redline | b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe
Size

1.5MB
MD5

6f9d8f5d72975f9b70ccf136fa90bcf1
SHA1

149131a65e0f586ea3ea39cb4ce8453e068521d4
SHA256

b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062
SHA512

f72d681eec86d22daceb4094049f28295924d5d0a22032e07f7708f84fc14816b4adf372e1de4680de731107048772c4ea969366e237f68669de6a41e3d6a7e9
SSDEEP

24576:RyUdj9brqROXi0rW+8SDygyNm2n0DaWvhoeo0L7sU1EYEonihnEkT9E:EWJ6siqW+XDy82n0fIUyREkT

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1376-169-0x000000000AAE0000-0x000000000B0F8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1564	i80028725.exe
3248	i33546651.exe
1184	i95682886.exe
876	i08177316.exe
1376	a79313029.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i80028725.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i33546651.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i95682886.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i80028725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i33546651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i95682886.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08177316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i08177316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1564	4808	b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe	84
PID 4808 wrote to memory of 1564	4808	b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe	84
PID 4808 wrote to memory of 1564	4808	b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe	84
PID 1564 wrote to memory of 3248	1564	i80028725.exe	85
PID 1564 wrote to memory of 3248	1564	i80028725.exe	85
PID 1564 wrote to memory of 3248	1564	i80028725.exe	85
PID 3248 wrote to memory of 1184	3248	i33546651.exe	86
PID 3248 wrote to memory of 1184	3248	i33546651.exe	86
PID 3248 wrote to memory of 1184	3248	i33546651.exe	86
PID 1184 wrote to memory of 876	1184	i95682886.exe	87
PID 1184 wrote to memory of 876	1184	i95682886.exe	87
PID 1184 wrote to memory of 876	1184	i95682886.exe	87
PID 876 wrote to memory of 1376	876	i08177316.exe	88
PID 876 wrote to memory of 1376	876	i08177316.exe	88
PID 876 wrote to memory of 1376	876	i08177316.exe	88

C:\Users\Admin\AppData\Local\Temp\b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe
"C:\Users\Admin\AppData\Local\Temp\b86555a3c95e07c52b37cef092cf957147aa29665ce3eb76882fad6568203062.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80028725.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80028725.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33546651.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33546651.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i95682886.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i95682886.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08177316.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08177316.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a79313029.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a79313029.exe
        6⤵
        Executes dropped EXE
        
        PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80028725.exe

Filesize
1.3MB

MD5
b963819ce36862b2362f503b23f39ba6

SHA1
4f05fa171b433e2640848abc15311a7dcdfe0e7b

SHA256
3fc879c66eec7d5b17eb732171e00c3580e7de4120e0b7d18bb8d9bb78a46a58

SHA512
2a63e81ae7ea0125cb507ab54f00e28ba548fcca7b72181929b450ebf00a15bebbecf60a6be079d57d5b69c7b344f2c78757a9f9d7c689f73e1e63aced6c9c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i80028725.exe

Filesize
1.3MB

MD5
b963819ce36862b2362f503b23f39ba6

SHA1
4f05fa171b433e2640848abc15311a7dcdfe0e7b

SHA256
3fc879c66eec7d5b17eb732171e00c3580e7de4120e0b7d18bb8d9bb78a46a58

SHA512
2a63e81ae7ea0125cb507ab54f00e28ba548fcca7b72181929b450ebf00a15bebbecf60a6be079d57d5b69c7b344f2c78757a9f9d7c689f73e1e63aced6c9c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33546651.exe

Filesize
1015KB

MD5
800d62d321640d91ee92117a29b2a7c8

SHA1
4f61f1d72e783a31b2c90c51da6a31983435d408

SHA256
f1bdf8edae5672280a5663b5b8bd4fa8a68f7519821a3db45bbe6104d1ab8be1

SHA512
2d4824bebd0d49ca323c8d003274303d60c2ad8cf98a39d4caebdc119860c84f16f39150dc81792601e709fc8c59301dc77efddd86dc763246d62e4f92cbae40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33546651.exe

Filesize
1015KB

MD5
800d62d321640d91ee92117a29b2a7c8

SHA1
4f61f1d72e783a31b2c90c51da6a31983435d408

SHA256
f1bdf8edae5672280a5663b5b8bd4fa8a68f7519821a3db45bbe6104d1ab8be1

SHA512
2d4824bebd0d49ca323c8d003274303d60c2ad8cf98a39d4caebdc119860c84f16f39150dc81792601e709fc8c59301dc77efddd86dc763246d62e4f92cbae40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i95682886.exe

Filesize
843KB

MD5
d9e9faa87d2b4d2f82b2f9842306b5d0

SHA1
b4d495e739080745ef74ca474b8c722f4f5ae82c

SHA256
715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1

SHA512
cba05534a4ccbbb7be1428c785d55bf94726a50977e85963effcd3b831cdee2cb2b2702993c7e74dcce5e96811a9855d0bb4d559e5df65c877909711b379e75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i95682886.exe

Filesize
843KB

MD5
d9e9faa87d2b4d2f82b2f9842306b5d0

SHA1
b4d495e739080745ef74ca474b8c722f4f5ae82c

SHA256
715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1

SHA512
cba05534a4ccbbb7be1428c785d55bf94726a50977e85963effcd3b831cdee2cb2b2702993c7e74dcce5e96811a9855d0bb4d559e5df65c877909711b379e75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08177316.exe

Filesize
371KB

MD5
ee33710c8057acb64e9ca7c1f9e07673

SHA1
2b06e4119398dd8f16674341e5adf95ba9f70375

SHA256
28a46b6b121e238b2c07f77a4281c23fe21d24fa8e3561647f3f681386ded443

SHA512
2d379c140ca31aebc88627cb45535eb11678e0548ecc07b6d49dc3e3c8fe611e9121e60283aa7a0f3adc340430edac5957b5738cc3ae81796843aeafd5df17dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08177316.exe

Filesize
371KB

MD5
ee33710c8057acb64e9ca7c1f9e07673

SHA1
2b06e4119398dd8f16674341e5adf95ba9f70375

SHA256
28a46b6b121e238b2c07f77a4281c23fe21d24fa8e3561647f3f681386ded443

SHA512
2d379c140ca31aebc88627cb45535eb11678e0548ecc07b6d49dc3e3c8fe611e9121e60283aa7a0f3adc340430edac5957b5738cc3ae81796843aeafd5df17dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a79313029.exe

Filesize
169KB

MD5
b9dbcf7dc0ebc9b366d7f0c3f1bc1f61

SHA1
04ccea00069151a3dd221b7e9acdcdff642a0e14

SHA256
9d10117658b96e7f6245411deab4faee01910d330722bde839f39b57436d020e

SHA512
291d302bad96d6ebefe769490f6c966bd96d4478a63fc8c7462c6d7bfb415929cfc74d6fd19bb63ced349543b812076cb7f6ead37dd26b5ed444126025b3a7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a79313029.exe

Filesize
169KB

MD5
b9dbcf7dc0ebc9b366d7f0c3f1bc1f61

SHA1
04ccea00069151a3dd221b7e9acdcdff642a0e14

SHA256
9d10117658b96e7f6245411deab4faee01910d330722bde839f39b57436d020e

SHA512
291d302bad96d6ebefe769490f6c966bd96d4478a63fc8c7462c6d7bfb415929cfc74d6fd19bb63ced349543b812076cb7f6ead37dd26b5ed444126025b3a7f5

Download Submit
memory/1376-168-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/1376-169-0x000000000AAE0000-0x000000000B0F8000-memory.dmp

Filesize
6.1MB

Download
memory/1376-170-0x000000000A660000-0x000000000A76A000-memory.dmp

Filesize
1.0MB

Download
memory/1376-171-0x000000000A590000-0x000000000A5A2000-memory.dmp

Filesize
72KB

Download
memory/1376-172-0x000000000A5F0000-0x000000000A62C000-memory.dmp

Filesize
240KB

Download
memory/1376-173-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1376-174-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download