redline | 0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f

Analysis

max time kernel
245s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
Size

1.2MB
MD5

dc3ca255b2f5285f80edd4f675bfe4f0
SHA1

98f14e49c5b4fdc6a805bd551516e4f1c58eb6aa
SHA256

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f
SHA512

a550887fa1d4d884e0885fa12da1602f58595cd220033d6a7425c115d57561cdd57d6ca2f764e4d37f6df92bcc17539250f218bb4e1ec9ad0e150bbc5599041f
SSDEEP

24576:hy5ZS52i5RwpizJPS4PapKDlO/HFgfyJJ4Qs6hlXs4a8V17Aer7jnc:UnSH5OmJPS+akAf6fynL84n17A

Score

10^/10

redline gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s34275457.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	s34275457.exe

Executes dropped EXE 5 IoCs

Processes:

z56259721.exez46272767.exez68293174.exes34275457.exe1.exe

pid process

116 z56259721.exe
4948 z46272767.exe
4420 z68293174.exe
2256 s34275457.exe
3744 1.exe

pid	process
116	z56259721.exe
4948	z46272767.exe
4420	z68293174.exe
2256	s34275457.exe
3744	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z56259721.exez46272767.exez68293174.exe0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z56259721.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z46272767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z46272767.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z68293174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z68293174.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z56259721.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5104 2256 WerFault.exe s34275457.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s34275457.exe

description pid process

Token: SeDebugPrivilege 2256 s34275457.exe

pid	pid_target	process	target process
5104	2256	WerFault.exe	s34275457.exe

description	pid	process
Token: SeDebugPrivilege	2256	s34275457.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exez56259721.exez46272767.exez68293174.exes34275457.exe

description	pid	process	target process
PID 1548 wrote to memory of 116	1548	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe	z56259721.exe
PID 1548 wrote to memory of 116	1548	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe	z56259721.exe
PID 1548 wrote to memory of 116	1548	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe	z56259721.exe
PID 116 wrote to memory of 4948	116	z56259721.exe	z46272767.exe
PID 116 wrote to memory of 4948	116	z56259721.exe	z46272767.exe
PID 116 wrote to memory of 4948	116	z56259721.exe	z46272767.exe
PID 4948 wrote to memory of 4420	4948	z46272767.exe	z68293174.exe
PID 4948 wrote to memory of 4420	4948	z46272767.exe	z68293174.exe
PID 4948 wrote to memory of 4420	4948	z46272767.exe	z68293174.exe
PID 4420 wrote to memory of 2256	4420	z68293174.exe	s34275457.exe
PID 4420 wrote to memory of 2256	4420	z68293174.exe	s34275457.exe
PID 4420 wrote to memory of 2256	4420	z68293174.exe	s34275457.exe
PID 2256 wrote to memory of 3744	2256	s34275457.exe	1.exe
PID 2256 wrote to memory of 3744	2256	s34275457.exe	1.exe
PID 2256 wrote to memory of 3744	2256	s34275457.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
"C:\Users\Admin\AppData\Local\Temp\0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:3744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1376
        6⤵
        Program crash
        
        PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2256 -ip 2256
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe

Filesize
1.0MB

MD5
b8b26a091f69ca2290a6461fcb9d62bb

SHA1
7bcc322f176c510f3727c90dbec03eb8ffe678c1

SHA256
edb6914e15fd23b8da7e8f285c6da340b2f50e3790aa998db60c7db7ef72962b

SHA512
07922e270701557fafea5133de24f48bd97682a654c91932bf17bc418ff030adbddfdd39c1e601dd99927f433d73ab951aac21c9cea5e9381b0c0ad236b5f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe

Filesize
1.0MB

MD5
b8b26a091f69ca2290a6461fcb9d62bb

SHA1
7bcc322f176c510f3727c90dbec03eb8ffe678c1

SHA256
edb6914e15fd23b8da7e8f285c6da340b2f50e3790aa998db60c7db7ef72962b

SHA512
07922e270701557fafea5133de24f48bd97682a654c91932bf17bc418ff030adbddfdd39c1e601dd99927f433d73ab951aac21c9cea5e9381b0c0ad236b5f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe

Filesize
759KB

MD5
ead8209ead21c1daf21824d103601b40

SHA1
48464acb634a3ab6a2bdccc9ac422039efd97ca7

SHA256
e97bfa0c3a1a292f4532a1e71fb08860ce47ac65955ca6bb3637f490ed770a71

SHA512
9d689501bb0e6ba0a96833a839ee4ef4c9a615767f1ceb551e5bc6a895e1d7913f79ea8bca7be37ac5baa92cfc81da6db77b13f9f0eb56250f84f37316556553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe

Filesize
759KB

MD5
ead8209ead21c1daf21824d103601b40

SHA1
48464acb634a3ab6a2bdccc9ac422039efd97ca7

SHA256
e97bfa0c3a1a292f4532a1e71fb08860ce47ac65955ca6bb3637f490ed770a71

SHA512
9d689501bb0e6ba0a96833a839ee4ef4c9a615767f1ceb551e5bc6a895e1d7913f79ea8bca7be37ac5baa92cfc81da6db77b13f9f0eb56250f84f37316556553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe

Filesize
577KB

MD5
0fa3041379425cee979d461e1283d0bd

SHA1
d4a70ae1d83d63b5de35a68855505ce65d791301

SHA256
6b9e27edd282cd81b1277289b4be69d74d41e4fa28c9a122bf37214ee51d0b84

SHA512
b304ae8b54b6e824d94ac73fe8914339e0d01e0b226cc7a490f2e005eb7ee29e3d85326c36eba5476fdc21264f9a320c6a9591a614e76ceedcdf0e858197674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe

Filesize
577KB

MD5
0fa3041379425cee979d461e1283d0bd

SHA1
d4a70ae1d83d63b5de35a68855505ce65d791301

SHA256
6b9e27edd282cd81b1277289b4be69d74d41e4fa28c9a122bf37214ee51d0b84

SHA512
b304ae8b54b6e824d94ac73fe8914339e0d01e0b226cc7a490f2e005eb7ee29e3d85326c36eba5476fdc21264f9a320c6a9591a614e76ceedcdf0e858197674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe

Filesize
574KB

MD5
815c32068487e1107e9f0d9f51422cd3

SHA1
f4261f7f4934ca643adb0429a2f6b349204b9454

SHA256
5bac0e01014f33711c2eac3483c19c3014c4b1fbf844ad22363728dfa0df9d9a

SHA512
d4aac34c236879b0560341e8c38dee7e65a25b5a484c85b73bb14258203eefe5be530d20b5a7e0055789d75842c04a0a4e0a97a591dc4bd403d8ab3c88aab305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe

Filesize
574KB

MD5
815c32068487e1107e9f0d9f51422cd3

SHA1
f4261f7f4934ca643adb0429a2f6b349204b9454

SHA256
5bac0e01014f33711c2eac3483c19c3014c4b1fbf844ad22363728dfa0df9d9a

SHA512
d4aac34c236879b0560341e8c38dee7e65a25b5a484c85b73bb14258203eefe5be530d20b5a7e0055789d75842c04a0a4e0a97a591dc4bd403d8ab3c88aab305

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2256-162-0x00000000023D0000-0x000000000242B000-memory.dmp

Filesize
364KB

Download
memory/2256-163-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/2256-166-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/2256-167-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-168-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/2256-169-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-170-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-171-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/2256-172-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-173-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-175-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-177-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-179-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-181-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-183-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-187-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-189-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-185-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-191-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-193-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-195-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-197-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-199-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-201-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-203-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-205-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-207-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-209-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-211-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-213-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-215-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-217-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-219-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-221-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-225-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-223-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-227-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-229-0x0000000005670000-0x00000000056D0000-memory.dmp

Filesize
384KB

Download
memory/2256-2250-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-2320-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-2321-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-2330-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2256-2337-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/3744-2335-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download