redline | 6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe
Size

1.2MB
MD5

33dfaac3fe7fc5ea27493d4762f1bfc4
SHA1

32df3d5901152d5331f452c8429987e702f7e57e
SHA256

6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add
SHA512

9979cb65a32e04b5c1d177e076afe67b589547af75bc818ad0a0851fc33a8c33ec4de5cabe184ec1e2fa3e1a228909653b5adc30176e583a6772052886a748d1
SSDEEP

24576:Wyjn3CxQrh51+1baE9K2T6GRBy/OQo66bEKHayxp4RLg:ljnyurh5M1bagSrmQDIEhyxi

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/432-2330-0x0000000005D10000-0x0000000006328000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s93370367.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s93370367.exe

Executes dropped EXE 6 IoCs

Processes:

z96278432.exez71210666.exez75911234.exes93370367.exe1.exet51286659.exe

pid process

2404 z96278432.exe
3736 z71210666.exe
5020 z75911234.exe
3608 s93370367.exe
432 1.exe
3340 t51286659.exe

pid	process
2404	z96278432.exe
3736	z71210666.exe
5020	z75911234.exe
3608	s93370367.exe
432	1.exe
3340	t51286659.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z75911234.exe6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exez96278432.exez71210666.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z75911234.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z96278432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z96278432.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z71210666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z71210666.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z75911234.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4104 3608 WerFault.exe s93370367.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s93370367.exe

description pid process

Token: SeDebugPrivilege 3608 s93370367.exe

pid	pid_target	process	target process
4104	3608	WerFault.exe	s93370367.exe

description	pid	process
Token: SeDebugPrivilege	3608	s93370367.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exez96278432.exez71210666.exez75911234.exes93370367.exe

description	pid	process	target process
PID 1872 wrote to memory of 2404	1872	6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe	z96278432.exe
PID 1872 wrote to memory of 2404	1872	6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe	z96278432.exe
PID 1872 wrote to memory of 2404	1872	6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe	z96278432.exe
PID 2404 wrote to memory of 3736	2404	z96278432.exe	z71210666.exe
PID 2404 wrote to memory of 3736	2404	z96278432.exe	z71210666.exe
PID 2404 wrote to memory of 3736	2404	z96278432.exe	z71210666.exe
PID 3736 wrote to memory of 5020	3736	z71210666.exe	z75911234.exe
PID 3736 wrote to memory of 5020	3736	z71210666.exe	z75911234.exe
PID 3736 wrote to memory of 5020	3736	z71210666.exe	z75911234.exe
PID 5020 wrote to memory of 3608	5020	z75911234.exe	s93370367.exe
PID 5020 wrote to memory of 3608	5020	z75911234.exe	s93370367.exe
PID 5020 wrote to memory of 3608	5020	z75911234.exe	s93370367.exe
PID 3608 wrote to memory of 432	3608	s93370367.exe	1.exe
PID 3608 wrote to memory of 432	3608	s93370367.exe	1.exe
PID 3608 wrote to memory of 432	3608	s93370367.exe	1.exe
PID 5020 wrote to memory of 3340	5020	z75911234.exe	t51286659.exe
PID 5020 wrote to memory of 3340	5020	z75911234.exe	t51286659.exe
PID 5020 wrote to memory of 3340	5020	z75911234.exe	t51286659.exe

C:\Users\Admin\AppData\Local\Temp\6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe
"C:\Users\Admin\AppData\Local\Temp\6c959635367daa72731bef39ce69141c43ecf69421dff1d6ed707cc75d104add.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96278432.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96278432.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71210666.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71210666.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z75911234.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z75911234.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93370367.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93370367.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 984
        6⤵
        Program crash
        
        PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t51286659.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t51286659.exe
        5⤵
        Executes dropped EXE
        
        PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3608 -ip 3608
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96278432.exe

Filesize
1.0MB

MD5
f9c7b4de9743439a2b78f8fbd9529bfe

SHA1
eec54a0beedf52c3fa76ebbc7861feac71990c19

SHA256
28d74e2d59c6e838e96c8f0d3162fbc0e2f7b74d25c2cb01f936e90e88939365

SHA512
9c77b5c23bca09310a9c9e86f7f0f5bc6be7dca69e1671bc88040cc8b7e25f7ff28709d1f18f883ec68cd006dc1e8800d62f54a733f68f0473c5ce4b9fe52c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96278432.exe

Filesize
1.0MB

MD5
f9c7b4de9743439a2b78f8fbd9529bfe

SHA1
eec54a0beedf52c3fa76ebbc7861feac71990c19

SHA256
28d74e2d59c6e838e96c8f0d3162fbc0e2f7b74d25c2cb01f936e90e88939365

SHA512
9c77b5c23bca09310a9c9e86f7f0f5bc6be7dca69e1671bc88040cc8b7e25f7ff28709d1f18f883ec68cd006dc1e8800d62f54a733f68f0473c5ce4b9fe52c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71210666.exe

Filesize
760KB

MD5
8919e9e6f4e73880912bee9d59e406ba

SHA1
637222df24498ed4c8b09a5e965922a5b86c03f7

SHA256
a9f88a60a20fa94947d61748b7124b71a63442d2f5fc598b2b1fe19fd0675976

SHA512
f0efd79854f40e65c21913d508408234405a4064577b0b7f463512c752de77c4653c7650bf19c269ee2a33caa7c42f4034054735fc7d934e6adb143084795024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z71210666.exe

Filesize
760KB

MD5
8919e9e6f4e73880912bee9d59e406ba

SHA1
637222df24498ed4c8b09a5e965922a5b86c03f7

SHA256
a9f88a60a20fa94947d61748b7124b71a63442d2f5fc598b2b1fe19fd0675976

SHA512
f0efd79854f40e65c21913d508408234405a4064577b0b7f463512c752de77c4653c7650bf19c269ee2a33caa7c42f4034054735fc7d934e6adb143084795024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z75911234.exe

Filesize
578KB

MD5
7f8d48f089b2905944f549f8e7ef147b

SHA1
60440da35df0bf46afe76ca7a5c0a346294cda2e

SHA256
d84fc71eb3f00247f92890e17ff78205991d33b605a73f3018f264c18a4b929c

SHA512
645dcc88a9c725051196eedfcbd18979cabd50dd433646f0ea1918d9bcd018cef6993bf3b9680d9190a9314e0fdc06c74f23518feff3145b49face3bb55fb959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z75911234.exe

Filesize
578KB

MD5
7f8d48f089b2905944f549f8e7ef147b

SHA1
60440da35df0bf46afe76ca7a5c0a346294cda2e

SHA256
d84fc71eb3f00247f92890e17ff78205991d33b605a73f3018f264c18a4b929c

SHA512
645dcc88a9c725051196eedfcbd18979cabd50dd433646f0ea1918d9bcd018cef6993bf3b9680d9190a9314e0fdc06c74f23518feff3145b49face3bb55fb959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93370367.exe

Filesize
502KB

MD5
d321b8ebb3a771f7a7cdd299e670f01d

SHA1
9e5f99d97b119aa4f0e715906412fa5acac8164d

SHA256
b99c5d8263010b805cf2591bd00d80c26747425cbfa5aaa57023dd1d79d88589

SHA512
c5cf1c3f2c925914e5da623740dfa0b869d5b62bd0de33b6ab824b938bbe7b6396587ce15e410ee13a49dc1366b77bcbba52af8aa51955fadad85d95c85b6df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93370367.exe

Filesize
502KB

MD5
d321b8ebb3a771f7a7cdd299e670f01d

SHA1
9e5f99d97b119aa4f0e715906412fa5acac8164d

SHA256
b99c5d8263010b805cf2591bd00d80c26747425cbfa5aaa57023dd1d79d88589

SHA512
c5cf1c3f2c925914e5da623740dfa0b869d5b62bd0de33b6ab824b938bbe7b6396587ce15e410ee13a49dc1366b77bcbba52af8aa51955fadad85d95c85b6df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t51286659.exe

Filesize
169KB

MD5
0137aa30428012962253085b463b068f

SHA1
3dcaa1b4daf8f6cdc1bb3b1490ef6731cc6a8ba4

SHA256
87327b212d0d1564244460078cf5aac2b66de78167d63afb73d7188cee6b5cf1

SHA512
d859ad89856c6d71f6b42e226b48446b70a67ed6de2bda4d7bd46f1b328f51670b27fd7447b5d723c2e6f0ef6f5980f521556c40b528b9db53c534b3bf464846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t51286659.exe

Filesize
169KB

MD5
0137aa30428012962253085b463b068f

SHA1
3dcaa1b4daf8f6cdc1bb3b1490ef6731cc6a8ba4

SHA256
87327b212d0d1564244460078cf5aac2b66de78167d63afb73d7188cee6b5cf1

SHA512
d859ad89856c6d71f6b42e226b48446b70a67ed6de2bda4d7bd46f1b328f51670b27fd7447b5d723c2e6f0ef6f5980f521556c40b528b9db53c534b3bf464846

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/432-2333-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/432-2334-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/432-2332-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/432-2331-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/432-2330-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/432-2326-0x0000000000DA0000-0x0000000000DCE000-memory.dmp

Filesize
184KB

Download
memory/432-2343-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3340-2341-0x0000000000430000-0x000000000045E000-memory.dmp

Filesize
184KB

Download
memory/3340-2342-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3340-2344-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3608-173-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-229-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-191-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-193-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-195-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-201-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-199-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-197-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-203-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-205-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-207-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-209-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-211-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-213-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-215-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-217-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-219-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-221-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-223-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-225-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-227-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-189-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-187-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-185-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-2323-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-183-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-181-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-2327-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-2328-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-2329-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-179-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-177-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-175-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-171-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-169-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-2336-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-167-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-166-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3608-165-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-164-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/3608-163-0x0000000002220000-0x000000000227B000-memory.dmp

Filesize
364KB

Download
memory/3608-162-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download