redline | ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe
Size

1.2MB
MD5

58c2cdbc2aa7bffde6da05e41849ab6a
SHA1

e32ae8e0d906647aa3d405b3e9d1596d879a1a29
SHA256

ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817
SHA512

7b1d1341f6629e243655122d680e5ff08cd75805daf38485157baf720a2dc5b1354c616493e3332effce0b046a650256606f20eb19a615c38c484509831f1d1c
SSDEEP

24576:VyCiCrc9T+lxqsRy2xyagZPQNkOZfP3rHmQef41YVfDadmT07m:wJCrcV+lxqSxyjcFZf/KQefyabadmT

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4168-2331-0x000000000B130000-0x000000000B748000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s69877547.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s69877547.exe

Executes dropped EXE 6 IoCs

Processes:

z78404625.exez14593748.exez90540759.exes69877547.exe1.exet61265919.exe

pid process

2800 z78404625.exe
3916 z14593748.exe
3716 z90540759.exe
3740 s69877547.exe
4168 1.exe
376 t61265919.exe

pid	process
2800	z78404625.exe
3916	z14593748.exe
3716	z90540759.exe
3740	s69877547.exe
4168	1.exe
376	t61265919.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z90540759.exead204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exez78404625.exez14593748.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z90540759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z90540759.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z78404625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z78404625.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z14593748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z14593748.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4980 3740 WerFault.exe s69877547.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s69877547.exe

description pid process

Token: SeDebugPrivilege 3740 s69877547.exe

pid	pid_target	process	target process
4980	3740	WerFault.exe	s69877547.exe

description	pid	process
Token: SeDebugPrivilege	3740	s69877547.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exez78404625.exez14593748.exez90540759.exes69877547.exe

description	pid	process	target process
PID 1788 wrote to memory of 2800	1788	ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe	z78404625.exe
PID 1788 wrote to memory of 2800	1788	ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe	z78404625.exe
PID 1788 wrote to memory of 2800	1788	ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe	z78404625.exe
PID 2800 wrote to memory of 3916	2800	z78404625.exe	z14593748.exe
PID 2800 wrote to memory of 3916	2800	z78404625.exe	z14593748.exe
PID 2800 wrote to memory of 3916	2800	z78404625.exe	z14593748.exe
PID 3916 wrote to memory of 3716	3916	z14593748.exe	z90540759.exe
PID 3916 wrote to memory of 3716	3916	z14593748.exe	z90540759.exe
PID 3916 wrote to memory of 3716	3916	z14593748.exe	z90540759.exe
PID 3716 wrote to memory of 3740	3716	z90540759.exe	s69877547.exe
PID 3716 wrote to memory of 3740	3716	z90540759.exe	s69877547.exe
PID 3716 wrote to memory of 3740	3716	z90540759.exe	s69877547.exe
PID 3740 wrote to memory of 4168	3740	s69877547.exe	1.exe
PID 3740 wrote to memory of 4168	3740	s69877547.exe	1.exe
PID 3740 wrote to memory of 4168	3740	s69877547.exe	1.exe
PID 3716 wrote to memory of 376	3716	z90540759.exe	t61265919.exe
PID 3716 wrote to memory of 376	3716	z90540759.exe	t61265919.exe
PID 3716 wrote to memory of 376	3716	z90540759.exe	t61265919.exe

C:\Users\Admin\AppData\Local\Temp\ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe
"C:\Users\Admin\AppData\Local\Temp\ad204399c025f009a9aeac4c927cb7515a6878c3109124b0944912c9f955f817.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78404625.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78404625.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z14593748.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z14593748.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z90540759.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z90540759.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69877547.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69877547.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1528
6⤵
- Program crash
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t61265919.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t61265919.exe
5⤵
- Executes dropped EXE
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3740 -ip 3740
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78404625.exe

Filesize
1.0MB

MD5
879b0a50147e1e9a3decf89ae0350c02

SHA1
f074104b0779110d6c674ed14b8b3bd92dd8e5ad

SHA256
ecb76ab7a34a1df10fa05551096bce599d78a049bbb094d2521fb3989fe63838

SHA512
8160d6957a557344eb360a378d2441b45b567968a0a212e39cb5617b8b4cd0b29202281963db3c4a4dd8352adc041984007b9ad73f5cef8a37a807877e1f97c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78404625.exe

Filesize
1.0MB

MD5
879b0a50147e1e9a3decf89ae0350c02

SHA1
f074104b0779110d6c674ed14b8b3bd92dd8e5ad

SHA256
ecb76ab7a34a1df10fa05551096bce599d78a049bbb094d2521fb3989fe63838

SHA512
8160d6957a557344eb360a378d2441b45b567968a0a212e39cb5617b8b4cd0b29202281963db3c4a4dd8352adc041984007b9ad73f5cef8a37a807877e1f97c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z14593748.exe

Filesize
764KB

MD5
80a220a96174c1fa4b0996649474d4cd

SHA1
7a51b6d7808297a0860580ff0928ea08138738c7

SHA256
0af2fd47a480254c2ea2ec97da0cc53b414ae07629a6c68c00163e9bf3ed95a2

SHA512
e06fa051d1f5a0c877fb651f19105c437577572df31aaebbabe162e86612dd2c8b8a998df620315dd9092163148e949cb769f464a99659fb49a093cd893d8e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z14593748.exe

Filesize
764KB

MD5
80a220a96174c1fa4b0996649474d4cd

SHA1
7a51b6d7808297a0860580ff0928ea08138738c7

SHA256
0af2fd47a480254c2ea2ec97da0cc53b414ae07629a6c68c00163e9bf3ed95a2

SHA512
e06fa051d1f5a0c877fb651f19105c437577572df31aaebbabe162e86612dd2c8b8a998df620315dd9092163148e949cb769f464a99659fb49a093cd893d8e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z90540759.exe

Filesize
581KB

MD5
99c27bd29e627a6fc6c7611755b78f00

SHA1
810338d5243ae43fad071f791cd57c8916dbfb13

SHA256
99c47d5237aa3c79bb3364365402539a6561a129be24b327d570153ae9e4154c

SHA512
2081cb63ff00820fb03684fc7fd29207c6ae87c050a92631b1f0db568ad09d50d174b0ab05910dd55a97bf317e06e4ed3240136c6deb2844fdd3874765e61a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z90540759.exe

Filesize
581KB

MD5
99c27bd29e627a6fc6c7611755b78f00

SHA1
810338d5243ae43fad071f791cd57c8916dbfb13

SHA256
99c47d5237aa3c79bb3364365402539a6561a129be24b327d570153ae9e4154c

SHA512
2081cb63ff00820fb03684fc7fd29207c6ae87c050a92631b1f0db568ad09d50d174b0ab05910dd55a97bf317e06e4ed3240136c6deb2844fdd3874765e61a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69877547.exe

Filesize
580KB

MD5
207d74c1f1c2506dfeee45a6ead56277

SHA1
177c2305f147e4e0eed875b1e19abd47bc5af11e

SHA256
9bd45d66822d7a20e2c4be4f80dc8c8e6ffedac69542438fce80887fc274addb

SHA512
3cf54c746222a7f3d10d679b95e6f791617ab51ee5a5f8a22d9015c0e65e6f34069c8fe8f37e8a54961237dc1b6bc8f1a5c5e0074da6598f860ac7e75282bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69877547.exe

Filesize
580KB

MD5
207d74c1f1c2506dfeee45a6ead56277

SHA1
177c2305f147e4e0eed875b1e19abd47bc5af11e

SHA256
9bd45d66822d7a20e2c4be4f80dc8c8e6ffedac69542438fce80887fc274addb

SHA512
3cf54c746222a7f3d10d679b95e6f791617ab51ee5a5f8a22d9015c0e65e6f34069c8fe8f37e8a54961237dc1b6bc8f1a5c5e0074da6598f860ac7e75282bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t61265919.exe

Filesize
169KB

MD5
c60d145a33947e8e046b940462d8ce51

SHA1
6de6b488e05bb8f6bd042154e5caf55e8c00e68e

SHA256
bfda175770dcf20c818da9926ce735887bc0a852091926c8d1924b06302abedb

SHA512
0f280b6cb45139fde34ac65d9b03ddb96b588d9e79c15be9edd48d2aecd2df6e3ca471dd443441d4ba3a0c210b201e6c472dcd87634fac4c1c09e0fca7af9bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t61265919.exe

Filesize
169KB

MD5
c60d145a33947e8e046b940462d8ce51

SHA1
6de6b488e05bb8f6bd042154e5caf55e8c00e68e

SHA256
bfda175770dcf20c818da9926ce735887bc0a852091926c8d1924b06302abedb

SHA512
0f280b6cb45139fde34ac65d9b03ddb96b588d9e79c15be9edd48d2aecd2df6e3ca471dd443441d4ba3a0c210b201e6c472dcd87634fac4c1c09e0fca7af9bab

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/376-2343-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/376-2341-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/376-2340-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/3740-194-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-212-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-170-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-172-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-167-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-171-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-174-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-176-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-178-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-180-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-182-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-184-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-186-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-188-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-190-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-192-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-165-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-196-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-198-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-200-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-202-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-206-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-208-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-204-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-210-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-168-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-214-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-216-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-220-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-222-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-224-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-226-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-228-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-230-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/3740-2292-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-2290-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-2294-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-2318-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3740-162-0x0000000002210000-0x000000000226B000-memory.dmp

Filesize
364KB

Download
memory/3740-163-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/3740-164-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/4168-2333-0x000000000AB50000-0x000000000AB62000-memory.dmp

Filesize
72KB

Download
memory/4168-2332-0x000000000AC20000-0x000000000AD2A000-memory.dmp

Filesize
1.0MB

Download
memory/4168-2331-0x000000000B130000-0x000000000B748000-memory.dmp

Filesize
6.1MB

Download
memory/4168-2334-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

Filesize
240KB

Download
memory/4168-2335-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4168-2342-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4168-2330-0x0000000000DE0000-0x0000000000E0E000-memory.dmp

Filesize
184KB

Download