redline | a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281

Analysis

max time kernel
165s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe
Size

1.5MB
MD5

d42d8f7dc72626c7b9f5155186011f52
SHA1

89ea28299983b57a1e113eb67e0fb82d02078516
SHA256

a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281
SHA512

f9d9a28bf1700c5e7056936c57a39b8dcddc41c019104203442e985ddb92a70fee7f8e7e2732cb8c67459ba530ef54b484c04518f0d562fc40e8b0b748354a11
SSDEEP

24576:uyQeTGPU6HMF5y824JDlvPgg2a3NWRvUKFH4JwNHkFqPFea6HeSPyAWDRmb9O:9QAGPU0MTyt4JDlH+a9cvPFH4iNHIKFM

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4128-169-0x000000000AE80000-0x000000000B498000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
428	i66179928.exe
3880	i82805676.exe
1872	i64971805.exe
5048	i66799969.exe
4128	a09353419.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i82805676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i64971805.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i66799969.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i66179928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i66179928.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i82805676.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i64971805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i66799969.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 428	448	a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe	83
PID 448 wrote to memory of 428	448	a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe	83
PID 448 wrote to memory of 428	448	a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe	83
PID 428 wrote to memory of 3880	428	i66179928.exe	84
PID 428 wrote to memory of 3880	428	i66179928.exe	84
PID 428 wrote to memory of 3880	428	i66179928.exe	84
PID 3880 wrote to memory of 1872	3880	i82805676.exe	85
PID 3880 wrote to memory of 1872	3880	i82805676.exe	85
PID 3880 wrote to memory of 1872	3880	i82805676.exe	85
PID 1872 wrote to memory of 5048	1872	i64971805.exe	86
PID 1872 wrote to memory of 5048	1872	i64971805.exe	86
PID 1872 wrote to memory of 5048	1872	i64971805.exe	86
PID 5048 wrote to memory of 4128	5048	i66799969.exe	87
PID 5048 wrote to memory of 4128	5048	i66799969.exe	87
PID 5048 wrote to memory of 4128	5048	i66799969.exe	87

C:\Users\Admin\AppData\Local\Temp\a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe
"C:\Users\Admin\AppData\Local\Temp\a9bbefc570671766ef0264122052058ad93b4f444218d54e2c5d7d0806b7c281.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66179928.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66179928.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i82805676.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i82805676.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64971805.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64971805.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66799969.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66799969.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09353419.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09353419.exe
        6⤵
        Executes dropped EXE
        
        PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66179928.exe

Filesize
1.3MB

MD5
60b28e80014374d64a8b1f600ffc86c7

SHA1
77651f84499879e929e5f1d0e4fc43c61e4f0feb

SHA256
139c62b54ea2fddfcc6611dac15ec35a4bbe851347119e579a1bcf7643d7a043

SHA512
7f3863b0c7960a130bc54b1f6cdc07fa01ab78a5d44a9a96d02a9a69daef9b4859e6c3ff193bce1cce27eb125f3af5826b4426e7894130929adb98e289814953

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i66179928.exe

Filesize
1.3MB

MD5
60b28e80014374d64a8b1f600ffc86c7

SHA1
77651f84499879e929e5f1d0e4fc43c61e4f0feb

SHA256
139c62b54ea2fddfcc6611dac15ec35a4bbe851347119e579a1bcf7643d7a043

SHA512
7f3863b0c7960a130bc54b1f6cdc07fa01ab78a5d44a9a96d02a9a69daef9b4859e6c3ff193bce1cce27eb125f3af5826b4426e7894130929adb98e289814953

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i82805676.exe

Filesize
1014KB

MD5
0f5a4ccc2c86759f1ebadb589fd640d6

SHA1
25dbcfa0ca14946779fbf21cbd476d9b30841d4e

SHA256
b598b6a159d4834170c7759c9bc61029ee27b54f28a2d796d12222c1379f9914

SHA512
0c8a6b3f215c052a14b26ff8bb462a28e6e2a80261c9bbaad266d7d0349d0aba860ae79995b4f560fb625365d3ad17c8c1f70be43620eb78467d7f563af7a9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i82805676.exe

Filesize
1014KB

MD5
0f5a4ccc2c86759f1ebadb589fd640d6

SHA1
25dbcfa0ca14946779fbf21cbd476d9b30841d4e

SHA256
b598b6a159d4834170c7759c9bc61029ee27b54f28a2d796d12222c1379f9914

SHA512
0c8a6b3f215c052a14b26ff8bb462a28e6e2a80261c9bbaad266d7d0349d0aba860ae79995b4f560fb625365d3ad17c8c1f70be43620eb78467d7f563af7a9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64971805.exe

Filesize
842KB

MD5
b7c880939b40e86b90782ee60f6a6808

SHA1
9f909eae093f9b1c5996dfea8dcc6da50ba8aaa2

SHA256
de801cbcfd353bb3f5c6553a5e51d75938501578599fe9c5aacc2e54ed34007a

SHA512
9fc8f1690a685a5d95c8ddaf7b2487ca78456eef7cfef80b04aaf069382d5b8e50ae43189f3f6059d48db05b664ff50e6af1a6a2c9d137f1d6f25c9d15ebecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64971805.exe

Filesize
842KB

MD5
b7c880939b40e86b90782ee60f6a6808

SHA1
9f909eae093f9b1c5996dfea8dcc6da50ba8aaa2

SHA256
de801cbcfd353bb3f5c6553a5e51d75938501578599fe9c5aacc2e54ed34007a

SHA512
9fc8f1690a685a5d95c8ddaf7b2487ca78456eef7cfef80b04aaf069382d5b8e50ae43189f3f6059d48db05b664ff50e6af1a6a2c9d137f1d6f25c9d15ebecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66799969.exe

Filesize
370KB

MD5
76b1da333b59597e425251fb48882e40

SHA1
e00fe7c7c2dddf887b2e8b5abbeae1474b9179c5

SHA256
dfe6b99419d337bcc5ba69c1857d10e528df084d63ed8af10e19acc9292b7973

SHA512
7d971d364b3c999a4f70c67bd3f8e6360b8f61100ccdabfd361fcf56b81cbe674b3c92c3b44c9b247f6a5dc4478684ed5a89f186889eec4c5634b2dfff52cb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66799969.exe

Filesize
370KB

MD5
76b1da333b59597e425251fb48882e40

SHA1
e00fe7c7c2dddf887b2e8b5abbeae1474b9179c5

SHA256
dfe6b99419d337bcc5ba69c1857d10e528df084d63ed8af10e19acc9292b7973

SHA512
7d971d364b3c999a4f70c67bd3f8e6360b8f61100ccdabfd361fcf56b81cbe674b3c92c3b44c9b247f6a5dc4478684ed5a89f186889eec4c5634b2dfff52cb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09353419.exe

Filesize
169KB

MD5
504ef8fde21d9ff331661cba0ad928f0

SHA1
975cd2a47b9b498ec57504c606cdf3600486d911

SHA256
2994644612e5f9a76ac0bc31ddae8fb62219633b600c949f4a8410ef08a6d245

SHA512
f29d01ba7ebd9de0c191e3dc70d8e09bcf46bfd2e0970d85fd0c1f9fa6fe60a65920f64c8b87df410b09cd2da908b25cee68ff08723a1bddcad9dc0a7173c10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a09353419.exe

Filesize
169KB

MD5
504ef8fde21d9ff331661cba0ad928f0

SHA1
975cd2a47b9b498ec57504c606cdf3600486d911

SHA256
2994644612e5f9a76ac0bc31ddae8fb62219633b600c949f4a8410ef08a6d245

SHA512
f29d01ba7ebd9de0c191e3dc70d8e09bcf46bfd2e0970d85fd0c1f9fa6fe60a65920f64c8b87df410b09cd2da908b25cee68ff08723a1bddcad9dc0a7173c10a

Download Submit
memory/4128-168-0x00000000009D0000-0x0000000000A00000-memory.dmp

Filesize
192KB

Download
memory/4128-169-0x000000000AE80000-0x000000000B498000-memory.dmp

Filesize
6.1MB

Download
memory/4128-170-0x000000000A970000-0x000000000AA7A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-171-0x000000000A880000-0x000000000A892000-memory.dmp

Filesize
72KB

Download
memory/4128-172-0x000000000A8E0000-0x000000000A91C000-memory.dmp

Filesize
240KB

Download
memory/4128-173-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/4128-174-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download