redline | 025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe
Size

1.5MB
MD5

9156b8249fd57e61aa2490d78cc2aff1
SHA1

839602d5d88af79809f52c600400280fcc49f7e1
SHA256

025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4
SHA512

a58b65546cb454de0c5a1aa9383e6e9c706bee28e441995999638d2faa33fafcde70fe52428a2a7d72ad9b0b4e40b9e1e7f3e456ddd5eda789b041ceaa1465fd
SSDEEP

24576:kyOnl2yFYKDokXGSy/7Gu3qWTdHqZEr9V3wzOECwM92Oxq+qds57BgCx:zUHFYJyGS8TdK4MyB1924gdA7

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1472-169-0x000000000ADC0000-0x000000000B3D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4132	i51408402.exe
3344	i33535751.exe
2124	i32538085.exe
4088	i68294020.exe
1472	a91175423.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i51408402.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i33535751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i32538085.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i68294020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i68294020.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i51408402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i33535751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i32538085.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4132	2028	025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe	84
PID 2028 wrote to memory of 4132	2028	025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe	84
PID 2028 wrote to memory of 4132	2028	025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe	84
PID 4132 wrote to memory of 3344	4132	i51408402.exe	85
PID 4132 wrote to memory of 3344	4132	i51408402.exe	85
PID 4132 wrote to memory of 3344	4132	i51408402.exe	85
PID 3344 wrote to memory of 2124	3344	i33535751.exe	86
PID 3344 wrote to memory of 2124	3344	i33535751.exe	86
PID 3344 wrote to memory of 2124	3344	i33535751.exe	86
PID 2124 wrote to memory of 4088	2124	i32538085.exe	87
PID 2124 wrote to memory of 4088	2124	i32538085.exe	87
PID 2124 wrote to memory of 4088	2124	i32538085.exe	87
PID 4088 wrote to memory of 1472	4088	i68294020.exe	88
PID 4088 wrote to memory of 1472	4088	i68294020.exe	88
PID 4088 wrote to memory of 1472	4088	i68294020.exe	88

C:\Users\Admin\AppData\Local\Temp\025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\025b2053120d6931f561bacae0ac2a0326ad0ed5f05ae7fa27ce4840e90aa6d4.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51408402.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51408402.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33535751.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33535751.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i32538085.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i32538085.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68294020.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68294020.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a91175423.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a91175423.exe
        6⤵
        Executes dropped EXE
        
        PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51408402.exe

Filesize
1.3MB

MD5
6416584652f8ba8c3d2c09fd9e53ae38

SHA1
0291aa50ccca1a61cdaa87e9f9ec4276c3386cd4

SHA256
172371d1088655993d731bbc92dbc0159608616bce3278cc02f87d4ab5e152ee

SHA512
d11d3b6f0b90586a1b496a289e582c50efca0b2b0f8ab7b748ac4c8aac481790e02ea86b04f61a3f4877f21e4ebef903312bcee0be82dacb404f790cb711cff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i51408402.exe

Filesize
1.3MB

MD5
6416584652f8ba8c3d2c09fd9e53ae38

SHA1
0291aa50ccca1a61cdaa87e9f9ec4276c3386cd4

SHA256
172371d1088655993d731bbc92dbc0159608616bce3278cc02f87d4ab5e152ee

SHA512
d11d3b6f0b90586a1b496a289e582c50efca0b2b0f8ab7b748ac4c8aac481790e02ea86b04f61a3f4877f21e4ebef903312bcee0be82dacb404f790cb711cff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33535751.exe

Filesize
1014KB

MD5
1ab699d67803c2b6caa24e3aac094f37

SHA1
d699e4f72292185cc0de5eb171f3eefe217ac2f7

SHA256
82436e96350ed9613745e8fc267dc92eedfd9735520204deb3543301050acfac

SHA512
6dc34c85339406e4a9930bb024b0eb974e3280382da02f0d92a89afdd24e0fe24c75baf53af41178cb777d8fe0d2618088a70618b77eb0e4aa84d86123d668dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i33535751.exe

Filesize
1014KB

MD5
1ab699d67803c2b6caa24e3aac094f37

SHA1
d699e4f72292185cc0de5eb171f3eefe217ac2f7

SHA256
82436e96350ed9613745e8fc267dc92eedfd9735520204deb3543301050acfac

SHA512
6dc34c85339406e4a9930bb024b0eb974e3280382da02f0d92a89afdd24e0fe24c75baf53af41178cb777d8fe0d2618088a70618b77eb0e4aa84d86123d668dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i32538085.exe

Filesize
842KB

MD5
f7d098e0dc5d66d127009c2c6a432f38

SHA1
346655b9f9239256bd7a405823c5475c68059b74

SHA256
406f551aa4a126e4ebc88b00d12dc44113539fa9b4f3427f4ca36b3c13bc4226

SHA512
12c5dd2a07c04096c8dc1b40617cea22653ba90e8671da77a76aa4a537f74d1998813ea081946bb38be8c6ddf040e488ea12a2efcc30b0b1b402c522a9a9a268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i32538085.exe

Filesize
842KB

MD5
f7d098e0dc5d66d127009c2c6a432f38

SHA1
346655b9f9239256bd7a405823c5475c68059b74

SHA256
406f551aa4a126e4ebc88b00d12dc44113539fa9b4f3427f4ca36b3c13bc4226

SHA512
12c5dd2a07c04096c8dc1b40617cea22653ba90e8671da77a76aa4a537f74d1998813ea081946bb38be8c6ddf040e488ea12a2efcc30b0b1b402c522a9a9a268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68294020.exe

Filesize
370KB

MD5
3f97db5e35c6c8fc4e422584befdb004

SHA1
f0bf59dac1409323c8e2a019ce13406148601479

SHA256
4ca13ab19d1c03fae68377ed66db38874914936a9a7393eae9067ff4784d2693

SHA512
93a45d4f8ab27db9abb93ac1f05fe949e8f18d6c6f73b1ec8569f639dfb212031fa62f373047ab54bba3080bad88939b43f490b1dd4042830a0ad9bf5f56b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68294020.exe

Filesize
370KB

MD5
3f97db5e35c6c8fc4e422584befdb004

SHA1
f0bf59dac1409323c8e2a019ce13406148601479

SHA256
4ca13ab19d1c03fae68377ed66db38874914936a9a7393eae9067ff4784d2693

SHA512
93a45d4f8ab27db9abb93ac1f05fe949e8f18d6c6f73b1ec8569f639dfb212031fa62f373047ab54bba3080bad88939b43f490b1dd4042830a0ad9bf5f56b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a91175423.exe

Filesize
169KB

MD5
e9e4662dc1ee9b72bf650e154973cf7e

SHA1
c55cd32d1008b4c119648e4748ee21b92ed81905

SHA256
c6b5f284a320746214f909da086aaaecdad1d890e3d5683048d345616638f2d9

SHA512
712461888e6c9a0aa4d732812fa9a201d4c49e73572c04e4466af3f5044aaad1137b87a5a8e373fb929a6cf22b9263835e5b43d04935d2e97ce73d98adbe0945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a91175423.exe

Filesize
169KB

MD5
e9e4662dc1ee9b72bf650e154973cf7e

SHA1
c55cd32d1008b4c119648e4748ee21b92ed81905

SHA256
c6b5f284a320746214f909da086aaaecdad1d890e3d5683048d345616638f2d9

SHA512
712461888e6c9a0aa4d732812fa9a201d4c49e73572c04e4466af3f5044aaad1137b87a5a8e373fb929a6cf22b9263835e5b43d04935d2e97ce73d98adbe0945

Download Submit
memory/1472-168-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/1472-169-0x000000000ADC0000-0x000000000B3D8000-memory.dmp

Filesize
6.1MB

Download
memory/1472-170-0x000000000A940000-0x000000000AA4A000-memory.dmp

Filesize
1.0MB

Download
memory/1472-171-0x000000000A870000-0x000000000A882000-memory.dmp

Filesize
72KB

Download
memory/1472-172-0x000000000A8D0000-0x000000000A90C000-memory.dmp

Filesize
240KB

Download
memory/1472-173-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/1472-174-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download