redline | 4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe
Size

1.2MB
MD5

9f728dd1b469c8ff1db420672cb83670
SHA1

c18a61fe7fada66f8dae744fcb7f9858e923d0b3
SHA256

4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4
SHA512

e72fc8a86aca199cfb9a559fe85c8322513f62547997d45fbcff3ec9a8e1b4b203d2509fa2205d81d1aedc6852ba790a2d51f5abe4983b351af9b60ed997ab9b
SSDEEP

24576:vyus64UxFNiSiPmliAHNT3uHaA2KuDQSb8K3xo6mm32jIQR/7uI:6VNUhiu0AHNzuH/XuDQSb8onO7R/S

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/824-2328-0x000000000AF80000-0x000000000B598000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s01752819.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s01752819.exe

Executes dropped EXE 6 IoCs

Processes:

z27517666.exez96594660.exez63351656.exes01752819.exe1.exet34210592.exe

pid process

1860 z27517666.exe
1708 z96594660.exe
4016 z63351656.exe
3032 s01752819.exe
824 1.exe
2536 t34210592.exe

pid	process
1860	z27517666.exe
1708	z96594660.exe
4016	z63351656.exe
3032	s01752819.exe
824	1.exe
2536	t34210592.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z63351656.exe4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exez27517666.exez96594660.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z63351656.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z27517666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z27517666.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z96594660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z96594660.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z63351656.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3620 3032 WerFault.exe s01752819.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s01752819.exe

description pid process

Token: SeDebugPrivilege 3032 s01752819.exe

pid	pid_target	process	target process
3620	3032	WerFault.exe	s01752819.exe

description	pid	process
Token: SeDebugPrivilege	3032	s01752819.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exez27517666.exez96594660.exez63351656.exes01752819.exe

description	pid	process	target process
PID 2532 wrote to memory of 1860	2532	4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe	z27517666.exe
PID 2532 wrote to memory of 1860	2532	4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe	z27517666.exe
PID 2532 wrote to memory of 1860	2532	4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe	z27517666.exe
PID 1860 wrote to memory of 1708	1860	z27517666.exe	z96594660.exe
PID 1860 wrote to memory of 1708	1860	z27517666.exe	z96594660.exe
PID 1860 wrote to memory of 1708	1860	z27517666.exe	z96594660.exe
PID 1708 wrote to memory of 4016	1708	z96594660.exe	z63351656.exe
PID 1708 wrote to memory of 4016	1708	z96594660.exe	z63351656.exe
PID 1708 wrote to memory of 4016	1708	z96594660.exe	z63351656.exe
PID 4016 wrote to memory of 3032	4016	z63351656.exe	s01752819.exe
PID 4016 wrote to memory of 3032	4016	z63351656.exe	s01752819.exe
PID 4016 wrote to memory of 3032	4016	z63351656.exe	s01752819.exe
PID 3032 wrote to memory of 824	3032	s01752819.exe	1.exe
PID 3032 wrote to memory of 824	3032	s01752819.exe	1.exe
PID 3032 wrote to memory of 824	3032	s01752819.exe	1.exe
PID 4016 wrote to memory of 2536	4016	z63351656.exe	t34210592.exe
PID 4016 wrote to memory of 2536	4016	z63351656.exe	t34210592.exe
PID 4016 wrote to memory of 2536	4016	z63351656.exe	t34210592.exe

C:\Users\Admin\AppData\Local\Temp\4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe
"C:\Users\Admin\AppData\Local\Temp\4653331b97db6a248676203b7d3c04c257b001c1e2660c23bc8627b8adad15a4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z27517666.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z27517666.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z96594660.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z96594660.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z63351656.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z63351656.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s01752819.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s01752819.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1376
6⤵
- Program crash
PID:3620

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34210592.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34210592.exe
5⤵
- Executes dropped EXE
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3032 -ip 3032
1⤵
PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z27517666.exe
Filesize
1.0MB

MD5
69202706987bd3272dc34d8bb25f0085

SHA1
09fd4f25d4b53ed98a77bb38152992a79ea496b6

SHA256
7740508d305d0512db86d3ede36db3f30e706bcbbd4aa866e01ece031e76239d

SHA512
f8b9f5f90462b0b98224b6b440b0e1ae9b2ccdea5d0d76b49e81b79335666ae5b54a223e3a5a226dbbb39c7ddafc0895a599c34c81af9d6cf2e2b9364861b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z27517666.exe
Filesize
1.0MB

MD5
69202706987bd3272dc34d8bb25f0085

SHA1
09fd4f25d4b53ed98a77bb38152992a79ea496b6

SHA256
7740508d305d0512db86d3ede36db3f30e706bcbbd4aa866e01ece031e76239d

SHA512
f8b9f5f90462b0b98224b6b440b0e1ae9b2ccdea5d0d76b49e81b79335666ae5b54a223e3a5a226dbbb39c7ddafc0895a599c34c81af9d6cf2e2b9364861b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z96594660.exe
Filesize
760KB

MD5
4c44f378dee1f519eb0b7b0c2be24194

SHA1
b1615fd5099d78dbf3e05150ff835c200ed995de

SHA256
35d241c368f43c2c8cfdf939078e371576765c6692900821c33a87c1d375fcd9

SHA512
9d21cfe75c3b80eaa737e334f77547653d116543dbc3e0b91c6e79b4960adf94e161cc496473af2e95e31d9a9b89c3d45b052d4b312a91fd81659e70a7ff27e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z96594660.exe
Filesize
760KB

MD5
4c44f378dee1f519eb0b7b0c2be24194

SHA1
b1615fd5099d78dbf3e05150ff835c200ed995de

SHA256
35d241c368f43c2c8cfdf939078e371576765c6692900821c33a87c1d375fcd9

SHA512
9d21cfe75c3b80eaa737e334f77547653d116543dbc3e0b91c6e79b4960adf94e161cc496473af2e95e31d9a9b89c3d45b052d4b312a91fd81659e70a7ff27e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z63351656.exe
Filesize
578KB

MD5
409b053465fd5d8ce2bce296cf7ce94c

SHA1
3885382321b32a5c43a26617503f2a6b1544a2e6

SHA256
dd97038d6c0a15afc949e45ea7c9f1e435d5e90ec71ca90d13aac1c1497847a0

SHA512
82702b68e29e5fac0b4ac041085fdc083c7567dfb5826dfd6b9b623027365b54b88724119b85972ca42b1fe6adf8538f5fc45b3751cecb5d950414fb0c1732c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z63351656.exe
Filesize
578KB

MD5
409b053465fd5d8ce2bce296cf7ce94c

SHA1
3885382321b32a5c43a26617503f2a6b1544a2e6

SHA256
dd97038d6c0a15afc949e45ea7c9f1e435d5e90ec71ca90d13aac1c1497847a0

SHA512
82702b68e29e5fac0b4ac041085fdc083c7567dfb5826dfd6b9b623027365b54b88724119b85972ca42b1fe6adf8538f5fc45b3751cecb5d950414fb0c1732c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s01752819.exe
Filesize
575KB

MD5
3386aa3fdd35060e6f72745c70265875

SHA1
c786ffafbd9f9663aa47e65955cb411017b6c57c

SHA256
2723d806be2d16d18bfb86a04adfc171cbc2965f16645bb12d13f7237af80f08

SHA512
16fcc6a46b09aabe88e1720611e9e465e234b8d0a59a2853da59575f068f4acf42cb898bac8f4077ac064aaf6b5d872d7f98055b92b26d4c1e0c0202066ba52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s01752819.exe
Filesize
575KB

MD5
3386aa3fdd35060e6f72745c70265875

SHA1
c786ffafbd9f9663aa47e65955cb411017b6c57c

SHA256
2723d806be2d16d18bfb86a04adfc171cbc2965f16645bb12d13f7237af80f08

SHA512
16fcc6a46b09aabe88e1720611e9e465e234b8d0a59a2853da59575f068f4acf42cb898bac8f4077ac064aaf6b5d872d7f98055b92b26d4c1e0c0202066ba52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34210592.exe
Filesize
169KB

MD5
9bb62c62f69ae07a7f7df7c3e74dd8d9

SHA1
d6cadb348c7cfd54e271f9cd9a308613f2babeb7

SHA256
4f0baf13a169d902957e9fb57e43f399246b3b264119ce3906df9a99d3466667

SHA512
4cc139b413486b006bfcaba091f2ad14a268c1d46d19612dcbabc7ee8a15655b0eba3d4833b3e9ce00548859af2dd0c15dfe3a4a3421ff7f68a6a2532bf5ca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34210592.exe
Filesize
169KB

MD5
9bb62c62f69ae07a7f7df7c3e74dd8d9

SHA1
d6cadb348c7cfd54e271f9cd9a308613f2babeb7

SHA256
4f0baf13a169d902957e9fb57e43f399246b3b264119ce3906df9a99d3466667

SHA512
4cc139b413486b006bfcaba091f2ad14a268c1d46d19612dcbabc7ee8a15655b0eba3d4833b3e9ce00548859af2dd0c15dfe3a4a3421ff7f68a6a2532bf5ca2a

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/824-2331-0x000000000AA00000-0x000000000AA3C000-memory.dmp

Filesize
240KB

Download
memory/824-2332-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/824-2330-0x000000000A9A0000-0x000000000A9B2000-memory.dmp

Filesize
72KB

Download
memory/824-2329-0x000000000AA70000-0x000000000AB7A000-memory.dmp

Filesize
1.0MB

Download
memory/824-2328-0x000000000AF80000-0x000000000B598000-memory.dmp

Filesize
6.1MB

Download
memory/824-2327-0x0000000000C30000-0x0000000000C5E000-memory.dmp

Filesize
184KB

Download
memory/824-2339-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/2536-2337-0x00000000008A0000-0x00000000008CE000-memory.dmp

Filesize
184KB

Download
memory/2536-2338-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/2536-2340-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3032-200-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-224-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-190-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-192-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-194-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-196-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-198-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-186-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-202-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-204-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-206-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-208-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-210-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-212-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-214-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-216-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-218-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-220-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-222-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-188-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-226-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-228-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-230-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-184-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-2322-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3032-182-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-180-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-178-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-172-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3032-176-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-174-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3032-173-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-170-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3032-169-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-167-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-165-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-164-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/3032-163-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/3032-162-0x0000000002270000-0x00000000022CB000-memory.dmp

Filesize
364KB

Download