redline | 083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe
Size

1.2MB
MD5

e7d8f19931cc2564db61b7951ec1cde9
SHA1

fcd48509298f10e0cd448f6671b12f27f4373b28
SHA256

083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1
SHA512

f4c2b61d66190901caf26f5381f60e68a773469305c2c73ae7c6a1e6d6c2b9909264e28110a3ee716b299d1a73ad16144b280b19720dd37cc64e415768b3a16c
SSDEEP

24576:uyKqo4/Jn9nPSIW+wfcnS0UZnBILXyqRN9LifWQS8rxpgCF8x5xwsImG/Z2A:9z1Sd+HnDaBwXNve8c8DesImGZ2

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/628-2333-0x00000000059E0000-0x0000000005FF8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s65870308.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	s65870308.exe

Executes dropped EXE 6 IoCs

Processes:

z00933170.exez48428592.exez50484218.exes65870308.exe1.exet40571111.exe

pid process

1576 z00933170.exe
4768 z48428592.exe
1656 z50484218.exe
640 s65870308.exe
4504 1.exe
628 t40571111.exe

pid	process
1576	z00933170.exe
4768	z48428592.exe
1656	z50484218.exe
640	s65870308.exe
4504	1.exe
628	t40571111.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exez00933170.exez48428592.exez50484218.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z00933170.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z00933170.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z48428592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z48428592.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z50484218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z50484218.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s65870308.exe

description pid process

Token: SeDebugPrivilege 640 s65870308.exe

description	pid	process
Token: SeDebugPrivilege	640	s65870308.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exez00933170.exez48428592.exez50484218.exes65870308.exe

description	pid	process	target process
PID 4716 wrote to memory of 1576	4716	083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe	z00933170.exe
PID 4716 wrote to memory of 1576	4716	083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe	z00933170.exe
PID 4716 wrote to memory of 1576	4716	083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe	z00933170.exe
PID 1576 wrote to memory of 4768	1576	z00933170.exe	z48428592.exe
PID 1576 wrote to memory of 4768	1576	z00933170.exe	z48428592.exe
PID 1576 wrote to memory of 4768	1576	z00933170.exe	z48428592.exe
PID 4768 wrote to memory of 1656	4768	z48428592.exe	z50484218.exe
PID 4768 wrote to memory of 1656	4768	z48428592.exe	z50484218.exe
PID 4768 wrote to memory of 1656	4768	z48428592.exe	z50484218.exe
PID 1656 wrote to memory of 640	1656	z50484218.exe	s65870308.exe
PID 1656 wrote to memory of 640	1656	z50484218.exe	s65870308.exe
PID 1656 wrote to memory of 640	1656	z50484218.exe	s65870308.exe
PID 640 wrote to memory of 4504	640	s65870308.exe	1.exe
PID 640 wrote to memory of 4504	640	s65870308.exe	1.exe
PID 640 wrote to memory of 4504	640	s65870308.exe	1.exe
PID 1656 wrote to memory of 628	1656	z50484218.exe	t40571111.exe
PID 1656 wrote to memory of 628	1656	z50484218.exe	t40571111.exe
PID 1656 wrote to memory of 628	1656	z50484218.exe	t40571111.exe

C:\Users\Admin\AppData\Local\Temp\083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe
"C:\Users\Admin\AppData\Local\Temp\083f5a7c7d43231a95ceac1a50fe9af1422a8c2327031b79718d3b5ff1617ee1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z00933170.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z00933170.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z48428592.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z48428592.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50484218.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50484218.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s65870308.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s65870308.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t40571111.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t40571111.exe
5⤵
- Executes dropped EXE
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z00933170.exe
Filesize
1.0MB

MD5
3b4def32ee6b676094f0223832505f20

SHA1
cc87b5bd35a8190238652b093f41984b9eeee896

SHA256
1c201681c9d41c412af6153f4023803c91c1d80578520b339ebe018ab7fac549

SHA512
97fad4c134de1d00178967edfae20c64b545e3e3c0d0daca2ec005434f8afac3a75cf9d448e65ee961261c5bbb8d5221c2ee83b853ef2d18cdfc5d895f493fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z00933170.exe
Filesize
1.0MB

MD5
3b4def32ee6b676094f0223832505f20

SHA1
cc87b5bd35a8190238652b093f41984b9eeee896

SHA256
1c201681c9d41c412af6153f4023803c91c1d80578520b339ebe018ab7fac549

SHA512
97fad4c134de1d00178967edfae20c64b545e3e3c0d0daca2ec005434f8afac3a75cf9d448e65ee961261c5bbb8d5221c2ee83b853ef2d18cdfc5d895f493fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z48428592.exe
Filesize
765KB

MD5
7959d8e1f436a4f29e2a6c5ab54ed654

SHA1
2b7432412f4474777d61e5b60f777e061afe5a2f

SHA256
f6122c92d535980de2ae8e7a3a877750d86fcaa5c8bbf64cf3ecf7e04e34f686

SHA512
136c2f456e64b15eb56199fd1e05945a9361e068f458be242084f8def3ca64adf8ed9bf5368562d88fac6742fab92c79812606225a4530c32be82547a8b9a4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z48428592.exe
Filesize
765KB

MD5
7959d8e1f436a4f29e2a6c5ab54ed654

SHA1
2b7432412f4474777d61e5b60f777e061afe5a2f

SHA256
f6122c92d535980de2ae8e7a3a877750d86fcaa5c8bbf64cf3ecf7e04e34f686

SHA512
136c2f456e64b15eb56199fd1e05945a9361e068f458be242084f8def3ca64adf8ed9bf5368562d88fac6742fab92c79812606225a4530c32be82547a8b9a4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50484218.exe
Filesize
581KB

MD5
ddad1beae5cec8e913b116ccdb3f4ebf

SHA1
17b89c608a139089e20fdbf52efef4a2e656ac32

SHA256
d5536e6eeae9bcd3e15180109f26b2aac8e69ca9f4ec59657c38115116d273de

SHA512
7664aef1b19ff7d24054adc386e9e14eaa1db47359fb561b95f6453f447e901cf4d54fa86344d3eb5b9d2b6fecea5785ce42f77ad9000063eabd5cdf8fca7d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z50484218.exe
Filesize
581KB

MD5
ddad1beae5cec8e913b116ccdb3f4ebf

SHA1
17b89c608a139089e20fdbf52efef4a2e656ac32

SHA256
d5536e6eeae9bcd3e15180109f26b2aac8e69ca9f4ec59657c38115116d273de

SHA512
7664aef1b19ff7d24054adc386e9e14eaa1db47359fb561b95f6453f447e901cf4d54fa86344d3eb5b9d2b6fecea5785ce42f77ad9000063eabd5cdf8fca7d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s65870308.exe
Filesize
582KB

MD5
706024f2f23b00fd4ab7975de5a4753e

SHA1
06a5941f69e9cbe722dab41afff5ed1bca7a36cd

SHA256
6f1aadc5da5464c0931369c667a3084e56dc4d39d6d94fbb7c8be8fe895c9e55

SHA512
c7d57df16de47a51eb621502308058dd7c4606cc7b021ca83436e79b0cf2a2a72390ea393590b4fa6e7b3eca94f7bec61d35f9b39ffe67c018c3bf7b6d53a578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s65870308.exe
Filesize
582KB

MD5
706024f2f23b00fd4ab7975de5a4753e

SHA1
06a5941f69e9cbe722dab41afff5ed1bca7a36cd

SHA256
6f1aadc5da5464c0931369c667a3084e56dc4d39d6d94fbb7c8be8fe895c9e55

SHA512
c7d57df16de47a51eb621502308058dd7c4606cc7b021ca83436e79b0cf2a2a72390ea393590b4fa6e7b3eca94f7bec61d35f9b39ffe67c018c3bf7b6d53a578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t40571111.exe
Filesize
169KB

MD5
42748d8a71c8dabd66891079b221e4e1

SHA1
558f21d9ef6046d3f927a4a9785c71f8e493841d

SHA256
634b323447ee5b1b7e13f3e67c2641d84057e972301356381ace73e87b9605e9

SHA512
c40698b9d4db765d0451e8b34307c4c19cd191feec9a1f59f4e11530870dea36fbbb9950c3612c864ce0400170fd4e2551609c1db21f9fbec493ef31c64696b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t40571111.exe
Filesize
169KB

MD5
42748d8a71c8dabd66891079b221e4e1

SHA1
558f21d9ef6046d3f927a4a9785c71f8e493841d

SHA256
634b323447ee5b1b7e13f3e67c2641d84057e972301356381ace73e87b9605e9

SHA512
c40698b9d4db765d0451e8b34307c4c19cd191feec9a1f59f4e11530870dea36fbbb9950c3612c864ce0400170fd4e2551609c1db21f9fbec493ef31c64696b5

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/628-2339-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/628-2332-0x0000000000A40000-0x0000000000A6E000-memory.dmp

Filesize
184KB

Download
memory/628-2333-0x00000000059E0000-0x0000000005FF8000-memory.dmp

Filesize
6.1MB

Download
memory/628-2335-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/628-2336-0x0000000005400000-0x000000000543C000-memory.dmp

Filesize
240KB

Download
memory/628-2337-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/640-200-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-220-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-182-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-184-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-186-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-188-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-190-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-192-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-194-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-196-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-198-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-178-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-202-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-204-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-206-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-208-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-210-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-212-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-214-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-216-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-180-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-222-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-224-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-226-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-228-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-230-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-176-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-2322-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/640-174-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-172-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-162-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/640-170-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-166-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/640-168-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-167-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/640-163-0x0000000000920000-0x000000000097B000-memory.dmp

Filesize
364KB

Download
memory/640-165-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/640-164-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4504-2334-0x00000000056B0000-0x00000000057BA000-memory.dmp

Filesize
1.0MB

Download
memory/4504-2338-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4504-2328-0x0000000000BF0000-0x0000000000C1E000-memory.dmp

Filesize
184KB

Download
memory/4504-2340-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download