redline | 067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8

Analysis

max time kernel
188s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
Size

1.2MB
MD5

f77bbb65f98793e1797f8cd0c39162c4
SHA1

76083a41520e62ce852f25194310b43d9d26b8cd
SHA256

067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8
SHA512

70f3d803b73ffdd1c9d2001f02155fbd28a99e53d8211637e386df3320425a60ca6b698aa305beafdf0737d2fd0ab2245607e0c17a60d58d1c7c9be3fed69c2c
SSDEEP

24576:xyankK4lvenj2GiODrsMK3mg5d651Flu3lHxs3dzuqT/zPY3JIxQ/:kanL0U2asVmg5k51FY3lRs3dhT/zPoJV

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4548-2334-0x0000000005B10000-0x0000000006128000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s32275988.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s32275988.exe

Executes dropped EXE 6 IoCs

Processes:

z75520223.exez91892254.exez88896073.exes32275988.exe1.exet94383935.exe

pid process

3752 z75520223.exe
348 z91892254.exe
3552 z88896073.exe
3780 s32275988.exe
4548 1.exe
4688 t94383935.exe

pid	process
3752	z75520223.exe
348	z91892254.exe
3552	z88896073.exe
3780	s32275988.exe
4548	1.exe
4688	t94383935.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z91892254.exez88896073.exe067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exez75520223.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z91892254.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z88896073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z88896073.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z75520223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z75520223.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z91892254.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4480 3780 WerFault.exe s32275988.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s32275988.exe

description pid process

Token: SeDebugPrivilege 3780 s32275988.exe

pid	pid_target	process	target process
4480	3780	WerFault.exe	s32275988.exe

description	pid	process
Token: SeDebugPrivilege	3780	s32275988.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exez75520223.exez91892254.exez88896073.exes32275988.exe

description	pid	process	target process
PID 4572 wrote to memory of 3752	4572	067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe	z75520223.exe
PID 4572 wrote to memory of 3752	4572	067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe	z75520223.exe
PID 4572 wrote to memory of 3752	4572	067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe	z75520223.exe
PID 3752 wrote to memory of 348	3752	z75520223.exe	z91892254.exe
PID 3752 wrote to memory of 348	3752	z75520223.exe	z91892254.exe
PID 3752 wrote to memory of 348	3752	z75520223.exe	z91892254.exe
PID 348 wrote to memory of 3552	348	z91892254.exe	z88896073.exe
PID 348 wrote to memory of 3552	348	z91892254.exe	z88896073.exe
PID 348 wrote to memory of 3552	348	z91892254.exe	z88896073.exe
PID 3552 wrote to memory of 3780	3552	z88896073.exe	s32275988.exe
PID 3552 wrote to memory of 3780	3552	z88896073.exe	s32275988.exe
PID 3552 wrote to memory of 3780	3552	z88896073.exe	s32275988.exe
PID 3780 wrote to memory of 4548	3780	s32275988.exe	1.exe
PID 3780 wrote to memory of 4548	3780	s32275988.exe	1.exe
PID 3780 wrote to memory of 4548	3780	s32275988.exe	1.exe
PID 3552 wrote to memory of 4688	3552	z88896073.exe	t94383935.exe
PID 3552 wrote to memory of 4688	3552	z88896073.exe	t94383935.exe
PID 3552 wrote to memory of 4688	3552	z88896073.exe	t94383935.exe

C:\Users\Admin\AppData\Local\Temp\067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe
"C:\Users\Admin\AppData\Local\Temp\067ea0e0579545b139ed3450c77e31665b778ae33cf784f596bb4f5c88615dd8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z75520223.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z75520223.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z91892254.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z91892254.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z88896073.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z88896073.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s32275988.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s32275988.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1384
6⤵
- Program crash
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94383935.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94383935.exe
5⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3780 -ip 3780
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z75520223.exe
Filesize
1.0MB

MD5
7c2237b7dc2edd2c83ccb460fcdf1029

SHA1
e0c655b351a21bbb0014af78dda642c7483c777d

SHA256
9ec496e78753178f7ed3d90ed8c9015aa4ade9a963a4d2bce87deb193123b870

SHA512
ddc3e0935464fabb0ca051dafa1e7688a55cdfca1095dc9e25621f45d24149a9b30a0c8cbcbf1e8a41d430353247e8b58ea219328dbc47a2e78d34db5d9251bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z75520223.exe
Filesize
1.0MB

MD5
7c2237b7dc2edd2c83ccb460fcdf1029

SHA1
e0c655b351a21bbb0014af78dda642c7483c777d

SHA256
9ec496e78753178f7ed3d90ed8c9015aa4ade9a963a4d2bce87deb193123b870

SHA512
ddc3e0935464fabb0ca051dafa1e7688a55cdfca1095dc9e25621f45d24149a9b30a0c8cbcbf1e8a41d430353247e8b58ea219328dbc47a2e78d34db5d9251bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z91892254.exe
Filesize
752KB

MD5
2f5a598d58bdc534a0d8d4d41e24e8a8

SHA1
d498c6fd0aa452e0e15d9d06ffd3736f59cc4a7c

SHA256
bab4cc57fed41510411e250571ee348e637972b56d9f0e80dc05130ccc4c4628

SHA512
d69144be86753459e8b1ab352342b4a50ba8df15a5a96f64bdcf13b03e780bea4364767def31c0f0ec1d673e95cf7b14b1b6a3367d56ebf4e3b72a7b4b35be97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z91892254.exe
Filesize
752KB

MD5
2f5a598d58bdc534a0d8d4d41e24e8a8

SHA1
d498c6fd0aa452e0e15d9d06ffd3736f59cc4a7c

SHA256
bab4cc57fed41510411e250571ee348e637972b56d9f0e80dc05130ccc4c4628

SHA512
d69144be86753459e8b1ab352342b4a50ba8df15a5a96f64bdcf13b03e780bea4364767def31c0f0ec1d673e95cf7b14b1b6a3367d56ebf4e3b72a7b4b35be97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z88896073.exe
Filesize
569KB

MD5
e0c80d034a0dbcefcd9180caa881b7cf

SHA1
e9c7a36868953014934740e18c7ea155abb9d3d9

SHA256
95c57f12a160ac69e7f1cc5d1ac66a70e4bbefbcde2b993e9c7abaf60f27fa4f

SHA512
4f3106f4120b21a95b25d5b82b3f72627a781fee7b2fecacaf545539933ea9bd3e1723ad0bece16356ce89d23c9efed73e9799436db6f5b677aaa1fb36384415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z88896073.exe
Filesize
569KB

MD5
e0c80d034a0dbcefcd9180caa881b7cf

SHA1
e9c7a36868953014934740e18c7ea155abb9d3d9

SHA256
95c57f12a160ac69e7f1cc5d1ac66a70e4bbefbcde2b993e9c7abaf60f27fa4f

SHA512
4f3106f4120b21a95b25d5b82b3f72627a781fee7b2fecacaf545539933ea9bd3e1723ad0bece16356ce89d23c9efed73e9799436db6f5b677aaa1fb36384415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s32275988.exe
Filesize
488KB

MD5
c63d3d3168ba70048bc51bc8cbf846ec

SHA1
53331c05bf21a0ef8a7b4576dc63c01f67792423

SHA256
b928ec6791cfa418273a90413a50c155a0e1a548fc6516bf32c3a841d0941cbf

SHA512
44263ec3f44dbe825539a4874bc654b8e4e20ea754abd12653bfad607ce0b8c67a385dec1603269a891d15b2a15d50e46bde4472da7f18195e752e9d16244376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s32275988.exe
Filesize
488KB

MD5
c63d3d3168ba70048bc51bc8cbf846ec

SHA1
53331c05bf21a0ef8a7b4576dc63c01f67792423

SHA256
b928ec6791cfa418273a90413a50c155a0e1a548fc6516bf32c3a841d0941cbf

SHA512
44263ec3f44dbe825539a4874bc654b8e4e20ea754abd12653bfad607ce0b8c67a385dec1603269a891d15b2a15d50e46bde4472da7f18195e752e9d16244376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94383935.exe
Filesize
170KB

MD5
85eaa54245206d5dea98b091718fb77c

SHA1
f40e782c8fc6bfcea6fa896b9159700649a7d6f3

SHA256
ec4a6a5e92cadeb8fe5351258f8fa3ed21df392e71d9058915f31a9c95734a97

SHA512
354e82b89d516bf34f192d77035e6a0f572497b5461f795609840b31a1bdecbeea93e73d4fcf13d3808253fd280b381cba789f8072eddba29a73ab9509fd4f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94383935.exe
Filesize
170KB

MD5
85eaa54245206d5dea98b091718fb77c

SHA1
f40e782c8fc6bfcea6fa896b9159700649a7d6f3

SHA256
ec4a6a5e92cadeb8fe5351258f8fa3ed21df392e71d9058915f31a9c95734a97

SHA512
354e82b89d516bf34f192d77035e6a0f572497b5461f795609840b31a1bdecbeea93e73d4fcf13d3808253fd280b381cba789f8072eddba29a73ab9509fd4f5a

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/3780-196-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-212-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-167-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-168-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-163-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-170-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-172-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-171-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-174-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-178-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-180-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-176-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-182-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-184-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-186-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-188-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-190-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-192-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-194-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-164-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-198-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-200-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-202-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-204-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-206-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-208-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-210-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-166-0x0000000000820000-0x000000000087B000-memory.dmp

Filesize
364KB

Download
memory/3780-214-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-216-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-220-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-218-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-222-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-224-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-226-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-228-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-230-0x00000000054D0000-0x0000000005530000-memory.dmp

Filesize
384KB

Download
memory/3780-2314-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-2317-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-2318-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-2319-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-2332-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3780-162-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/4548-2334-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/4548-2335-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/4548-2336-0x0000000005360000-0x0000000005372000-memory.dmp

Filesize
72KB

Download
memory/4548-2338-0x00000000054F0000-0x000000000552C000-memory.dmp

Filesize
240KB

Download
memory/4548-2330-0x0000000000B20000-0x0000000000B4E000-memory.dmp

Filesize
184KB

Download
memory/4548-2339-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4548-2346-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4688-2344-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/4688-2345-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4688-2347-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download