254853.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39823445.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39823445.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82619506.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82619506.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s75780694.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s75780694.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1384
6⤵
- Program crash
PID:4524

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t89059745.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t89059745.exe
5⤵
- Executes dropped EXE
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 976 -ip 976
1⤵
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64254853.exe
Filesize
1.0MB

MD5
24d1443d9561a85399c66482ff190968

SHA1
a975b7a3d111030bdba2071bf1c2463682b72b34

SHA256
4c0942608cb854b33d06914d1bfe4a27a1c5c6c9bf50a29207d51242d02ccd30

SHA512
aeb1e4e1b59f1411930d6d83400feeefe18b3730822a2105709e74fc9d5fc9e9eaa8667a21967aed820b7867a0f701557a16072dead49c77ae60b7dd78d2814a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z64254853.exe
Filesize
1.0MB

MD5
24d1443d9561a85399c66482ff190968

SHA1
a975b7a3d111030bdba2071bf1c2463682b72b34

SHA256
4c0942608cb854b33d06914d1bfe4a27a1c5c6c9bf50a29207d51242d02ccd30

SHA512
aeb1e4e1b59f1411930d6d83400feeefe18b3730822a2105709e74fc9d5fc9e9eaa8667a21967aed820b7867a0f701557a16072dead49c77ae60b7dd78d2814a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39823445.exe
Filesize
759KB

MD5
26954866eb5d05977b983ac5d89a2138

SHA1
c424c468f98a8e9ff10606a139c22ef012340409

SHA256
2f70c9648b7920ccb9c13eb1896d3d67b1bc2be321ae880f5109d86f3eef7103

SHA512
082626942a743e1baa47e83524635ea7ec269dd81040369f9e0d4a8564d02fda6e382c744e6c132aa14c24191c3aaa32d35a13ce1a6e3a03b9b39569ba0e9b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z39823445.exe
Filesize
759KB

MD5
26954866eb5d05977b983ac5d89a2138

SHA1
c424c468f98a8e9ff10606a139c22ef012340409

SHA256
2f70c9648b7920ccb9c13eb1896d3d67b1bc2be321ae880f5109d86f3eef7103

SHA512
082626942a743e1baa47e83524635ea7ec269dd81040369f9e0d4a8564d02fda6e382c744e6c132aa14c24191c3aaa32d35a13ce1a6e3a03b9b39569ba0e9b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82619506.exe
Filesize
577KB

MD5
0bf1ebfcd0d2f1fcd2e27238284139a0

SHA1
5db0e716e5691db2d033e6937852b8fcf7dff402

SHA256
491a13cd80745ca3f3a4d05094cfdd94bc699ba747c2adebd282365e34ce5653

SHA512
bb326a07f5c63828256c5ac444d56a3d4f73b496c1a69f44ee2703612787044478a7c431a34375282e19e8ab1a106cecab7781ff46a93048be0cb62e53e07fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82619506.exe
Filesize
577KB

MD5
0bf1ebfcd0d2f1fcd2e27238284139a0

SHA1
5db0e716e5691db2d033e6937852b8fcf7dff402

SHA256
491a13cd80745ca3f3a4d05094cfdd94bc699ba747c2adebd282365e34ce5653

SHA512
bb326a07f5c63828256c5ac444d56a3d4f73b496c1a69f44ee2703612787044478a7c431a34375282e19e8ab1a106cecab7781ff46a93048be0cb62e53e07fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s75780694.exe
Filesize
574KB

MD5
49fc36603b1d20061e623ad59c097a35

SHA1
1585c143b229fe5e73950ba46c4c922abe7edeaa

SHA256
47866656d4de7659be5e1b0e565e876bce883879a906b82c1545f195b38aa328

SHA512
889a63737f383b7b830191ee45610086d6cf01bd6d8e29e466ccefdbff4e46084cbe17bd4d36bae8365ed2dcc5cf9dc8e2469e015db099450aee85571076f7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s75780694.exe
Filesize
574KB

MD5
49fc36603b1d20061e623ad59c097a35

SHA1
1585c143b229fe5e73950ba46c4c922abe7edeaa

SHA256
47866656d4de7659be5e1b0e565e876bce883879a906b82c1545f195b38aa328

SHA512
889a63737f383b7b830191ee45610086d6cf01bd6d8e29e466ccefdbff4e46084cbe17bd4d36bae8365ed2dcc5cf9dc8e2469e015db099450aee85571076f7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t89059745.exe
Filesize
169KB

MD5
840056702534617e8f93b522104ceb91

SHA1
48e27a6b3196276076e3aeebebbc7f0112a046b9

SHA256
0afbbc6fb60a9a398fac7f4e3c39227a55ef57a5beb2b05a27b2f4af7277c2b0

SHA512
12f29f4d11e29c7ec97b2f3a5fa41a7bc0cffc615414ce6029cfec830eb8aaf82e7938433bd6958021181420b69562c6273ed7fb98d62aba44236d4734ce8749

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t89059745.exe
Filesize
169KB

MD5
840056702534617e8f93b522104ceb91

SHA1
48e27a6b3196276076e3aeebebbc7f0112a046b9

SHA256
0afbbc6fb60a9a398fac7f4e3c39227a55ef57a5beb2b05a27b2f4af7277c2b0

SHA512
12f29f4d11e29c7ec97b2f3a5fa41a7bc0cffc615414ce6029cfec830eb8aaf82e7938433bd6958021181420b69562c6273ed7fb98d62aba44236d4734ce8749

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/976-194-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-206-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-164-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-165-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-167-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-169-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-171-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-173-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-175-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-177-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-179-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-181-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-183-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-185-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-188-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-187-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/976-189-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/976-192-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-191-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/976-162-0x0000000000980000-0x00000000009DB000-memory.dmp

Filesize
364KB

Download
memory/976-196-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-198-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-200-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-202-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-204-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-163-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/976-208-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-210-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-212-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-214-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-216-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-220-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-222-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-224-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-228-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-226-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-230-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/976-2313-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/976-2314-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/976-2316-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/976-2318-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2756-2339-0x0000000000540000-0x000000000056E000-memory.dmp

Filesize
184KB

Download
memory/2756-2341-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2756-2343-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3772-2330-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/3772-2331-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/3772-2332-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/3772-2333-0x0000000004D20000-0x0000000004D32000-memory.dmp

Filesize
72KB

Download
memory/3772-2334-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

Filesize
240KB

Download
memory/3772-2340-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3772-2342-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download