redline | 3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c

Analysis

max time kernel
185s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe
Size

1.5MB
MD5

fd67ff18ddfc1d4c27c4e209a79c4980
SHA1

87e265f16b64b4e8aea647431b0e8cb041c2ebaa
SHA256

3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c
SHA512

803cbb1ef0e02455bb657355ebc8857c5f05532086d1b60ddc5983ff3dd56ac20d50f183e4b29a7202dd07b0b9078c026f783a658a3b56508b924e18343c7c15
SSDEEP

24576:8yxP4YHlQR0Y+PL5HLpEgFwdOL36ljC1hBGSG8jhu/s5oGN3jvJ88kLrR/H1:rxP44lO0YbdWKt2hsSBjh24z3jB8vLrF

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1944-169-0x000000000B0C0000-0x000000000B6D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1224	i10299687.exe
1084	i72693967.exe
3396	i52330224.exe
2020	i68938859.exe
1944	a40676473.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i72693967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52330224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i52330224.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10299687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i72693967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i68938859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i68938859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i10299687.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1224	5048	3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe	81
PID 5048 wrote to memory of 1224	5048	3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe	81
PID 5048 wrote to memory of 1224	5048	3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe	81
PID 1224 wrote to memory of 1084	1224	i10299687.exe	83
PID 1224 wrote to memory of 1084	1224	i10299687.exe	83
PID 1224 wrote to memory of 1084	1224	i10299687.exe	83
PID 1084 wrote to memory of 3396	1084	i72693967.exe	84
PID 1084 wrote to memory of 3396	1084	i72693967.exe	84
PID 1084 wrote to memory of 3396	1084	i72693967.exe	84
PID 3396 wrote to memory of 2020	3396	i52330224.exe	86
PID 3396 wrote to memory of 2020	3396	i52330224.exe	86
PID 3396 wrote to memory of 2020	3396	i52330224.exe	86
PID 2020 wrote to memory of 1944	2020	i68938859.exe	87
PID 2020 wrote to memory of 1944	2020	i68938859.exe	87
PID 2020 wrote to memory of 1944	2020	i68938859.exe	87

C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe
"C:\Users\Admin\AppData\Local\Temp\3775e7cd36ab4efe0ba40b94bdc489c81e7bd0b2beec70d8ec0b816c53d1160c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe
        6⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe

Filesize
1.3MB

MD5
96424ad0dbee1cbb7253980d6c1a6be7

SHA1
c0738d7f51a41623c704a154a9a9013304244d47

SHA256
0d55df92f772a478e54daf19b714d03404a7ac3edcd5abbc88c7eadf3733bfd2

SHA512
2a8d3aaa1f1fb9865dcb7fcff9eb26e756d7c698ff0100c984ed0cf4f4d99479e87bba1d1c38b25000681dbcb22417cbc63bc507c9622410b528a1d1bb6aef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i10299687.exe

Filesize
1.3MB

MD5
96424ad0dbee1cbb7253980d6c1a6be7

SHA1
c0738d7f51a41623c704a154a9a9013304244d47

SHA256
0d55df92f772a478e54daf19b714d03404a7ac3edcd5abbc88c7eadf3733bfd2

SHA512
2a8d3aaa1f1fb9865dcb7fcff9eb26e756d7c698ff0100c984ed0cf4f4d99479e87bba1d1c38b25000681dbcb22417cbc63bc507c9622410b528a1d1bb6aef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe

Filesize
1015KB

MD5
435c23635c3fdf9468818d370c448fb3

SHA1
b7d1c39b7adfa85103e0dcb7f81da101c3511790

SHA256
7719f88e17528c67eceb623ff389cf6581d5f1052b7c3748988db0cdbb23dfdb

SHA512
9a5cd3122d9b8aa6eb14f24e73511c833c485af0681270e4ebc92f887882bd951434560b2131caa07718b7c496163e96673c91bd60b77a541f9f6403834f19ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i72693967.exe

Filesize
1015KB

MD5
435c23635c3fdf9468818d370c448fb3

SHA1
b7d1c39b7adfa85103e0dcb7f81da101c3511790

SHA256
7719f88e17528c67eceb623ff389cf6581d5f1052b7c3748988db0cdbb23dfdb

SHA512
9a5cd3122d9b8aa6eb14f24e73511c833c485af0681270e4ebc92f887882bd951434560b2131caa07718b7c496163e96673c91bd60b77a541f9f6403834f19ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe

Filesize
843KB

MD5
df9bffbd5de29604cfcf05286f367cf3

SHA1
2f2f7b628eb083068a9220f98779bfa7e423d03d

SHA256
cf78e5d897eace16f314562aaaf28b46e9368ed435ea3f734baf0ccda3106a5a

SHA512
64a26f763c04ed685f33ff12596f06d63e2e07f8b99695eaf66810f8d27b421a927f2b89d12151412b4f2169d78c15a3b8c2e8dbc9db271e12bcb49947954906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52330224.exe

Filesize
843KB

MD5
df9bffbd5de29604cfcf05286f367cf3

SHA1
2f2f7b628eb083068a9220f98779bfa7e423d03d

SHA256
cf78e5d897eace16f314562aaaf28b46e9368ed435ea3f734baf0ccda3106a5a

SHA512
64a26f763c04ed685f33ff12596f06d63e2e07f8b99695eaf66810f8d27b421a927f2b89d12151412b4f2169d78c15a3b8c2e8dbc9db271e12bcb49947954906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe

Filesize
370KB

MD5
b5665f55e1124c091a5f344f231bd10f

SHA1
b733a68359599dacf7c43cf04708db767d3afdee

SHA256
8291e7676418fc56d50b263365968e98ccc7d18a5439017d8eaaa88d6741a4d8

SHA512
146958f1c403c3c13e77a00a0494165e011e16cf2ba741d309ac3aabe36be7c454b9976dc02356d5652adcb55468d638180810b12bed019641d7c530c4034056

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i68938859.exe

Filesize
370KB

MD5
b5665f55e1124c091a5f344f231bd10f

SHA1
b733a68359599dacf7c43cf04708db767d3afdee

SHA256
8291e7676418fc56d50b263365968e98ccc7d18a5439017d8eaaa88d6741a4d8

SHA512
146958f1c403c3c13e77a00a0494165e011e16cf2ba741d309ac3aabe36be7c454b9976dc02356d5652adcb55468d638180810b12bed019641d7c530c4034056

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe

Filesize
169KB

MD5
9e3d31f3302c87b6bbc03ffe3af5cb52

SHA1
82df246e1fdf14e87d95d1772d0be46e391e2a57

SHA256
e3537994912e245abac3d6c0d6e0cf66632a2697b555d8dd6296a6af1205f596

SHA512
40356f32bac252a36da2f4f0d1b7aaee97deebed36d94785b4ed180e5487a7d8b32dfb10c75f40f604dcabb12701c78bea0956c91e73ba8b05442c0e372a2995

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40676473.exe

Filesize
169KB

MD5
9e3d31f3302c87b6bbc03ffe3af5cb52

SHA1
82df246e1fdf14e87d95d1772d0be46e391e2a57

SHA256
e3537994912e245abac3d6c0d6e0cf66632a2697b555d8dd6296a6af1205f596

SHA512
40356f32bac252a36da2f4f0d1b7aaee97deebed36d94785b4ed180e5487a7d8b32dfb10c75f40f604dcabb12701c78bea0956c91e73ba8b05442c0e372a2995

Download Submit
memory/1944-168-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/1944-169-0x000000000B0C0000-0x000000000B6D8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-170-0x000000000ABB0000-0x000000000ACBA000-memory.dmp

Filesize
1.0MB

Download
memory/1944-171-0x000000000AAD0000-0x000000000AAE2000-memory.dmp

Filesize
72KB

Download
memory/1944-172-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1944-173-0x000000000AB30000-0x000000000AB6C000-memory.dmp

Filesize
240KB

Download
memory/1944-174-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download