redline | f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07

Analysis

max time kernel
139s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe
Size

1.5MB
MD5

d556d923b05c9fe50a9a86a26b4d36db
SHA1

5456936fae7c9fb888339d5cc13da28896ccc9e2
SHA256

f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07
SHA512

2b83e44615069439a61c2c2dcbdc73158cd24e13ef62ba9042fd692332754fbeb2913035aceb2ea6012c7a517ee63a24d2527632f1cb9a9b76e48b26a1e8e8f4
SSDEEP

24576:QyB6iOo566+OYTUgWbQfqP54dJ63uxSn/9GU/P7KmoR/9mVD4QLrUy9:XB6dUYT7q+j6+aVDbgOs+

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2564-169-0x00000000058D0000-0x0000000005EE8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1496	i51098712.exe
5072	i36918316.exe
3024	i66980410.exe
4524	i15307344.exe
2564	a44301919.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i51098712.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i36918316.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i15307344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i15307344.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i51098712.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i36918316.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i66980410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i66980410.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1496	1568	f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe	79
PID 1568 wrote to memory of 1496	1568	f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe	79
PID 1568 wrote to memory of 1496	1568	f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe	79
PID 1496 wrote to memory of 5072	1496	i51098712.exe	80
PID 1496 wrote to memory of 5072	1496	i51098712.exe	80
PID 1496 wrote to memory of 5072	1496	i51098712.exe	80
PID 5072 wrote to memory of 3024	5072	i36918316.exe	81
PID 5072 wrote to memory of 3024	5072	i36918316.exe	81
PID 5072 wrote to memory of 3024	5072	i36918316.exe	81
PID 3024 wrote to memory of 4524	3024	i66980410.exe	82
PID 3024 wrote to memory of 4524	3024	i66980410.exe	82
PID 3024 wrote to memory of 4524	3024	i66980410.exe	82
PID 4524 wrote to memory of 2564	4524	i15307344.exe	83
PID 4524 wrote to memory of 2564	4524	i15307344.exe	83
PID 4524 wrote to memory of 2564	4524	i15307344.exe	83

C:\Users\Admin\AppData\Local\Temp\f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe
"C:\Users\Admin\AppData\Local\Temp\f8d879cd12c608b2e6c7dd91bea7031827636f40502a961a5f3aef9624c49b07.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51098712.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51098712.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36918316.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36918316.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i66980410.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i66980410.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15307344.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15307344.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44301919.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44301919.exe
        6⤵
        Executes dropped EXE
        
        PID:2564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51098712.exe

Filesize
1.3MB

MD5
dc2a6f4acf205324ba8e9a388a3a53ea

SHA1
af227dc476e39b21d320c94f4a2584d4a5412bf8

SHA256
e5bd9834efd41a87b5ed603ce153fb644cf2cc6cab87a2c128f07f647f3e6e1a

SHA512
8bfe1a91a51f56613b9a0b6ef9e05f4c947574d38097dc705f638c9a3a2f072a7b15f3fabc6279d8d702e9e31193a218a5c76f1f207121141213dd9ee0160a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51098712.exe

Filesize
1.3MB

MD5
dc2a6f4acf205324ba8e9a388a3a53ea

SHA1
af227dc476e39b21d320c94f4a2584d4a5412bf8

SHA256
e5bd9834efd41a87b5ed603ce153fb644cf2cc6cab87a2c128f07f647f3e6e1a

SHA512
8bfe1a91a51f56613b9a0b6ef9e05f4c947574d38097dc705f638c9a3a2f072a7b15f3fabc6279d8d702e9e31193a218a5c76f1f207121141213dd9ee0160a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36918316.exe

Filesize
1014KB

MD5
bff4ae0402de244d86f5c957872e9f54

SHA1
2eb9e43a075fa5ee9b2de4417b2a9e2d20292d94

SHA256
3f08d3d36446f9508d17aeb8d9bcbcf5ca0b2ed2b31e6404d21d8091bc299408

SHA512
2b2f45cccce7c33a323f661eedd1ddf3a7ae5b5e9faeef8799974418f1d58dd6e14b8b06f219a54fdecf5a9190339d8f588bca3ea1a7c23c2807a6ab8d695e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36918316.exe

Filesize
1014KB

MD5
bff4ae0402de244d86f5c957872e9f54

SHA1
2eb9e43a075fa5ee9b2de4417b2a9e2d20292d94

SHA256
3f08d3d36446f9508d17aeb8d9bcbcf5ca0b2ed2b31e6404d21d8091bc299408

SHA512
2b2f45cccce7c33a323f661eedd1ddf3a7ae5b5e9faeef8799974418f1d58dd6e14b8b06f219a54fdecf5a9190339d8f588bca3ea1a7c23c2807a6ab8d695e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i66980410.exe

Filesize
843KB

MD5
00078bf7eb0f65b5bcc0b2d07b325755

SHA1
f04aa55cb1c45379d9eafa3f393f5e0ee0cfe71f

SHA256
bc0c97f8dcc11c2468a553b965bcb3e75142abbbadd2ea5fed409dfec96395a8

SHA512
4b6f29d7c9d0aef657b62df2300a283bf4f6cb17b39f7d48feeccae58f86bd3c03fc37decc577d258f183ea87d27cfdf14afc88fde7c3e5c5b1f56ab65a91609

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i66980410.exe

Filesize
843KB

MD5
00078bf7eb0f65b5bcc0b2d07b325755

SHA1
f04aa55cb1c45379d9eafa3f393f5e0ee0cfe71f

SHA256
bc0c97f8dcc11c2468a553b965bcb3e75142abbbadd2ea5fed409dfec96395a8

SHA512
4b6f29d7c9d0aef657b62df2300a283bf4f6cb17b39f7d48feeccae58f86bd3c03fc37decc577d258f183ea87d27cfdf14afc88fde7c3e5c5b1f56ab65a91609

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15307344.exe

Filesize
371KB

MD5
663cc9f0cd4a068014356fca9a5b5e42

SHA1
0a3019ac56a501ca0ce1ea643a626c2eb4a1d268

SHA256
6dd564f93789ca99016d7456ee7f234328384272905bc70b9bb7893044025b17

SHA512
b578f4ab1284bf11db6c05bc60e7eda1c33886751927703f28b847f41eb40f1d5fb72694b4ac27ad834948c5d87f695fcdbd124ffb0b0eda2db685a1fae6be8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15307344.exe

Filesize
371KB

MD5
663cc9f0cd4a068014356fca9a5b5e42

SHA1
0a3019ac56a501ca0ce1ea643a626c2eb4a1d268

SHA256
6dd564f93789ca99016d7456ee7f234328384272905bc70b9bb7893044025b17

SHA512
b578f4ab1284bf11db6c05bc60e7eda1c33886751927703f28b847f41eb40f1d5fb72694b4ac27ad834948c5d87f695fcdbd124ffb0b0eda2db685a1fae6be8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44301919.exe

Filesize
169KB

MD5
d14444c9f7473a822a8404d8c6a715ef

SHA1
ca9c40ddbaf1d6172816bb78be93969abcba3eaf

SHA256
94ff88ac6c3049d801bbb75e37191c0b5737029375035181a7c6a74abc4be095

SHA512
31518176bdfdaf0e91e010d506a4f41fe2c8b001086308cdaa1be64f1eff5d677dbbf663d3387d64dba2fb8850de89c53d7bfac953c642829308a585c4875140

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44301919.exe

Filesize
169KB

MD5
d14444c9f7473a822a8404d8c6a715ef

SHA1
ca9c40ddbaf1d6172816bb78be93969abcba3eaf

SHA256
94ff88ac6c3049d801bbb75e37191c0b5737029375035181a7c6a74abc4be095

SHA512
31518176bdfdaf0e91e010d506a4f41fe2c8b001086308cdaa1be64f1eff5d677dbbf663d3387d64dba2fb8850de89c53d7bfac953c642829308a585c4875140

Download Submit
memory/2564-168-0x0000000000960000-0x0000000000990000-memory.dmp

Filesize
192KB

Download
memory/2564-169-0x00000000058D0000-0x0000000005EE8000-memory.dmp

Filesize
6.1MB

Download
memory/2564-170-0x00000000053C0000-0x00000000054CA000-memory.dmp

Filesize
1.0MB

Download
memory/2564-171-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/2564-172-0x0000000005310000-0x000000000534C000-memory.dmp

Filesize
240KB

Download
memory/2564-173-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/2564-174-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download