redline | d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13

Analysis

max time kernel
216s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
Size

1.5MB
MD5

5c620c62467a6304f5dd664638b8889f
SHA1

53d2ffa57a32c66a61486822f687c3ebd6ed059b
SHA256

d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13
SHA512

e70b87acf137a1dfbcdfaa4c8a8e939bbd6d876926fb353bac36bfe4515b8571aae3f618a30d545695d088f570cae65b6d21087dc298f18dd97795623f9be7e4
SSDEEP

24576:hyBmWNfcH32aTXhNSPoa8wWiWzcgTa5yNWfG+IgnH3A4XRphjTeFZ/0hSM4KRxi/:UcpHm+RNSAhIfH5yd01pjmZ/grWBJI

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1436-169-0x000000000AFC0000-0x000000000B5D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3728	i96809559.exe
232	i42105692.exe
1788	i05984276.exe
2908	i58353799.exe
1436	a48361062.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i96809559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i42105692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i58353799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i96809559.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i42105692.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i05984276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i05984276.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i58353799.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3728	2016	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	82
PID 2016 wrote to memory of 3728	2016	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	82
PID 2016 wrote to memory of 3728	2016	d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe	82
PID 3728 wrote to memory of 232	3728	i96809559.exe	84
PID 3728 wrote to memory of 232	3728	i96809559.exe	84
PID 3728 wrote to memory of 232	3728	i96809559.exe	84
PID 232 wrote to memory of 1788	232	i42105692.exe	85
PID 232 wrote to memory of 1788	232	i42105692.exe	85
PID 232 wrote to memory of 1788	232	i42105692.exe	85
PID 1788 wrote to memory of 2908	1788	i05984276.exe	87
PID 1788 wrote to memory of 2908	1788	i05984276.exe	87
PID 1788 wrote to memory of 2908	1788	i05984276.exe	87
PID 2908 wrote to memory of 1436	2908	i58353799.exe	88
PID 2908 wrote to memory of 1436	2908	i58353799.exe	88
PID 2908 wrote to memory of 1436	2908	i58353799.exe	88

C:\Users\Admin\AppData\Local\Temp\d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe
"C:\Users\Admin\AppData\Local\Temp\d14d30d1ddb021a776ac0126a9cad8b3897add20d6f1966d6cb1d5b227e97d13.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe
        6⤵
        Executes dropped EXE
        
        PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe

Filesize
1.3MB

MD5
985fb5b69ff33598c2c2735bf5911275

SHA1
47090d679fef5a73a54aeefc15f13d33ec678303

SHA256
5939146376c798008175b8cefcf3cd5b5fd685737cb0be03204707df0864f552

SHA512
29d46491dc008d3000381f5bfb8c24896ff07339e9a39c7a8b07323fd09381d14210c940b2eba0e29dc5a55370baad3a5301f0b76116b3f1d0d5c4117b68c517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i96809559.exe

Filesize
1.3MB

MD5
985fb5b69ff33598c2c2735bf5911275

SHA1
47090d679fef5a73a54aeefc15f13d33ec678303

SHA256
5939146376c798008175b8cefcf3cd5b5fd685737cb0be03204707df0864f552

SHA512
29d46491dc008d3000381f5bfb8c24896ff07339e9a39c7a8b07323fd09381d14210c940b2eba0e29dc5a55370baad3a5301f0b76116b3f1d0d5c4117b68c517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe

Filesize
1016KB

MD5
d724ef134a9c1189802735921fdf45cb

SHA1
ab94cf6efc5787df7e182daa6c7c60bdd81f3fe0

SHA256
0e572a49d570c48d51d92e8f52e00180abae2abb6223b9c93e752dafa226465d

SHA512
849f86ff9d3aebf94e23555cdcae49fdca85d04c4b5ad719dff52be2db24b4027a19bb7f29bc9aae64c81d8532eacd7647e2a14aa69ed722c5d9e347d699fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i42105692.exe

Filesize
1016KB

MD5
d724ef134a9c1189802735921fdf45cb

SHA1
ab94cf6efc5787df7e182daa6c7c60bdd81f3fe0

SHA256
0e572a49d570c48d51d92e8f52e00180abae2abb6223b9c93e752dafa226465d

SHA512
849f86ff9d3aebf94e23555cdcae49fdca85d04c4b5ad719dff52be2db24b4027a19bb7f29bc9aae64c81d8532eacd7647e2a14aa69ed722c5d9e347d699fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe

Filesize
844KB

MD5
577de30e99be4ddb5748ca636aca515e

SHA1
d3a96dc92d4d7baaa05460e1f13c730891a877ca

SHA256
a0880e7934fc112b4cbb47cab668ad981b17ffc7eaa33d50df644ddd2845d788

SHA512
2c3eed52d998dd3de867be696150b2f14f19ba4f558387bef80158ff553d916eac5394944c35c67d3d56c38529ac3955da17ddecf4c06650942323b6c98d743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i05984276.exe

Filesize
844KB

MD5
577de30e99be4ddb5748ca636aca515e

SHA1
d3a96dc92d4d7baaa05460e1f13c730891a877ca

SHA256
a0880e7934fc112b4cbb47cab668ad981b17ffc7eaa33d50df644ddd2845d788

SHA512
2c3eed52d998dd3de867be696150b2f14f19ba4f558387bef80158ff553d916eac5394944c35c67d3d56c38529ac3955da17ddecf4c06650942323b6c98d743c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe

Filesize
371KB

MD5
af778505fdf3f57b1e175cdd666a3407

SHA1
272cdab781b2e8314bb12616922fb91642676fc7

SHA256
b517a1974c7635fc86ed495369fae4f756ef3ff66b8c35abff7e7f2fb4ab4814

SHA512
7bfabfb2724ef66d1f0488fc86449fcb0f95da5d3a72f12e0adc3b83c19770d6bc1a5bdee0461e7dce840a37d33b0c3ffaf31718a2136dc761053bad04af82c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58353799.exe

Filesize
371KB

MD5
af778505fdf3f57b1e175cdd666a3407

SHA1
272cdab781b2e8314bb12616922fb91642676fc7

SHA256
b517a1974c7635fc86ed495369fae4f756ef3ff66b8c35abff7e7f2fb4ab4814

SHA512
7bfabfb2724ef66d1f0488fc86449fcb0f95da5d3a72f12e0adc3b83c19770d6bc1a5bdee0461e7dce840a37d33b0c3ffaf31718a2136dc761053bad04af82c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe

Filesize
169KB

MD5
9bcf4e9bf47465f95d7d4d159a9b0930

SHA1
c30290d90c3f34fa64dad7d58c2f2e442bb159cf

SHA256
065016cf37d5c8135b796cbe33240f500dd4a47fbe2e2556dbad19c7a0cd05be

SHA512
c48c1d24c0f4bbaa848038303e0cd086241e1d42d685e0ddc2e9f389fd2962c6355177202ce9fea9af599dab132138f923331209bd44b75a1ebe6751157333da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48361062.exe

Filesize
169KB

MD5
9bcf4e9bf47465f95d7d4d159a9b0930

SHA1
c30290d90c3f34fa64dad7d58c2f2e442bb159cf

SHA256
065016cf37d5c8135b796cbe33240f500dd4a47fbe2e2556dbad19c7a0cd05be

SHA512
c48c1d24c0f4bbaa848038303e0cd086241e1d42d685e0ddc2e9f389fd2962c6355177202ce9fea9af599dab132138f923331209bd44b75a1ebe6751157333da

Download Submit
memory/1436-168-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/1436-169-0x000000000AFC0000-0x000000000B5D8000-memory.dmp

Filesize
6.1MB

Download
memory/1436-170-0x000000000AAB0000-0x000000000ABBA000-memory.dmp

Filesize
1.0MB

Download
memory/1436-171-0x000000000A9A0000-0x000000000A9B2000-memory.dmp

Filesize
72KB

Download
memory/1436-172-0x000000000A9C0000-0x000000000A9FC000-memory.dmp

Filesize
240KB

Download
memory/1436-173-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/1436-174-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download