redline | 0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
Size

1.2MB
MD5

dc3ca255b2f5285f80edd4f675bfe4f0
SHA1

98f14e49c5b4fdc6a805bd551516e4f1c58eb6aa
SHA256

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f
SHA512

a550887fa1d4d884e0885fa12da1602f58595cd220033d6a7425c115d57561cdd57d6ca2f764e4d37f6df92bcc17539250f218bb4e1ec9ad0e150bbc5599041f
SSDEEP

24576:hy5ZS52i5RwpizJPS4PapKDlO/HFgfyJJ4Qs6hlXs4a8V17Aer7jnc:UnSH5OmJPS+akAf6fynL84n17A

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3892-2331-0x0000000005100000-0x0000000005718000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s34275457.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s34275457.exe

Executes dropped EXE 6 IoCs

Processes:

z56259721.exez46272767.exez68293174.exes34275457.exe1.exet43743514.exe

pid process

3096 z56259721.exe
1364 z46272767.exe
3060 z68293174.exe
3672 s34275457.exe
3892 1.exe
1672 t43743514.exe

pid	process
3096	z56259721.exe
1364	z46272767.exe
3060	z68293174.exe
3672	s34275457.exe
3892	1.exe
1672	t43743514.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exez56259721.exez46272767.exez68293174.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z56259721.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z56259721.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z46272767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z46272767.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z68293174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z68293174.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2000 3672 WerFault.exe s34275457.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s34275457.exe

description pid process

Token: SeDebugPrivilege 3672 s34275457.exe

pid	pid_target	process	target process
2000	3672	WerFault.exe	s34275457.exe

description	pid	process
Token: SeDebugPrivilege	3672	s34275457.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exez56259721.exez46272767.exez68293174.exes34275457.exe

description	pid	process	target process
PID 1792 wrote to memory of 3096	1792	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe	z56259721.exe
PID 1792 wrote to memory of 3096	1792	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe	z56259721.exe
PID 1792 wrote to memory of 3096	1792	0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe	z56259721.exe
PID 3096 wrote to memory of 1364	3096	z56259721.exe	z46272767.exe
PID 3096 wrote to memory of 1364	3096	z56259721.exe	z46272767.exe
PID 3096 wrote to memory of 1364	3096	z56259721.exe	z46272767.exe
PID 1364 wrote to memory of 3060	1364	z46272767.exe	z68293174.exe
PID 1364 wrote to memory of 3060	1364	z46272767.exe	z68293174.exe
PID 1364 wrote to memory of 3060	1364	z46272767.exe	z68293174.exe
PID 3060 wrote to memory of 3672	3060	z68293174.exe	s34275457.exe
PID 3060 wrote to memory of 3672	3060	z68293174.exe	s34275457.exe
PID 3060 wrote to memory of 3672	3060	z68293174.exe	s34275457.exe
PID 3672 wrote to memory of 3892	3672	s34275457.exe	1.exe
PID 3672 wrote to memory of 3892	3672	s34275457.exe	1.exe
PID 3672 wrote to memory of 3892	3672	s34275457.exe	1.exe
PID 3060 wrote to memory of 1672	3060	z68293174.exe	t43743514.exe
PID 3060 wrote to memory of 1672	3060	z68293174.exe	t43743514.exe
PID 3060 wrote to memory of 1672	3060	z68293174.exe	t43743514.exe

C:\Users\Admin\AppData\Local\Temp\0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe
"C:\Users\Admin\AppData\Local\Temp\0e95079a5aaa90c4c2cf69274ef3447317b3c303a574eee4d72251d394a6de4f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1376
6⤵
- Program crash
PID:2000

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t43743514.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t43743514.exe
5⤵
- Executes dropped EXE
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3672 -ip 3672
1⤵
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe
Filesize
1.0MB

MD5
b8b26a091f69ca2290a6461fcb9d62bb

SHA1
7bcc322f176c510f3727c90dbec03eb8ffe678c1

SHA256
edb6914e15fd23b8da7e8f285c6da340b2f50e3790aa998db60c7db7ef72962b

SHA512
07922e270701557fafea5133de24f48bd97682a654c91932bf17bc418ff030adbddfdd39c1e601dd99927f433d73ab951aac21c9cea5e9381b0c0ad236b5f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z56259721.exe
Filesize
1.0MB

MD5
b8b26a091f69ca2290a6461fcb9d62bb

SHA1
7bcc322f176c510f3727c90dbec03eb8ffe678c1

SHA256
edb6914e15fd23b8da7e8f285c6da340b2f50e3790aa998db60c7db7ef72962b

SHA512
07922e270701557fafea5133de24f48bd97682a654c91932bf17bc418ff030adbddfdd39c1e601dd99927f433d73ab951aac21c9cea5e9381b0c0ad236b5f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe
Filesize
759KB

MD5
ead8209ead21c1daf21824d103601b40

SHA1
48464acb634a3ab6a2bdccc9ac422039efd97ca7

SHA256
e97bfa0c3a1a292f4532a1e71fb08860ce47ac65955ca6bb3637f490ed770a71

SHA512
9d689501bb0e6ba0a96833a839ee4ef4c9a615767f1ceb551e5bc6a895e1d7913f79ea8bca7be37ac5baa92cfc81da6db77b13f9f0eb56250f84f37316556553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z46272767.exe
Filesize
759KB

MD5
ead8209ead21c1daf21824d103601b40

SHA1
48464acb634a3ab6a2bdccc9ac422039efd97ca7

SHA256
e97bfa0c3a1a292f4532a1e71fb08860ce47ac65955ca6bb3637f490ed770a71

SHA512
9d689501bb0e6ba0a96833a839ee4ef4c9a615767f1ceb551e5bc6a895e1d7913f79ea8bca7be37ac5baa92cfc81da6db77b13f9f0eb56250f84f37316556553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe
Filesize
577KB

MD5
0fa3041379425cee979d461e1283d0bd

SHA1
d4a70ae1d83d63b5de35a68855505ce65d791301

SHA256
6b9e27edd282cd81b1277289b4be69d74d41e4fa28c9a122bf37214ee51d0b84

SHA512
b304ae8b54b6e824d94ac73fe8914339e0d01e0b226cc7a490f2e005eb7ee29e3d85326c36eba5476fdc21264f9a320c6a9591a614e76ceedcdf0e858197674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68293174.exe
Filesize
577KB

MD5
0fa3041379425cee979d461e1283d0bd

SHA1
d4a70ae1d83d63b5de35a68855505ce65d791301

SHA256
6b9e27edd282cd81b1277289b4be69d74d41e4fa28c9a122bf37214ee51d0b84

SHA512
b304ae8b54b6e824d94ac73fe8914339e0d01e0b226cc7a490f2e005eb7ee29e3d85326c36eba5476fdc21264f9a320c6a9591a614e76ceedcdf0e858197674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe
Filesize
574KB

MD5
815c32068487e1107e9f0d9f51422cd3

SHA1
f4261f7f4934ca643adb0429a2f6b349204b9454

SHA256
5bac0e01014f33711c2eac3483c19c3014c4b1fbf844ad22363728dfa0df9d9a

SHA512
d4aac34c236879b0560341e8c38dee7e65a25b5a484c85b73bb14258203eefe5be530d20b5a7e0055789d75842c04a0a4e0a97a591dc4bd403d8ab3c88aab305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34275457.exe
Filesize
574KB

MD5
815c32068487e1107e9f0d9f51422cd3

SHA1
f4261f7f4934ca643adb0429a2f6b349204b9454

SHA256
5bac0e01014f33711c2eac3483c19c3014c4b1fbf844ad22363728dfa0df9d9a

SHA512
d4aac34c236879b0560341e8c38dee7e65a25b5a484c85b73bb14258203eefe5be530d20b5a7e0055789d75842c04a0a4e0a97a591dc4bd403d8ab3c88aab305

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t43743514.exe
Filesize
169KB

MD5
47e5d0a5517c5b6f1104f4d5d20fa664

SHA1
091a873cacedf0b0f39e2d751f78bcd1d08ecd5c

SHA256
a08f38e9e3638749ecb32833a16e7ea26f102ba98189b5baf17f3d480ed71fcb

SHA512
620af7f7c24a9b5faa313087c638be794ea0ca6a96aecf7c106d967188067a9c050900887e997d438328ceb30db852e3019b7e7f197c8ac19e18e49da9feb192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t43743514.exe
Filesize
169KB

MD5
47e5d0a5517c5b6f1104f4d5d20fa664

SHA1
091a873cacedf0b0f39e2d751f78bcd1d08ecd5c

SHA256
a08f38e9e3638749ecb32833a16e7ea26f102ba98189b5baf17f3d480ed71fcb

SHA512
620af7f7c24a9b5faa313087c638be794ea0ca6a96aecf7c106d967188067a9c050900887e997d438328ceb30db852e3019b7e7f197c8ac19e18e49da9feb192

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1672-2343-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1672-2341-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1672-2340-0x0000000000980000-0x00000000009AE000-memory.dmp

Filesize
184KB

Download
memory/3672-196-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-214-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-169-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3672-170-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-172-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-174-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-176-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-178-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-180-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-182-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-184-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-186-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-188-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-190-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-192-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-194-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-166-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-198-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-200-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-202-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-204-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-206-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-208-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-210-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-212-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-164-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-216-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-218-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-220-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-222-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-224-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-226-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-228-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-230-0x0000000002C20000-0x0000000002C80000-memory.dmp

Filesize
384KB

Download
memory/3672-2315-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3672-2316-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3672-2317-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3672-2318-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3672-162-0x0000000002230000-0x000000000228B000-memory.dmp

Filesize
364KB

Download
memory/3672-163-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/3672-165-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3672-167-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3892-2334-0x0000000004B80000-0x0000000004BBC000-memory.dmp

Filesize
240KB

Download
memory/3892-2333-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/3892-2332-0x0000000004BF0000-0x0000000004CFA000-memory.dmp

Filesize
1.0MB

Download
memory/3892-2331-0x0000000005100000-0x0000000005718000-memory.dmp

Filesize
6.1MB

Download
memory/3892-2336-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/3892-2342-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/3892-2330-0x00000000001E0000-0x000000000020E000-memory.dmp

Filesize
184KB

Download