redline | 711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d

Analysis

max time kernel
250s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
Size

1.2MB
MD5

d96887d27fddd55b6bc9cca39e8a8c01
SHA1

4f8b0b546788d376cfc3722a365b6125583d4de4
SHA256

711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d
SHA512

5a42d68742e8f87c4be1a1ceece71426f6cf5b1d8e61edba8d2112e9b10080343ef3ccfa64c7ae1d902fb9800594d1766d7251ebf0e93384f8e25a1ebccea143
SSDEEP

24576:5yxy+kRmJNCJPo9H7dvb6KkyY/TpQ3qK0u7lfdLh9DhRAkSUW93/aUE:sxyvMJNCho9H1bp87u6K5JhTzLo

Score

10^/10

redline gena infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s76867837.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	s76867837.exe

Executes dropped EXE 5 IoCs

Processes:

z32091292.exez57610492.exez25776460.exes76867837.exe1.exe

pid process

396 z32091292.exe
4428 z57610492.exe
220 z25776460.exe
5084 s76867837.exe
3708 1.exe

pid	process
396	z32091292.exe
4428	z57610492.exe
220	z25776460.exe
5084	s76867837.exe
3708	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z57610492.exez25776460.exe711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exez32091292.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z57610492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z57610492.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z25776460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z25776460.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z32091292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z32091292.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1044 5084 WerFault.exe s76867837.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s76867837.exe

description pid process

Token: SeDebugPrivilege 5084 s76867837.exe

pid	pid_target	process	target process
1044	5084	WerFault.exe	s76867837.exe

description	pid	process
Token: SeDebugPrivilege	5084	s76867837.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exez32091292.exez57610492.exez25776460.exes76867837.exe

description	pid	process	target process
PID 2736 wrote to memory of 396	2736	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe	z32091292.exe
PID 2736 wrote to memory of 396	2736	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe	z32091292.exe
PID 2736 wrote to memory of 396	2736	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe	z32091292.exe
PID 396 wrote to memory of 4428	396	z32091292.exe	z57610492.exe
PID 396 wrote to memory of 4428	396	z32091292.exe	z57610492.exe
PID 396 wrote to memory of 4428	396	z32091292.exe	z57610492.exe
PID 4428 wrote to memory of 220	4428	z57610492.exe	z25776460.exe
PID 4428 wrote to memory of 220	4428	z57610492.exe	z25776460.exe
PID 4428 wrote to memory of 220	4428	z57610492.exe	z25776460.exe
PID 220 wrote to memory of 5084	220	z25776460.exe	s76867837.exe
PID 220 wrote to memory of 5084	220	z25776460.exe	s76867837.exe
PID 220 wrote to memory of 5084	220	z25776460.exe	s76867837.exe
PID 5084 wrote to memory of 3708	5084	s76867837.exe	1.exe
PID 5084 wrote to memory of 3708	5084	s76867837.exe	1.exe
PID 5084 wrote to memory of 3708	5084	s76867837.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
"C:\Users\Admin\AppData\Local\Temp\711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:3708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1556
        6⤵
        Program crash
        
        PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5084 -ip 5084
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe

Filesize
1.0MB

MD5
b59664c5e03b1201c6a92aea6793aeaa

SHA1
41f8e54f097319aa70a6b3816e567cda4094621c

SHA256
6dd728d2f5532824dd4dd588ed50af9e35052e971013bf9f72d48f4f0a93cc00

SHA512
50033c3aa2d2cb0033ea2794de950d5042c7aa5c831b50f8d034ef57691d96c3afa4302d95d57af5dc45c0cdab0ce8fb1ca1453beeaab5bb7931154f8a5a232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe

Filesize
1.0MB

MD5
b59664c5e03b1201c6a92aea6793aeaa

SHA1
41f8e54f097319aa70a6b3816e567cda4094621c

SHA256
6dd728d2f5532824dd4dd588ed50af9e35052e971013bf9f72d48f4f0a93cc00

SHA512
50033c3aa2d2cb0033ea2794de950d5042c7aa5c831b50f8d034ef57691d96c3afa4302d95d57af5dc45c0cdab0ce8fb1ca1453beeaab5bb7931154f8a5a232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe

Filesize
759KB

MD5
2743d3e44eaa34ec2084d6660ae330c3

SHA1
197eebae2b65bbc6508a91a002d1e7d45a092c26

SHA256
d28f85a09497c9e3932b6e937f4d7811a72576ab7c76daf8bafa4617402e7995

SHA512
04802f5fd414a437c9576b29da56b06b1fd30f1a65b1ed61cf82ad5943399dbd5600dfce1e7be409dc2cf26dbdd8912e4f2b847142cbda3a72eb44f1babb03fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe

Filesize
759KB

MD5
2743d3e44eaa34ec2084d6660ae330c3

SHA1
197eebae2b65bbc6508a91a002d1e7d45a092c26

SHA256
d28f85a09497c9e3932b6e937f4d7811a72576ab7c76daf8bafa4617402e7995

SHA512
04802f5fd414a437c9576b29da56b06b1fd30f1a65b1ed61cf82ad5943399dbd5600dfce1e7be409dc2cf26dbdd8912e4f2b847142cbda3a72eb44f1babb03fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe

Filesize
577KB

MD5
39b419f7bd9faf4b3de5b86563b96e6b

SHA1
84d57108e4bd894d220565b2e6498d55622d5d51

SHA256
1f941a9e317d5a247657313a4e6b8ff2faa50d0d739f700e75d039a176594368

SHA512
03441e3786be527728d079f8f10e58d90406f92914456cf74add89372cf67312fa888348911c9453e1200108f0113d9204e83f65f0c1a9683aba9440a33f32ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe

Filesize
577KB

MD5
39b419f7bd9faf4b3de5b86563b96e6b

SHA1
84d57108e4bd894d220565b2e6498d55622d5d51

SHA256
1f941a9e317d5a247657313a4e6b8ff2faa50d0d739f700e75d039a176594368

SHA512
03441e3786be527728d079f8f10e58d90406f92914456cf74add89372cf67312fa888348911c9453e1200108f0113d9204e83f65f0c1a9683aba9440a33f32ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe

Filesize
574KB

MD5
d33a622ccec9deacf85544d3bfdd6d51

SHA1
42c841718d25db700dcc2a39c259a49b2712e94d

SHA256
aadff0cf486966cfd1b95bac878bb846dbc8a7dcc241ee5a0f7d5a8d28552b56

SHA512
2194978bc3b9ec40b122d887250838ae8fcf0643d1ea3ac43170d80e090727ec0dad92d62ee53b82038792ecd6a61ca78c674872534a479ad07510e3c79d1b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe

Filesize
574KB

MD5
d33a622ccec9deacf85544d3bfdd6d51

SHA1
42c841718d25db700dcc2a39c259a49b2712e94d

SHA256
aadff0cf486966cfd1b95bac878bb846dbc8a7dcc241ee5a0f7d5a8d28552b56

SHA512
2194978bc3b9ec40b122d887250838ae8fcf0643d1ea3ac43170d80e090727ec0dad92d62ee53b82038792ecd6a61ca78c674872534a479ad07510e3c79d1b3d

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/3708-2334-0x0000000000AF0000-0x0000000000B1E000-memory.dmp

Filesize
184KB

Download
memory/5084-162-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/5084-163-0x0000000000990000-0x00000000009EB000-memory.dmp

Filesize
364KB

Download
memory/5084-164-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/5084-166-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-165-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-168-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-170-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-172-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-174-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-176-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-178-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-180-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-182-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-183-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-186-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-187-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-189-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-185-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-191-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-193-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-195-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-197-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-199-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-201-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-203-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-205-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-207-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-209-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-211-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-213-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-215-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-217-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-219-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-221-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-223-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-225-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-227-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-229-0x0000000005550000-0x00000000055B0000-memory.dmp

Filesize
384KB

Download
memory/5084-2315-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-2316-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-2317-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-2322-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/5084-2336-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download