redline | ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe
Size

1.2MB
MD5

d003f6e1414d9a4436af62d1e4f91e6a
SHA1

8030059ad95b52d34af7dedd4f7f14cd0f55ecb2
SHA256

ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751
SHA512

e8c07668e2ddbd566713b92281cf46dd9da6df2c770c2aa87055b8d8649a14387f07cc0e1f47e7dd7b7685cd27ba08475ff1e89260ac1a947465d338839da86e
SSDEEP

24576:MyTt2FJAwO+USUecIhJ6HCjz9Anw2liKUYJwTo0AaFbd3r:7Tt2gneyiPOnzliMO0aFbd

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4952-2337-0x0000000005CC0000-0x00000000062D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s83165117.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s83165117.exe

Executes dropped EXE 6 IoCs

Processes:

z88502600.exez33935109.exez61032565.exes83165117.exe1.exet21404294.exe

pid process

2320 z88502600.exe
1676 z33935109.exe
1960 z61032565.exe
3740 s83165117.exe
4952 1.exe
2384 t21404294.exe

pid	process
2320	z88502600.exe
1676	z33935109.exe
1960	z61032565.exe
3740	s83165117.exe
4952	1.exe
2384	t21404294.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z61032565.exeea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exez88502600.exez33935109.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z61032565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z61032565.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z88502600.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z88502600.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z33935109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z33935109.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2968 3740 WerFault.exe s83165117.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s83165117.exe

description pid process

Token: SeDebugPrivilege 3740 s83165117.exe

pid	pid_target	process	target process
2968	3740	WerFault.exe	s83165117.exe

description	pid	process
Token: SeDebugPrivilege	3740	s83165117.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exez88502600.exez33935109.exez61032565.exes83165117.exe

description	pid	process	target process
PID 2164 wrote to memory of 2320	2164	ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe	z88502600.exe
PID 2164 wrote to memory of 2320	2164	ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe	z88502600.exe
PID 2164 wrote to memory of 2320	2164	ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe	z88502600.exe
PID 2320 wrote to memory of 1676	2320	z88502600.exe	z33935109.exe
PID 2320 wrote to memory of 1676	2320	z88502600.exe	z33935109.exe
PID 2320 wrote to memory of 1676	2320	z88502600.exe	z33935109.exe
PID 1676 wrote to memory of 1960	1676	z33935109.exe	z61032565.exe
PID 1676 wrote to memory of 1960	1676	z33935109.exe	z61032565.exe
PID 1676 wrote to memory of 1960	1676	z33935109.exe	z61032565.exe
PID 1960 wrote to memory of 3740	1960	z61032565.exe	s83165117.exe
PID 1960 wrote to memory of 3740	1960	z61032565.exe	s83165117.exe
PID 1960 wrote to memory of 3740	1960	z61032565.exe	s83165117.exe
PID 3740 wrote to memory of 4952	3740	s83165117.exe	1.exe
PID 3740 wrote to memory of 4952	3740	s83165117.exe	1.exe
PID 3740 wrote to memory of 4952	3740	s83165117.exe	1.exe
PID 1960 wrote to memory of 2384	1960	z61032565.exe	t21404294.exe
PID 1960 wrote to memory of 2384	1960	z61032565.exe	t21404294.exe
PID 1960 wrote to memory of 2384	1960	z61032565.exe	t21404294.exe

C:\Users\Admin\AppData\Local\Temp\ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe
"C:\Users\Admin\AppData\Local\Temp\ea021e5be282b702d702cbac7e6f8a23dc6c3d58614446a93d24037141a0a751.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z88502600.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z88502600.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z33935109.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z33935109.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z61032565.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z61032565.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s83165117.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s83165117.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1384
6⤵
- Program crash
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t21404294.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t21404294.exe
5⤵
- Executes dropped EXE
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3740 -ip 3740
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z88502600.exe
Filesize
1.0MB

MD5
b067cca1d07ba8f41af87bf68eeb9de1

SHA1
ce7563915b4c8802141193183ad4b1c853f5191b

SHA256
d335ba93c4f4b976bcb895f2b8156ef99c12bb71443040a6be384eda674a8a0b

SHA512
e60b8cc54a3527c9951efa6ad6f7b1034071b38bf7f03256f4f3e7a9767582d9baa5743270b93a01dfdee6cdac8157798ce06cd59652068fda551b0ad358ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z88502600.exe
Filesize
1.0MB

MD5
b067cca1d07ba8f41af87bf68eeb9de1

SHA1
ce7563915b4c8802141193183ad4b1c853f5191b

SHA256
d335ba93c4f4b976bcb895f2b8156ef99c12bb71443040a6be384eda674a8a0b

SHA512
e60b8cc54a3527c9951efa6ad6f7b1034071b38bf7f03256f4f3e7a9767582d9baa5743270b93a01dfdee6cdac8157798ce06cd59652068fda551b0ad358ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z33935109.exe
Filesize
759KB

MD5
0d6d80ccffd9a21074997baa238f73bd

SHA1
5addaf8a29782ef2f706adc3a30d2953d02168d6

SHA256
496d8e72cf7da7ddc42d6dd2f6a480366ca7eec0a4553d19d481783789c5f16e

SHA512
96d4dc5e26824dda6d082b2745273be2b85485b5b9b170888b767c2026bdaaecbf2da36e8c45b9f2ee430fec9e024a9673d3c4cf41d871564d468ffa62c39635

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z33935109.exe
Filesize
759KB

MD5
0d6d80ccffd9a21074997baa238f73bd

SHA1
5addaf8a29782ef2f706adc3a30d2953d02168d6

SHA256
496d8e72cf7da7ddc42d6dd2f6a480366ca7eec0a4553d19d481783789c5f16e

SHA512
96d4dc5e26824dda6d082b2745273be2b85485b5b9b170888b767c2026bdaaecbf2da36e8c45b9f2ee430fec9e024a9673d3c4cf41d871564d468ffa62c39635

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z61032565.exe
Filesize
577KB

MD5
78e3c47530436cba6b62afcbd669fc3f

SHA1
020a81e1bc44dc52595a2704f34ae27e850a8fd8

SHA256
c3ec6ccce0432d57960b72715fdff5e41cdf2acff0850e3b19bbcbcf8e6eca21

SHA512
402cc4f276fe5d003a7437bd27e8090960c0fb02317a9011f2bca0250f30e104fbb45886d6acb6e83153432772a426858ba4e350c87f8afa616b57ba837463b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z61032565.exe
Filesize
577KB

MD5
78e3c47530436cba6b62afcbd669fc3f

SHA1
020a81e1bc44dc52595a2704f34ae27e850a8fd8

SHA256
c3ec6ccce0432d57960b72715fdff5e41cdf2acff0850e3b19bbcbcf8e6eca21

SHA512
402cc4f276fe5d003a7437bd27e8090960c0fb02317a9011f2bca0250f30e104fbb45886d6acb6e83153432772a426858ba4e350c87f8afa616b57ba837463b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s83165117.exe
Filesize
574KB

MD5
976d1614a2812b19fd8e9f15ee753f0f

SHA1
727de837371c6d9169e4e0685480c2fd0ec5684e

SHA256
7b396f006586f56d4f26a64debefb6f125ab9781963185b348956bf83d409108

SHA512
6ee8beb7de44cf7d4071b23e5938cf606ca8389f2895b1cf1744ab5ccf2609d2de936e31fa0698293f4abfa24b785a20c073f615e4aaf16da6a7bc2dc55c2bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s83165117.exe
Filesize
574KB

MD5
976d1614a2812b19fd8e9f15ee753f0f

SHA1
727de837371c6d9169e4e0685480c2fd0ec5684e

SHA256
7b396f006586f56d4f26a64debefb6f125ab9781963185b348956bf83d409108

SHA512
6ee8beb7de44cf7d4071b23e5938cf606ca8389f2895b1cf1744ab5ccf2609d2de936e31fa0698293f4abfa24b785a20c073f615e4aaf16da6a7bc2dc55c2bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t21404294.exe
Filesize
169KB

MD5
d2faa20e1bb6b98a656529b7fef8b05a

SHA1
2e181634b55be9d3bf9c08c014bd2d9b1902ce9a

SHA256
38bb12040d118889bb8c970620e04ef96496af70614dc4f94e87738f19af704c

SHA512
b0fe5f8dfdd8d994376e61a0454c716d2bb1e5a1238fbfa7e255ca809c0f4e84ff6d8546971e261a1f10de26e0f2bf1321529e1db6e8eef35b75b61899c71dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t21404294.exe
Filesize
169KB

MD5
d2faa20e1bb6b98a656529b7fef8b05a

SHA1
2e181634b55be9d3bf9c08c014bd2d9b1902ce9a

SHA256
38bb12040d118889bb8c970620e04ef96496af70614dc4f94e87738f19af704c

SHA512
b0fe5f8dfdd8d994376e61a0454c716d2bb1e5a1238fbfa7e255ca809c0f4e84ff6d8546971e261a1f10de26e0f2bf1321529e1db6e8eef35b75b61899c71dda

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2384-2343-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2384-2341-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2384-2340-0x000000000A280000-0x000000000A2BC000-memory.dmp

Filesize
240KB

Download
memory/2384-2336-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/3740-195-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-209-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-168-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-169-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-171-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-173-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-175-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-177-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-179-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-181-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-183-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-185-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-187-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-189-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-191-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-166-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/3740-197-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-193-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-199-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-201-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-203-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-205-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-207-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-167-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/3740-211-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-213-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-215-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-217-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-219-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-221-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-223-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-225-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-227-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-229-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/3740-890-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/3740-1785-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/3740-2071-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/3740-165-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/3740-2319-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/3740-162-0x0000000000A50000-0x0000000000AAB000-memory.dmp

Filesize
364KB

Download
memory/3740-163-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/3740-164-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/4952-2339-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/4952-2338-0x00000000057B0000-0x00000000058BA000-memory.dmp

Filesize
1.0MB

Download
memory/4952-2337-0x0000000005CC0000-0x00000000062D8000-memory.dmp

Filesize
6.1MB

Download
memory/4952-2342-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4952-2331-0x0000000000CE0000-0x0000000000D0E000-memory.dmp

Filesize
184KB

Download
memory/4952-2344-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download