redline | 4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a

Analysis

max time kernel
138s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe
Size

1.5MB
MD5

08320187f21fb5cf492cb6d7b5fa4a63
SHA1

57d9e2c827dbd191f5685cac16574cfe5f775f89
SHA256

4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a
SHA512

1330b899685bc704e23d3aafc256e1a4bce6faad006d429a240da5b336a165931db1eac2c4e4688e077509b16e31d59acb96beee1f7107fb653c65afba896abf
SSDEEP

24576:yyN9xNl8iZESo+gsTfEIyOp1xl229gvuoHxFNPWN83rRHd9AQ0TpB8jhPDC7ND:ZrWyLTHTf+8175gmCuN87RHfy1ByDC7N

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2192-169-0x000000000A890000-0x000000000AEA8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4408	i33161819.exe
4992	i34355932.exe
4976	i03483805.exe
3644	i51174381.exe
2192	a56510896.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i33161819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i33161819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i03483805.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i51174381.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i34355932.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i03483805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i51174381.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i34355932.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 480 wrote to memory of 4408	480	4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe	81
PID 480 wrote to memory of 4408	480	4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe	81
PID 480 wrote to memory of 4408	480	4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe	81
PID 4408 wrote to memory of 4992	4408	i33161819.exe	82
PID 4408 wrote to memory of 4992	4408	i33161819.exe	82
PID 4408 wrote to memory of 4992	4408	i33161819.exe	82
PID 4992 wrote to memory of 4976	4992	i34355932.exe	83
PID 4992 wrote to memory of 4976	4992	i34355932.exe	83
PID 4992 wrote to memory of 4976	4992	i34355932.exe	83
PID 4976 wrote to memory of 3644	4976	i03483805.exe	84
PID 4976 wrote to memory of 3644	4976	i03483805.exe	84
PID 4976 wrote to memory of 3644	4976	i03483805.exe	84
PID 3644 wrote to memory of 2192	3644	i51174381.exe	85
PID 3644 wrote to memory of 2192	3644	i51174381.exe	85
PID 3644 wrote to memory of 2192	3644	i51174381.exe	85

C:\Users\Admin\AppData\Local\Temp\4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe
"C:\Users\Admin\AppData\Local\Temp\4f65bab67edb5ba4ff853587b132200eef63b3d4aeccac1dd58a7d1ad7f73b9a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i33161819.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i33161819.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i34355932.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i34355932.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03483805.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03483805.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i51174381.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i51174381.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56510896.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56510896.exe
        6⤵
        Executes dropped EXE
        
        PID:2192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i33161819.exe

Filesize
1.3MB

MD5
69111772edd7024089e596807203aaf3

SHA1
2e185fb1ebebfecc72d3d736cf4dc5641178e3fa

SHA256
cb52f95f2ba9539221db6c71c0615635fec2fe3660f5aedcb1bf595b862b0d64

SHA512
10fe8c403e7ff58d2645f7cac0f831790d484d2eb1151f5fdd3116a57bf03e676f89ab6703f587de25c8df0b51cac3e618d221c07287ee29bc8644b95130b44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i33161819.exe

Filesize
1.3MB

MD5
69111772edd7024089e596807203aaf3

SHA1
2e185fb1ebebfecc72d3d736cf4dc5641178e3fa

SHA256
cb52f95f2ba9539221db6c71c0615635fec2fe3660f5aedcb1bf595b862b0d64

SHA512
10fe8c403e7ff58d2645f7cac0f831790d484d2eb1151f5fdd3116a57bf03e676f89ab6703f587de25c8df0b51cac3e618d221c07287ee29bc8644b95130b44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i34355932.exe

Filesize
1014KB

MD5
f7c8c00b729d76a9298ffad5166f41cd

SHA1
4e6f7b3704f9f4139167f6f65eaed826a6cfe891

SHA256
329e4d841506d9beff8299bbff7f5d0cb477caf4b2a59d8f69b03b58c19ea97a

SHA512
7cbcfa41b34e1a092fff5376683211cfe5055f03030f6288583790c79b99c11c6e288cb64f3d26cac6afdea9f50f694589e8190fc72b53e55add5861f0aa5406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i34355932.exe

Filesize
1014KB

MD5
f7c8c00b729d76a9298ffad5166f41cd

SHA1
4e6f7b3704f9f4139167f6f65eaed826a6cfe891

SHA256
329e4d841506d9beff8299bbff7f5d0cb477caf4b2a59d8f69b03b58c19ea97a

SHA512
7cbcfa41b34e1a092fff5376683211cfe5055f03030f6288583790c79b99c11c6e288cb64f3d26cac6afdea9f50f694589e8190fc72b53e55add5861f0aa5406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03483805.exe

Filesize
842KB

MD5
24a04ce69e3286222907c8c992117369

SHA1
4f8c456d8f4d42006ee06fa8e5a957cea7839441

SHA256
56d4f7c11ed0bee078be58568ef16a8ce3a21f04936a438e961854913695fe9d

SHA512
cb876a8f1160d7bbecadab86649173e6485f07a68151da254523df54133f9c69d8d19f29d99f9a150805038d5a2631d0c589b5997842a6b7ea30b3893294019b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03483805.exe

Filesize
842KB

MD5
24a04ce69e3286222907c8c992117369

SHA1
4f8c456d8f4d42006ee06fa8e5a957cea7839441

SHA256
56d4f7c11ed0bee078be58568ef16a8ce3a21f04936a438e961854913695fe9d

SHA512
cb876a8f1160d7bbecadab86649173e6485f07a68151da254523df54133f9c69d8d19f29d99f9a150805038d5a2631d0c589b5997842a6b7ea30b3893294019b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i51174381.exe

Filesize
370KB

MD5
060875bb9cab6d0d31157271ec96e92a

SHA1
a513a64e221fa78c64cbc7c7af982a1d9be8abf6

SHA256
0c9ef7668b2413d873ba2991393460c52fdc4c84cf481a090f8a724b84b5600d

SHA512
bd6a5e749bbb28cfdb49e8979fc8d8f502707d0866d61b010ccd843c306fcd34aa026f8ad889e8f33a8a7ca3f8042c4806e699bf1b1e204eae9385bd481410e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i51174381.exe

Filesize
370KB

MD5
060875bb9cab6d0d31157271ec96e92a

SHA1
a513a64e221fa78c64cbc7c7af982a1d9be8abf6

SHA256
0c9ef7668b2413d873ba2991393460c52fdc4c84cf481a090f8a724b84b5600d

SHA512
bd6a5e749bbb28cfdb49e8979fc8d8f502707d0866d61b010ccd843c306fcd34aa026f8ad889e8f33a8a7ca3f8042c4806e699bf1b1e204eae9385bd481410e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56510896.exe

Filesize
169KB

MD5
a34e26a5d778240b8ce82c7077a3cc12

SHA1
c2d9bd3e36cf367dec101b1b0aa47af55ce93045

SHA256
66f94dad99ed4f9ef75cb30fa967dc2adddfb49a3305a87840ec2c69fa5089e0

SHA512
442ebda93242b39b6e843ec105bd332d5bd59c30ea3ae95ffdc4eab36843acf8f97a0e02c5c08f5e62c2f4cbf34e6604766b747adf1ecc67c4ffbccb75f23cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a56510896.exe

Filesize
169KB

MD5
a34e26a5d778240b8ce82c7077a3cc12

SHA1
c2d9bd3e36cf367dec101b1b0aa47af55ce93045

SHA256
66f94dad99ed4f9ef75cb30fa967dc2adddfb49a3305a87840ec2c69fa5089e0

SHA512
442ebda93242b39b6e843ec105bd332d5bd59c30ea3ae95ffdc4eab36843acf8f97a0e02c5c08f5e62c2f4cbf34e6604766b747adf1ecc67c4ffbccb75f23cf2

Download Submit
memory/2192-168-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/2192-169-0x000000000A890000-0x000000000AEA8000-memory.dmp

Filesize
6.1MB

Download
memory/2192-170-0x000000000A380000-0x000000000A48A000-memory.dmp

Filesize
1.0MB

Download
memory/2192-171-0x000000000A2A0000-0x000000000A2B2000-memory.dmp

Filesize
72KB

Download
memory/2192-172-0x000000000A300000-0x000000000A33C000-memory.dmp

Filesize
240KB

Download
memory/2192-173-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/2192-174-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download