redline | e56b9ed4a396ecf342133c8b4dffbc259845962cdd2a4c9699044cd6dd710741

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe
Size

1.2MB
MD5

bd4dc0cf8ed8e06f4fb6bc06b62aecd1
SHA1

6aa23b176fa7f8544422121d976e228a16b48d2d
SHA256

ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c
SHA512

6e300075abc0e8675f61acbe736756ea76989a7beb03aa266d1a82e720a17009cf2c79aa58afa22738d428717f308de0d653e41b90a30ad6934212d8b7e899e0
SSDEEP

24576:iyhaBb6G1K0zChckgEotr6cDxRy4pvCIr23egMWTpLjnsQ6:JYBbb1K0mhcPx7lvCIFeTlAQ

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/772-2327-0x00000000058C0000-0x0000000005ED8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s08083808.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s08083808.exe

Executes dropped EXE 6 IoCs

Processes:

z92636741.exez93861579.exez91191651.exes08083808.exe1.exet73838859.exe

pid process

1352 z92636741.exe
3656 z93861579.exe
4332 z91191651.exe
2508 s08083808.exe
772 1.exe
4492 t73838859.exe

pid	process
1352	z92636741.exe
3656	z93861579.exe
4332	z91191651.exe
2508	s08083808.exe
772	1.exe
4492	t73838859.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z92636741.exez93861579.exez91191651.exeab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z92636741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z92636741.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z93861579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z93861579.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z91191651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z91191651.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4956 2508 WerFault.exe s08083808.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s08083808.exe

description pid process

Token: SeDebugPrivilege 2508 s08083808.exe

pid	pid_target	process	target process
4956	2508	WerFault.exe	s08083808.exe

description	pid	process
Token: SeDebugPrivilege	2508	s08083808.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exez92636741.exez93861579.exez91191651.exes08083808.exe

description	pid	process	target process
PID 2672 wrote to memory of 1352	2672	ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe	z92636741.exe
PID 2672 wrote to memory of 1352	2672	ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe	z92636741.exe
PID 2672 wrote to memory of 1352	2672	ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe	z92636741.exe
PID 1352 wrote to memory of 3656	1352	z92636741.exe	z93861579.exe
PID 1352 wrote to memory of 3656	1352	z92636741.exe	z93861579.exe
PID 1352 wrote to memory of 3656	1352	z92636741.exe	z93861579.exe
PID 3656 wrote to memory of 4332	3656	z93861579.exe	z91191651.exe
PID 3656 wrote to memory of 4332	3656	z93861579.exe	z91191651.exe
PID 3656 wrote to memory of 4332	3656	z93861579.exe	z91191651.exe
PID 4332 wrote to memory of 2508	4332	z91191651.exe	s08083808.exe
PID 4332 wrote to memory of 2508	4332	z91191651.exe	s08083808.exe
PID 4332 wrote to memory of 2508	4332	z91191651.exe	s08083808.exe
PID 2508 wrote to memory of 772	2508	s08083808.exe	1.exe
PID 2508 wrote to memory of 772	2508	s08083808.exe	1.exe
PID 2508 wrote to memory of 772	2508	s08083808.exe	1.exe
PID 4332 wrote to memory of 4492	4332	z91191651.exe	t73838859.exe
PID 4332 wrote to memory of 4492	4332	z91191651.exe	t73838859.exe
PID 4332 wrote to memory of 4492	4332	z91191651.exe	t73838859.exe

C:\Users\Admin\AppData\Local\Temp\ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe
"C:\Users\Admin\AppData\Local\Temp\ab61f8eec6552709a30b7be2680b637c649e711394fc55bb607d919efb9c3c0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92636741.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92636741.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z93861579.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z93861579.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z91191651.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z91191651.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08083808.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08083808.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1196
6⤵
- Program crash
PID:4956

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73838859.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73838859.exe
5⤵
- Executes dropped EXE
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2508 -ip 2508
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92636741.exe
Filesize
1.0MB

MD5
8fa11ddf94005162d9ee2b9ce3b45c52

SHA1
04731b9588c11d1780ae62a9ee6fd13291726709

SHA256
aa73f6b2b03895b5e631a80eb22a5e1d7531a4fd8bd7dd76dc4cfcb152281472

SHA512
faa2088686a5369e3e6d5b166965797898a85c14a974e34f58c0ca01f514218a6071825ee8e688bff9c8429c2385ccce7b353a0ea394ee2a03ce2d02cb446005

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92636741.exe
Filesize
1.0MB

MD5
8fa11ddf94005162d9ee2b9ce3b45c52

SHA1
04731b9588c11d1780ae62a9ee6fd13291726709

SHA256
aa73f6b2b03895b5e631a80eb22a5e1d7531a4fd8bd7dd76dc4cfcb152281472

SHA512
faa2088686a5369e3e6d5b166965797898a85c14a974e34f58c0ca01f514218a6071825ee8e688bff9c8429c2385ccce7b353a0ea394ee2a03ce2d02cb446005

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z93861579.exe
Filesize
760KB

MD5
1074a55c41d987fab9c21e545a5a4859

SHA1
985417f1bd38a23927a694b6fc0440d42ba75641

SHA256
80d35bbd5472c35897f1a1443634326fd44fbadf06c45c347a64879ed06c1c92

SHA512
fe05c5a22c503d25ba4b8fb848aa750b0352a13fb1bfe06edf21296ffd8cbdbb7431863a0ceb78ee086e0008749dee94ec10d3be901a9cef61efc4077c0162ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z93861579.exe
Filesize
760KB

MD5
1074a55c41d987fab9c21e545a5a4859

SHA1
985417f1bd38a23927a694b6fc0440d42ba75641

SHA256
80d35bbd5472c35897f1a1443634326fd44fbadf06c45c347a64879ed06c1c92

SHA512
fe05c5a22c503d25ba4b8fb848aa750b0352a13fb1bfe06edf21296ffd8cbdbb7431863a0ceb78ee086e0008749dee94ec10d3be901a9cef61efc4077c0162ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z91191651.exe
Filesize
578KB

MD5
0dcf6150c6dfecf560948f2dff8047eb

SHA1
a042f38966e4cc5590a27747779deba393c29d72

SHA256
6ce8631c89057924ee29fec1c437a96ad6205da632cff1ffeaa3d4129aab0ffc

SHA512
50510a41191d2ee961f9675f590e32ab5676d857caf3bb0a097fdb1a9b125c1671b3af76af708f34bbdedfc4f1922a2e5e14b0b520175bcec012ff83a8028e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z91191651.exe
Filesize
578KB

MD5
0dcf6150c6dfecf560948f2dff8047eb

SHA1
a042f38966e4cc5590a27747779deba393c29d72

SHA256
6ce8631c89057924ee29fec1c437a96ad6205da632cff1ffeaa3d4129aab0ffc

SHA512
50510a41191d2ee961f9675f590e32ab5676d857caf3bb0a097fdb1a9b125c1671b3af76af708f34bbdedfc4f1922a2e5e14b0b520175bcec012ff83a8028e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08083808.exe
Filesize
502KB

MD5
b4e51c6adcc8fb1b7624edc8df6e9e55

SHA1
769da8e1e5c47dbe142e6ce7e311765a8a799061

SHA256
c3d468fbfdfacc750366de89a2a60e4e7f07248fa8e5c8528830f7aed04e8106

SHA512
75e68963b4ccf26aeae4a646e8391fb102eecac254af469c646cbe6fd261e95b26204c8e5dc8b57d92ceae5ba42e7e2f9496875a595206ee787998c21019ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s08083808.exe
Filesize
502KB

MD5
b4e51c6adcc8fb1b7624edc8df6e9e55

SHA1
769da8e1e5c47dbe142e6ce7e311765a8a799061

SHA256
c3d468fbfdfacc750366de89a2a60e4e7f07248fa8e5c8528830f7aed04e8106

SHA512
75e68963b4ccf26aeae4a646e8391fb102eecac254af469c646cbe6fd261e95b26204c8e5dc8b57d92ceae5ba42e7e2f9496875a595206ee787998c21019ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73838859.exe
Filesize
169KB

MD5
4ea7b47da0a32256b398856128781f82

SHA1
516b534d2f17d9cd90166d57faacc9ebac03eb30

SHA256
6c1aea1052431f1e043f3906997c3ad6c0d7289263d727c3d6e899e1c2215e98

SHA512
5395725958bf0c7b5ca8b86e12dc0e76081ed06fe94f64a7a47ed843e11da7adac804116105114eca45a821ebb38c10736e36566c08779c9f2c563325f0dd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73838859.exe
Filesize
169KB

MD5
4ea7b47da0a32256b398856128781f82

SHA1
516b534d2f17d9cd90166d57faacc9ebac03eb30

SHA256
6c1aea1052431f1e043f3906997c3ad6c0d7289263d727c3d6e899e1c2215e98

SHA512
5395725958bf0c7b5ca8b86e12dc0e76081ed06fe94f64a7a47ed843e11da7adac804116105114eca45a821ebb38c10736e36566c08779c9f2c563325f0dd12a

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/772-2334-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/772-2330-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/772-2329-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/772-2328-0x00000000053B0000-0x00000000054BA000-memory.dmp

Filesize
1.0MB

Download
memory/772-2327-0x00000000058C0000-0x0000000005ED8000-memory.dmp

Filesize
6.1MB

Download
memory/772-2341-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/772-2325-0x0000000000990000-0x00000000009BE000-memory.dmp

Filesize
184KB

Download
memory/2508-173-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-223-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-185-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-187-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-189-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-191-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-193-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-195-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-197-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-201-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-199-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-203-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-205-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-207-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-209-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-211-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-213-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-215-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-217-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-219-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-221-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-183-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-225-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-227-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-229-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-2313-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2508-181-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-179-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-177-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-175-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-171-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-169-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-167-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-166-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/2508-2332-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2508-2333-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2508-2331-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2508-165-0x0000000004F00000-0x00000000054A4000-memory.dmp

Filesize
5.6MB

Download
memory/2508-164-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2508-163-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2508-162-0x0000000000900000-0x000000000095B000-memory.dmp

Filesize
364KB

Download
memory/4492-2340-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4492-2339-0x0000000000140000-0x000000000016E000-memory.dmp

Filesize
184KB

Download
memory/4492-2342-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download