redline | bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe
Size

1.2MB
MD5

38aac11235319af2ef9cbe91c6fdf94b
SHA1

1bc4150993e975b55b2d02e6a3ae1db79216b850
SHA256

bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1
SHA512

db16f7bca1a6fa811e870a8227604c7fe7d4f309561d2b19edd111efb1dd9a65446afdb6865efeac879887751682ede3126c8248ded5e536cd99dbda99668105
SSDEEP

24576:0ywe3iRbyfjnIUiYHkz0KT62/754+IdAhEnDJto0B980:DNiA7ntEn1jy+Id31to0B

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/1520-2328-0x0000000005B50000-0x0000000006168000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s93248478.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s93248478.exe

Executes dropped EXE 6 IoCs

Processes:

z62279301.exez58211983.exez83466640.exes93248478.exe1.exet70278517.exe

pid process

2932 z62279301.exe
1144 z58211983.exe
3452 z83466640.exe
3176 s93248478.exe
1520 1.exe
4476 t70278517.exe

pid	process
2932	z62279301.exe
1144	z58211983.exe
3452	z83466640.exe
3176	s93248478.exe
1520	1.exe
4476	t70278517.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exez62279301.exez58211983.exez83466640.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z62279301.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z62279301.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z58211983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z58211983.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z83466640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z83466640.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4092 3176 WerFault.exe s93248478.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s93248478.exe

description pid process

Token: SeDebugPrivilege 3176 s93248478.exe

pid	pid_target	process	target process
4092	3176	WerFault.exe	s93248478.exe

description	pid	process
Token: SeDebugPrivilege	3176	s93248478.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exez62279301.exez58211983.exez83466640.exes93248478.exe

description	pid	process	target process
PID 4112 wrote to memory of 2932	4112	bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe	z62279301.exe
PID 4112 wrote to memory of 2932	4112	bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe	z62279301.exe
PID 4112 wrote to memory of 2932	4112	bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe	z62279301.exe
PID 2932 wrote to memory of 1144	2932	z62279301.exe	z58211983.exe
PID 2932 wrote to memory of 1144	2932	z62279301.exe	z58211983.exe
PID 2932 wrote to memory of 1144	2932	z62279301.exe	z58211983.exe
PID 1144 wrote to memory of 3452	1144	z58211983.exe	z83466640.exe
PID 1144 wrote to memory of 3452	1144	z58211983.exe	z83466640.exe
PID 1144 wrote to memory of 3452	1144	z58211983.exe	z83466640.exe
PID 3452 wrote to memory of 3176	3452	z83466640.exe	s93248478.exe
PID 3452 wrote to memory of 3176	3452	z83466640.exe	s93248478.exe
PID 3452 wrote to memory of 3176	3452	z83466640.exe	s93248478.exe
PID 3176 wrote to memory of 1520	3176	s93248478.exe	1.exe
PID 3176 wrote to memory of 1520	3176	s93248478.exe	1.exe
PID 3176 wrote to memory of 1520	3176	s93248478.exe	1.exe
PID 3452 wrote to memory of 4476	3452	z83466640.exe	t70278517.exe
PID 3452 wrote to memory of 4476	3452	z83466640.exe	t70278517.exe
PID 3452 wrote to memory of 4476	3452	z83466640.exe	t70278517.exe

C:\Users\Admin\AppData\Local\Temp\bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe
"C:\Users\Admin\AppData\Local\Temp\bd3662440e73d7dd29e478ab0b55769b8a0a180bc045a616a7234bbb1a38d2d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62279301.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62279301.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z58211983.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z58211983.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z83466640.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z83466640.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93248478.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93248478.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1508
6⤵
- Program crash
PID:4092

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t70278517.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t70278517.exe
5⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3176 -ip 3176
1⤵
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62279301.exe
Filesize
1.0MB

MD5
e6eaefba038fa98fef19ec9cab4105f2

SHA1
8fb3fd1c0266245a17d988440fbb4d6c6e5fe442

SHA256
d59f61a21f4a32245bc072d8941a099960e1a13e4cb45902ffb42a6abd631f9d

SHA512
8d9ce6a0ee0566174d5a3509dc3ef1d404f18e6a0db604e4d82449bb54922b6b3f102dae50dc4241057100d7e686a4fa18ce56be69e322712f3ebd795238212e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62279301.exe
Filesize
1.0MB

MD5
e6eaefba038fa98fef19ec9cab4105f2

SHA1
8fb3fd1c0266245a17d988440fbb4d6c6e5fe442

SHA256
d59f61a21f4a32245bc072d8941a099960e1a13e4cb45902ffb42a6abd631f9d

SHA512
8d9ce6a0ee0566174d5a3509dc3ef1d404f18e6a0db604e4d82449bb54922b6b3f102dae50dc4241057100d7e686a4fa18ce56be69e322712f3ebd795238212e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z58211983.exe
Filesize
759KB

MD5
c8787e730b23d8f5353e8545def6a84b

SHA1
55b6b413fdc792dcd60128e3b646a3b37185e1db

SHA256
7f076da4decbc0069441af62cb4274d0477d389ece12e78cd69a2a91d498956f

SHA512
7453ee32874f26507d37a0d44439439d0efbec74fc4074c828081192f9895fb26329c8971f6add544f8ec2e31aaa53920dccef7573b97dbd4def9023c0149f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z58211983.exe
Filesize
759KB

MD5
c8787e730b23d8f5353e8545def6a84b

SHA1
55b6b413fdc792dcd60128e3b646a3b37185e1db

SHA256
7f076da4decbc0069441af62cb4274d0477d389ece12e78cd69a2a91d498956f

SHA512
7453ee32874f26507d37a0d44439439d0efbec74fc4074c828081192f9895fb26329c8971f6add544f8ec2e31aaa53920dccef7573b97dbd4def9023c0149f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z83466640.exe
Filesize
577KB

MD5
d17c8e4ecfc068ae90cf199415957e30

SHA1
f17aeb81bf4aa88810dc8aac16e95bc0344f5ffb

SHA256
4a08ec2926d1dc8eed67097293b678985331f624d81f7a85257f83e3fba207fe

SHA512
b86db2cc7a764ea2941b5e4f729bdbe58e5ce4eed675b542d64bc6e15270a53c73908944704598dd37cee6ed132e5159c647135253ea171b55743b4bd89db3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z83466640.exe
Filesize
577KB

MD5
d17c8e4ecfc068ae90cf199415957e30

SHA1
f17aeb81bf4aa88810dc8aac16e95bc0344f5ffb

SHA256
4a08ec2926d1dc8eed67097293b678985331f624d81f7a85257f83e3fba207fe

SHA512
b86db2cc7a764ea2941b5e4f729bdbe58e5ce4eed675b542d64bc6e15270a53c73908944704598dd37cee6ed132e5159c647135253ea171b55743b4bd89db3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93248478.exe
Filesize
574KB

MD5
f5d31d4f1404cf91c6f5f56b92e77311

SHA1
3058ef824762cc0fcd144662605d9abf55cfeabc

SHA256
3b4882da504ddc0a902d3af50cc8082e80426e3a9218d0bbbe6e0d140d09036d

SHA512
9d5f9023676cf4ba14db23d9378410c8cc863ec694b4a36e4dbb26d711e184b3cc2d60785c132e48524bb89f0528d4edca1dda6c65b1a61b1cd6b6112ec7ce12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93248478.exe
Filesize
574KB

MD5
f5d31d4f1404cf91c6f5f56b92e77311

SHA1
3058ef824762cc0fcd144662605d9abf55cfeabc

SHA256
3b4882da504ddc0a902d3af50cc8082e80426e3a9218d0bbbe6e0d140d09036d

SHA512
9d5f9023676cf4ba14db23d9378410c8cc863ec694b4a36e4dbb26d711e184b3cc2d60785c132e48524bb89f0528d4edca1dda6c65b1a61b1cd6b6112ec7ce12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t70278517.exe
Filesize
169KB

MD5
1829eafa393541e72191c4d585ac8e9b

SHA1
0d609fdee5047604f4beb4fa08be85dd0378c654

SHA256
ed2b149c030a54b4999071abf5f22de6ccdc3ae536d2393d9db0feae674ed4f3

SHA512
49068f5293518de05fe88a4508b43e54d9712fa6e975e8d5f443dd7f3591764571bd71a6ae80e8d4de0c0025891b9cef0d7d8ade3c6eeb8e44a2c438ab55866e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t70278517.exe
Filesize
169KB

MD5
1829eafa393541e72191c4d585ac8e9b

SHA1
0d609fdee5047604f4beb4fa08be85dd0378c654

SHA256
ed2b149c030a54b4999071abf5f22de6ccdc3ae536d2393d9db0feae674ed4f3

SHA512
49068f5293518de05fe88a4508b43e54d9712fa6e975e8d5f443dd7f3591764571bd71a6ae80e8d4de0c0025891b9cef0d7d8ade3c6eeb8e44a2c438ab55866e

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1520-2339-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1520-2332-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1520-2331-0x0000000005550000-0x000000000558C000-memory.dmp

Filesize
240KB

Download
memory/1520-2330-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/1520-2329-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-2328-0x0000000005B50000-0x0000000006168000-memory.dmp

Filesize
6.1MB

Download
memory/1520-2325-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

Filesize
184KB

Download
memory/3176-200-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-226-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-184-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-186-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-188-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-190-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-192-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-194-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-196-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-198-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-180-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-202-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-204-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-206-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-208-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-210-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-212-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-214-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-216-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-218-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-220-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-182-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-224-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-228-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-222-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-230-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-178-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-175-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3176-176-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-173-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3176-2327-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3176-172-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-169-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-170-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3176-168-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/3176-166-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-164-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-163-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3176-162-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/4476-2338-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/4476-2337-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/4476-2340-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download