redline | d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65

Analysis

max time kernel
169s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe
Size

1.2MB
MD5

7dc54ba4289f8aabd5cd666fdb4ccf1b
SHA1

3bdcc1de9fc41eceb5466682dea894bc25217686
SHA256

d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65
SHA512

0831bf993bfc5e8fe8afff4193934aebcd392dd53514424a95c95a58105dd8a05cb27109e718dd5d614f5a2beea6f69d1e13a7478530e0b821a7f7869f54d133
SSDEEP

24576:3y0K3nslFQnoQbN+wJIMXSyyEZzK3uhDxj2ANHcl9FSbw86MpfsC:C0KXwQoQbwIhXSszfhBx8lHFYp

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/5064-2338-0x000000000A880000-0x000000000AE98000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s84119517.exe

Executes dropped EXE 6 IoCs

pid	Process
1428	z01991906.exe
452	z25771750.exe
3528	z92181661.exe
4540	s84119517.exe
3756	1.exe
5064	t47123272.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z01991906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z01991906.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z25771750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z25771750.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z92181661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z92181661.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	s84119517.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 1428	3236	d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe	81
PID 3236 wrote to memory of 1428	3236	d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe	81
PID 3236 wrote to memory of 1428	3236	d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe	81
PID 1428 wrote to memory of 452	1428	z01991906.exe	82
PID 1428 wrote to memory of 452	1428	z01991906.exe	82
PID 1428 wrote to memory of 452	1428	z01991906.exe	82
PID 452 wrote to memory of 3528	452	z25771750.exe	83
PID 452 wrote to memory of 3528	452	z25771750.exe	83
PID 452 wrote to memory of 3528	452	z25771750.exe	83
PID 3528 wrote to memory of 4540	3528	z92181661.exe	84
PID 3528 wrote to memory of 4540	3528	z92181661.exe	84
PID 3528 wrote to memory of 4540	3528	z92181661.exe	84
PID 4540 wrote to memory of 3756	4540	s84119517.exe	88
PID 4540 wrote to memory of 3756	4540	s84119517.exe	88
PID 4540 wrote to memory of 3756	4540	s84119517.exe	88
PID 3528 wrote to memory of 5064	3528	z92181661.exe	89
PID 3528 wrote to memory of 5064	3528	z92181661.exe	89
PID 3528 wrote to memory of 5064	3528	z92181661.exe	89

C:\Users\Admin\AppData\Local\Temp\d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe
"C:\Users\Admin\AppData\Local\Temp\d28d00ac49919f88a1f46eb249c899f2145c11b89e06c6db00218576a563fb65.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01991906.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01991906.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25771750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25771750.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92181661.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92181661.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s84119517.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s84119517.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t47123272.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t47123272.exe
        5⤵
        Executes dropped EXE
        
        PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01991906.exe

Filesize
1.0MB

MD5
4aa5071cb7953af1280a4aee909bee8b

SHA1
78a327f132ee69cdd1ccba6db408030bd5055cb3

SHA256
8bd496ece307b856d28c995f551ae1ebaaecb24e9c624c4d49232b8bcaf52bc6

SHA512
96682c24f22e3e698c7daad16d65063d435b712258fb7f1f21c9cbfdca0bdc7807f37fc2599cd4f63920adbe95346cbbfda4eb3afbd4ccdb5c520ebac0c7e59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01991906.exe

Filesize
1.0MB

MD5
4aa5071cb7953af1280a4aee909bee8b

SHA1
78a327f132ee69cdd1ccba6db408030bd5055cb3

SHA256
8bd496ece307b856d28c995f551ae1ebaaecb24e9c624c4d49232b8bcaf52bc6

SHA512
96682c24f22e3e698c7daad16d65063d435b712258fb7f1f21c9cbfdca0bdc7807f37fc2599cd4f63920adbe95346cbbfda4eb3afbd4ccdb5c520ebac0c7e59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25771750.exe

Filesize
764KB

MD5
2ceb786e59a0ab52b332ca5a7998848e

SHA1
0e01f31ccbd1d3f34d5a992e813af54329d26128

SHA256
fc2f62bb354d3e94422bb6169ce6e1620c329f56d9933f356a477865f38ac654

SHA512
8585e8e55e5c0573bbdbc5d64298084a9582db6b47e49d0a3b2877d14d64cf3e380e1586a315596fce99f20ad6d0057ad5e896866b42c8a7dc2abeba9709853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25771750.exe

Filesize
764KB

MD5
2ceb786e59a0ab52b332ca5a7998848e

SHA1
0e01f31ccbd1d3f34d5a992e813af54329d26128

SHA256
fc2f62bb354d3e94422bb6169ce6e1620c329f56d9933f356a477865f38ac654

SHA512
8585e8e55e5c0573bbdbc5d64298084a9582db6b47e49d0a3b2877d14d64cf3e380e1586a315596fce99f20ad6d0057ad5e896866b42c8a7dc2abeba9709853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92181661.exe

Filesize
582KB

MD5
3bf30ca03a27c45cda01da2b8c95cb60

SHA1
8cc7f89b887ab3b09cf660f0c1cb2fbda01e30c5

SHA256
8bf76f42c1ee962865cd1d4b340057e1c476e690ae053834c2b850d03115353c

SHA512
a9b78de2b9b6a5d14015c715cb2aeb9eaf6f3257117d9e333b4b83cd99db4abe2f620bac654ce8bd8a8506cd9902776fc5d68fb36ca32583e9a843253be63213

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92181661.exe

Filesize
582KB

MD5
3bf30ca03a27c45cda01da2b8c95cb60

SHA1
8cc7f89b887ab3b09cf660f0c1cb2fbda01e30c5

SHA256
8bf76f42c1ee962865cd1d4b340057e1c476e690ae053834c2b850d03115353c

SHA512
a9b78de2b9b6a5d14015c715cb2aeb9eaf6f3257117d9e333b4b83cd99db4abe2f620bac654ce8bd8a8506cd9902776fc5d68fb36ca32583e9a843253be63213

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s84119517.exe

Filesize
582KB

MD5
d4858f3e987ae74527d0f3f517abec80

SHA1
f7548ba5998ce9d70daa967816b78a5ebf4ef129

SHA256
f3d74d234e78422396115e91baeb83730cf241c6e7cc60f79cf0186b9bf39ea0

SHA512
7d20a218495870daef65f24ef70848de56fcb6e48e310dc87970c237efa171db1c58fd9a7572b8865d13259c661c372078d7ce913d3cfc6d6db06a6d0f800480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s84119517.exe

Filesize
582KB

MD5
d4858f3e987ae74527d0f3f517abec80

SHA1
f7548ba5998ce9d70daa967816b78a5ebf4ef129

SHA256
f3d74d234e78422396115e91baeb83730cf241c6e7cc60f79cf0186b9bf39ea0

SHA512
7d20a218495870daef65f24ef70848de56fcb6e48e310dc87970c237efa171db1c58fd9a7572b8865d13259c661c372078d7ce913d3cfc6d6db06a6d0f800480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t47123272.exe

Filesize
169KB

MD5
7e4f569d0a9b9617de36d08b3feda3fb

SHA1
b53bc5129bf6158568adadb5183e135a0325c60d

SHA256
d050a5be444943bbbc874a1f2e039d8a5c7f65b94dfaff2597798bacafd766e2

SHA512
996b489e685668c297fe087a1fa4f7b8add7ebe16aabffe4de44a5cf29d1fe72e37d138bc2d9f8a519ad7ad1e2e043787283117f188bf9db6dad2306d7098bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t47123272.exe

Filesize
169KB

MD5
7e4f569d0a9b9617de36d08b3feda3fb

SHA1
b53bc5129bf6158568adadb5183e135a0325c60d

SHA256
d050a5be444943bbbc874a1f2e039d8a5c7f65b94dfaff2597798bacafd766e2

SHA512
996b489e685668c297fe087a1fa4f7b8add7ebe16aabffe4de44a5cf29d1fe72e37d138bc2d9f8a519ad7ad1e2e043787283117f188bf9db6dad2306d7098bbb

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/3756-2333-0x00000000006F0000-0x000000000071E000-memory.dmp

Filesize
184KB

Download
memory/3756-2345-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3756-2343-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3756-2340-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/4540-194-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-210-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-171-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-173-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-176-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-178-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-175-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-180-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-179-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-182-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-184-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-186-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-188-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-190-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-192-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-167-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-196-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-198-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-200-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-202-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-204-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-206-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-208-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-169-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-212-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-214-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-216-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-218-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-220-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-222-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-224-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-226-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-228-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-230-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-2314-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-2315-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-2316-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-2319-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4540-162-0x0000000000960000-0x00000000009BB000-memory.dmp

Filesize
364KB

Download
memory/4540-165-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/4540-163-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/4540-164-0x00000000050C0000-0x0000000005120000-memory.dmp

Filesize
384KB

Download
memory/5064-2339-0x000000000A390000-0x000000000A49A000-memory.dmp

Filesize
1.0MB

Download
memory/5064-2341-0x000000000A320000-0x000000000A35C000-memory.dmp

Filesize
240KB

Download
memory/5064-2342-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/5064-2338-0x000000000A880000-0x000000000AE98000-memory.dmp

Filesize
6.1MB

Download
memory/5064-2344-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/5064-2337-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads