redline | 428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70

Analysis

max time kernel
131s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe
Size

1.2MB
MD5

b62cfd993d1009a5da9f05e449f654e8
SHA1

2d5db07ed24a428b1f65ac9e881c1b0612fd72be
SHA256

428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70
SHA512

309b1032e3c56158b914a35727459dca02c7699aed4100b00fe325221ba8c4e4dc6e925e837ead83ca2b062a4993f5667c93e000bfd1418346f270becdd34fe8
SSDEEP

24576:vyI2a/xp9WuZmuxpCX+xXiMCdTgsf7sD5wDk:6Q/xpYuZm+gXvMC/J

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/2040-2330-0x0000000005C40000-0x0000000006258000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s58965204.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s58965204.exe

Executes dropped EXE 6 IoCs

Processes:

z65362558.exez23307532.exez68463315.exes58965204.exe1.exet03806187.exe

pid process

4220 z65362558.exe
1436 z23307532.exe
396 z68463315.exe
1992 s58965204.exe
2040 1.exe
2640 t03806187.exe

pid	process
4220	z65362558.exe
1436	z23307532.exe
396	z68463315.exe
1992	s58965204.exe
2040	1.exe
2640	t03806187.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z23307532.exez68463315.exe428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exez65362558.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z23307532.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z68463315.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z68463315.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z65362558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z65362558.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z23307532.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1232 1992 WerFault.exe s58965204.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s58965204.exe

description pid process

Token: SeDebugPrivilege 1992 s58965204.exe

pid	pid_target	process	target process
1232	1992	WerFault.exe	s58965204.exe

description	pid	process
Token: SeDebugPrivilege	1992	s58965204.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exez65362558.exez23307532.exez68463315.exes58965204.exe

description	pid	process	target process
PID 4232 wrote to memory of 4220	4232	428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe	z65362558.exe
PID 4232 wrote to memory of 4220	4232	428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe	z65362558.exe
PID 4232 wrote to memory of 4220	4232	428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe	z65362558.exe
PID 4220 wrote to memory of 1436	4220	z65362558.exe	z23307532.exe
PID 4220 wrote to memory of 1436	4220	z65362558.exe	z23307532.exe
PID 4220 wrote to memory of 1436	4220	z65362558.exe	z23307532.exe
PID 1436 wrote to memory of 396	1436	z23307532.exe	z68463315.exe
PID 1436 wrote to memory of 396	1436	z23307532.exe	z68463315.exe
PID 1436 wrote to memory of 396	1436	z23307532.exe	z68463315.exe
PID 396 wrote to memory of 1992	396	z68463315.exe	s58965204.exe
PID 396 wrote to memory of 1992	396	z68463315.exe	s58965204.exe
PID 396 wrote to memory of 1992	396	z68463315.exe	s58965204.exe
PID 1992 wrote to memory of 2040	1992	s58965204.exe	1.exe
PID 1992 wrote to memory of 2040	1992	s58965204.exe	1.exe
PID 1992 wrote to memory of 2040	1992	s58965204.exe	1.exe
PID 396 wrote to memory of 2640	396	z68463315.exe	t03806187.exe
PID 396 wrote to memory of 2640	396	z68463315.exe	t03806187.exe
PID 396 wrote to memory of 2640	396	z68463315.exe	t03806187.exe

C:\Users\Admin\AppData\Local\Temp\428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe
"C:\Users\Admin\AppData\Local\Temp\428e747c3a92e00d0dd112ade39d97a6534788b45240db3c9ed66046021a6b70.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65362558.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65362558.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23307532.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23307532.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68463315.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68463315.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s58965204.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s58965204.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:2040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1512
        6⤵
        Program crash
        
        PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t03806187.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t03806187.exe
        5⤵
        Executes dropped EXE
        
        PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1992 -ip 1992
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65362558.exe

Filesize
1.0MB

MD5
285c7f97a12e1cd608ccd9cb88bebc45

SHA1
c508311d86f6395168009d548ec26947c0b8c3b4

SHA256
00876107bf994a91ceabf6a7371c815d8161af3703f0c3219b1874de5b1bbbf9

SHA512
5b9cdafe71bfb0bd5839016e0b6a3b1d48dc352be84488ee0e35b6af187e4b676763a47f0eacdcecbfcace6feae9312e498c52344a4adb048ddf58aa8b354270

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65362558.exe

Filesize
1.0MB

MD5
285c7f97a12e1cd608ccd9cb88bebc45

SHA1
c508311d86f6395168009d548ec26947c0b8c3b4

SHA256
00876107bf994a91ceabf6a7371c815d8161af3703f0c3219b1874de5b1bbbf9

SHA512
5b9cdafe71bfb0bd5839016e0b6a3b1d48dc352be84488ee0e35b6af187e4b676763a47f0eacdcecbfcace6feae9312e498c52344a4adb048ddf58aa8b354270

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23307532.exe

Filesize
760KB

MD5
ac31a7a591ec09036babe85667b7bc57

SHA1
6119d2af6af9ec85ed666d5e306fa371c3cf0e55

SHA256
08742bddc977417e565589e810dcc5e076fbb84736544859133d56a758c1e2ef

SHA512
9af66aae3df057082960d13adc06305015b79f913bfcf401bd286b9d0e4941d40b1c3d66a690fbedf141b340cdc3541366ce10f74d20086cd4f6da24c13cf2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23307532.exe

Filesize
760KB

MD5
ac31a7a591ec09036babe85667b7bc57

SHA1
6119d2af6af9ec85ed666d5e306fa371c3cf0e55

SHA256
08742bddc977417e565589e810dcc5e076fbb84736544859133d56a758c1e2ef

SHA512
9af66aae3df057082960d13adc06305015b79f913bfcf401bd286b9d0e4941d40b1c3d66a690fbedf141b340cdc3541366ce10f74d20086cd4f6da24c13cf2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68463315.exe

Filesize
578KB

MD5
f7a6cb0b9bafabd467605dfcfa8b8fef

SHA1
652377ee9591ce2dab4021822f6a9dd0c87a868d

SHA256
9ba6ec99c1306a11d05f11a9acadddc4acbeeb52be83ff369656071d6cb8d4ab

SHA512
c286a78fcf32db6a275e96dcff8ff94dfb7de03c5b6552446b7a5cf1d022701e15230f868b5ef17c0fecb9ca126f31bfb3377dfd0cfa24719beeedc14a7d4c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68463315.exe

Filesize
578KB

MD5
f7a6cb0b9bafabd467605dfcfa8b8fef

SHA1
652377ee9591ce2dab4021822f6a9dd0c87a868d

SHA256
9ba6ec99c1306a11d05f11a9acadddc4acbeeb52be83ff369656071d6cb8d4ab

SHA512
c286a78fcf32db6a275e96dcff8ff94dfb7de03c5b6552446b7a5cf1d022701e15230f868b5ef17c0fecb9ca126f31bfb3377dfd0cfa24719beeedc14a7d4c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s58965204.exe

Filesize
502KB

MD5
014de496e5245e5c16b52e735303c0d3

SHA1
4d96e66d96a895ec183d8392f46f20c18bc72d71

SHA256
4232a1a849ebf4d6c25665c8c7108d6a9ab2e2c5b723ce6c5b965f08c890f10d

SHA512
cd245f1ae54774e991878e3cc7940abd3a6e6e47ba60508ffac78a3d6213199c29686feff743f054757ce74a81f917ee53d0e736428e2f64f9ab896c900359c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s58965204.exe

Filesize
502KB

MD5
014de496e5245e5c16b52e735303c0d3

SHA1
4d96e66d96a895ec183d8392f46f20c18bc72d71

SHA256
4232a1a849ebf4d6c25665c8c7108d6a9ab2e2c5b723ce6c5b965f08c890f10d

SHA512
cd245f1ae54774e991878e3cc7940abd3a6e6e47ba60508ffac78a3d6213199c29686feff743f054757ce74a81f917ee53d0e736428e2f64f9ab896c900359c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t03806187.exe

Filesize
169KB

MD5
64616ab7c17f29ce4fcb0f4339d2ebf5

SHA1
2481c1bfdbb05eb0c01f409dd2a08dd484d0a7f1

SHA256
51218c170776b7b58965a72b4a6079f87ae24c137f2caa830f83f84108e30144

SHA512
5260093d3e9047581e500c3e8ce3ce4edec97921c7bd07edc5760b132433627197d527395b12126534b86ae37ed4e83e0ee8f226da70310da4183998937e3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t03806187.exe

Filesize
169KB

MD5
64616ab7c17f29ce4fcb0f4339d2ebf5

SHA1
2481c1bfdbb05eb0c01f409dd2a08dd484d0a7f1

SHA256
51218c170776b7b58965a72b4a6079f87ae24c137f2caa830f83f84108e30144

SHA512
5260093d3e9047581e500c3e8ce3ce4edec97921c7bd07edc5760b132433627197d527395b12126534b86ae37ed4e83e0ee8f226da70310da4183998937e3f1c

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1992-204-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-216-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-170-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-172-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-174-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-176-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-178-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-180-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-182-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-184-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-186-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-188-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-190-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-192-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-194-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-196-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-198-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-200-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-202-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-167-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-206-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-208-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-210-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-212-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-214-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-168-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-218-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-220-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-222-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-224-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-226-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-228-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-230-0x0000000004E10000-0x0000000004E70000-memory.dmp

Filesize
384KB

Download
memory/1992-2315-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1992-2314-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1992-2316-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1992-166-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1992-165-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1992-164-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/1992-162-0x0000000000970000-0x00000000009CB000-memory.dmp

Filesize
364KB

Download
memory/1992-163-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/2040-2331-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/2040-2332-0x0000000005650000-0x0000000005662000-memory.dmp

Filesize
72KB

Download
memory/2040-2333-0x00000000056B0000-0x00000000056EC000-memory.dmp

Filesize
240KB

Download
memory/2040-2334-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/2040-2330-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/2040-2329-0x0000000000D00000-0x0000000000D2E000-memory.dmp

Filesize
184KB

Download
memory/2040-2341-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/2640-2339-0x0000000000860000-0x000000000088E000-memory.dmp

Filesize
184KB

Download
memory/2640-2340-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/2640-2342-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download