redline | 093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe
Size

774KB
MD5

111938b15b7b8180b2ad097e7e25381b
SHA1

575641b80819925a9e6b0fd8976014142dd685bc
SHA256

093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3
SHA512

e5feed06510d4581db16cee560f8ecb848cc3b2036d94b7164203053ba35fa7db769d38a44827fd6d4a6b2febd3c8b083087e1edb3a0f667f24e69e866ba0419
SSDEEP

24576:tysYxLWnyZgqc14s+918P5NcFv0ZZDOvQ:IskKL14Z918xNcF8DDS

Score

10^/10

redline dark gena infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1272-2314-0x0000000005D40000-0x0000000006358000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	m85157131.exe

Executes dropped EXE 4 IoCs

pid	Process
2932	x12740388.exe
1144	m85157131.exe
1272	1.exe
2232	n21928604.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x12740388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x12740388.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
404	1144	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	m85157131.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2932	548	093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe	86
PID 548 wrote to memory of 2932	548	093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe	86
PID 548 wrote to memory of 2932	548	093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe	86
PID 2932 wrote to memory of 1144	2932	x12740388.exe	87
PID 2932 wrote to memory of 1144	2932	x12740388.exe	87
PID 2932 wrote to memory of 1144	2932	x12740388.exe	87
PID 1144 wrote to memory of 1272	1144	m85157131.exe	88
PID 1144 wrote to memory of 1272	1144	m85157131.exe	88
PID 1144 wrote to memory of 1272	1144	m85157131.exe	88
PID 2932 wrote to memory of 2232	2932	x12740388.exe	92
PID 2932 wrote to memory of 2232	2932	x12740388.exe	92
PID 2932 wrote to memory of 2232	2932	x12740388.exe	92

C:\Users\Admin\AppData\Local\Temp\093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe
"C:\Users\Admin\AppData\Local\Temp\093d6359952f3cad52a12d8b0b0001d174dc4d5605af50a7c5b8d8063d43d2e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x12740388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x12740388.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m85157131.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m85157131.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:1272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1372
      4⤵
      Program crash
      PID:404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n21928604.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n21928604.exe
    3⤵
    - Executes dropped EXE
    PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1144 -ip 1144
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x12740388.exe

Filesize
570KB

MD5
d5bd327a7eff5b76fbcda95221c49006

SHA1
385f9ab313a5607f21cc32422a55c1fbe5f051ba

SHA256
1d334412f2f2cf839618846c738fe30e2e07fc7abfe01dab16227eac30104fd6

SHA512
699a3a3315a5c1193d45324d5dce9174b3930215caf9bd3389d82a5be6f772456932d430113c4a4e6c16236405ca7ede4032bd40ff222c951a4b78aee1d9b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x12740388.exe

Filesize
570KB

MD5
d5bd327a7eff5b76fbcda95221c49006

SHA1
385f9ab313a5607f21cc32422a55c1fbe5f051ba

SHA256
1d334412f2f2cf839618846c738fe30e2e07fc7abfe01dab16227eac30104fd6

SHA512
699a3a3315a5c1193d45324d5dce9174b3930215caf9bd3389d82a5be6f772456932d430113c4a4e6c16236405ca7ede4032bd40ff222c951a4b78aee1d9b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m85157131.exe

Filesize
488KB

MD5
a6913272723d49f3b159a9f38a351d88

SHA1
f9068afbad50e1b09346af421694d4faa7dc3127

SHA256
440ba739fede851d8c3505f61b28b5acbc341a7829fefc15dbb6a773ada72f22

SHA512
56a658617e288ac7bb2ab172d0d99d198cc4b4de674198d71dd46260208a586cdc4176086e70cc8683621d43c9bf74e45acd2c4ba20d50a73a6afb1dce0cac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m85157131.exe

Filesize
488KB

MD5
a6913272723d49f3b159a9f38a351d88

SHA1
f9068afbad50e1b09346af421694d4faa7dc3127

SHA256
440ba739fede851d8c3505f61b28b5acbc341a7829fefc15dbb6a773ada72f22

SHA512
56a658617e288ac7bb2ab172d0d99d198cc4b4de674198d71dd46260208a586cdc4176086e70cc8683621d43c9bf74e45acd2c4ba20d50a73a6afb1dce0cac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n21928604.exe

Filesize
172KB

MD5
738d3cb5989a80638e99775887933278

SHA1
28e29fd66f4b1ca211a31bd8593371490916ac87

SHA256
d0d848c8cae5e7584162bc6878d3e739e1412e293ffaf8f7289b63c03bcab5a2

SHA512
c89f1d701a0839747309c7feefba9dedbd49a3e4b01a48d98e9925d2474e41b47697ed68081a5b458ef56ff6ad905c01f2e3639a43735bfe1a4d4d5da290c277

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n21928604.exe

Filesize
172KB

MD5
738d3cb5989a80638e99775887933278

SHA1
28e29fd66f4b1ca211a31bd8593371490916ac87

SHA256
d0d848c8cae5e7584162bc6878d3e739e1412e293ffaf8f7289b63c03bcab5a2

SHA512
c89f1d701a0839747309c7feefba9dedbd49a3e4b01a48d98e9925d2474e41b47697ed68081a5b458ef56ff6ad905c01f2e3639a43735bfe1a4d4d5da290c277

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1144-164-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1144-201-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-157-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-160-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1144-162-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1144-155-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-167-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-165-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-161-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-169-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-171-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-173-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-175-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-177-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-179-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-181-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-183-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-185-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-187-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-189-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-191-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-193-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-195-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-197-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-199-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-158-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/1144-203-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-205-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-207-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-209-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-211-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-213-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-215-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-153-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-151-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-150-0x0000000004F70000-0x0000000004FD0000-memory.dmp

Filesize
384KB

Download
memory/1144-148-0x0000000000820000-0x000000000087B000-memory.dmp

Filesize
364KB

Download
memory/1144-2313-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1144-149-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/1272-2315-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/1272-2316-0x00000000030B0000-0x00000000030C2000-memory.dmp

Filesize
72KB

Download
memory/1272-2317-0x0000000005760000-0x000000000579C000-memory.dmp

Filesize
240KB

Download
memory/1272-2318-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/1272-2314-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/1272-2312-0x0000000000DB0000-0x0000000000DDE000-memory.dmp

Filesize
184KB

Download
memory/1272-2325-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/2232-2323-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/2232-2324-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/2232-2326-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads