redline | 6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4

Analysis

max time kernel
205s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe
Size

1.2MB
MD5

e2daeda870d6802704cc5ac873dc465b
SHA1

73054bd775105fe569331c3339febe633d3c3646
SHA256

6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4
SHA512

3845429b0b1b71f63b66a3be5f2e8e24d745e95c77046994508e1ce57ace1e4ea52b8abd2304dda1528b9269f3d27af8e082481ad8cb51b178377351cecf909c
SSDEEP

24576:pyNO4WkaIjjKjYGrOfWfxe0A1+prHJa1zRAaP2uk9L/6sp:cMHpNmfExxA1+NHJalRAaM/

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4108-2333-0x00000000053F0000-0x0000000005A08000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s59929585.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s59929585.exe

Executes dropped EXE 6 IoCs

Processes:

z84690247.exez63561361.exez62891639.exes59929585.exe1.exet55153598.exe

pid process

4780 z84690247.exe
2088 z63561361.exe
3948 z62891639.exe
3444 s59929585.exe
4108 1.exe
3736 t55153598.exe

pid	process
4780	z84690247.exe
2088	z63561361.exe
3948	z62891639.exe
3444	s59929585.exe
4108	1.exe
3736	t55153598.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exez84690247.exez63561361.exez62891639.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z84690247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z84690247.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z63561361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z63561361.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z62891639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z62891639.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2716 3444 WerFault.exe s59929585.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s59929585.exe

description pid process

Token: SeDebugPrivilege 3444 s59929585.exe

pid	pid_target	process	target process
2716	3444	WerFault.exe	s59929585.exe

description	pid	process
Token: SeDebugPrivilege	3444	s59929585.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exez84690247.exez63561361.exez62891639.exes59929585.exe

description	pid	process	target process
PID 2536 wrote to memory of 4780	2536	6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe	z84690247.exe
PID 2536 wrote to memory of 4780	2536	6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe	z84690247.exe
PID 2536 wrote to memory of 4780	2536	6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe	z84690247.exe
PID 4780 wrote to memory of 2088	4780	z84690247.exe	z63561361.exe
PID 4780 wrote to memory of 2088	4780	z84690247.exe	z63561361.exe
PID 4780 wrote to memory of 2088	4780	z84690247.exe	z63561361.exe
PID 2088 wrote to memory of 3948	2088	z63561361.exe	z62891639.exe
PID 2088 wrote to memory of 3948	2088	z63561361.exe	z62891639.exe
PID 2088 wrote to memory of 3948	2088	z63561361.exe	z62891639.exe
PID 3948 wrote to memory of 3444	3948	z62891639.exe	s59929585.exe
PID 3948 wrote to memory of 3444	3948	z62891639.exe	s59929585.exe
PID 3948 wrote to memory of 3444	3948	z62891639.exe	s59929585.exe
PID 3444 wrote to memory of 4108	3444	s59929585.exe	1.exe
PID 3444 wrote to memory of 4108	3444	s59929585.exe	1.exe
PID 3444 wrote to memory of 4108	3444	s59929585.exe	1.exe
PID 3948 wrote to memory of 3736	3948	z62891639.exe	t55153598.exe
PID 3948 wrote to memory of 3736	3948	z62891639.exe	t55153598.exe
PID 3948 wrote to memory of 3736	3948	z62891639.exe	t55153598.exe

C:\Users\Admin\AppData\Local\Temp\6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe
"C:\Users\Admin\AppData\Local\Temp\6f7816d4f43a3b3d73e2166057f56ddcdd2ed1c922a91743a0be4bc0b58592f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z84690247.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z84690247.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z63561361.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z63561361.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z62891639.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z62891639.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59929585.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59929585.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1528
6⤵
- Program crash
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t55153598.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t55153598.exe
5⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3444 -ip 3444
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z84690247.exe
Filesize
1.0MB

MD5
2bc5faa172826dc188e3b93faf80f3c6

SHA1
1f7f24a89e423cf079c677beef404ee8b2743b7b

SHA256
3966602b5ae7c906af8a87b021defda41b2330c21078c40139fd39d8c0c9f287

SHA512
8d82130e29cfab9f3855beaec6adf447eedf3ba5d3e503b1c94b40347285e8af30e4cc9e5909aa6f0391750659dbd327ad0b90e90960eac2139d74c5e26b6ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z84690247.exe
Filesize
1.0MB

MD5
2bc5faa172826dc188e3b93faf80f3c6

SHA1
1f7f24a89e423cf079c677beef404ee8b2743b7b

SHA256
3966602b5ae7c906af8a87b021defda41b2330c21078c40139fd39d8c0c9f287

SHA512
8d82130e29cfab9f3855beaec6adf447eedf3ba5d3e503b1c94b40347285e8af30e4cc9e5909aa6f0391750659dbd327ad0b90e90960eac2139d74c5e26b6ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z63561361.exe
Filesize
753KB

MD5
b78fd0b632fced8bb3d4040b07c8ff37

SHA1
b4dad005bda7ceb3b4a1c4347a8ab8f5d2efce7a

SHA256
b1361b53b38de36cfebfcbba6566ad1e3da22e7945c2db5abd14d39e7f12a996

SHA512
aa9c81d8de06fe048bbd42a7998d44e5ab02484f1df45f529f6609108a4bf9b6ee6bb7d6e90ca618df9a59d59b7532dcc5a1cb81ec50d68465a0a963a27f19f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z63561361.exe
Filesize
753KB

MD5
b78fd0b632fced8bb3d4040b07c8ff37

SHA1
b4dad005bda7ceb3b4a1c4347a8ab8f5d2efce7a

SHA256
b1361b53b38de36cfebfcbba6566ad1e3da22e7945c2db5abd14d39e7f12a996

SHA512
aa9c81d8de06fe048bbd42a7998d44e5ab02484f1df45f529f6609108a4bf9b6ee6bb7d6e90ca618df9a59d59b7532dcc5a1cb81ec50d68465a0a963a27f19f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z62891639.exe
Filesize
570KB

MD5
fe270154407accb83353acc03aab019f

SHA1
72868b8d43ddb35c7dea30213a4b192060b9dc1f

SHA256
651a4aa3cace0ea7de3f12edadccd37cce690cd2c86328fa593b6464235857a8

SHA512
68e2d8b0c5eae9bfd37351eb8113c263a790c87ba5b2fe3eb1d6195829e2dec824f5775beefec923209c07c084be98140b4bafd41a3bcbd974af28363d10dd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z62891639.exe
Filesize
570KB

MD5
fe270154407accb83353acc03aab019f

SHA1
72868b8d43ddb35c7dea30213a4b192060b9dc1f

SHA256
651a4aa3cace0ea7de3f12edadccd37cce690cd2c86328fa593b6464235857a8

SHA512
68e2d8b0c5eae9bfd37351eb8113c263a790c87ba5b2fe3eb1d6195829e2dec824f5775beefec923209c07c084be98140b4bafd41a3bcbd974af28363d10dd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59929585.exe
Filesize
488KB

MD5
58c9e73b825f1c09f01eb8e7178e35b8

SHA1
c4dbb39a4e31a63ddbd0dd0e102b1f7030378575

SHA256
5c6d0f201c225f5663beda9dbba307302690235ba2f630fa0d5222407b987cb6

SHA512
b892ceb791a9b3a806521d940df03ee6c04c8369bfb7e769e3dcc5f5a971d8d40d80430232fdf3e61381cf8355fd79224aa5fcb2492a7294e9c61313e91cf2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59929585.exe
Filesize
488KB

MD5
58c9e73b825f1c09f01eb8e7178e35b8

SHA1
c4dbb39a4e31a63ddbd0dd0e102b1f7030378575

SHA256
5c6d0f201c225f5663beda9dbba307302690235ba2f630fa0d5222407b987cb6

SHA512
b892ceb791a9b3a806521d940df03ee6c04c8369bfb7e769e3dcc5f5a971d8d40d80430232fdf3e61381cf8355fd79224aa5fcb2492a7294e9c61313e91cf2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t55153598.exe
Filesize
169KB

MD5
f2931e5e6f14fa65ff3551ed32123b06

SHA1
9c65034630fcf1af879a414fa6f750cfbb40c74b

SHA256
6d3481adff1aa7092cff207390708d005a1fe604f07b1c12c20449efcf624975

SHA512
be9ee704fc362dc5aa2bf88c2f9e1b947e7e79589e65d5d6ecf9025d9ff70843e7ff9ff0601150be3b1055d095e3c194f4b65154a7fd5ac847c7f318b6a2b13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t55153598.exe
Filesize
169KB

MD5
f2931e5e6f14fa65ff3551ed32123b06

SHA1
9c65034630fcf1af879a414fa6f750cfbb40c74b

SHA256
6d3481adff1aa7092cff207390708d005a1fe604f07b1c12c20449efcf624975

SHA512
be9ee704fc362dc5aa2bf88c2f9e1b947e7e79589e65d5d6ecf9025d9ff70843e7ff9ff0601150be3b1055d095e3c194f4b65154a7fd5ac847c7f318b6a2b13c

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/3444-205-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-217-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-171-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-173-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-175-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-177-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-179-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-181-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-183-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-185-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-187-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-189-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-191-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-193-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-195-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-197-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-199-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-201-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-203-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-167-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-207-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-209-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-211-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-213-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-215-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-169-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-219-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-221-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-223-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-225-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-227-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-229-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-2313-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-2314-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-2315-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-2317-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-166-0x0000000005620000-0x0000000005680000-memory.dmp

Filesize
384KB

Download
memory/3444-165-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-164-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-162-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/3444-2332-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-163-0x00000000008F0000-0x000000000094B000-memory.dmp

Filesize
364KB

Download
memory/3736-2343-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/3736-2344-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/3736-2346-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/4108-2334-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/4108-2335-0x0000000004D40000-0x0000000004D52000-memory.dmp

Filesize
72KB

Download
memory/4108-2337-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4108-2338-0x0000000004DD0000-0x0000000004E0C000-memory.dmp

Filesize
240KB

Download
memory/4108-2333-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/4108-2331-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/4108-2345-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download