redline | 9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
Size

1.5MB
MD5

3db91fe92a84431d50f05a683476924e
SHA1

2422d232d17ae36c372eade0cd8c2eb7660db6bd
SHA256

9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479
SHA512

817e40559190a1dbeb27d723593c345cfb798cb6e2cb5d16eb03c6dfbf3ed77840e29314d8687a7dfe1b8a675fec0ea87974e518291002aa681997c8ae80b3b9
SSDEEP

24576:/ywwKtM+h9o9iZwbkQN7MdFHBULets2t5686TEY11aiQ+BoK9o/8n4yJDPYFp:KwwV+hug2kQCdFHBgeChQG19BJ9o64yK

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2004-169-0x0000000005DE0000-0x00000000063F8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1480	i51586027.exe
4680	i93222704.exe
1400	i36802728.exe
2056	i83708562.exe
2004	a09079283.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93222704.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i36802728.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i83708562.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i51586027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i51586027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i93222704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i36802728.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i83708562.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1480	3524	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	84
PID 3524 wrote to memory of 1480	3524	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	84
PID 3524 wrote to memory of 1480	3524	9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe	84
PID 1480 wrote to memory of 4680	1480	i51586027.exe	85
PID 1480 wrote to memory of 4680	1480	i51586027.exe	85
PID 1480 wrote to memory of 4680	1480	i51586027.exe	85
PID 4680 wrote to memory of 1400	4680	i93222704.exe	86
PID 4680 wrote to memory of 1400	4680	i93222704.exe	86
PID 4680 wrote to memory of 1400	4680	i93222704.exe	86
PID 1400 wrote to memory of 2056	1400	i36802728.exe	87
PID 1400 wrote to memory of 2056	1400	i36802728.exe	87
PID 1400 wrote to memory of 2056	1400	i36802728.exe	87
PID 2056 wrote to memory of 2004	2056	i83708562.exe	88
PID 2056 wrote to memory of 2004	2056	i83708562.exe	88
PID 2056 wrote to memory of 2004	2056	i83708562.exe	88

C:\Users\Admin\AppData\Local\Temp\9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe
"C:\Users\Admin\AppData\Local\Temp\9e5423d5a22997091e63297a8975fc23157e1f1556b44f5bc0f83c624eb3a479.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe
        6⤵
        Executes dropped EXE
        
        PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe

Filesize
1.3MB

MD5
92ff1faca59d0c2c5b7047c4bd9a6149

SHA1
0f9647c842c8d55857ddc629c838a808dd7943ae

SHA256
b6d046cce3920274be2274468d092b926536175a1b9605900f7535004951093f

SHA512
15620178bdac9d7ba4564772e2a93b8495c8ed54d951983fd3b65471c87f1fdfb041f7bb0477298812e5bcad7bb4f9cdb31615b414f66748223c2bbafd4ec472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51586027.exe

Filesize
1.3MB

MD5
92ff1faca59d0c2c5b7047c4bd9a6149

SHA1
0f9647c842c8d55857ddc629c838a808dd7943ae

SHA256
b6d046cce3920274be2274468d092b926536175a1b9605900f7535004951093f

SHA512
15620178bdac9d7ba4564772e2a93b8495c8ed54d951983fd3b65471c87f1fdfb041f7bb0477298812e5bcad7bb4f9cdb31615b414f66748223c2bbafd4ec472

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe

Filesize
1015KB

MD5
6898c2c23a64f1df58669b0d82b489a4

SHA1
0546eeeb56584a009146f6bba5212647f398ee7d

SHA256
85d6d197a0783739124b48ce9657059ebb9bda5a4955f2eb4ea081a8d02de66d

SHA512
ea5881f1c6e664b60df241a8f9223cfdf213b030f705bf843916db07396692cb5de1758d748a2db1f70771b679c7c36906bf1db0615cd9bf19c9d4fea1751b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i93222704.exe

Filesize
1015KB

MD5
6898c2c23a64f1df58669b0d82b489a4

SHA1
0546eeeb56584a009146f6bba5212647f398ee7d

SHA256
85d6d197a0783739124b48ce9657059ebb9bda5a4955f2eb4ea081a8d02de66d

SHA512
ea5881f1c6e664b60df241a8f9223cfdf213b030f705bf843916db07396692cb5de1758d748a2db1f70771b679c7c36906bf1db0615cd9bf19c9d4fea1751b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe

Filesize
843KB

MD5
74e1865e51b7489b783dfe27a934ec86

SHA1
4f7d83de413453c4b10fa28dc46a941b3aa1a253

SHA256
b2cebed7e13489f590d5157a5c9e0ccd297b2f2737828a157a928415bff18ebb

SHA512
a8110077a3bb9e03e9a15bd9dc141a259569432c38918ea8eeab7b3516d75eb96927cfd39ad1fbfe01df65cb9dec01fa232fc403e08a8a8f426e5938343e1364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i36802728.exe

Filesize
843KB

MD5
74e1865e51b7489b783dfe27a934ec86

SHA1
4f7d83de413453c4b10fa28dc46a941b3aa1a253

SHA256
b2cebed7e13489f590d5157a5c9e0ccd297b2f2737828a157a928415bff18ebb

SHA512
a8110077a3bb9e03e9a15bd9dc141a259569432c38918ea8eeab7b3516d75eb96927cfd39ad1fbfe01df65cb9dec01fa232fc403e08a8a8f426e5938343e1364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe

Filesize
371KB

MD5
d404ab9472cf2c42dfae5d00cd35c51d

SHA1
9d1eafd7fb04288a2626d847f39c4376b4e9e4cc

SHA256
ecf2f2baaec3b7e542bdc0b59f713378c3d0a5b256b5f2e0ab121bd141fa0814

SHA512
064a01671880f2607b5da4ffe7a105b16b7d183b99f0273213a87eb550c9f94dc69266b85e634e278a320cd6b6a6790f483d3b2a027a9ba3434ba0451a8dbfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i83708562.exe

Filesize
371KB

MD5
d404ab9472cf2c42dfae5d00cd35c51d

SHA1
9d1eafd7fb04288a2626d847f39c4376b4e9e4cc

SHA256
ecf2f2baaec3b7e542bdc0b59f713378c3d0a5b256b5f2e0ab121bd141fa0814

SHA512
064a01671880f2607b5da4ffe7a105b16b7d183b99f0273213a87eb550c9f94dc69266b85e634e278a320cd6b6a6790f483d3b2a027a9ba3434ba0451a8dbfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe

Filesize
169KB

MD5
38dcb8b35fb471a9c3e6922ba0cd2508

SHA1
64b987bae828dbae078382687613f93444c936fc

SHA256
c40ba34c44a29d88b5362200495d1bbd5fa4a520c0676ea11b06388c950f9488

SHA512
e26968136f83ae8a922e676e4fe6f0741174843bff4a796a4fa5c5b26cb3a1d1abc385ac0f8ebb8129e33b28cb2fad1e31bb234af32db0367d8bfb4f4c868dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09079283.exe

Filesize
169KB

MD5
38dcb8b35fb471a9c3e6922ba0cd2508

SHA1
64b987bae828dbae078382687613f93444c936fc

SHA256
c40ba34c44a29d88b5362200495d1bbd5fa4a520c0676ea11b06388c950f9488

SHA512
e26968136f83ae8a922e676e4fe6f0741174843bff4a796a4fa5c5b26cb3a1d1abc385ac0f8ebb8129e33b28cb2fad1e31bb234af32db0367d8bfb4f4c868dcd

Download Submit
memory/2004-168-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/2004-169-0x0000000005DE0000-0x00000000063F8000-memory.dmp

Filesize
6.1MB

Download
memory/2004-170-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/2004-171-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/2004-172-0x0000000005850000-0x000000000588C000-memory.dmp

Filesize
240KB

Download
memory/2004-173-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/2004-174-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download