redline | a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9

Analysis

max time kernel
133s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe
Size

1.2MB
MD5

909b83401e5f0c0bb21e929ba608d830
SHA1

2c2ccb0414d80e35716d91b3d8523ed9b83c755f
SHA256

a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9
SHA512

8d86850b3e8045037a83a6f6f66dbfb852830e8a1039b31485a51b6e51b76c2faaf5dc8a9a08445410eb8e2161d05b4018d41b4914bbc3c91d198ae303d4f5c2
SSDEEP

24576:Cy5NfhuiaMZF02b7Hv4pT49KjVG/QhemYqgcRogJ5RfzekEFXlw:pm40M7Axdso0Fqg0o4Tezj

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/1344-2331-0x0000000005B60000-0x0000000006178000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s47972195.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s47972195.exe

Executes dropped EXE 6 IoCs

Processes:

z43717420.exez71111320.exez10003077.exes47972195.exe1.exet84352872.exe

pid process

3204 z43717420.exe
2116 z71111320.exe
224 z10003077.exe
3952 s47972195.exe
1344 1.exe
1064 t84352872.exe

pid	process
3204	z43717420.exe
2116	z71111320.exe
224	z10003077.exe
3952	s47972195.exe
1344	1.exe
1064	t84352872.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z71111320.exez10003077.exea9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exez43717420.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z71111320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z71111320.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z10003077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z10003077.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z43717420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z43717420.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4264 3952 WerFault.exe s47972195.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s47972195.exe

description pid process

Token: SeDebugPrivilege 3952 s47972195.exe

pid	pid_target	process	target process
4264	3952	WerFault.exe	s47972195.exe

description	pid	process
Token: SeDebugPrivilege	3952	s47972195.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exez43717420.exez71111320.exez10003077.exes47972195.exe

description	pid	process	target process
PID 3624 wrote to memory of 3204	3624	a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe	z43717420.exe
PID 3624 wrote to memory of 3204	3624	a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe	z43717420.exe
PID 3624 wrote to memory of 3204	3624	a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe	z43717420.exe
PID 3204 wrote to memory of 2116	3204	z43717420.exe	z71111320.exe
PID 3204 wrote to memory of 2116	3204	z43717420.exe	z71111320.exe
PID 3204 wrote to memory of 2116	3204	z43717420.exe	z71111320.exe
PID 2116 wrote to memory of 224	2116	z71111320.exe	z10003077.exe
PID 2116 wrote to memory of 224	2116	z71111320.exe	z10003077.exe
PID 2116 wrote to memory of 224	2116	z71111320.exe	z10003077.exe
PID 224 wrote to memory of 3952	224	z10003077.exe	s47972195.exe
PID 224 wrote to memory of 3952	224	z10003077.exe	s47972195.exe
PID 224 wrote to memory of 3952	224	z10003077.exe	s47972195.exe
PID 3952 wrote to memory of 1344	3952	s47972195.exe	1.exe
PID 3952 wrote to memory of 1344	3952	s47972195.exe	1.exe
PID 3952 wrote to memory of 1344	3952	s47972195.exe	1.exe
PID 224 wrote to memory of 1064	224	z10003077.exe	t84352872.exe
PID 224 wrote to memory of 1064	224	z10003077.exe	t84352872.exe
PID 224 wrote to memory of 1064	224	z10003077.exe	t84352872.exe

C:\Users\Admin\AppData\Local\Temp\a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe
"C:\Users\Admin\AppData\Local\Temp\a9a47dde2478a5c1e5f73617b08429c185670f8c44e2194c784a2495a99a40e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z43717420.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z43717420.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71111320.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71111320.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z10003077.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z10003077.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47972195.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47972195.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:1344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1376
        6⤵
        Program crash
        
        PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t84352872.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t84352872.exe
        5⤵
        Executes dropped EXE
        
        PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3952 -ip 3952
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z43717420.exe

Filesize
1.0MB

MD5
7789657f9d58adee0a9980e22fbd5cb6

SHA1
4fbeb3da09018f5171e24041ef7a0026ff839dd3

SHA256
7d9e8f57f354f7f0e5fd9855f494f58ef8bd66c9b71fc6014b176c33a7338fb7

SHA512
efbf76f9db481f87faedb7eaa0aaf61b72a0900a56cc59ddf129eb566feef039f1706451cc3184dd8bc6148df581f2f07b31f990f537270738b91ea0120233ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z43717420.exe

Filesize
1.0MB

MD5
7789657f9d58adee0a9980e22fbd5cb6

SHA1
4fbeb3da09018f5171e24041ef7a0026ff839dd3

SHA256
7d9e8f57f354f7f0e5fd9855f494f58ef8bd66c9b71fc6014b176c33a7338fb7

SHA512
efbf76f9db481f87faedb7eaa0aaf61b72a0900a56cc59ddf129eb566feef039f1706451cc3184dd8bc6148df581f2f07b31f990f537270738b91ea0120233ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71111320.exe

Filesize
759KB

MD5
21747ae23d8c0f691da743283f4787e0

SHA1
b644420f844cc2088d0ff33b3d59e08a1cf03b1f

SHA256
0d7d09faaba1fdcc1c8e5e9bef5c12e0ecaf0270664b3fa814c82d50e1729d57

SHA512
634b734b59d470f13994fa0172ccf6f30e7678f26468805e54b1244062d856a30deda94ce959f7d8148fca65d2f9120f694fc18e580b623b2894cc57303a58f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71111320.exe

Filesize
759KB

MD5
21747ae23d8c0f691da743283f4787e0

SHA1
b644420f844cc2088d0ff33b3d59e08a1cf03b1f

SHA256
0d7d09faaba1fdcc1c8e5e9bef5c12e0ecaf0270664b3fa814c82d50e1729d57

SHA512
634b734b59d470f13994fa0172ccf6f30e7678f26468805e54b1244062d856a30deda94ce959f7d8148fca65d2f9120f694fc18e580b623b2894cc57303a58f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z10003077.exe

Filesize
577KB

MD5
a8717dc72e1772e5de13395b4593e0f3

SHA1
e512801bcef986c7bebd111055946f1e66998ec4

SHA256
8125897122048ccc538d42cf36a3211d7df47e0db540d9557b60f0ee6346aefb

SHA512
1bba99c264725e24bdd2dc57f1c090ee4fb0ae5a7f62817915b1121c59a7e13770a8d0b56b19f003498766cdab49db151e6fb7e5e58c758ea139e73aa564262b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z10003077.exe

Filesize
577KB

MD5
a8717dc72e1772e5de13395b4593e0f3

SHA1
e512801bcef986c7bebd111055946f1e66998ec4

SHA256
8125897122048ccc538d42cf36a3211d7df47e0db540d9557b60f0ee6346aefb

SHA512
1bba99c264725e24bdd2dc57f1c090ee4fb0ae5a7f62817915b1121c59a7e13770a8d0b56b19f003498766cdab49db151e6fb7e5e58c758ea139e73aa564262b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47972195.exe

Filesize
574KB

MD5
91d6b5a91ddb55fb8e7469d24e397db1

SHA1
518df02e3fb16f074672b5f6c4390920757371c8

SHA256
a39322b9052dfec1ec859a8119e5fc03fab8e274318318c77bba73bd7cafd503

SHA512
90bdfb34a600944eef8a73fa70afd47bceb12e0776400c58bf0a9a7445c7ca5194caa858bb26944d2b1bfe26789e082c2873310693169a6cc72144e56583f5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47972195.exe

Filesize
574KB

MD5
91d6b5a91ddb55fb8e7469d24e397db1

SHA1
518df02e3fb16f074672b5f6c4390920757371c8

SHA256
a39322b9052dfec1ec859a8119e5fc03fab8e274318318c77bba73bd7cafd503

SHA512
90bdfb34a600944eef8a73fa70afd47bceb12e0776400c58bf0a9a7445c7ca5194caa858bb26944d2b1bfe26789e082c2873310693169a6cc72144e56583f5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t84352872.exe

Filesize
169KB

MD5
5b2bf9b18a8b4747ead9c2348384071d

SHA1
e58a71b964e9f83ef5c81adcb214ebab1dc5772b

SHA256
fd939956a425a1873bc7b8a4dbe05becf0fd556525a6b01b8b394fe50d47d932

SHA512
3486fbe2f92cb612889d507adc1a404062caf87bdd9ae1c9c09502d3189b3fbb9d68c4f3cb91d10242cb6e6ab939cfa8c16cb86c64cbe726b1b70a5bbcc2962a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t84352872.exe

Filesize
169KB

MD5
5b2bf9b18a8b4747ead9c2348384071d

SHA1
e58a71b964e9f83ef5c81adcb214ebab1dc5772b

SHA256
fd939956a425a1873bc7b8a4dbe05becf0fd556525a6b01b8b394fe50d47d932

SHA512
3486fbe2f92cb612889d507adc1a404062caf87bdd9ae1c9c09502d3189b3fbb9d68c4f3cb91d10242cb6e6ab939cfa8c16cb86c64cbe726b1b70a5bbcc2962a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1064-2341-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1064-2340-0x0000000000490000-0x00000000004BE000-memory.dmp

Filesize
184KB

Download
memory/1064-2343-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1344-2334-0x0000000005580000-0x00000000055BC000-memory.dmp

Filesize
240KB

Download
memory/1344-2333-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/1344-2332-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/1344-2331-0x0000000005B60000-0x0000000006178000-memory.dmp

Filesize
6.1MB

Download
memory/1344-2329-0x0000000000BA0000-0x0000000000BCE000-memory.dmp

Filesize
184KB

Download
memory/1344-2339-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1344-2342-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3952-203-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-227-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-189-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-191-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-193-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-195-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-197-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-199-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-201-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-185-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-205-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-207-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-209-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-211-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-213-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-215-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-217-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-219-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-221-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-223-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-225-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-187-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-229-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-410-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3952-2316-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3952-2317-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3952-183-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-181-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-179-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-177-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-175-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-173-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-172-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/3952-167-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-170-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-168-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3952-166-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/3952-165-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3952-164-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3952-163-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3952-162-0x0000000000920000-0x000000000097B000-memory.dmp

Filesize
364KB

Download