redline | 08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe
Size

1.5MB
MD5

5b0a49556a45f2e36ffdb19069ed1b22
SHA1

42ef9f79ab5f1d4d5467e7760b7466cee885bb9b
SHA256

08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8
SHA512

b4e5ebc21903ade46b5bcbe766b8f6d548adae31429b9f42eaab51bd361e4c3a14c1698248dd04aaff7927f434d808e5dd06bacb0cedc1c8e7a965de16753d61
SSDEEP

24576:vyETBKMA43S0Q/E1tungGOXTPFkSk/xsJ+pLb0y0khMHJzV0tGcqAJnI0S:6ETIM7i0eE1MEt8ZWwbdhgZcqyf

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1304-169-0x000000000B0D0000-0x000000000B6E8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4560	i47436851.exe
3876	i75385278.exe
3532	i14694386.exe
1180	i58974323.exe
1304	a48707280.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i58974323.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i47436851.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i75385278.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i58974323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i14694386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i47436851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i75385278.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i14694386.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4560	4260	08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe	84
PID 4260 wrote to memory of 4560	4260	08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe	84
PID 4260 wrote to memory of 4560	4260	08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe	84
PID 4560 wrote to memory of 3876	4560	i47436851.exe	85
PID 4560 wrote to memory of 3876	4560	i47436851.exe	85
PID 4560 wrote to memory of 3876	4560	i47436851.exe	85
PID 3876 wrote to memory of 3532	3876	i75385278.exe	86
PID 3876 wrote to memory of 3532	3876	i75385278.exe	86
PID 3876 wrote to memory of 3532	3876	i75385278.exe	86
PID 3532 wrote to memory of 1180	3532	i14694386.exe	87
PID 3532 wrote to memory of 1180	3532	i14694386.exe	87
PID 3532 wrote to memory of 1180	3532	i14694386.exe	87
PID 1180 wrote to memory of 1304	1180	i58974323.exe	88
PID 1180 wrote to memory of 1304	1180	i58974323.exe	88
PID 1180 wrote to memory of 1304	1180	i58974323.exe	88

C:\Users\Admin\AppData\Local\Temp\08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe
"C:\Users\Admin\AppData\Local\Temp\08641eb274a26a76d8f5973137d49e6717abaf48820d7f8a11fea5cc0ca182c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47436851.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47436851.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75385278.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75385278.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i14694386.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i14694386.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58974323.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58974323.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48707280.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48707280.exe
        6⤵
        Executes dropped EXE
        
        PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47436851.exe

Filesize
1.3MB

MD5
286729809f6cac58b2d3068a5c9e3c94

SHA1
b64c69520e4746c8a5a8d9f59b3fcaa75311b2bf

SHA256
50205b11f87421fdb62a4c68dd4b44c1f14d0e8083fc3f079dd099bac61461dd

SHA512
b115c397b9ca1f062a0af6f00e09a7f263ba172960de2af978f99a6bac81ec2166a96229bace58da5e65c726420dc32a2623aa7308c66c078f250a4b46a3073e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47436851.exe

Filesize
1.3MB

MD5
286729809f6cac58b2d3068a5c9e3c94

SHA1
b64c69520e4746c8a5a8d9f59b3fcaa75311b2bf

SHA256
50205b11f87421fdb62a4c68dd4b44c1f14d0e8083fc3f079dd099bac61461dd

SHA512
b115c397b9ca1f062a0af6f00e09a7f263ba172960de2af978f99a6bac81ec2166a96229bace58da5e65c726420dc32a2623aa7308c66c078f250a4b46a3073e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75385278.exe

Filesize
1015KB

MD5
f2ea86e289c8e299710fa94b22ff3b7a

SHA1
847f3e1df92e6d75d7634febbafcceb42cee0b7f

SHA256
954ab01b18592d32454afad405f82b9f2afc860007dcb9caf33bc2d9ebe00827

SHA512
a6f2f1d58d34296a05db787351286222664bbbc26b6553f9c450c3c23256eaf492bd96de16e3c2a69bd1c77c1b6dab75afc46662ca44acd1668b361c0b1c22ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i75385278.exe

Filesize
1015KB

MD5
f2ea86e289c8e299710fa94b22ff3b7a

SHA1
847f3e1df92e6d75d7634febbafcceb42cee0b7f

SHA256
954ab01b18592d32454afad405f82b9f2afc860007dcb9caf33bc2d9ebe00827

SHA512
a6f2f1d58d34296a05db787351286222664bbbc26b6553f9c450c3c23256eaf492bd96de16e3c2a69bd1c77c1b6dab75afc46662ca44acd1668b361c0b1c22ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i14694386.exe

Filesize
843KB

MD5
459356cc2a85b484cd423a93caad6b7f

SHA1
9a03a3ab1653afdc0536c0eff4f3815c17735051

SHA256
48e52f44094ed8be47fe84254ab6c4f84db6dfcfb1d5c542b5da2b93ae56c97b

SHA512
9bd8a6952a989ca41775ac2020835e198f2019f80c842527557d488ef97725b353365fa64273e7323cf3845badba3b25135a87e603f1dd41bd96b5483d0631cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i14694386.exe

Filesize
843KB

MD5
459356cc2a85b484cd423a93caad6b7f

SHA1
9a03a3ab1653afdc0536c0eff4f3815c17735051

SHA256
48e52f44094ed8be47fe84254ab6c4f84db6dfcfb1d5c542b5da2b93ae56c97b

SHA512
9bd8a6952a989ca41775ac2020835e198f2019f80c842527557d488ef97725b353365fa64273e7323cf3845badba3b25135a87e603f1dd41bd96b5483d0631cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58974323.exe

Filesize
371KB

MD5
a2f78486eb9c97ba3b6cd4b7a97df121

SHA1
b8a662b5cf348f8af91fe7dcce28c3783e06af82

SHA256
8dd85761c39ee8c4325ac11d03ad4a9bd72c3f8cd7e81db4d2b575cb32319c91

SHA512
bf5ba05ed8154906f504ae96b0d91de887995f507f0a32b9ca9a9c438df03556e2a9d17bb3c281547254bdde299a2cfee239847e65cea6483315045564d28db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i58974323.exe

Filesize
371KB

MD5
a2f78486eb9c97ba3b6cd4b7a97df121

SHA1
b8a662b5cf348f8af91fe7dcce28c3783e06af82

SHA256
8dd85761c39ee8c4325ac11d03ad4a9bd72c3f8cd7e81db4d2b575cb32319c91

SHA512
bf5ba05ed8154906f504ae96b0d91de887995f507f0a32b9ca9a9c438df03556e2a9d17bb3c281547254bdde299a2cfee239847e65cea6483315045564d28db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48707280.exe

Filesize
169KB

MD5
93b82a7bd266e68c5306f9135b76014c

SHA1
9b0c96a8e82d0562847aee587e66d4f1f5fd4dbf

SHA256
559574bcca1eabb1a5c332a2c96b0b25096a9825e3ca12320e0680259031f1c7

SHA512
413f933d984f59a22252ecc7ff6d840d55690ef2b0d2bd9efdf883128b584b855aa4b74484446f4a735807137db0c0ff75d688024dc4d7ede5b365d2bb828606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48707280.exe

Filesize
169KB

MD5
93b82a7bd266e68c5306f9135b76014c

SHA1
9b0c96a8e82d0562847aee587e66d4f1f5fd4dbf

SHA256
559574bcca1eabb1a5c332a2c96b0b25096a9825e3ca12320e0680259031f1c7

SHA512
413f933d984f59a22252ecc7ff6d840d55690ef2b0d2bd9efdf883128b584b855aa4b74484446f4a735807137db0c0ff75d688024dc4d7ede5b365d2bb828606

Download Submit
memory/1304-168-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/1304-169-0x000000000B0D0000-0x000000000B6E8000-memory.dmp

Filesize
6.1MB

Download
memory/1304-170-0x000000000AC50000-0x000000000AD5A000-memory.dmp

Filesize
1.0MB

Download
memory/1304-171-0x000000000AB80000-0x000000000AB92000-memory.dmp

Filesize
72KB

Download
memory/1304-172-0x000000000ABE0000-0x000000000AC1C000-memory.dmp

Filesize
240KB

Download
memory/1304-173-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/1304-174-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download