redline | 04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe
Size

1.5MB
MD5

b75b3b1173613e44ecd357a7b563ab5c
SHA1

9173d70646ae7716f13271ae54635173c77a9597
SHA256

04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6
SHA512

e4c7bf1dd7bb987daaea27d11d0b40e85a27bf76ed6b6c888cc84edf11aadca59ae95b95a0060ce957bb80400f25467824c8c99f64f5b5a24f55c3bc47d0465a
SSDEEP

24576:qytVXlUSN4O0Eh7llP8zCxWkOkTbbS0/rODwWQxjl2mO5HVerXl/TsKOAM:xt5l541E5DMkvhDuwWQ2mK1erW7A

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3464-169-0x000000000AB00000-0x000000000B118000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4724	i52175973.exe
4108	i53705109.exe
2080	i87709883.exe
4556	i17519398.exe
3464	a97890452.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i53705109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i53705109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i17519398.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52175973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i52175973.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i87709883.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i87709883.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i17519398.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4724	396	04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe	84
PID 396 wrote to memory of 4724	396	04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe	84
PID 396 wrote to memory of 4724	396	04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe	84
PID 4724 wrote to memory of 4108	4724	i52175973.exe	85
PID 4724 wrote to memory of 4108	4724	i52175973.exe	85
PID 4724 wrote to memory of 4108	4724	i52175973.exe	85
PID 4108 wrote to memory of 2080	4108	i53705109.exe	86
PID 4108 wrote to memory of 2080	4108	i53705109.exe	86
PID 4108 wrote to memory of 2080	4108	i53705109.exe	86
PID 2080 wrote to memory of 4556	2080	i87709883.exe	87
PID 2080 wrote to memory of 4556	2080	i87709883.exe	87
PID 2080 wrote to memory of 4556	2080	i87709883.exe	87
PID 4556 wrote to memory of 3464	4556	i17519398.exe	88
PID 4556 wrote to memory of 3464	4556	i17519398.exe	88
PID 4556 wrote to memory of 3464	4556	i17519398.exe	88

C:\Users\Admin\AppData\Local\Temp\04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe
"C:\Users\Admin\AppData\Local\Temp\04d91cf96bb749f4c39e4f787b52f5dca1e7699fac03d0a45fe870ba9eef5bb6.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52175973.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52175973.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i53705109.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i53705109.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87709883.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87709883.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17519398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17519398.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97890452.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97890452.exe
        6⤵
        Executes dropped EXE
        
        PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52175973.exe

Filesize
1.3MB

MD5
2043c911f183f00dadd9013087bb083b

SHA1
4db7eb9f3520cad14c0e70bed3c51399f9d13d34

SHA256
abca67e5dfc2ab3c310176cbde6ba777ccd67be577234740008d5eb171f8486e

SHA512
1cc9cdb0a8b217370e6cd596cea230aac8d0b78d9d0fc52689f85fc829188e564df7a55549e9c88a98fa5fa9f01228ea8c7d9de075966c13c716f0035c07d7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52175973.exe

Filesize
1.3MB

MD5
2043c911f183f00dadd9013087bb083b

SHA1
4db7eb9f3520cad14c0e70bed3c51399f9d13d34

SHA256
abca67e5dfc2ab3c310176cbde6ba777ccd67be577234740008d5eb171f8486e

SHA512
1cc9cdb0a8b217370e6cd596cea230aac8d0b78d9d0fc52689f85fc829188e564df7a55549e9c88a98fa5fa9f01228ea8c7d9de075966c13c716f0035c07d7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i53705109.exe

Filesize
1014KB

MD5
b9e55ffcec5185e5799bd0184496fbf5

SHA1
13d486997d8f4cdfe87924826800115e966674e7

SHA256
94976da79e0e3035ee19cf4d89ae5e2fd7959e743554a010e11e3b07c4cae827

SHA512
99b2ab0a4ce0793a86540cc3199b436f4251ea29ba137c956e6898e6058b24e8689cf4dc928ede49bd034b4ef4629d6984e3c8006444dacd674fc41e8a9f5a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i53705109.exe

Filesize
1014KB

MD5
b9e55ffcec5185e5799bd0184496fbf5

SHA1
13d486997d8f4cdfe87924826800115e966674e7

SHA256
94976da79e0e3035ee19cf4d89ae5e2fd7959e743554a010e11e3b07c4cae827

SHA512
99b2ab0a4ce0793a86540cc3199b436f4251ea29ba137c956e6898e6058b24e8689cf4dc928ede49bd034b4ef4629d6984e3c8006444dacd674fc41e8a9f5a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87709883.exe

Filesize
843KB

MD5
bdb7d31c02950ad69665aa0740466278

SHA1
ab245763739b25a1372c6c828560a3c557cfb769

SHA256
cdb4ec5fb42faabe02df53e223720b806db231917441ee60b2d79cb790fb4773

SHA512
2e62a2bf448174617a81649b9375b938e4dcb3961339ef2ecafbdb26f355df1f767738f5da9b28b76feabd66bd1bc488c1db625be5ccfd6f298785081d68fffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87709883.exe

Filesize
843KB

MD5
bdb7d31c02950ad69665aa0740466278

SHA1
ab245763739b25a1372c6c828560a3c557cfb769

SHA256
cdb4ec5fb42faabe02df53e223720b806db231917441ee60b2d79cb790fb4773

SHA512
2e62a2bf448174617a81649b9375b938e4dcb3961339ef2ecafbdb26f355df1f767738f5da9b28b76feabd66bd1bc488c1db625be5ccfd6f298785081d68fffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17519398.exe

Filesize
371KB

MD5
58195536021ac6dbac8dececbef73bcf

SHA1
fe9897aabdad201b9c016389e0d6633a4fa71eb1

SHA256
63565ea0aeb94e8c7f3944d9c01f51198e1644e185983779cf3ebed188738de4

SHA512
2e43e465eec9b14c2c34a2a3800745ffec9158f88ad8debee775ae7b62bff782ffb3452dd2f0acffaae2d33e24869f6f0251cd550a4f06ed75de9350663625b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i17519398.exe

Filesize
371KB

MD5
58195536021ac6dbac8dececbef73bcf

SHA1
fe9897aabdad201b9c016389e0d6633a4fa71eb1

SHA256
63565ea0aeb94e8c7f3944d9c01f51198e1644e185983779cf3ebed188738de4

SHA512
2e43e465eec9b14c2c34a2a3800745ffec9158f88ad8debee775ae7b62bff782ffb3452dd2f0acffaae2d33e24869f6f0251cd550a4f06ed75de9350663625b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97890452.exe

Filesize
169KB

MD5
856ccbdebece9765c9ebd7bbfc80b43e

SHA1
7cf3bf7384c2a8de67f04ba51b9f985412e1e878

SHA256
ff10e8f626d23a23b6e9b9847c24490954dfaebbd1543e40506ab92b0a32d0a8

SHA512
bd4614ba14e6b5e31be9f5cb339e79a887fcdb22cc268908c0ad62c4e27c48d0c7c8e8ea0cb3b8fb2f4b2dafdc1e348b94ce7ab8fe16bb8d3ec8293ef24e7535

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97890452.exe

Filesize
169KB

MD5
856ccbdebece9765c9ebd7bbfc80b43e

SHA1
7cf3bf7384c2a8de67f04ba51b9f985412e1e878

SHA256
ff10e8f626d23a23b6e9b9847c24490954dfaebbd1543e40506ab92b0a32d0a8

SHA512
bd4614ba14e6b5e31be9f5cb339e79a887fcdb22cc268908c0ad62c4e27c48d0c7c8e8ea0cb3b8fb2f4b2dafdc1e348b94ce7ab8fe16bb8d3ec8293ef24e7535

Download Submit
memory/3464-168-0x0000000000640000-0x0000000000670000-memory.dmp

Filesize
192KB

Download
memory/3464-169-0x000000000AB00000-0x000000000B118000-memory.dmp

Filesize
6.1MB

Download
memory/3464-170-0x000000000A5F0000-0x000000000A6FA000-memory.dmp

Filesize
1.0MB

Download
memory/3464-171-0x000000000A500000-0x000000000A512000-memory.dmp

Filesize
72KB

Download
memory/3464-172-0x000000000A560000-0x000000000A59C000-memory.dmp

Filesize
240KB

Download
memory/3464-173-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3464-174-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download