redline | 4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe
Size

1.2MB
MD5

6dfae126cc68950a211f9d11a0e60e51
SHA1

8fa0c4d99bad680da11b1ea61eba152dc23de489
SHA256

4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c
SHA512

44a0cb0ca8e0285544e73977c50cb103e26f6ed2dafbff0898366b2723c5e6a36caf12c6053bdeea6e22ae9e57ef03a923c25b197ec8add464ef9fd1e5f9731b
SSDEEP

24576:vyaK8b8P95J+nSOe8CI0XQHgyxItxAbMiI+z36vDF3vLSKIBpGY:6WDeLDXz8bMD4KLF3DjI

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3356-2332-0x0000000005CF0000-0x0000000006308000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s34533747.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	s34533747.exe

Executes dropped EXE 6 IoCs

Processes:

z22295990.exez08756220.exez52145999.exes34533747.exe1.exet62148520.exe

pid process

376 z22295990.exe
4668 z08756220.exe
4416 z52145999.exe
4276 s34533747.exe
1420 1.exe
3356 t62148520.exe

pid	process
376	z22295990.exe
4668	z08756220.exe
4416	z52145999.exe
4276	s34533747.exe
1420	1.exe
3356	t62148520.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exez22295990.exez08756220.exez52145999.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z22295990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z22295990.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z08756220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z08756220.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z52145999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z52145999.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s34533747.exe

description pid process

Token: SeDebugPrivilege 4276 s34533747.exe

description	pid	process
Token: SeDebugPrivilege	4276	s34533747.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exez22295990.exez08756220.exez52145999.exes34533747.exe

description	pid	process	target process
PID 4536 wrote to memory of 376	4536	4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe	z22295990.exe
PID 4536 wrote to memory of 376	4536	4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe	z22295990.exe
PID 4536 wrote to memory of 376	4536	4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe	z22295990.exe
PID 376 wrote to memory of 4668	376	z22295990.exe	z08756220.exe
PID 376 wrote to memory of 4668	376	z22295990.exe	z08756220.exe
PID 376 wrote to memory of 4668	376	z22295990.exe	z08756220.exe
PID 4668 wrote to memory of 4416	4668	z08756220.exe	z52145999.exe
PID 4668 wrote to memory of 4416	4668	z08756220.exe	z52145999.exe
PID 4668 wrote to memory of 4416	4668	z08756220.exe	z52145999.exe
PID 4416 wrote to memory of 4276	4416	z52145999.exe	s34533747.exe
PID 4416 wrote to memory of 4276	4416	z52145999.exe	s34533747.exe
PID 4416 wrote to memory of 4276	4416	z52145999.exe	s34533747.exe
PID 4276 wrote to memory of 1420	4276	s34533747.exe	1.exe
PID 4276 wrote to memory of 1420	4276	s34533747.exe	1.exe
PID 4276 wrote to memory of 1420	4276	s34533747.exe	1.exe
PID 4416 wrote to memory of 3356	4416	z52145999.exe	t62148520.exe
PID 4416 wrote to memory of 3356	4416	z52145999.exe	t62148520.exe
PID 4416 wrote to memory of 3356	4416	z52145999.exe	t62148520.exe

C:\Users\Admin\AppData\Local\Temp\4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe
"C:\Users\Admin\AppData\Local\Temp\4ff93ea51d2627aba018ea856c741298bfcaf3357fd6ea61bfd5128ef9db442c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z22295990.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z22295990.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z08756220.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z08756220.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52145999.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52145999.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34533747.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34533747.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t62148520.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t62148520.exe
5⤵
- Executes dropped EXE
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z22295990.exe
Filesize
1.0MB

MD5
9e254cbea598b751f557e86e2fe4a67e

SHA1
d59e00cff396903e8c47ff09d36c20b31a4144c2

SHA256
51a934827a6ed18610e9a85242ccfaf0b5c244cd5995fa2f809630be6767cc1b

SHA512
699b69a16f5bc10b19bbc2b6b84cb5ff982117524b8cb3652e11721986b4cb5cad51818a634097de68291deafb5182f48e5d99fc20f3bf88648fe955e7f90bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z22295990.exe
Filesize
1.0MB

MD5
9e254cbea598b751f557e86e2fe4a67e

SHA1
d59e00cff396903e8c47ff09d36c20b31a4144c2

SHA256
51a934827a6ed18610e9a85242ccfaf0b5c244cd5995fa2f809630be6767cc1b

SHA512
699b69a16f5bc10b19bbc2b6b84cb5ff982117524b8cb3652e11721986b4cb5cad51818a634097de68291deafb5182f48e5d99fc20f3bf88648fe955e7f90bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z08756220.exe
Filesize
764KB

MD5
001903ab1bff4b27ceaca50d55441f67

SHA1
570ca5c80fbcc0c4bff82ea07a9cd652f54ea0ff

SHA256
5f8aef0181a86a3c91987ffa38df92a734fcaad35748ac03aab1f62895ea3dbb

SHA512
639821d0b30a9bef40dacd713b85b34cdc4a2a3ad3506bae06c6c70927191cea64f452b412a0650e37653bf23b70478fa0ee3df6adafd0a229095136e749cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z08756220.exe
Filesize
764KB

MD5
001903ab1bff4b27ceaca50d55441f67

SHA1
570ca5c80fbcc0c4bff82ea07a9cd652f54ea0ff

SHA256
5f8aef0181a86a3c91987ffa38df92a734fcaad35748ac03aab1f62895ea3dbb

SHA512
639821d0b30a9bef40dacd713b85b34cdc4a2a3ad3506bae06c6c70927191cea64f452b412a0650e37653bf23b70478fa0ee3df6adafd0a229095136e749cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52145999.exe
Filesize
581KB

MD5
475ad03bb5c8971b4258586f048c43a2

SHA1
730725ee5bbdd987a93a205c1e6ba8019f704026

SHA256
264efe463609da3e7d8909bbf6319531ea4153c23fc56f41e01cd270f5b5ed40

SHA512
4395d676bd486c8b8c646197272515ab6a30383da49f6fde59f2281195021ae8a4c7f26818b12e57fc137a01981b83933e50e4ad4f23112f31205b2b76dd1889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52145999.exe
Filesize
581KB

MD5
475ad03bb5c8971b4258586f048c43a2

SHA1
730725ee5bbdd987a93a205c1e6ba8019f704026

SHA256
264efe463609da3e7d8909bbf6319531ea4153c23fc56f41e01cd270f5b5ed40

SHA512
4395d676bd486c8b8c646197272515ab6a30383da49f6fde59f2281195021ae8a4c7f26818b12e57fc137a01981b83933e50e4ad4f23112f31205b2b76dd1889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34533747.exe
Filesize
582KB

MD5
4d1759c403233a90f4b772bfc317dc21

SHA1
e59b8ad69742731c417a44db3dc4bb83f181d06a

SHA256
da3d6a767748d1a8b267552cfa76881452a1d8cbd544b21ced5111b60a1eb3d7

SHA512
a819c193722d0a4e7e1b3993038eac57bbefa3a18dddd9625d2bf9727b5635fb655e9da52cef7a33eb8cef6119840c5f5d236ec71f8d4069807aec0cabbb0a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34533747.exe
Filesize
582KB

MD5
4d1759c403233a90f4b772bfc317dc21

SHA1
e59b8ad69742731c417a44db3dc4bb83f181d06a

SHA256
da3d6a767748d1a8b267552cfa76881452a1d8cbd544b21ced5111b60a1eb3d7

SHA512
a819c193722d0a4e7e1b3993038eac57bbefa3a18dddd9625d2bf9727b5635fb655e9da52cef7a33eb8cef6119840c5f5d236ec71f8d4069807aec0cabbb0a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t62148520.exe
Filesize
169KB

MD5
6131e20aa6dcd7236addcfb07d963cd8

SHA1
9bba3ffc75e2a69fa7cb4eb62d296d5e971c5e89

SHA256
339116130ba9f92000af1c33c5966786856c9a6fe865b5dcc8f2c364d4752bcf

SHA512
871ce48bd556b6bc0f66d219c1bb6542ba583a2700ae3315a19bd8c842b79da0a4dca9a7999037235c54e673fe82816a38c384174aeca0c107daee66dc3dd8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t62148520.exe
Filesize
169KB

MD5
6131e20aa6dcd7236addcfb07d963cd8

SHA1
9bba3ffc75e2a69fa7cb4eb62d296d5e971c5e89

SHA256
339116130ba9f92000af1c33c5966786856c9a6fe865b5dcc8f2c364d4752bcf

SHA512
871ce48bd556b6bc0f66d219c1bb6542ba583a2700ae3315a19bd8c842b79da0a4dca9a7999037235c54e673fe82816a38c384174aeca0c107daee66dc3dd8b8

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1420-2327-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/1420-2338-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1420-2335-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1420-2334-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/3356-2339-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3356-2336-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3356-2337-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download
memory/3356-2333-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/3356-2332-0x0000000005CF0000-0x0000000006308000-memory.dmp

Filesize
6.1MB

Download
memory/3356-2331-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

Filesize
184KB

Download
memory/4276-192-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-214-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-182-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-184-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-187-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4276-186-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-190-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-178-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-188-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4276-194-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-196-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-198-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-200-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-202-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-204-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-206-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-208-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-210-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-212-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-180-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-216-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-218-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-220-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-222-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-176-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-174-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-172-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-170-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-168-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-166-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-165-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-164-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/4276-163-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4276-162-0x0000000000A50000-0x0000000000AAB000-memory.dmp

Filesize
364KB

Download
memory/4276-224-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-226-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-228-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-230-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4276-2315-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download