redline | e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb

Analysis

max time kernel
157s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe
Size

1.5MB
MD5

924a443b45f37857dac34f1056951816
SHA1

f55da1aaa0b4e6ea8e60a1fcf6393bbbf019c2eb
SHA256

e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb
SHA512

45e9b3d3e263e90358e980520dcbb201e30ab2bff221ff89416d831ce001f847922ce5535e72c8dd0a73d393102a7e8a37c2026c3182fa235855814ed4ddef33
SSDEEP

24576:qytVTzzv/HVeEwJWmiWS180apXmZLUOhiSE/fAypdB3kFE+iQq/SGFeVuxI:xrvzvmbFp2ZLUyan1pdFZQq/SGFeVu

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4320-169-0x000000000AD90000-0x000000000B3A8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4248	i99368495.exe
1272	i75310627.exe
4628	i93053318.exe
4784	i14877730.exe
4320	a94896790.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i14877730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i14877730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i93053318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i99368495.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i75310627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i75310627.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93053318.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i99368495.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4248	4332	e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe	83
PID 4332 wrote to memory of 4248	4332	e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe	83
PID 4332 wrote to memory of 4248	4332	e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe	83
PID 4248 wrote to memory of 1272	4248	i99368495.exe	84
PID 4248 wrote to memory of 1272	4248	i99368495.exe	84
PID 4248 wrote to memory of 1272	4248	i99368495.exe	84
PID 1272 wrote to memory of 4628	1272	i75310627.exe	85
PID 1272 wrote to memory of 4628	1272	i75310627.exe	85
PID 1272 wrote to memory of 4628	1272	i75310627.exe	85
PID 4628 wrote to memory of 4784	4628	i93053318.exe	86
PID 4628 wrote to memory of 4784	4628	i93053318.exe	86
PID 4628 wrote to memory of 4784	4628	i93053318.exe	86
PID 4784 wrote to memory of 4320	4784	i14877730.exe	87
PID 4784 wrote to memory of 4320	4784	i14877730.exe	87
PID 4784 wrote to memory of 4320	4784	i14877730.exe	87

C:\Users\Admin\AppData\Local\Temp\e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe
"C:\Users\Admin\AppData\Local\Temp\e320703110bd60543200fb196309fa7611a6edbbd5c6483236498c04057306eb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99368495.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99368495.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75310627.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75310627.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93053318.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93053318.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i14877730.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i14877730.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94896790.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94896790.exe
        6⤵
        Executes dropped EXE
        
        PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99368495.exe

Filesize
1.3MB

MD5
6c8c7e1794cada406a803cfeaf380e85

SHA1
39fb188dc2ea6196a9a684591d283b4bbe3f933b

SHA256
00f2e4fa7645b65b97c3c09ddb40e6f1df2da6b6b7263ee9db6c123ada67dc53

SHA512
f1a2e6dcf65d17a9ec57ba5d82b265426aa4357ad5521f9d424f46199fd4117aa55786dc3481c28acb7fcc19a95702e0d5179cecacba35ccef50d82e1c898a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99368495.exe

Filesize
1.3MB

MD5
6c8c7e1794cada406a803cfeaf380e85

SHA1
39fb188dc2ea6196a9a684591d283b4bbe3f933b

SHA256
00f2e4fa7645b65b97c3c09ddb40e6f1df2da6b6b7263ee9db6c123ada67dc53

SHA512
f1a2e6dcf65d17a9ec57ba5d82b265426aa4357ad5521f9d424f46199fd4117aa55786dc3481c28acb7fcc19a95702e0d5179cecacba35ccef50d82e1c898a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75310627.exe

Filesize
1015KB

MD5
498ed43d955ccbadf1b080f13398a801

SHA1
c56b640e243380525f33cd4aa6517fa0567e8050

SHA256
af92381e52921dd59fcbd1845162203aa7d24d1adb0c1a862df92c644ed70d5e

SHA512
92f25be303b3623be670150c71874d0a51bc83039183dc4650b8cb98573e932598dcfe2247f5ea7b99ecf4090f1c649381b5bbc328b3a234302b43af5f01c87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75310627.exe

Filesize
1015KB

MD5
498ed43d955ccbadf1b080f13398a801

SHA1
c56b640e243380525f33cd4aa6517fa0567e8050

SHA256
af92381e52921dd59fcbd1845162203aa7d24d1adb0c1a862df92c644ed70d5e

SHA512
92f25be303b3623be670150c71874d0a51bc83039183dc4650b8cb98573e932598dcfe2247f5ea7b99ecf4090f1c649381b5bbc328b3a234302b43af5f01c87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93053318.exe

Filesize
843KB

MD5
423bff3beca44b5da89f052fce3851cc

SHA1
d34d7fb0abc6d66d961fc6128d982a7eec693332

SHA256
bd321d94b1ef4fb3ced9d323d9a0ebfa13d8172cd7cb0faeb22e3ed82a4bc5b9

SHA512
611425bc65c56103479d2adcf0488b96487bb6e93b5b657b52aecd0fb0e6cd839fab48d1fca79251961c7dba114ac5324444312a0a6bf683d5a5482f0c32907c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93053318.exe

Filesize
843KB

MD5
423bff3beca44b5da89f052fce3851cc

SHA1
d34d7fb0abc6d66d961fc6128d982a7eec693332

SHA256
bd321d94b1ef4fb3ced9d323d9a0ebfa13d8172cd7cb0faeb22e3ed82a4bc5b9

SHA512
611425bc65c56103479d2adcf0488b96487bb6e93b5b657b52aecd0fb0e6cd839fab48d1fca79251961c7dba114ac5324444312a0a6bf683d5a5482f0c32907c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i14877730.exe

Filesize
371KB

MD5
2f8d694329d848a4fd217e08a013fb31

SHA1
b130255327465ee99c5a5110c1c04756cf7f3b8a

SHA256
37202597325e353833a7b4c225b8228797703f8721f88999aa490a56f37a8526

SHA512
c63caacd76503a50ad08fe3bc8df8a79cb6242decc4711f9ec62c87b49f9609f758f9b919192fd75419a18075b10e857ee35c8da79e3e972c1022a77d9027e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i14877730.exe

Filesize
371KB

MD5
2f8d694329d848a4fd217e08a013fb31

SHA1
b130255327465ee99c5a5110c1c04756cf7f3b8a

SHA256
37202597325e353833a7b4c225b8228797703f8721f88999aa490a56f37a8526

SHA512
c63caacd76503a50ad08fe3bc8df8a79cb6242decc4711f9ec62c87b49f9609f758f9b919192fd75419a18075b10e857ee35c8da79e3e972c1022a77d9027e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94896790.exe

Filesize
169KB

MD5
169549c977777cc55ce335e92d1d6d02

SHA1
2f5e83db6dafdcf5766a705918b9eae2d06d179c

SHA256
52f17fd42ea6677e4e377062fcd584a09441763d326a1a20457ab6572440018c

SHA512
150add524883c4b81e40fb2a3728487d369c4a42d96bab8daebd286d9bf2aae93fc51c6c3d5b2cd92fffdc5780db327ff8cb84bf944a93e6d007e1b50ee7e9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94896790.exe

Filesize
169KB

MD5
169549c977777cc55ce335e92d1d6d02

SHA1
2f5e83db6dafdcf5766a705918b9eae2d06d179c

SHA256
52f17fd42ea6677e4e377062fcd584a09441763d326a1a20457ab6572440018c

SHA512
150add524883c4b81e40fb2a3728487d369c4a42d96bab8daebd286d9bf2aae93fc51c6c3d5b2cd92fffdc5780db327ff8cb84bf944a93e6d007e1b50ee7e9f0

Download Submit
memory/4320-168-0x0000000000990000-0x00000000009C0000-memory.dmp

Filesize
192KB

Download
memory/4320-169-0x000000000AD90000-0x000000000B3A8000-memory.dmp

Filesize
6.1MB

Download
memory/4320-170-0x000000000A910000-0x000000000AA1A000-memory.dmp

Filesize
1.0MB

Download
memory/4320-171-0x000000000A840000-0x000000000A852000-memory.dmp

Filesize
72KB

Download
memory/4320-172-0x000000000A8A0000-0x000000000A8DC000-memory.dmp

Filesize
240KB

Download
memory/4320-173-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4320-174-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download