redline | 30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe
Size

1.5MB
MD5

3c3889d67f74d9fbb44f35c16b055919
SHA1

4ff7c33c87f2bb2efdcb8e63e9c525017e4ca1c2
SHA256

30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da
SHA512

415fca54f278f4c9197013419d4b74013dda205a0c765f820911f1ec7d6b47d0aca7c1e72f44e2a446934a507d00b5c917980318af688b905fcb70eb505ccddc
SSDEEP

24576:Gy+PUEPJAV+eGKsFYi9NIvh6mfLMuyCvj/g4L3v+cRLri7SGBeUn4xB/sy39I:V+P/iV1JJBfL3T/CEgSGn6B//39

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/212-169-0x00000000052C0000-0x00000000058D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1316	i77862251.exe
3508	i51611554.exe
1544	i10992586.exe
4000	i33567658.exe
212	a21946895.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i51611554.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10992586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i77862251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i77862251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i51611554.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i10992586.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i33567658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i33567658.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1316	2148	30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe	87
PID 2148 wrote to memory of 1316	2148	30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe	87
PID 2148 wrote to memory of 1316	2148	30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe	87
PID 1316 wrote to memory of 3508	1316	i77862251.exe	88
PID 1316 wrote to memory of 3508	1316	i77862251.exe	88
PID 1316 wrote to memory of 3508	1316	i77862251.exe	88
PID 3508 wrote to memory of 1544	3508	i51611554.exe	89
PID 3508 wrote to memory of 1544	3508	i51611554.exe	89
PID 3508 wrote to memory of 1544	3508	i51611554.exe	89
PID 1544 wrote to memory of 4000	1544	i10992586.exe	90
PID 1544 wrote to memory of 4000	1544	i10992586.exe	90
PID 1544 wrote to memory of 4000	1544	i10992586.exe	90
PID 4000 wrote to memory of 212	4000	i33567658.exe	91
PID 4000 wrote to memory of 212	4000	i33567658.exe	91
PID 4000 wrote to memory of 212	4000	i33567658.exe	91

C:\Users\Admin\AppData\Local\Temp\30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe
"C:\Users\Admin\AppData\Local\Temp\30439b4d7d037df59a7a3e79371c3f88947b486bbcfa3816a054e7860197d7da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i77862251.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i77862251.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i51611554.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i51611554.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10992586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10992586.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33567658.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33567658.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21946895.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21946895.exe
        6⤵
        Executes dropped EXE
        
        PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i77862251.exe

Filesize
1.3MB

MD5
457b730445a17d6ffe5d6377db3da584

SHA1
6731273fb028cebf6a66877513aa74165d76d2f6

SHA256
fb608e4eeb16e777b3c90517e5be5bbf1e36fb6bbb0f545b8cac61afa4cd17a3

SHA512
5a0c18a28b82b56b1422665e5c07d8aa99e2a80a115a66a2e4bd7fce74a2b04132f93a17d069d69da14769f8af899e9eebee141a24d71e8c99c99a1324d7b5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i77862251.exe

Filesize
1.3MB

MD5
457b730445a17d6ffe5d6377db3da584

SHA1
6731273fb028cebf6a66877513aa74165d76d2f6

SHA256
fb608e4eeb16e777b3c90517e5be5bbf1e36fb6bbb0f545b8cac61afa4cd17a3

SHA512
5a0c18a28b82b56b1422665e5c07d8aa99e2a80a115a66a2e4bd7fce74a2b04132f93a17d069d69da14769f8af899e9eebee141a24d71e8c99c99a1324d7b5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i51611554.exe

Filesize
1015KB

MD5
57ad5864de6da1f28ce8f77f4f920e7e

SHA1
f842723bf20b9df8e28da4c23442deb8414eb388

SHA256
bc9e10f4490a532f1912638c111e8f2c6eda5787d7c4e6d05e4fa6bbad5fb25a

SHA512
1925d9c09c6013ca16f654d3e12c25bf20cad944eacf546d1b79ffecc4bb6ae9b2b58184e7272375d206bb6d3eec83f8579178c9f98ed27b8ffea92daad62ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i51611554.exe

Filesize
1015KB

MD5
57ad5864de6da1f28ce8f77f4f920e7e

SHA1
f842723bf20b9df8e28da4c23442deb8414eb388

SHA256
bc9e10f4490a532f1912638c111e8f2c6eda5787d7c4e6d05e4fa6bbad5fb25a

SHA512
1925d9c09c6013ca16f654d3e12c25bf20cad944eacf546d1b79ffecc4bb6ae9b2b58184e7272375d206bb6d3eec83f8579178c9f98ed27b8ffea92daad62ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10992586.exe

Filesize
843KB

MD5
8b909a358d5b2c41cedb5b86c94b6ac3

SHA1
0fa2ad0069916bbc50ea6163d1da4e7a292a7dbf

SHA256
0258d2c80b5d45ccd69bd26c0ba545b3609ce4718f3d3af9fd60f9a9a938f081

SHA512
92d629abd6afb67e0187db8716942fd421178c7d6dadde0873828d887a6e2b5ec5a3421af82f3d01273dea531b0675e4a05237e85f1387dad22f7369db22fe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i10992586.exe

Filesize
843KB

MD5
8b909a358d5b2c41cedb5b86c94b6ac3

SHA1
0fa2ad0069916bbc50ea6163d1da4e7a292a7dbf

SHA256
0258d2c80b5d45ccd69bd26c0ba545b3609ce4718f3d3af9fd60f9a9a938f081

SHA512
92d629abd6afb67e0187db8716942fd421178c7d6dadde0873828d887a6e2b5ec5a3421af82f3d01273dea531b0675e4a05237e85f1387dad22f7369db22fe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33567658.exe

Filesize
370KB

MD5
2bcb04b2a1c7c3a9caddaf14b27c7c46

SHA1
7dbb700cb0af0afc25afd510404be897d7599ace

SHA256
08911869f365e4ef95b0fa2afa8d78be3dff903feb0ad29396f5103b3613e5a2

SHA512
2d5472722c9d7680d2a4d3c83c52f30b239d933117f208b3c4268cade4bf468d0d7219eac88e23a857e2c1e3386b0f371de7604c2b86a82a2e3116884d812cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i33567658.exe

Filesize
370KB

MD5
2bcb04b2a1c7c3a9caddaf14b27c7c46

SHA1
7dbb700cb0af0afc25afd510404be897d7599ace

SHA256
08911869f365e4ef95b0fa2afa8d78be3dff903feb0ad29396f5103b3613e5a2

SHA512
2d5472722c9d7680d2a4d3c83c52f30b239d933117f208b3c4268cade4bf468d0d7219eac88e23a857e2c1e3386b0f371de7604c2b86a82a2e3116884d812cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21946895.exe

Filesize
169KB

MD5
febbeabca9e557d986e906459a89891f

SHA1
a892c8798bc4c20fe6bbd9c9cdcb176077ff1ad8

SHA256
cf102d762740a39b02c232f3f568638eabcb2b6a8328f7ab2eb45eb513bd0952

SHA512
18276cc331edb0d32fba393b0933e21d18b5f8614638da1e79f8dafe180711ff058bc54297b416553f017df5af5b66715bbbdb420183a97708ab71a2860e6d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21946895.exe

Filesize
169KB

MD5
febbeabca9e557d986e906459a89891f

SHA1
a892c8798bc4c20fe6bbd9c9cdcb176077ff1ad8

SHA256
cf102d762740a39b02c232f3f568638eabcb2b6a8328f7ab2eb45eb513bd0952

SHA512
18276cc331edb0d32fba393b0933e21d18b5f8614638da1e79f8dafe180711ff058bc54297b416553f017df5af5b66715bbbdb420183a97708ab71a2860e6d76

Download Submit
memory/212-168-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/212-169-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/212-170-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/212-171-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/212-172-0x0000000004D20000-0x0000000004D5C000-memory.dmp

Filesize
240KB

Download
memory/212-173-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/212-174-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download