redline | 0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c

Analysis

max time kernel
130s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe
Size

1.2MB
MD5

d31e9d275cb8884c0d7110993acc36f1
SHA1

0c039017ecdfa11854198d67b1b5360536be511f
SHA256

0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c
SHA512

83d71371b3e55b7636db7233d5a8d231bc2de5e40e1b70ab275d6e54d9ea3ff0ea769bf173808c529c2b486fab1e379c31ad3881f2f9863c16e7eeba0b8037a2
SSDEEP

24576:Hy8JCb627TEB1NCwfoKhy7/a8Gp7IE/jFYoELTeiFlZUS:S0CbR7YBTCI3yCvp757FYhTeUT

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4844-2331-0x00000000059A0000-0x0000000005FB8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s38048790.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s38048790.exe

Executes dropped EXE 6 IoCs

Processes:

z46707377.exez23736376.exez98962566.exes38048790.exe1.exet74083792.exe

pid process

4520 z46707377.exe
3448 z23736376.exe
1692 z98962566.exe
1780 s38048790.exe
4844 1.exe
2128 t74083792.exe

pid	process
4520	z46707377.exe
3448	z23736376.exe
1692	z98962566.exe
1780	s38048790.exe
4844	1.exe
2128	t74083792.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z98962566.exe0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exez46707377.exez23736376.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z98962566.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z98962566.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z46707377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z46707377.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z23736376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z23736376.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4460 1780 WerFault.exe s38048790.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s38048790.exe

description pid process

Token: SeDebugPrivilege 1780 s38048790.exe

pid	pid_target	process	target process
4460	1780	WerFault.exe	s38048790.exe

description	pid	process
Token: SeDebugPrivilege	1780	s38048790.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exez46707377.exez23736376.exez98962566.exes38048790.exe

description	pid	process	target process
PID 3004 wrote to memory of 4520	3004	0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe	z46707377.exe
PID 3004 wrote to memory of 4520	3004	0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe	z46707377.exe
PID 3004 wrote to memory of 4520	3004	0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe	z46707377.exe
PID 4520 wrote to memory of 3448	4520	z46707377.exe	z23736376.exe
PID 4520 wrote to memory of 3448	4520	z46707377.exe	z23736376.exe
PID 4520 wrote to memory of 3448	4520	z46707377.exe	z23736376.exe
PID 3448 wrote to memory of 1692	3448	z23736376.exe	z98962566.exe
PID 3448 wrote to memory of 1692	3448	z23736376.exe	z98962566.exe
PID 3448 wrote to memory of 1692	3448	z23736376.exe	z98962566.exe
PID 1692 wrote to memory of 1780	1692	z98962566.exe	s38048790.exe
PID 1692 wrote to memory of 1780	1692	z98962566.exe	s38048790.exe
PID 1692 wrote to memory of 1780	1692	z98962566.exe	s38048790.exe
PID 1780 wrote to memory of 4844	1780	s38048790.exe	1.exe
PID 1780 wrote to memory of 4844	1780	s38048790.exe	1.exe
PID 1780 wrote to memory of 4844	1780	s38048790.exe	1.exe
PID 1692 wrote to memory of 2128	1692	z98962566.exe	t74083792.exe
PID 1692 wrote to memory of 2128	1692	z98962566.exe	t74083792.exe
PID 1692 wrote to memory of 2128	1692	z98962566.exe	t74083792.exe

C:\Users\Admin\AppData\Local\Temp\0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe
"C:\Users\Admin\AppData\Local\Temp\0d1e12c521a49609e3e84ec68cbe26ad3dc54b738e7271b2432aaff25d21544c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z46707377.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z46707377.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23736376.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23736376.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z98962566.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z98962566.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38048790.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38048790.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1376
        6⤵
        Program crash
        
        PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t74083792.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t74083792.exe
        5⤵
        Executes dropped EXE
        
        PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1780 -ip 1780
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z46707377.exe

Filesize
1.0MB

MD5
6b23072f441cc355add6ac3e7172b838

SHA1
cfa56235b9a158cb3c99e283f72d665fab66b6ba

SHA256
169532e85cf377ce69489474b1e4023b089b0740647aa7bc3825a26d81ae08af

SHA512
7ebec55cc39f02e7b708bbe4e3d24ae11bd2fef848d113f4730d14fb10733f3b7829f8fa1d9a0c8ed4bc63c73be9a8f13b26d7f80e849b13f608729360050c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z46707377.exe

Filesize
1.0MB

MD5
6b23072f441cc355add6ac3e7172b838

SHA1
cfa56235b9a158cb3c99e283f72d665fab66b6ba

SHA256
169532e85cf377ce69489474b1e4023b089b0740647aa7bc3825a26d81ae08af

SHA512
7ebec55cc39f02e7b708bbe4e3d24ae11bd2fef848d113f4730d14fb10733f3b7829f8fa1d9a0c8ed4bc63c73be9a8f13b26d7f80e849b13f608729360050c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23736376.exe

Filesize
760KB

MD5
66a44f2ce4e6d8a05b3b2b38d2f083dd

SHA1
df1a3120497fb4bbc2a08ada5371730101e00b9c

SHA256
30d972c7667472063f4a133f6d6e7da42558e85929534d48f4c753f678b77653

SHA512
bc5b31cb9d2c119e85966dd4affd04337c963120268ffbb13af1e3625e0d68298c5ffdf1f204665c810115fbf52908929408d431adf34132ca41b423e5a99181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z23736376.exe

Filesize
760KB

MD5
66a44f2ce4e6d8a05b3b2b38d2f083dd

SHA1
df1a3120497fb4bbc2a08ada5371730101e00b9c

SHA256
30d972c7667472063f4a133f6d6e7da42558e85929534d48f4c753f678b77653

SHA512
bc5b31cb9d2c119e85966dd4affd04337c963120268ffbb13af1e3625e0d68298c5ffdf1f204665c810115fbf52908929408d431adf34132ca41b423e5a99181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z98962566.exe

Filesize
577KB

MD5
7762603f7d1a3f76fe6eae084052f161

SHA1
163b7a03cba8fb9fdf8fe1925b2dc492dac680c1

SHA256
16a815c08ccaae1e7c84767955c97186cc5b6c23d28b6b6dae448c3418b34d98

SHA512
87212f66eb63857b081290626fff1d456117a608da4847e5b6aee2b83d2f851d9a2d806ed408e8caa45353cf1b659123741a177b1852fe4a4388f6356f665509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z98962566.exe

Filesize
577KB

MD5
7762603f7d1a3f76fe6eae084052f161

SHA1
163b7a03cba8fb9fdf8fe1925b2dc492dac680c1

SHA256
16a815c08ccaae1e7c84767955c97186cc5b6c23d28b6b6dae448c3418b34d98

SHA512
87212f66eb63857b081290626fff1d456117a608da4847e5b6aee2b83d2f851d9a2d806ed408e8caa45353cf1b659123741a177b1852fe4a4388f6356f665509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38048790.exe

Filesize
574KB

MD5
a7a30c8cac777096766d5eaeee044e8e

SHA1
2761d0300ccb4084215654424102f633198f0985

SHA256
a8bb9b8d7d9948bb44192d5cb6932709bcd29d2641c406eb2666211fbbce98cf

SHA512
3117aa596a88407f635891ffc2e2db6a7706ed610ad795229b2ec0bfbd814680691c69f1dec94ff9e6ba1e2baf5980c7d56def2361e9c3f4ce4d8c032c993edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38048790.exe

Filesize
574KB

MD5
a7a30c8cac777096766d5eaeee044e8e

SHA1
2761d0300ccb4084215654424102f633198f0985

SHA256
a8bb9b8d7d9948bb44192d5cb6932709bcd29d2641c406eb2666211fbbce98cf

SHA512
3117aa596a88407f635891ffc2e2db6a7706ed610ad795229b2ec0bfbd814680691c69f1dec94ff9e6ba1e2baf5980c7d56def2361e9c3f4ce4d8c032c993edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t74083792.exe

Filesize
169KB

MD5
7b7fec37a0c9c21a4ab109ddc5125b0a

SHA1
77746c4ef9fe4a449a6983f816b032cad6376d45

SHA256
815e4dab003e088c07aa56e51a10612edd6efeb3cf4db4f4cd3fd6fd523733df

SHA512
a0dec72c1d1da011841cd794e58aacad72a63066ac66009d0287b8719a884094cbb5a5cdb3e736a721c8cfe07efb117234d40464c2cddf70a6d51caf68250ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t74083792.exe

Filesize
169KB

MD5
7b7fec37a0c9c21a4ab109ddc5125b0a

SHA1
77746c4ef9fe4a449a6983f816b032cad6376d45

SHA256
815e4dab003e088c07aa56e51a10612edd6efeb3cf4db4f4cd3fd6fd523733df

SHA512
a0dec72c1d1da011841cd794e58aacad72a63066ac66009d0287b8719a884094cbb5a5cdb3e736a721c8cfe07efb117234d40464c2cddf70a6d51caf68250ba6

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1780-196-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-208-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-165-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-166-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/1780-167-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-168-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-170-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-172-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-174-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-176-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-178-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-180-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-182-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-184-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-186-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-188-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-190-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-192-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-194-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-163-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-198-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-200-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-202-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-204-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-206-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-164-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-210-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-212-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-214-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-216-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-218-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-220-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-222-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-224-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-226-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-228-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-230-0x0000000005650000-0x00000000056B0000-memory.dmp

Filesize
384KB

Download
memory/1780-2194-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-2196-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-2198-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-2318-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1780-162-0x0000000002260000-0x00000000022BB000-memory.dmp

Filesize
364KB

Download
memory/2128-2340-0x0000000000690000-0x00000000006BE000-memory.dmp

Filesize
184KB

Download
memory/2128-2341-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2128-2343-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4844-2331-0x00000000059A0000-0x0000000005FB8000-memory.dmp

Filesize
6.1MB

Download
memory/4844-2332-0x00000000054B0000-0x00000000055BA000-memory.dmp

Filesize
1.0MB

Download
memory/4844-2333-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/4844-2334-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/4844-2330-0x0000000000A90000-0x0000000000ABE000-memory.dmp

Filesize
184KB

Download
memory/4844-2335-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/4844-2342-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download