redline | 513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354

Analysis

max time kernel
167s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe
Size

1.5MB
MD5

ada40c4d94d6bf556255651b5ce72f7f
SHA1

2da79c523cab8a492434f7af0783b49fed3a859e
SHA256

513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354
SHA512

5b4ba6d9f5f6b8cfa18020b431feacbe11522419ccee5a6b55ba8726dad82800dd291255f30be04dd2e0790c21166fa80401437dbb626b89f355604365801101
SSDEEP

24576:0y0NCFn7B0s0+VrbjML/Sv9Nd6T0hSnlvDWF9dJSG/i/Nk8n0AaZPGD/ytJy:D0wNVtDMy9Nd6AhSnlvDWhTaFk80AaZL

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2316-169-0x000000000A920000-0x000000000AF38000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2648	i16634946.exe
4552	i95401095.exe
2264	i02940512.exe
1796	i79756075.exe
2316	a69126310.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i95401095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i79756075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i95401095.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i02940512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i02940512.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i79756075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i16634946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i16634946.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2648	2044	513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe	82
PID 2044 wrote to memory of 2648	2044	513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe	82
PID 2044 wrote to memory of 2648	2044	513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe	82
PID 2648 wrote to memory of 4552	2648	i16634946.exe	83
PID 2648 wrote to memory of 4552	2648	i16634946.exe	83
PID 2648 wrote to memory of 4552	2648	i16634946.exe	83
PID 4552 wrote to memory of 2264	4552	i95401095.exe	84
PID 4552 wrote to memory of 2264	4552	i95401095.exe	84
PID 4552 wrote to memory of 2264	4552	i95401095.exe	84
PID 2264 wrote to memory of 1796	2264	i02940512.exe	85
PID 2264 wrote to memory of 1796	2264	i02940512.exe	85
PID 2264 wrote to memory of 1796	2264	i02940512.exe	85
PID 1796 wrote to memory of 2316	1796	i79756075.exe	86
PID 1796 wrote to memory of 2316	1796	i79756075.exe	86
PID 1796 wrote to memory of 2316	1796	i79756075.exe	86

C:\Users\Admin\AppData\Local\Temp\513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe
"C:\Users\Admin\AppData\Local\Temp\513d7e79ae99396b9d8a79f1af172929a020785510ab876afb0c25a547533354.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16634946.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16634946.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95401095.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95401095.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02940512.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02940512.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79756075.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79756075.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a69126310.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a69126310.exe
        6⤵
        Executes dropped EXE
        
        PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16634946.exe

Filesize
1.3MB

MD5
7157ff4c39060e7d45fcd4189c3c738c

SHA1
0c8f0dea920699e66caf939b58592141a0efd5c5

SHA256
ae2273dba5a7210631b427b0ef59bbb2c8dcbc94e245ebbb8c7ef8ddb3330aab

SHA512
076bf36600f5e92e284e1e062c329a285e4a99b97ca02b265d9410d706180aecc0db0a1733df2c9304d3e51dff5f71e4d4c59583f01e3c06dbe84de28f325813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16634946.exe

Filesize
1.3MB

MD5
7157ff4c39060e7d45fcd4189c3c738c

SHA1
0c8f0dea920699e66caf939b58592141a0efd5c5

SHA256
ae2273dba5a7210631b427b0ef59bbb2c8dcbc94e245ebbb8c7ef8ddb3330aab

SHA512
076bf36600f5e92e284e1e062c329a285e4a99b97ca02b265d9410d706180aecc0db0a1733df2c9304d3e51dff5f71e4d4c59583f01e3c06dbe84de28f325813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95401095.exe

Filesize
1015KB

MD5
feb042ba0bc14b56edb7db4040ddd614

SHA1
0ebc8de6fe4ab6b4c482bf187e39fc80a805f70b

SHA256
909a41ef5303627afd2752cc940c253954e4ec327ef724014973e5f55a7ea5d2

SHA512
145102c5eed8439fa9d2c05fadd48f5de4b87dd25c6cebaab8c5dbeeebb844cab22b5694bba510ec884d34ab7994a0f2fbed3f560555f3562d6f247912704ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i95401095.exe

Filesize
1015KB

MD5
feb042ba0bc14b56edb7db4040ddd614

SHA1
0ebc8de6fe4ab6b4c482bf187e39fc80a805f70b

SHA256
909a41ef5303627afd2752cc940c253954e4ec327ef724014973e5f55a7ea5d2

SHA512
145102c5eed8439fa9d2c05fadd48f5de4b87dd25c6cebaab8c5dbeeebb844cab22b5694bba510ec884d34ab7994a0f2fbed3f560555f3562d6f247912704ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02940512.exe

Filesize
843KB

MD5
32dc14aea1bcd69f583a8357fe5f23e1

SHA1
72bd42420378766e80557fa1f47f4ce1c9a2ab71

SHA256
339bc9c4b63cb4f170e3d15e49a663bc806375b1099d7d2d9c03f4dff0e96702

SHA512
ed1660ddd205b4e3223100aa2c75dd535694c8df8727c9f7f411686616dad48dff8826437239bfb077691c0ada5fff7c62ef545004bed2eaa13d371a4ab2d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02940512.exe

Filesize
843KB

MD5
32dc14aea1bcd69f583a8357fe5f23e1

SHA1
72bd42420378766e80557fa1f47f4ce1c9a2ab71

SHA256
339bc9c4b63cb4f170e3d15e49a663bc806375b1099d7d2d9c03f4dff0e96702

SHA512
ed1660ddd205b4e3223100aa2c75dd535694c8df8727c9f7f411686616dad48dff8826437239bfb077691c0ada5fff7c62ef545004bed2eaa13d371a4ab2d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79756075.exe

Filesize
371KB

MD5
31687389a4da0964d36edd2c59330de5

SHA1
d919bb7ceb581ad97eb6ed3d5ea627304db8a57a

SHA256
bdb271b55427e0dedba7a8af8b68e052e4c1f73470e8e52c5e20bb424d0bc0bf

SHA512
addc4e0295c7985ef1f5bcaefa69257bd5c4d16aa658a86e50dc9611cf71955a029d3df9cd5c79a4e515c348ed54609c5a293945c6c226ae6e435c6ec3bc9755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79756075.exe

Filesize
371KB

MD5
31687389a4da0964d36edd2c59330de5

SHA1
d919bb7ceb581ad97eb6ed3d5ea627304db8a57a

SHA256
bdb271b55427e0dedba7a8af8b68e052e4c1f73470e8e52c5e20bb424d0bc0bf

SHA512
addc4e0295c7985ef1f5bcaefa69257bd5c4d16aa658a86e50dc9611cf71955a029d3df9cd5c79a4e515c348ed54609c5a293945c6c226ae6e435c6ec3bc9755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a69126310.exe

Filesize
169KB

MD5
7bc6df1685c63619877c69f79cf10b04

SHA1
e082617aa228afc9e7fa6a931d7830c541afae7b

SHA256
c516b00eed206614c54469a17962ead781f64284b8f64f09497c8dad4596ac3a

SHA512
5b194e3170d61e079e34a31f519624f421fe5a517d6fab7d6f393c0d9eb4644419a564525bde31a23221b041be26802b654389d1c281bf6c4a46fa5f3c9c84fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a69126310.exe

Filesize
169KB

MD5
7bc6df1685c63619877c69f79cf10b04

SHA1
e082617aa228afc9e7fa6a931d7830c541afae7b

SHA256
c516b00eed206614c54469a17962ead781f64284b8f64f09497c8dad4596ac3a

SHA512
5b194e3170d61e079e34a31f519624f421fe5a517d6fab7d6f393c0d9eb4644419a564525bde31a23221b041be26802b654389d1c281bf6c4a46fa5f3c9c84fb

Download Submit
memory/2316-168-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/2316-169-0x000000000A920000-0x000000000AF38000-memory.dmp

Filesize
6.1MB

Download
memory/2316-170-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/2316-171-0x000000000A510000-0x000000000A522000-memory.dmp

Filesize
72KB

Download
memory/2316-172-0x000000000A570000-0x000000000A5AC000-memory.dmp

Filesize
240KB

Download
memory/2316-173-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/2316-174-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download