redline | 18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af

Analysis

max time kernel
135s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
Size

890KB
MD5

d1156d92b2b741dd88dac7b3a3304800
SHA1

83f7239229b78ccf6f3033668ab7c135f1f93a26
SHA256

18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af
SHA512

82fc39c6af299c2aefe087566a6ed12ff2f201ddac85a3203fe4b3a9d0aca9b6c9dedc52facf72bc8253375e85e1e7053566ba9c821fe898f817d1a846134a65
SSDEEP

12288:hy90x9fP1CMpUOrsDF5+56cFUrFrktjUdRzVKdkIJwIh3S0zKFBo9/g3SfsKu2f1:hycX0ZO8+uwwdL1ICI8SvoCxu2TeaoS

Score

10^/10

redline dork gena infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dork

185.161.248.73:4164

Attributes

auth_value
e81be7d6cfb453cc812e1b4890eeadad

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4864-2317-0x0000000005120000-0x0000000005738000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	p11505084.exe

Executes dropped EXE 4 IoCs

pid	Process
4108	y28900514.exe
1032	p11505084.exe
4864	1.exe
4684	r97629527.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y28900514.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y28900514.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3724	1032	WerFault.exe	83

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	p11505084.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4108	4260	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	82
PID 4260 wrote to memory of 4108	4260	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	82
PID 4260 wrote to memory of 4108	4260	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	82
PID 4108 wrote to memory of 1032	4108	y28900514.exe	83
PID 4108 wrote to memory of 1032	4108	y28900514.exe	83
PID 4108 wrote to memory of 1032	4108	y28900514.exe	83
PID 1032 wrote to memory of 4864	1032	p11505084.exe	90
PID 1032 wrote to memory of 4864	1032	p11505084.exe	90
PID 1032 wrote to memory of 4864	1032	p11505084.exe	90
PID 4108 wrote to memory of 4684	4108	y28900514.exe	94
PID 4108 wrote to memory of 4684	4108	y28900514.exe	94
PID 4108 wrote to memory of 4684	4108	y28900514.exe	94

C:\Users\Admin\AppData\Local\Temp\18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
"C:\Users\Admin\AppData\Local\Temp\18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:4864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1376
      4⤵
      Program crash
      PID:3724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r97629527.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r97629527.exe
    3⤵
    - Executes dropped EXE
    PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1032 -ip 1032
1⤵
PID:3388

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

73.254.224.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.254.224.20.in-addr.arpa

IN PTR

Response

185.161.248.73:4164

1.exe

260 B
5
185.161.248.73:4164

r97629527.exe

260 B
5
20.189.173.9:443

322 B
7
40.125.122.176:443

260 B
5
8.238.21.126:80

322 B
7
40.125.122.176:443

260 B
5
185.161.248.73:4164

1.exe

260 B
5
185.161.248.73:4164

r97629527.exe

260 B
5
8.238.21.126:80

322 B
7
40.125.122.176:443

260 B
5
185.161.248.73:4164

1.exe

260 B
5
185.161.248.73:4164

r97629527.exe

260 B
5
40.125.122.176:443

260 B
5
185.161.248.73:4164

1.exe

260 B
5
185.161.248.73:4164

r97629527.exe

260 B
5
40.125.122.176:443

260 B
5
185.161.248.73:4164

1.exe

260 B
5
185.161.248.73:4164

r97629527.exe

260 B
5
40.125.122.176:443

260 B
5

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

73.254.224.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.254.224.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe

Filesize
589KB

MD5
ff364d53df504632dbc1701429e154b2

SHA1
f8df1498bcb70ab19755162d2e0d30cfc023500d

SHA256
e8a7312544eb5fa0b3bf22300a67d3fc0ddf322c0739778a1a40f37488419311

SHA512
64b1545ba3bd80821a4c2315cbb3172ae0c0d2bad79c705619692b6a30701d3b2511fd938ead0184f8998444458519a28d91204e03a17f994e55a71ebb38e77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe

Filesize
589KB

MD5
ff364d53df504632dbc1701429e154b2

SHA1
f8df1498bcb70ab19755162d2e0d30cfc023500d

SHA256
e8a7312544eb5fa0b3bf22300a67d3fc0ddf322c0739778a1a40f37488419311

SHA512
64b1545ba3bd80821a4c2315cbb3172ae0c0d2bad79c705619692b6a30701d3b2511fd938ead0184f8998444458519a28d91204e03a17f994e55a71ebb38e77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r97629527.exe

Filesize
168KB

MD5
d19ee2ed2586976c85447c68d56b2627

SHA1
3b1e45730c3e7f7765d70e6e4155d7eb70221b30

SHA256
3ef6919b437f1cd62ce1140568cee42c077cfc95ef4bf2274d177e577f292abe

SHA512
3cd3b1e8aea21bfbb8444f75cf1bbe137f1fcf9dff55ca3427fd72f945a119cae05e35217f919bacc081177faf10a2f39e65a74d3e29d7e96df19abbda92e07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r97629527.exe

Filesize
168KB

MD5
d19ee2ed2586976c85447c68d56b2627

SHA1
3b1e45730c3e7f7765d70e6e4155d7eb70221b30

SHA256
3ef6919b437f1cd62ce1140568cee42c077cfc95ef4bf2274d177e577f292abe

SHA512
3cd3b1e8aea21bfbb8444f75cf1bbe137f1fcf9dff55ca3427fd72f945a119cae05e35217f919bacc081177faf10a2f39e65a74d3e29d7e96df19abbda92e07a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1032-165-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-203-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-157-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-159-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-163-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-161-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-154-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-167-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-169-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-171-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-173-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-175-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-177-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-179-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-181-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-183-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-185-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-187-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-189-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-191-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-193-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-195-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-197-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-199-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-201-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-155-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-205-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-207-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-209-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-211-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-213-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-215-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-217-0x0000000005790000-0x00000000057F0000-memory.dmp

Filesize
384KB

Download
memory/1032-1948-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1032-2175-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1032-2306-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1032-153-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1032-152-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1032-151-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/1032-149-0x0000000000D10000-0x0000000000D6B000-memory.dmp

Filesize
364KB

Download
memory/1032-150-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/4684-2327-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/4684-2328-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4684-2330-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4864-2318-0x0000000004C10000-0x0000000004D1A000-memory.dmp

Filesize
1.0MB

Download
memory/4864-2319-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/4864-2321-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/4864-2322-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4864-2317-0x0000000005120000-0x0000000005738000-memory.dmp

Filesize
6.1MB

Download
memory/4864-2316-0x0000000000190000-0x00000000001BE000-memory.dmp

Filesize
184KB

Download
memory/4864-2329-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.