redline | df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485

Analysis

max time kernel
158s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe
Size

1.2MB
MD5

3010ca9de768f5836a2eb9586b2b109b
SHA1

12dd5558b5f12b4cda44382093575320481ccace
SHA256

df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485
SHA512

3500a892f3e882365de55eeeb5e48b0fd9b1de009fb9085592abfb209487302e71a1eed85b4cfc8be7e3026a5c93686d88e105db39a373ef7e5fb3acaaf5cb75
SSDEEP

24576:Ky/pKj7H29pYGL09agDjmukGsIyXraYjegac5UF63ZhU+DjFSLhWYX9:RxSb23vL0sgDaukXlXzKgaIeomiELJ

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4944-2333-0x00000000058F0000-0x0000000005F08000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s40965289.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s40965289.exe

Executes dropped EXE 6 IoCs

Processes:

z03514100.exez82288623.exez50523956.exes40965289.exe1.exet37896633.exe

pid process

416 z03514100.exe
884 z82288623.exe
4412 z50523956.exe
864 s40965289.exe
4944 1.exe
4560 t37896633.exe

pid	process
416	z03514100.exe
884	z82288623.exe
4412	z50523956.exe
864	s40965289.exe
4944	1.exe
4560	t37896633.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exez03514100.exez82288623.exez50523956.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z03514100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z03514100.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z82288623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z82288623.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z50523956.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z50523956.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s40965289.exe

description pid process

Token: SeDebugPrivilege 864 s40965289.exe

description	pid	process
Token: SeDebugPrivilege	864	s40965289.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exez03514100.exez82288623.exez50523956.exes40965289.exe

description	pid	process	target process
PID 4152 wrote to memory of 416	4152	df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe	z03514100.exe
PID 4152 wrote to memory of 416	4152	df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe	z03514100.exe
PID 4152 wrote to memory of 416	4152	df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe	z03514100.exe
PID 416 wrote to memory of 884	416	z03514100.exe	z82288623.exe
PID 416 wrote to memory of 884	416	z03514100.exe	z82288623.exe
PID 416 wrote to memory of 884	416	z03514100.exe	z82288623.exe
PID 884 wrote to memory of 4412	884	z82288623.exe	z50523956.exe
PID 884 wrote to memory of 4412	884	z82288623.exe	z50523956.exe
PID 884 wrote to memory of 4412	884	z82288623.exe	z50523956.exe
PID 4412 wrote to memory of 864	4412	z50523956.exe	s40965289.exe
PID 4412 wrote to memory of 864	4412	z50523956.exe	s40965289.exe
PID 4412 wrote to memory of 864	4412	z50523956.exe	s40965289.exe
PID 864 wrote to memory of 4944	864	s40965289.exe	1.exe
PID 864 wrote to memory of 4944	864	s40965289.exe	1.exe
PID 864 wrote to memory of 4944	864	s40965289.exe	1.exe
PID 4412 wrote to memory of 4560	4412	z50523956.exe	t37896633.exe
PID 4412 wrote to memory of 4560	4412	z50523956.exe	t37896633.exe
PID 4412 wrote to memory of 4560	4412	z50523956.exe	t37896633.exe

C:\Users\Admin\AppData\Local\Temp\df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe
"C:\Users\Admin\AppData\Local\Temp\df76967ec96643733c871a6b3df8a7d9f8b185ebdfc4162c1114c382d3ccd485.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z03514100.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z03514100.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z82288623.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z82288623.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50523956.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50523956.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40965289.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40965289.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37896633.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37896633.exe
5⤵
- Executes dropped EXE
PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z03514100.exe
Filesize
1.0MB

MD5
fed204f2a7697ed58c97defd75d10186

SHA1
01ad59c6c02e6c33543ad4d146ce0ad7febecfe0

SHA256
f746277166ae96d1702bfc29049f932cb2b4058cb85cd5affa6f40b83e801390

SHA512
53bbd8667da68a814ea6cedf88b5dc1c2b556fbd3b396a33788ff9da619ddb869090401f5b8b115a5b307133860c9687e1cdbdb4a8f92a55bf374b4b63be694d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z03514100.exe
Filesize
1.0MB

MD5
fed204f2a7697ed58c97defd75d10186

SHA1
01ad59c6c02e6c33543ad4d146ce0ad7febecfe0

SHA256
f746277166ae96d1702bfc29049f932cb2b4058cb85cd5affa6f40b83e801390

SHA512
53bbd8667da68a814ea6cedf88b5dc1c2b556fbd3b396a33788ff9da619ddb869090401f5b8b115a5b307133860c9687e1cdbdb4a8f92a55bf374b4b63be694d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z82288623.exe
Filesize
764KB

MD5
acc01ebbcc9fb232c440650a4ef2a929

SHA1
15f6222d7c6b66ad00fe1129afbe3dc29c94c425

SHA256
1ba91cde97ed36b3843528986e9adef0f309fdb103b7e6713e8ad7136ea01666

SHA512
76de74b45ac4904289caf096402adbdcdab266eaaf62b2e28fa2b499c180bf663e271ef1f713baa9cf2c89e7c528510ef56000f19694330bcacadcb6c2a30e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z82288623.exe
Filesize
764KB

MD5
acc01ebbcc9fb232c440650a4ef2a929

SHA1
15f6222d7c6b66ad00fe1129afbe3dc29c94c425

SHA256
1ba91cde97ed36b3843528986e9adef0f309fdb103b7e6713e8ad7136ea01666

SHA512
76de74b45ac4904289caf096402adbdcdab266eaaf62b2e28fa2b499c180bf663e271ef1f713baa9cf2c89e7c528510ef56000f19694330bcacadcb6c2a30e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50523956.exe
Filesize
582KB

MD5
84f9b3931c6b43e7d41ed4cb09cd049e

SHA1
8523cb74a59e02c2086de260639b05ff3b13816f

SHA256
180e8f07bea552e49739b6f0945af5f7730823497e02f9415960e0deaf0fdad9

SHA512
c19fdec79ad7d15fb0ee0cd978a6170069aa20a9fe02602e865a64ee932764e4eb5d452555eabaa9a1aec4af24d642af54199f2bcc89c0363a4b273e7f41b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50523956.exe
Filesize
582KB

MD5
84f9b3931c6b43e7d41ed4cb09cd049e

SHA1
8523cb74a59e02c2086de260639b05ff3b13816f

SHA256
180e8f07bea552e49739b6f0945af5f7730823497e02f9415960e0deaf0fdad9

SHA512
c19fdec79ad7d15fb0ee0cd978a6170069aa20a9fe02602e865a64ee932764e4eb5d452555eabaa9a1aec4af24d642af54199f2bcc89c0363a4b273e7f41b9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40965289.exe
Filesize
582KB

MD5
e14929bd6db0776e948bcda21719b058

SHA1
fd12bcdc8033f7a01e30e1bb9864367ff9257d6c

SHA256
e437687fba90a99e5213c7414342750a6d8aeebea79dc5fdaa21c1a4d40429ec

SHA512
e50ef93fb4129c62ac23c3ebfcfcead154108234d274316415f90ef801f24ad160c648fe12e90908c2e313903f285ddd6bf097c4c24cd65d2a55024d457fd6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s40965289.exe
Filesize
582KB

MD5
e14929bd6db0776e948bcda21719b058

SHA1
fd12bcdc8033f7a01e30e1bb9864367ff9257d6c

SHA256
e437687fba90a99e5213c7414342750a6d8aeebea79dc5fdaa21c1a4d40429ec

SHA512
e50ef93fb4129c62ac23c3ebfcfcead154108234d274316415f90ef801f24ad160c648fe12e90908c2e313903f285ddd6bf097c4c24cd65d2a55024d457fd6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37896633.exe
Filesize
169KB

MD5
bc28e08c6a822d7b5da42e24ba80b5be

SHA1
262c39a488959e8bca5f60ff4fc4d57ba56c65d5

SHA256
ffb694849ad56f4ca589f0446be39abd0c7278addde5fa6210f53b865345d6b8

SHA512
3cd8057f6c1810bb93d992fc3b652d3071b0ec59c0fc07f77d75cc1bdccdc0b5c703b534ed1efd4791a5c8903f7da7a83e1b12573ca9edd771b151dfb463ead6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37896633.exe
Filesize
169KB

MD5
bc28e08c6a822d7b5da42e24ba80b5be

SHA1
262c39a488959e8bca5f60ff4fc4d57ba56c65d5

SHA256
ffb694849ad56f4ca589f0446be39abd0c7278addde5fa6210f53b865345d6b8

SHA512
3cd8057f6c1810bb93d992fc3b652d3071b0ec59c0fc07f77d75cc1bdccdc0b5c703b534ed1efd4791a5c8903f7da7a83e1b12573ca9edd771b151dfb463ead6

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/864-200-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-216-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-170-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-172-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-174-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-176-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-178-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-180-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-182-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-184-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-186-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-188-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-190-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-192-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-194-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-196-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-198-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-167-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-202-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-204-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-206-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-208-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-210-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-212-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-214-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-168-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-218-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-220-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-222-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-224-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-226-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-228-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-230-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/864-166-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/864-2322-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/864-165-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/864-164-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/864-162-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/864-163-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/4560-2332-0x0000000000680000-0x00000000006AE000-memory.dmp

Filesize
184KB

Download
memory/4560-2336-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/4560-2339-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/4944-2328-0x0000000000930000-0x000000000095E000-memory.dmp

Filesize
184KB

Download
memory/4944-2333-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/4944-2334-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/4944-2337-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4944-2335-0x0000000005170000-0x0000000005182000-memory.dmp

Filesize
72KB

Download
memory/4944-2338-0x0000000005310000-0x000000000534C000-memory.dmp

Filesize
240KB

Download
memory/4944-2340-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download