redline | 43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe
Size

1.5MB
MD5

f9e9e0efae390ecf48e3980ca94b41e7
SHA1

c6af8bffebb5c94f169784aed57300dc67db968a
SHA256

43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5
SHA512

f88c77c9cd4b287c117b3648f00dc987ed1c3ae26288e28d20cbfae9ed8f5ae46c873bafcd5bbcf5cf543a180ac9b41062fa003e170660e77a1f22bd2cef5654
SSDEEP

24576:byb2z9EVumHtQUbH4BGprCUA/dEIYVgfgrDRpfeUxPaQfAMm2axscm:OSzmsYtNH4B6NA/qrVlXDeUoam2aKc

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2472-169-0x000000000A960000-0x000000000AF78000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1084	i16211201.exe
5108	i12579111.exe
3076	i69285244.exe
4352	i35673389.exe
2472	a70740375.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i16211201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i69285244.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i35673389.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i16211201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i12579111.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i69285244.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i35673389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i12579111.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 1084	4396	43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe	82
PID 4396 wrote to memory of 1084	4396	43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe	82
PID 4396 wrote to memory of 1084	4396	43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe	82
PID 1084 wrote to memory of 5108	1084	i16211201.exe	84
PID 1084 wrote to memory of 5108	1084	i16211201.exe	84
PID 1084 wrote to memory of 5108	1084	i16211201.exe	84
PID 5108 wrote to memory of 3076	5108	i12579111.exe	85
PID 5108 wrote to memory of 3076	5108	i12579111.exe	85
PID 5108 wrote to memory of 3076	5108	i12579111.exe	85
PID 3076 wrote to memory of 4352	3076	i69285244.exe	87
PID 3076 wrote to memory of 4352	3076	i69285244.exe	87
PID 3076 wrote to memory of 4352	3076	i69285244.exe	87
PID 4352 wrote to memory of 2472	4352	i35673389.exe	88
PID 4352 wrote to memory of 2472	4352	i35673389.exe	88
PID 4352 wrote to memory of 2472	4352	i35673389.exe	88

C:\Users\Admin\AppData\Local\Temp\43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe
"C:\Users\Admin\AppData\Local\Temp\43db7c06acc329420532c78a9af5a051bdfd2ef17cf937aeb683f5caa441b8d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16211201.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16211201.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12579111.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12579111.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i69285244.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i69285244.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i35673389.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i35673389.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70740375.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70740375.exe
        6⤵
        Executes dropped EXE
        
        PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16211201.exe

Filesize
1.3MB

MD5
11c9d7b8dfa4272ed181076b56a62f2b

SHA1
e686c917513bf18d2defa3e7884c6236e526b19b

SHA256
4723a365351997d6ec10a497d2653a296b0c63c06eaaea7c949c6cf9861168eb

SHA512
c09f46e4393413c1e7e5c22e4ec7fa4881d01c430138d865aa2dbfb3f40810b07f4d2f9aa492dd05d1e03c5ecbf7356cc9bb1233d5ba0d511780476117d632a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16211201.exe

Filesize
1.3MB

MD5
11c9d7b8dfa4272ed181076b56a62f2b

SHA1
e686c917513bf18d2defa3e7884c6236e526b19b

SHA256
4723a365351997d6ec10a497d2653a296b0c63c06eaaea7c949c6cf9861168eb

SHA512
c09f46e4393413c1e7e5c22e4ec7fa4881d01c430138d865aa2dbfb3f40810b07f4d2f9aa492dd05d1e03c5ecbf7356cc9bb1233d5ba0d511780476117d632a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12579111.exe

Filesize
1.0MB

MD5
c1f99c245a18055d0c3f13060b267988

SHA1
d76544e33b370df7316b75911353545983be9b11

SHA256
5c352199a43a8503de7dcea9c7fc646d192f00677a6fdc42461a1b7af5161516

SHA512
0edf175a3cc0de6d55cdb1f4fb76ddfcbd71c6dc2ec6ed72503ab68fee09c870b27402bfe939255a2aacdcd36fca53567904f9f6a69a4aa34e0f8aea7acfe67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i12579111.exe

Filesize
1.0MB

MD5
c1f99c245a18055d0c3f13060b267988

SHA1
d76544e33b370df7316b75911353545983be9b11

SHA256
5c352199a43a8503de7dcea9c7fc646d192f00677a6fdc42461a1b7af5161516

SHA512
0edf175a3cc0de6d55cdb1f4fb76ddfcbd71c6dc2ec6ed72503ab68fee09c870b27402bfe939255a2aacdcd36fca53567904f9f6a69a4aa34e0f8aea7acfe67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i69285244.exe

Filesize
852KB

MD5
04f21543c622045576931953fd6edfb1

SHA1
adf4c0437119241e324832e2915303b771c496a5

SHA256
e6c0c885ba8e1a3050df3eca3ea0d02bd669afddc514f4bf1a5cc743ad1b6eee

SHA512
8d375d0799a8778a482f65d3609eedfc6e779b69042540b012106b26311b55caac170c4842059803580b14b7930b880fa46dd5eb6150c96494e4cf60a95098ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i69285244.exe

Filesize
852KB

MD5
04f21543c622045576931953fd6edfb1

SHA1
adf4c0437119241e324832e2915303b771c496a5

SHA256
e6c0c885ba8e1a3050df3eca3ea0d02bd669afddc514f4bf1a5cc743ad1b6eee

SHA512
8d375d0799a8778a482f65d3609eedfc6e779b69042540b012106b26311b55caac170c4842059803580b14b7930b880fa46dd5eb6150c96494e4cf60a95098ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i35673389.exe

Filesize
375KB

MD5
750e565546a889e6b20856a45f509923

SHA1
c4bee24d830e3f3757d6f24700aaad9198f133e4

SHA256
99195bc5476ad8c429665a717f7ef29b468fb1f901582841f5b3604515d08941

SHA512
75c3f2ba95e41bf01195ea7889c084948b75883c048e7e907546cc6f038fb3f89019d296c53871424a648d1b0fdf6c2e97cd81a802d5ec27b38fc789e7e644d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i35673389.exe

Filesize
375KB

MD5
750e565546a889e6b20856a45f509923

SHA1
c4bee24d830e3f3757d6f24700aaad9198f133e4

SHA256
99195bc5476ad8c429665a717f7ef29b468fb1f901582841f5b3604515d08941

SHA512
75c3f2ba95e41bf01195ea7889c084948b75883c048e7e907546cc6f038fb3f89019d296c53871424a648d1b0fdf6c2e97cd81a802d5ec27b38fc789e7e644d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70740375.exe

Filesize
169KB

MD5
22ce9876f9b2c4792b6b5e569d59c106

SHA1
d65e34eb46a1b32c5c0bc2c3d47df76e7c2e8115

SHA256
0f74a5ffab47312e13a6e8d7007c561ab9163501a019ed17ea03665f8abff411

SHA512
3e934e93ece97ce011e327c1d09ec12563008435504e5b21078529eccd8cbcedf05b8080c897e4c38011216085263a9ee1087b23fb63574fe5e46e9be0cb52c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a70740375.exe

Filesize
169KB

MD5
22ce9876f9b2c4792b6b5e569d59c106

SHA1
d65e34eb46a1b32c5c0bc2c3d47df76e7c2e8115

SHA256
0f74a5ffab47312e13a6e8d7007c561ab9163501a019ed17ea03665f8abff411

SHA512
3e934e93ece97ce011e327c1d09ec12563008435504e5b21078529eccd8cbcedf05b8080c897e4c38011216085263a9ee1087b23fb63574fe5e46e9be0cb52c3

Download Submit
memory/2472-168-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/2472-169-0x000000000A960000-0x000000000AF78000-memory.dmp

Filesize
6.1MB

Download
memory/2472-170-0x000000000A480000-0x000000000A58A000-memory.dmp

Filesize
1.0MB

Download
memory/2472-171-0x000000000A3B0000-0x000000000A3C2000-memory.dmp

Filesize
72KB

Download
memory/2472-172-0x000000000A410000-0x000000000A44C000-memory.dmp

Filesize
240KB

Download
memory/2472-173-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2472-174-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download