redline | 4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827

Analysis

max time kernel
170s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe
Size

1.5MB
MD5

b0fadb5f55a00ec6169c1aff3d19ec94
SHA1

8556297abc4a36c6dd0d2c798f48b03e7242ca66
SHA256

4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827
SHA512

a5a710c55dd5b1ab293952fcc7c5a00db43beeae782ad4885143615307111d38e439643d7bad44e234b4fb3ae8d761664fc9a155dfc0ccca2d096f77b3082672
SSDEEP

24576:ly8Xm2U/3klyKBoRZ9fE4JCEslZNKeXA0UGUWpRdmFj5en9HL9C9WKMq1SGLo:A8Xm2U/0lN2JJCjLXx589w9eWKMcJ

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1744-169-0x000000000A860000-0x000000000AE78000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1160	i36250233.exe
2012	i36885698.exe
2108	i44027528.exe
4544	i89408596.exe
1744	a72652500.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i44027528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i36885698.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i44027528.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i36885698.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i89408596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i89408596.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i36250233.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i36250233.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1160	3628	4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe	82
PID 3628 wrote to memory of 1160	3628	4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe	82
PID 3628 wrote to memory of 1160	3628	4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe	82
PID 1160 wrote to memory of 2012	1160	i36250233.exe	83
PID 1160 wrote to memory of 2012	1160	i36250233.exe	83
PID 1160 wrote to memory of 2012	1160	i36250233.exe	83
PID 2012 wrote to memory of 2108	2012	i36885698.exe	84
PID 2012 wrote to memory of 2108	2012	i36885698.exe	84
PID 2012 wrote to memory of 2108	2012	i36885698.exe	84
PID 2108 wrote to memory of 4544	2108	i44027528.exe	85
PID 2108 wrote to memory of 4544	2108	i44027528.exe	85
PID 2108 wrote to memory of 4544	2108	i44027528.exe	85
PID 4544 wrote to memory of 1744	4544	i89408596.exe	86
PID 4544 wrote to memory of 1744	4544	i89408596.exe	86
PID 4544 wrote to memory of 1744	4544	i89408596.exe	86

C:\Users\Admin\AppData\Local\Temp\4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe
"C:\Users\Admin\AppData\Local\Temp\4d77aa693c7d8562e73e998f40c578f5e2b88d58fa3bea5dd42d086f73ebf827.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36250233.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36250233.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36885698.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36885698.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44027528.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44027528.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89408596.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89408596.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a72652500.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a72652500.exe
        6⤵
        Executes dropped EXE
        
        PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36250233.exe

Filesize
1.3MB

MD5
410359cc34c03b7c538a5e86cde21ebf

SHA1
1b3080c30e5c245bc50e51b1cd1db412949a2a84

SHA256
80518985daf6f09f3f08fa5fc8afb36504c4d04db3f1b129a3903d5f9ba61a1b

SHA512
045daae37240a1f3ee31c049c15e9ef0b3a3256c2b0e1dcbf64e09e2c224e0316308b71c3426850bc4bc8583fafe73c1dfd0285af77a497b97e0eee11be0c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i36250233.exe

Filesize
1.3MB

MD5
410359cc34c03b7c538a5e86cde21ebf

SHA1
1b3080c30e5c245bc50e51b1cd1db412949a2a84

SHA256
80518985daf6f09f3f08fa5fc8afb36504c4d04db3f1b129a3903d5f9ba61a1b

SHA512
045daae37240a1f3ee31c049c15e9ef0b3a3256c2b0e1dcbf64e09e2c224e0316308b71c3426850bc4bc8583fafe73c1dfd0285af77a497b97e0eee11be0c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36885698.exe

Filesize
1016KB

MD5
ff35b4d24dd6f699927b0bf97afe0ffd

SHA1
d1fe05f441dfa3204053e8ce0fd4be2fa6c7c5b3

SHA256
99053a5f0d225a9d69056b3d8b133e23017a57bfae0b8670e6a42e570cfcae9f

SHA512
1f5b4f2843edeb3e16e3ad76af1f78a19e903f5151e8fbeb753d7e3e3af751275c8c31a1551f4f0e259df7724a024ce9289b071c8e287b6c1185dd3d71d33b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36885698.exe

Filesize
1016KB

MD5
ff35b4d24dd6f699927b0bf97afe0ffd

SHA1
d1fe05f441dfa3204053e8ce0fd4be2fa6c7c5b3

SHA256
99053a5f0d225a9d69056b3d8b133e23017a57bfae0b8670e6a42e570cfcae9f

SHA512
1f5b4f2843edeb3e16e3ad76af1f78a19e903f5151e8fbeb753d7e3e3af751275c8c31a1551f4f0e259df7724a024ce9289b071c8e287b6c1185dd3d71d33b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44027528.exe

Filesize
844KB

MD5
52887bfb1d81b3ff2f4509ded9cccfd4

SHA1
f38949a9c20b7190463f744e641d813c22cf34e4

SHA256
f1aff138bf099811343159e4c2fdfdf210e2a10695ac2ec218e278ab03a811d7

SHA512
3f715a3c029d851a296eccabbcbd74d061590272c7ae31971d53baefdc0301e2d6baafdc95753c54d69671dfcfa65b05b641c2287e1501fe9d26b156f31e958c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i44027528.exe

Filesize
844KB

MD5
52887bfb1d81b3ff2f4509ded9cccfd4

SHA1
f38949a9c20b7190463f744e641d813c22cf34e4

SHA256
f1aff138bf099811343159e4c2fdfdf210e2a10695ac2ec218e278ab03a811d7

SHA512
3f715a3c029d851a296eccabbcbd74d061590272c7ae31971d53baefdc0301e2d6baafdc95753c54d69671dfcfa65b05b641c2287e1501fe9d26b156f31e958c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89408596.exe

Filesize
371KB

MD5
7e852a1cf2cf1361a3407ea0a0ccf273

SHA1
e352f6353c72028811e55c0be790e9c1a79404a5

SHA256
82fb83f8c45e154f5c4ca28247c3d57abbad501025b4acb1d5fd6164bd32426e

SHA512
99a1c18b40814a74e984ebf5deb44e6bef0ba9e628b46b7b7a8a33af8beb9077f79443c28ff22dbef874b4bfad77422cca3ba9409279e6596f928a7b7bef030d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89408596.exe

Filesize
371KB

MD5
7e852a1cf2cf1361a3407ea0a0ccf273

SHA1
e352f6353c72028811e55c0be790e9c1a79404a5

SHA256
82fb83f8c45e154f5c4ca28247c3d57abbad501025b4acb1d5fd6164bd32426e

SHA512
99a1c18b40814a74e984ebf5deb44e6bef0ba9e628b46b7b7a8a33af8beb9077f79443c28ff22dbef874b4bfad77422cca3ba9409279e6596f928a7b7bef030d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a72652500.exe

Filesize
169KB

MD5
65aa43f3043af072911eb87fd0aea04d

SHA1
689114c279c854c3eabe5082328716e450bc3318

SHA256
59a1b3b0308ded5879190d17764f343be8912e4535a54c20a2223354ed08a959

SHA512
5c36a323c75963b9f8d3788c5fc15c4714eee7dabcef085a51092912a0670e482d6d0cfbd23dc178f9623903a48c2d73d560764215768a15a5a8497442deb03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a72652500.exe

Filesize
169KB

MD5
65aa43f3043af072911eb87fd0aea04d

SHA1
689114c279c854c3eabe5082328716e450bc3318

SHA256
59a1b3b0308ded5879190d17764f343be8912e4535a54c20a2223354ed08a959

SHA512
5c36a323c75963b9f8d3788c5fc15c4714eee7dabcef085a51092912a0670e482d6d0cfbd23dc178f9623903a48c2d73d560764215768a15a5a8497442deb03b

Download Submit
memory/1744-168-0x0000000000590000-0x00000000005C0000-memory.dmp

Filesize
192KB

Download
memory/1744-169-0x000000000A860000-0x000000000AE78000-memory.dmp

Filesize
6.1MB

Download
memory/1744-170-0x000000000A3D0000-0x000000000A4DA000-memory.dmp

Filesize
1.0MB

Download
memory/1744-171-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/1744-172-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1744-173-0x000000000A360000-0x000000000A39C000-memory.dmp

Filesize
240KB

Download
memory/1744-174-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download