redline | ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe
Size

1.2MB
MD5

738834f9303df4c0389a0aed898a091c
SHA1

824409db6a45be8a3bcbad5820b246a2b71130c1
SHA256

ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905
SHA512

6e626d8eb9c9e824e0f4379f926c512089acc35a80b2b9132ee45260752834d2152b33273e788244b4d91dc47489ed79fb6ea07c93ebdf1186a574ad6a7e9e14
SSDEEP

24576:kyB+J0sVQ09bihUCswpQkK6fm/nTyAGxgJwWR7kupIvyYUIeuUrT:zYJ0b09PCsFZ/uAGmwWRQuevyXIeuM

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4892-2335-0x0000000005320000-0x0000000005938000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s77913626.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s77913626.exe

Executes dropped EXE 6 IoCs

Processes:

z42584363.exez60915733.exez52109570.exes77913626.exe1.exet52714763.exe

pid process

848 z42584363.exe
1368 z60915733.exe
1772 z52109570.exe
2352 s77913626.exe
4892 1.exe
2168 t52714763.exe

pid	process
848	z42584363.exe
1368	z60915733.exe
1772	z52109570.exe
2352	s77913626.exe
4892	1.exe
2168	t52714763.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z52109570.exeea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exez42584363.exez60915733.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z52109570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z42584363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z42584363.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z60915733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z60915733.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z52109570.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4712 2352 WerFault.exe s77913626.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s77913626.exe

description pid process

Token: SeDebugPrivilege 2352 s77913626.exe

pid	pid_target	process	target process
4712	2352	WerFault.exe	s77913626.exe

description	pid	process
Token: SeDebugPrivilege	2352	s77913626.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exez42584363.exez60915733.exez52109570.exes77913626.exe

description	pid	process	target process
PID 444 wrote to memory of 848	444	ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe	z42584363.exe
PID 444 wrote to memory of 848	444	ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe	z42584363.exe
PID 444 wrote to memory of 848	444	ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe	z42584363.exe
PID 848 wrote to memory of 1368	848	z42584363.exe	z60915733.exe
PID 848 wrote to memory of 1368	848	z42584363.exe	z60915733.exe
PID 848 wrote to memory of 1368	848	z42584363.exe	z60915733.exe
PID 1368 wrote to memory of 1772	1368	z60915733.exe	z52109570.exe
PID 1368 wrote to memory of 1772	1368	z60915733.exe	z52109570.exe
PID 1368 wrote to memory of 1772	1368	z60915733.exe	z52109570.exe
PID 1772 wrote to memory of 2352	1772	z52109570.exe	s77913626.exe
PID 1772 wrote to memory of 2352	1772	z52109570.exe	s77913626.exe
PID 1772 wrote to memory of 2352	1772	z52109570.exe	s77913626.exe
PID 2352 wrote to memory of 4892	2352	s77913626.exe	1.exe
PID 2352 wrote to memory of 4892	2352	s77913626.exe	1.exe
PID 2352 wrote to memory of 4892	2352	s77913626.exe	1.exe
PID 1772 wrote to memory of 2168	1772	z52109570.exe	t52714763.exe
PID 1772 wrote to memory of 2168	1772	z52109570.exe	t52714763.exe
PID 1772 wrote to memory of 2168	1772	z52109570.exe	t52714763.exe

C:\Users\Admin\AppData\Local\Temp\ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe
"C:\Users\Admin\AppData\Local\Temp\ea7e4f34dfe29203c6f0a3e08e4fa01546378f4f7d76394bd9b99f87d94d8905.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z42584363.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z42584363.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z60915733.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z60915733.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52109570.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52109570.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s77913626.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s77913626.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1520
6⤵
- Program crash
PID:4712

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t52714763.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t52714763.exe
5⤵
- Executes dropped EXE
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2352 -ip 2352
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z42584363.exe
Filesize
1.0MB

MD5
5070b51828389a3ae864642c639d2486

SHA1
e134bc409b15c040e718d216f6eb98d79c0c32c1

SHA256
cf7bb15d53d14915173106bb959db9def6b2a47a426a840ce2f6613a12f17ca8

SHA512
2b7dcb72318e91ab3f1add9f7902f12e861c016ff144d08eae51ced8c1468c7249ade2131d3ad34837ff226ec59505dd125d8ffb26ca31fb3350e18a833298b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z42584363.exe
Filesize
1.0MB

MD5
5070b51828389a3ae864642c639d2486

SHA1
e134bc409b15c040e718d216f6eb98d79c0c32c1

SHA256
cf7bb15d53d14915173106bb959db9def6b2a47a426a840ce2f6613a12f17ca8

SHA512
2b7dcb72318e91ab3f1add9f7902f12e861c016ff144d08eae51ced8c1468c7249ade2131d3ad34837ff226ec59505dd125d8ffb26ca31fb3350e18a833298b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z60915733.exe
Filesize
759KB

MD5
cc537fc24253cdd7593ad1c2fad771be

SHA1
5937041f77cf86b5388901168c0f40eb77f065ab

SHA256
5f63c2cceb1ee50332bf609f72dc06a88b88d9efed8eb2a0c809daf96faaed88

SHA512
858e8ce9e90ae0772ba9ef1aabfe4eb71d6007b0946fec379a44072f26c3fde880348d119003db94730ca62ce633eb77561319e8f83a9448bc2d479825e33db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z60915733.exe
Filesize
759KB

MD5
cc537fc24253cdd7593ad1c2fad771be

SHA1
5937041f77cf86b5388901168c0f40eb77f065ab

SHA256
5f63c2cceb1ee50332bf609f72dc06a88b88d9efed8eb2a0c809daf96faaed88

SHA512
858e8ce9e90ae0772ba9ef1aabfe4eb71d6007b0946fec379a44072f26c3fde880348d119003db94730ca62ce633eb77561319e8f83a9448bc2d479825e33db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52109570.exe
Filesize
577KB

MD5
777cd39f14de0fdc12e5d97d963bb07e

SHA1
7edbee6e4b7227b508fcdaabea1c988495920385

SHA256
d98b02e9d2c07a73abe9559874add20bae5827e6ffff9dbab1aa2aacdc5346fa

SHA512
6000f85ce750efad8e973837985be82b79ab8a7687aa4be5b5a89f8fcc2a4be766a9ee0a9df594c97e3cee053728a95abe49d1f41d313b28dd7a8b7d70aee131

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52109570.exe
Filesize
577KB

MD5
777cd39f14de0fdc12e5d97d963bb07e

SHA1
7edbee6e4b7227b508fcdaabea1c988495920385

SHA256
d98b02e9d2c07a73abe9559874add20bae5827e6ffff9dbab1aa2aacdc5346fa

SHA512
6000f85ce750efad8e973837985be82b79ab8a7687aa4be5b5a89f8fcc2a4be766a9ee0a9df594c97e3cee053728a95abe49d1f41d313b28dd7a8b7d70aee131

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s77913626.exe
Filesize
574KB

MD5
fe0609bec688412bc8c20f89c7ec078b

SHA1
5091fff098f4fcb996ebd06753a55d480d9eae0e

SHA256
aafba5eae3d9cc0d61e20fb51b339c10d260b9cdf168c3f1dda29fba423c4ed8

SHA512
8c45f005de478bdcab19db4d444e697cb5d1be44ced9404606d5a73cf8f0056c643a3a9b3f9871cd270cf43d3c10c62bfc3b769b82dcde99c58ad5a7b24b95cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s77913626.exe
Filesize
574KB

MD5
fe0609bec688412bc8c20f89c7ec078b

SHA1
5091fff098f4fcb996ebd06753a55d480d9eae0e

SHA256
aafba5eae3d9cc0d61e20fb51b339c10d260b9cdf168c3f1dda29fba423c4ed8

SHA512
8c45f005de478bdcab19db4d444e697cb5d1be44ced9404606d5a73cf8f0056c643a3a9b3f9871cd270cf43d3c10c62bfc3b769b82dcde99c58ad5a7b24b95cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t52714763.exe
Filesize
169KB

MD5
71efc80df3006fd3875ef4505f4acaf2

SHA1
cd2a475241497d2717c694a83fcdc3465880a6e2

SHA256
f7ac5f4d1f3457e6fe0af4b30f26714587b1a4420c7308eeb8ef881e8d12e3fe

SHA512
75124d477e8eff04b570e9b618cd99321873e0190a8e92b64e3f41fdb6f3e2042c90eb732ccf20a137f3eba25155f567af38787ba93923c28a3def2228922d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t52714763.exe
Filesize
169KB

MD5
71efc80df3006fd3875ef4505f4acaf2

SHA1
cd2a475241497d2717c694a83fcdc3465880a6e2

SHA256
f7ac5f4d1f3457e6fe0af4b30f26714587b1a4420c7308eeb8ef881e8d12e3fe

SHA512
75124d477e8eff04b570e9b618cd99321873e0190a8e92b64e3f41fdb6f3e2042c90eb732ccf20a137f3eba25155f567af38787ba93923c28a3def2228922d36

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2168-2345-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2168-2344-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/2168-2347-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2352-172-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-222-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-176-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-178-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-180-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-182-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-184-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-186-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-188-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-190-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-192-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-194-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-196-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-198-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-200-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-202-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-204-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-206-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-208-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-210-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-212-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-214-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-216-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-220-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-174-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-224-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-226-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-228-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-230-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-2315-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-170-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-168-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-167-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/2352-162-0x0000000000A70000-0x0000000000ACB000-memory.dmp

Filesize
364KB

Download
memory/2352-2328-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-2329-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-2330-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-2332-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-163-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-164-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/2352-165-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2352-166-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/4892-2339-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4892-2338-0x0000000004AA0000-0x0000000004ADC000-memory.dmp

Filesize
240KB

Download
memory/4892-2337-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/4892-2336-0x0000000004E10000-0x0000000004F1A000-memory.dmp

Filesize
1.0MB

Download
memory/4892-2335-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/4892-2346-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4892-2327-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download