redline | a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe
Size

1.5MB
MD5

5786f8c92a6d7d4f32809152fc022605
SHA1

36de3ffa3fbf932a8b412726e049ac9cbd82cb29
SHA256

a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343
SHA512

1a9222edfe2077ad59992fc4775895d3a98bb6e2ac86645b428d8463b8d85db3083c67c1a3fd19bec8f05bc373a31f7949400315af0686c9522b944b30b3d171
SSDEEP

24576:iykOa284IijsbgcikGN9bJ1w9zAj+ciYRsGL+fDQkFNKBMT4qQn2qckR+DD4CfR:J/aH49jsbVs/GrmTKLQkLSMT2n2qjR+5

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4124-169-0x000000000A7C0000-0x000000000ADD8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3584	i32835088.exe
3752	i95486578.exe
4628	i28073277.exe
1468	i61756428.exe
4124	a03346381.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i32835088.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i95486578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i28073277.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i61756428.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i28073277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i61756428.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i32835088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i95486578.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3584	1924	a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe	82
PID 1924 wrote to memory of 3584	1924	a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe	82
PID 1924 wrote to memory of 3584	1924	a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe	82
PID 3584 wrote to memory of 3752	3584	i32835088.exe	83
PID 3584 wrote to memory of 3752	3584	i32835088.exe	83
PID 3584 wrote to memory of 3752	3584	i32835088.exe	83
PID 3752 wrote to memory of 4628	3752	i95486578.exe	84
PID 3752 wrote to memory of 4628	3752	i95486578.exe	84
PID 3752 wrote to memory of 4628	3752	i95486578.exe	84
PID 4628 wrote to memory of 1468	4628	i28073277.exe	85
PID 4628 wrote to memory of 1468	4628	i28073277.exe	85
PID 4628 wrote to memory of 1468	4628	i28073277.exe	85
PID 1468 wrote to memory of 4124	1468	i61756428.exe	86
PID 1468 wrote to memory of 4124	1468	i61756428.exe	86
PID 1468 wrote to memory of 4124	1468	i61756428.exe	86

C:\Users\Admin\AppData\Local\Temp\a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe
"C:\Users\Admin\AppData\Local\Temp\a714ae161319bab7c2b8fa0324e5d581ff2566ca47d6997de4ba99afff9f9343.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32835088.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32835088.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95486578.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95486578.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28073277.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28073277.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i61756428.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i61756428.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03346381.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03346381.exe
        6⤵
        Executes dropped EXE
        
        PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32835088.exe

Filesize
1.3MB

MD5
5bcf77c0980d038883c5fb184c170cb6

SHA1
f1829d2f4dc1480dae6475ad500f91f44c30fbd4

SHA256
d4eb480a5a1513c31f0fda8b3dbe5c27282697289ee98d712e9747fdf49ef38b

SHA512
12bd8cb4b529b63e8752706d5c8cb981188db9fe7f7d8d8111322486b99b4d08197a32c6d657e6105b77d9ffb70d901c177e36e42680f2a04c9c65cc10d65515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32835088.exe

Filesize
1.3MB

MD5
5bcf77c0980d038883c5fb184c170cb6

SHA1
f1829d2f4dc1480dae6475ad500f91f44c30fbd4

SHA256
d4eb480a5a1513c31f0fda8b3dbe5c27282697289ee98d712e9747fdf49ef38b

SHA512
12bd8cb4b529b63e8752706d5c8cb981188db9fe7f7d8d8111322486b99b4d08197a32c6d657e6105b77d9ffb70d901c177e36e42680f2a04c9c65cc10d65515

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95486578.exe

Filesize
1014KB

MD5
77ef1489466e80b47233347a8788fa2d

SHA1
6035401d9fe36bbd0c4f20ce337dcb5c09d23a07

SHA256
cd30f5ce4b60da55ba3de5d92923997d4dac918672c80765dbe6c46e41b17460

SHA512
854f5773186d38e4b32de4657edb3e541fcda2e2e380c45dbde8c9790001b9f4595209958d204fe3e283ddff0da6c90b9cae64253761b9bab8a9e296128a08e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95486578.exe

Filesize
1014KB

MD5
77ef1489466e80b47233347a8788fa2d

SHA1
6035401d9fe36bbd0c4f20ce337dcb5c09d23a07

SHA256
cd30f5ce4b60da55ba3de5d92923997d4dac918672c80765dbe6c46e41b17460

SHA512
854f5773186d38e4b32de4657edb3e541fcda2e2e380c45dbde8c9790001b9f4595209958d204fe3e283ddff0da6c90b9cae64253761b9bab8a9e296128a08e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28073277.exe

Filesize
843KB

MD5
bb757be0dbe563d5cc1d17e6452b0dc0

SHA1
d2fa08838f6795b73383f7c75e8d26ddc8d94e70

SHA256
39666f5ca49de43d948aa95b6e6a3ae26d579fdbc7e9adb1964d2ce03736db7e

SHA512
a042614955c3ee78787a1b17f621c58b8f77a779bc3f018033588ccde7939d56dd89fd146089dfcd81f45ec9838318efbeb58712052eb9688e403c0e258a1b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28073277.exe

Filesize
843KB

MD5
bb757be0dbe563d5cc1d17e6452b0dc0

SHA1
d2fa08838f6795b73383f7c75e8d26ddc8d94e70

SHA256
39666f5ca49de43d948aa95b6e6a3ae26d579fdbc7e9adb1964d2ce03736db7e

SHA512
a042614955c3ee78787a1b17f621c58b8f77a779bc3f018033588ccde7939d56dd89fd146089dfcd81f45ec9838318efbeb58712052eb9688e403c0e258a1b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i61756428.exe

Filesize
371KB

MD5
e9ccce1bddae5baf46fa72cac0a7fb9c

SHA1
f5a96332fff358b6c3b842d1ad7ac5ca10b1ace6

SHA256
a53decad989d60fde02694bdc5618ef8619c66bbeda8f215fc559c3165296605

SHA512
9345eab4ed0dd3845b4b18e74e42d3193ff8417fa7cbfd7caaba81bd4ba0ca75895ffbbef9a9a7efc731764839b088789d75022410202f9dfc1e41086db4e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i61756428.exe

Filesize
371KB

MD5
e9ccce1bddae5baf46fa72cac0a7fb9c

SHA1
f5a96332fff358b6c3b842d1ad7ac5ca10b1ace6

SHA256
a53decad989d60fde02694bdc5618ef8619c66bbeda8f215fc559c3165296605

SHA512
9345eab4ed0dd3845b4b18e74e42d3193ff8417fa7cbfd7caaba81bd4ba0ca75895ffbbef9a9a7efc731764839b088789d75022410202f9dfc1e41086db4e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03346381.exe

Filesize
169KB

MD5
5f0af4353146e0737531d8dd25f5d82d

SHA1
92edca4acaf7b982b128305e7dd7e4ccbee55f7b

SHA256
9313c3091f144b72da31529dc2fe7493981b244b4479eba9258ba1e584489b5d

SHA512
ed2dd653d9585d62bdde4809fe22912f9b01286a8a8a8d9fafafa850120bd4c353ce78eef236be7ccbfc78b93f7fd8a51a15df42dc39816805d54e6a0047b893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a03346381.exe

Filesize
169KB

MD5
5f0af4353146e0737531d8dd25f5d82d

SHA1
92edca4acaf7b982b128305e7dd7e4ccbee55f7b

SHA256
9313c3091f144b72da31529dc2fe7493981b244b4479eba9258ba1e584489b5d

SHA512
ed2dd653d9585d62bdde4809fe22912f9b01286a8a8a8d9fafafa850120bd4c353ce78eef236be7ccbfc78b93f7fd8a51a15df42dc39816805d54e6a0047b893

Download Submit
memory/4124-168-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/4124-169-0x000000000A7C0000-0x000000000ADD8000-memory.dmp

Filesize
6.1MB

Download
memory/4124-170-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/4124-171-0x000000000A250000-0x000000000A262000-memory.dmp

Filesize
72KB

Download
memory/4124-172-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/4124-173-0x000000000A2B0000-0x000000000A2EC000-memory.dmp

Filesize
240KB

Download
memory/4124-174-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download