redline | 56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b

Analysis

max time kernel
162s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe
Size

1.2MB
MD5

6943687baabe372e00a9fdda2b7d3c83
SHA1

ed70f22e42dd9a1a7234893723b80323ed81aba5
SHA256

56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b
SHA512

5e6748d1eb779a03430b63ce8faf21723144bb18565eeb6edfb36a50fa05cef49bdc72b7d91fa247629ebf37d27543d68ee71c8af2695806da2e957e8603e7ff
SSDEEP

24576:bypTJx+XwJrVRnBgiyIKrKor9/xFIEIxZglNXTNTnM:O9jsKr1hjKG25WEIqNDt

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/544-2332-0x0000000005AB0000-0x00000000060C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s92312264.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s92312264.exe

Executes dropped EXE 6 IoCs

Processes:

z25918204.exez65653393.exez84440242.exes92312264.exe1.exet77750235.exe

pid process

1280 z25918204.exe
2128 z65653393.exe
3704 z84440242.exe
336 s92312264.exe
544 1.exe
3820 t77750235.exe

pid	process
1280	z25918204.exe
2128	z65653393.exe
3704	z84440242.exe
336	s92312264.exe
544	1.exe
3820	t77750235.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exez25918204.exez65653393.exez84440242.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z25918204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z25918204.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z65653393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z65653393.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z84440242.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z84440242.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4908 336 WerFault.exe s92312264.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s92312264.exe

description pid process

Token: SeDebugPrivilege 336 s92312264.exe

pid	pid_target	process	target process
4908	336	WerFault.exe	s92312264.exe

description	pid	process
Token: SeDebugPrivilege	336	s92312264.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exez25918204.exez65653393.exez84440242.exes92312264.exe

description	pid	process	target process
PID 1104 wrote to memory of 1280	1104	56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe	z25918204.exe
PID 1104 wrote to memory of 1280	1104	56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe	z25918204.exe
PID 1104 wrote to memory of 1280	1104	56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe	z25918204.exe
PID 1280 wrote to memory of 2128	1280	z25918204.exe	z65653393.exe
PID 1280 wrote to memory of 2128	1280	z25918204.exe	z65653393.exe
PID 1280 wrote to memory of 2128	1280	z25918204.exe	z65653393.exe
PID 2128 wrote to memory of 3704	2128	z65653393.exe	z84440242.exe
PID 2128 wrote to memory of 3704	2128	z65653393.exe	z84440242.exe
PID 2128 wrote to memory of 3704	2128	z65653393.exe	z84440242.exe
PID 3704 wrote to memory of 336	3704	z84440242.exe	s92312264.exe
PID 3704 wrote to memory of 336	3704	z84440242.exe	s92312264.exe
PID 3704 wrote to memory of 336	3704	z84440242.exe	s92312264.exe
PID 336 wrote to memory of 544	336	s92312264.exe	1.exe
PID 336 wrote to memory of 544	336	s92312264.exe	1.exe
PID 336 wrote to memory of 544	336	s92312264.exe	1.exe
PID 3704 wrote to memory of 3820	3704	z84440242.exe	t77750235.exe
PID 3704 wrote to memory of 3820	3704	z84440242.exe	t77750235.exe
PID 3704 wrote to memory of 3820	3704	z84440242.exe	t77750235.exe

C:\Users\Admin\AppData\Local\Temp\56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe
"C:\Users\Admin\AppData\Local\Temp\56cb56241acfdd41fc9ac4970cabb5a52ec6dff87c982574d7b95a00435bdd6b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z25918204.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z25918204.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z65653393.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z65653393.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z84440242.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z84440242.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92312264.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92312264.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1368
6⤵
- Program crash
PID:4908

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77750235.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77750235.exe
5⤵
- Executes dropped EXE
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 336 -ip 336
1⤵
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z25918204.exe
Filesize
1.0MB

MD5
654b09231530b494055a458b26a72371

SHA1
fb0a8956fe87701293afdb65282ceeca75fea136

SHA256
677c1fa67abad2f19610a9cfd7bb16d522498af1bab11af775d7d668292f1459

SHA512
cdf5499744776c5e5e1abffac4f22af21329e6cf26afd2fd9b3f7765e6921673e444b4acce67f0875d2c9b3b2923166910410f7e28ef96c0af41dc0884e0c2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z25918204.exe
Filesize
1.0MB

MD5
654b09231530b494055a458b26a72371

SHA1
fb0a8956fe87701293afdb65282ceeca75fea136

SHA256
677c1fa67abad2f19610a9cfd7bb16d522498af1bab11af775d7d668292f1459

SHA512
cdf5499744776c5e5e1abffac4f22af21329e6cf26afd2fd9b3f7765e6921673e444b4acce67f0875d2c9b3b2923166910410f7e28ef96c0af41dc0884e0c2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z65653393.exe
Filesize
759KB

MD5
b247d8819f1db9f9324b5168301032c8

SHA1
7ddc4fd3f690e503bc37171d53e4f3cbdc33760a

SHA256
72c330eb366f09c4d32c56b1dbf19d0b3e73a144f8c285f36fa9f29235c75b60

SHA512
21c4186e78a0556d153ae347f2ee33441a811613c3911fa7e9da6a1011a825996b1897ee33070d76ff96d951a9eec1e31435068b461eecf456c74248c72be44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z65653393.exe
Filesize
759KB

MD5
b247d8819f1db9f9324b5168301032c8

SHA1
7ddc4fd3f690e503bc37171d53e4f3cbdc33760a

SHA256
72c330eb366f09c4d32c56b1dbf19d0b3e73a144f8c285f36fa9f29235c75b60

SHA512
21c4186e78a0556d153ae347f2ee33441a811613c3911fa7e9da6a1011a825996b1897ee33070d76ff96d951a9eec1e31435068b461eecf456c74248c72be44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z84440242.exe
Filesize
577KB

MD5
c988e065a712476299380d8a0de0fb37

SHA1
667192a24a41b5ab24798f501999ed0eddbaf0a4

SHA256
1d10af5fff484f2ea7b89674d68936936603ed57300a5098c1a0601d4c6371b2

SHA512
5ddf03f9e040848218a8e5a3234a6675d17d2e98f057eee93f4b20f13e92a605a9ac3fc56b431899f49c2c32d7913f13f98c4d224393cbdb55a7ca0c0baf8ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z84440242.exe
Filesize
577KB

MD5
c988e065a712476299380d8a0de0fb37

SHA1
667192a24a41b5ab24798f501999ed0eddbaf0a4

SHA256
1d10af5fff484f2ea7b89674d68936936603ed57300a5098c1a0601d4c6371b2

SHA512
5ddf03f9e040848218a8e5a3234a6675d17d2e98f057eee93f4b20f13e92a605a9ac3fc56b431899f49c2c32d7913f13f98c4d224393cbdb55a7ca0c0baf8ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92312264.exe
Filesize
574KB

MD5
05e846a7b010a8b97c01c6c8c4d50273

SHA1
c402da4f8097e23d138c8264a2fd87c6e8780941

SHA256
862432aa2a4d2fbf4db920396e71ffb5c45c224d9d6ee8e23a40385ead3da873

SHA512
578ff7de380e71c3b179228d6901a503c20f01f044f792eac5d205e409052e592ef81792605a16b7b627e3c926efe6cddefcd91975a5b014622712556e0539c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92312264.exe
Filesize
574KB

MD5
05e846a7b010a8b97c01c6c8c4d50273

SHA1
c402da4f8097e23d138c8264a2fd87c6e8780941

SHA256
862432aa2a4d2fbf4db920396e71ffb5c45c224d9d6ee8e23a40385ead3da873

SHA512
578ff7de380e71c3b179228d6901a503c20f01f044f792eac5d205e409052e592ef81792605a16b7b627e3c926efe6cddefcd91975a5b014622712556e0539c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77750235.exe
Filesize
169KB

MD5
c1e1fd641cd1a4ce48a44c56873b405d

SHA1
a6335bbabb26bb55d74c80cc9d7b79c53a2569c5

SHA256
0763c24f6c812ce7ab603541b53c27fffd68f0b8f6ee44de26f76196be8b87ad

SHA512
ec76deb224b16414db6aed3ee11f51cb4ea4e798b8550bb0a9bfaba3469463217eb658e90422f3d4346dda8dbc744089a6fd0d3c52d4f4d8f49dc07b415dcdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t77750235.exe
Filesize
169KB

MD5
c1e1fd641cd1a4ce48a44c56873b405d

SHA1
a6335bbabb26bb55d74c80cc9d7b79c53a2569c5

SHA256
0763c24f6c812ce7ab603541b53c27fffd68f0b8f6ee44de26f76196be8b87ad

SHA512
ec76deb224b16414db6aed3ee11f51cb4ea4e798b8550bb0a9bfaba3469463217eb658e90422f3d4346dda8dbc744089a6fd0d3c52d4f4d8f49dc07b415dcdb3

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/336-197-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-207-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-166-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-168-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-170-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-172-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-174-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-176-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-178-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-179-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/336-181-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/336-183-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-184-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-186-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-182-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-187-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-189-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-193-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-195-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-163-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-191-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-199-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-201-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-203-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-205-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-164-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-209-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-211-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-213-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-215-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-217-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-219-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-221-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-223-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-225-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-227-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-229-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/336-2316-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-2317-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-2318-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-2319-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/336-162-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/544-2332-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/544-2333-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/544-2334-0x0000000005320000-0x0000000005332000-memory.dmp

Filesize
72KB

Download
memory/544-2335-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/544-2331-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

Filesize
184KB

Download
memory/544-2336-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/544-2343-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/3820-2341-0x00000000001E0000-0x000000000020E000-memory.dmp

Filesize
184KB

Download
memory/3820-2342-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3820-2344-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download