redline | 35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1

Analysis

max time kernel
246s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe
Size

1.5MB
MD5

4ed630907f0afad992751532cf64b2a2
SHA1

721f9b56ebf5fab181c057ad020b3bad86630e3a
SHA256

35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1
SHA512

00dc0a0a44fc71d3f67dbf1b52893820e87908c79536f1c1dfc27cb1f455f49ec17d6994f4bd7df2b005859a139529c93c8d40bdb7ec63de6d6fd0954872a093
SSDEEP

24576:zyCGZGia/UzsgMgTxzFYR2H503pgSuSG/0vMVkJceNK7/cR31aWxNfMhXMsGW:GCGnz9M4xpYR2Hqlo8UVkJzS8lamNfwC

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2156-169-0x000000000B060000-0x000000000B678000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4256	i55004006.exe
3880	i46682084.exe
2276	i64019411.exe
1304	i80394341.exe
2156	a30786574.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i46682084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i64019411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i64019411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i55004006.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i46682084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i80394341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i80394341.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i55004006.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4256	3264	35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe	80
PID 3264 wrote to memory of 4256	3264	35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe	80
PID 3264 wrote to memory of 4256	3264	35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe	80
PID 4256 wrote to memory of 3880	4256	i55004006.exe	81
PID 4256 wrote to memory of 3880	4256	i55004006.exe	81
PID 4256 wrote to memory of 3880	4256	i55004006.exe	81
PID 3880 wrote to memory of 2276	3880	i46682084.exe	82
PID 3880 wrote to memory of 2276	3880	i46682084.exe	82
PID 3880 wrote to memory of 2276	3880	i46682084.exe	82
PID 2276 wrote to memory of 1304	2276	i64019411.exe	83
PID 2276 wrote to memory of 1304	2276	i64019411.exe	83
PID 2276 wrote to memory of 1304	2276	i64019411.exe	83
PID 1304 wrote to memory of 2156	1304	i80394341.exe	84
PID 1304 wrote to memory of 2156	1304	i80394341.exe	84
PID 1304 wrote to memory of 2156	1304	i80394341.exe	84

C:\Users\Admin\AppData\Local\Temp\35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe
"C:\Users\Admin\AppData\Local\Temp\35e37c583bc7bf6119a8e4a9989f856e6b1342080ec6b39cc7436da49abb51d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i55004006.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i55004006.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46682084.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46682084.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64019411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64019411.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80394341.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80394341.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30786574.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30786574.exe
        6⤵
        Executes dropped EXE
        
        PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i55004006.exe

Filesize
1.3MB

MD5
27f9c1f720d9f4aa3d0f2f40bc89d1a7

SHA1
879e91604d3ad1ae8128a46526e8c21b316412d3

SHA256
2adb93eb388d0310fd025b4d63a9f214612f325238e9d0748d44e55f6ead9304

SHA512
82a92a8f7d74b37591bac9e3e57edcfd8f3e2de0e7436375b670ffb530f67d71d01615b3a409f88548718429977c1d8f12f33ea1ddfeb837b68f7ac1fbf2be7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i55004006.exe

Filesize
1.3MB

MD5
27f9c1f720d9f4aa3d0f2f40bc89d1a7

SHA1
879e91604d3ad1ae8128a46526e8c21b316412d3

SHA256
2adb93eb388d0310fd025b4d63a9f214612f325238e9d0748d44e55f6ead9304

SHA512
82a92a8f7d74b37591bac9e3e57edcfd8f3e2de0e7436375b670ffb530f67d71d01615b3a409f88548718429977c1d8f12f33ea1ddfeb837b68f7ac1fbf2be7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46682084.exe

Filesize
1015KB

MD5
dfd9400247a534135cff85ac11d64b68

SHA1
2fb23522efafd44def645c63ad42ee9b65f105e5

SHA256
5227df8574fe3d9054b963385bbc6a8005e510a9791cc31bcb3b201d8435e959

SHA512
55bfb8233dd9e240a95daf0540fb9c489f8745223d283d6f59ef95d0892be8e49485d88b1a49d22b40b16c95faa58e98a7d2e870db5d9f4e364efa97f353414e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i46682084.exe

Filesize
1015KB

MD5
dfd9400247a534135cff85ac11d64b68

SHA1
2fb23522efafd44def645c63ad42ee9b65f105e5

SHA256
5227df8574fe3d9054b963385bbc6a8005e510a9791cc31bcb3b201d8435e959

SHA512
55bfb8233dd9e240a95daf0540fb9c489f8745223d283d6f59ef95d0892be8e49485d88b1a49d22b40b16c95faa58e98a7d2e870db5d9f4e364efa97f353414e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64019411.exe

Filesize
843KB

MD5
f49e2183ede2938a0061968ec066ca8d

SHA1
67aed13c0330398b22831f0bfbb531db823af14f

SHA256
97c25524b25a0bf6d9ef932a44fa230f1dadd028a0f20eb624e887bcc5a63c79

SHA512
b4558192fa2d24b44bd624603b69bf2c37c15f0cfb4c5eee69e7244305791afff8edef0ba8e879dee43b536277c2e2cfa03b8cb1e6307d3f70a5425784635e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i64019411.exe

Filesize
843KB

MD5
f49e2183ede2938a0061968ec066ca8d

SHA1
67aed13c0330398b22831f0bfbb531db823af14f

SHA256
97c25524b25a0bf6d9ef932a44fa230f1dadd028a0f20eb624e887bcc5a63c79

SHA512
b4558192fa2d24b44bd624603b69bf2c37c15f0cfb4c5eee69e7244305791afff8edef0ba8e879dee43b536277c2e2cfa03b8cb1e6307d3f70a5425784635e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80394341.exe

Filesize
371KB

MD5
35bf888b8c5bdc8921c9c413f703f339

SHA1
11787bc3b1b3a4faf7ae7db89bfcc2d89961de94

SHA256
ccc4082793a0d5a2c122263d44d332f83aaeff6e3f662550c583e0a639918209

SHA512
0db112c855b70854aed4afdaafcf5b2e5e3d0891a88d40b56059a0bf4788981c2d94e104b55ac6e1a671fa2282fc75ddb1f75e8a25b5975501442846686e31ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80394341.exe

Filesize
371KB

MD5
35bf888b8c5bdc8921c9c413f703f339

SHA1
11787bc3b1b3a4faf7ae7db89bfcc2d89961de94

SHA256
ccc4082793a0d5a2c122263d44d332f83aaeff6e3f662550c583e0a639918209

SHA512
0db112c855b70854aed4afdaafcf5b2e5e3d0891a88d40b56059a0bf4788981c2d94e104b55ac6e1a671fa2282fc75ddb1f75e8a25b5975501442846686e31ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30786574.exe

Filesize
169KB

MD5
874d6cb66fe068f998263b5de42fdc02

SHA1
df5c1c6333191a6d75e9b958f4a6882b48e48560

SHA256
3c165c6126802b2f95de5cc670a56d458d1848a5bb4fc86588652f5fd4fddae6

SHA512
b9f826d8629e0103218d36d366070a294b9659bf35b93ba5d49e0bc696a63af63dff56ed9f7d483ea92b3dd12372182fcf1f6be57c462e9008a449d6f0a631ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a30786574.exe

Filesize
169KB

MD5
874d6cb66fe068f998263b5de42fdc02

SHA1
df5c1c6333191a6d75e9b958f4a6882b48e48560

SHA256
3c165c6126802b2f95de5cc670a56d458d1848a5bb4fc86588652f5fd4fddae6

SHA512
b9f826d8629e0103218d36d366070a294b9659bf35b93ba5d49e0bc696a63af63dff56ed9f7d483ea92b3dd12372182fcf1f6be57c462e9008a449d6f0a631ed

Download Submit
memory/2156-168-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/2156-169-0x000000000B060000-0x000000000B678000-memory.dmp

Filesize
6.1MB

Download
memory/2156-170-0x000000000AB80000-0x000000000AC8A000-memory.dmp

Filesize
1.0MB

Download
memory/2156-171-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/2156-172-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2156-173-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2156-174-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download