redline | 4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe
Size

1.2MB
MD5

487f6ce25b7ca4d6266cd4d266f35c8d
SHA1

8e73fc90af9baf662ce7e781dc98a74f9a18032d
SHA256

4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02
SHA512

cdfb360aad59db6021d7cee143d85ae3890d9c31c7511cf8f8d1a73fd669e26d99adf6759f1466af478be22adaf5007280184aafd0c7d0b8891058103647fc0f
SSDEEP

24576:UyB5Y8/PTQUeWzE/WtJVNlsnk6ORIgXX3UNk3bkfQpaZbUl4/3I3srlmVdrKY6yU:jXYw0vWACl0k6OJXUeAfca1UlZ8rleQ+

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4772-2332-0x0000000005620000-0x0000000005C38000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s07564778.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s07564778.exe

Executes dropped EXE 6 IoCs

Processes:

z65635918.exez35264975.exez54309040.exes07564778.exe1.exet75015286.exe

pid process

1228 z65635918.exe
1332 z35264975.exe
4564 z54309040.exe
2164 s07564778.exe
3484 1.exe
4772 t75015286.exe

pid	process
1228	z65635918.exe
1332	z35264975.exe
4564	z54309040.exe
2164	s07564778.exe
3484	1.exe
4772	t75015286.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z54309040.exe4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exez65635918.exez35264975.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z54309040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z54309040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z65635918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z65635918.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z35264975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z35264975.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s07564778.exe

description pid process

Token: SeDebugPrivilege 2164 s07564778.exe

description	pid	process
Token: SeDebugPrivilege	2164	s07564778.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exez65635918.exez35264975.exez54309040.exes07564778.exe

description	pid	process	target process
PID 4496 wrote to memory of 1228	4496	4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe	z65635918.exe
PID 4496 wrote to memory of 1228	4496	4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe	z65635918.exe
PID 4496 wrote to memory of 1228	4496	4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe	z65635918.exe
PID 1228 wrote to memory of 1332	1228	z65635918.exe	z35264975.exe
PID 1228 wrote to memory of 1332	1228	z65635918.exe	z35264975.exe
PID 1228 wrote to memory of 1332	1228	z65635918.exe	z35264975.exe
PID 1332 wrote to memory of 4564	1332	z35264975.exe	z54309040.exe
PID 1332 wrote to memory of 4564	1332	z35264975.exe	z54309040.exe
PID 1332 wrote to memory of 4564	1332	z35264975.exe	z54309040.exe
PID 4564 wrote to memory of 2164	4564	z54309040.exe	s07564778.exe
PID 4564 wrote to memory of 2164	4564	z54309040.exe	s07564778.exe
PID 4564 wrote to memory of 2164	4564	z54309040.exe	s07564778.exe
PID 2164 wrote to memory of 3484	2164	s07564778.exe	1.exe
PID 2164 wrote to memory of 3484	2164	s07564778.exe	1.exe
PID 2164 wrote to memory of 3484	2164	s07564778.exe	1.exe
PID 4564 wrote to memory of 4772	4564	z54309040.exe	t75015286.exe
PID 4564 wrote to memory of 4772	4564	z54309040.exe	t75015286.exe
PID 4564 wrote to memory of 4772	4564	z54309040.exe	t75015286.exe

C:\Users\Admin\AppData\Local\Temp\4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe
"C:\Users\Admin\AppData\Local\Temp\4a210cf61314ced771b150884a6f37d9a9ee7b8eb1131995fdb6cca251b8df02.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65635918.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65635918.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z35264975.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z35264975.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z54309040.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z54309040.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07564778.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07564778.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t75015286.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t75015286.exe
5⤵
- Executes dropped EXE
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65635918.exe
Filesize
1.0MB

MD5
35b1d4344df77a9c5ec54af70b3a5072

SHA1
61ce78b466015571a42dc9fc057a94ff718bcbc8

SHA256
0d048980440e35b1ecdb8b7ec152f8decbc59647e16f631510fa431b2b8c99de

SHA512
1355dc290708c392a3905f4d23f4a2a0724fc223aa450219732dd49b014682d9be5567b5dcdff6fa064b2c7eb13ce061859be07a89213c22489b238a7315a837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z65635918.exe
Filesize
1.0MB

MD5
35b1d4344df77a9c5ec54af70b3a5072

SHA1
61ce78b466015571a42dc9fc057a94ff718bcbc8

SHA256
0d048980440e35b1ecdb8b7ec152f8decbc59647e16f631510fa431b2b8c99de

SHA512
1355dc290708c392a3905f4d23f4a2a0724fc223aa450219732dd49b014682d9be5567b5dcdff6fa064b2c7eb13ce061859be07a89213c22489b238a7315a837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z35264975.exe
Filesize
764KB

MD5
ce55f2b91332af7bba66c8e1274ee459

SHA1
3a9e2b37ae07c2f07e5f06a8e49408c2eccdf221

SHA256
88364d34bd282fac85f5b0665fb6ab87d063e35b671638516f16b471f07475d4

SHA512
b4e9998cee38a91071c4df9951012ca5bbc3148fc23473f57c3e652d6e6d1530c3e4840cb3724a76be64bc01a63f345fb29e1cdc56ebab06cf23d1417f5d0d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z35264975.exe
Filesize
764KB

MD5
ce55f2b91332af7bba66c8e1274ee459

SHA1
3a9e2b37ae07c2f07e5f06a8e49408c2eccdf221

SHA256
88364d34bd282fac85f5b0665fb6ab87d063e35b671638516f16b471f07475d4

SHA512
b4e9998cee38a91071c4df9951012ca5bbc3148fc23473f57c3e652d6e6d1530c3e4840cb3724a76be64bc01a63f345fb29e1cdc56ebab06cf23d1417f5d0d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z54309040.exe
Filesize
582KB

MD5
8edbe3701971a9ee32c23eda4d3b5ec3

SHA1
364217f1d0aea278a89c32a7f63b00399d9567b5

SHA256
906e5235e37d137cb3dbbd7b81daea43c5eb40b439ba62b0d9cfefa11e60c9cb

SHA512
20c7f9246ee25b555c4e0dc97df43a275e9954e152290f820bdff0c26541cbdedd108ae669525d2aa0d36be7f1f1e79749b43a5a0ccdeaed4e0b7d10713942e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z54309040.exe
Filesize
582KB

MD5
8edbe3701971a9ee32c23eda4d3b5ec3

SHA1
364217f1d0aea278a89c32a7f63b00399d9567b5

SHA256
906e5235e37d137cb3dbbd7b81daea43c5eb40b439ba62b0d9cfefa11e60c9cb

SHA512
20c7f9246ee25b555c4e0dc97df43a275e9954e152290f820bdff0c26541cbdedd108ae669525d2aa0d36be7f1f1e79749b43a5a0ccdeaed4e0b7d10713942e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07564778.exe
Filesize
582KB

MD5
0007ceaa33a4c22268e116e9c958b152

SHA1
6e7ac07e004b781086cbe26ffe25ba63d5e157e9

SHA256
6f202c2dd5bb0eba18f61c7ba02dea386ce47eb67d5864b5dafa06d42b116f50

SHA512
9073bd513f929c01dee438ecdf6c7d71191f35de3d2ed7f0ba779215f55e3b1ff59ed11596be35caafa5049fc73eb8ebbb2e78e78cb969b4bc35e5e1feca40d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07564778.exe
Filesize
582KB

MD5
0007ceaa33a4c22268e116e9c958b152

SHA1
6e7ac07e004b781086cbe26ffe25ba63d5e157e9

SHA256
6f202c2dd5bb0eba18f61c7ba02dea386ce47eb67d5864b5dafa06d42b116f50

SHA512
9073bd513f929c01dee438ecdf6c7d71191f35de3d2ed7f0ba779215f55e3b1ff59ed11596be35caafa5049fc73eb8ebbb2e78e78cb969b4bc35e5e1feca40d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t75015286.exe
Filesize
169KB

MD5
add66855cb21397897b57cd6f0977b91

SHA1
13634e67547e616da99b4fe82c03d831d4b58cf4

SHA256
15572bdadf256c8ab85298a48685f64be7a31ff1c739b1ce3f2a1fff35d9d751

SHA512
56913fcb29ca613b839847a144648b3df7a5e1fa24d086908c754cc05997c12ddbc50dc5fc7afc243aa2a5c589b0daac8efd8cdfa2341aebe3c827af8c9f09ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t75015286.exe
Filesize
169KB

MD5
add66855cb21397897b57cd6f0977b91

SHA1
13634e67547e616da99b4fe82c03d831d4b58cf4

SHA256
15572bdadf256c8ab85298a48685f64be7a31ff1c739b1ce3f2a1fff35d9d751

SHA512
56913fcb29ca613b839847a144648b3df7a5e1fa24d086908c754cc05997c12ddbc50dc5fc7afc243aa2a5c589b0daac8efd8cdfa2341aebe3c827af8c9f09ad

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2164-200-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-216-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-169-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-175-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-177-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-179-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-180-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2164-182-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2164-184-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2164-183-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-186-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-188-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-190-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-192-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-194-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-196-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-198-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-171-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-204-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-202-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-206-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-208-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-210-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-212-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-214-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-173-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-218-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-220-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-222-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-224-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-226-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-228-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-230-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-167-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-2321-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2164-165-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-164-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/2164-162-0x0000000000930000-0x000000000098B000-memory.dmp

Filesize
364KB

Download
memory/2164-163-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/3484-2327-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/3484-2333-0x0000000004B50000-0x0000000004C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3484-2334-0x00000000048B0000-0x00000000048C2000-memory.dmp

Filesize
72KB

Download
memory/3484-2335-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3484-2338-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4772-2331-0x00000000006C0000-0x00000000006EE000-memory.dmp

Filesize
184KB

Download
memory/4772-2332-0x0000000005620000-0x0000000005C38000-memory.dmp

Filesize
6.1MB

Download
memory/4772-2336-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/4772-2337-0x0000000005080000-0x00000000050BC000-memory.dmp

Filesize
240KB

Download
memory/4772-2339-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download