redline | 17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
Size

1.2MB
MD5

89671b02829517398f50f298b77e7b48
SHA1

9c3f944ce808bf259f204e1167f1fee549610318
SHA256

17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b
SHA512

c3eafd063914c773ac4920ead0cda82cff5f0d6404f619d03b2ac2031348ace96092f61834a717b6559f9f4699a235ec5393bf0709d4c0e49a629209dc916002
SSDEEP

24576:3yNwwpFJfUY2rZjSPa6IAm72VVGQs6cBMDKrtzCFGD:CrJeMLId72Vq68oj

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/408-2334-0x0000000005B60000-0x0000000006178000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s94861212.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s94861212.exe

Executes dropped EXE 6 IoCs

Processes:

z58596077.exez06047833.exez04042869.exes94861212.exe1.exet42810816.exe

pid process

952 z58596077.exe
4692 z06047833.exe
4936 z04042869.exe
4216 s94861212.exe
408 1.exe
4304 t42810816.exe

pid	process
952	z58596077.exe
4692	z06047833.exe
4936	z04042869.exe
4216	s94861212.exe
408	1.exe
4304	t42810816.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z58596077.exez06047833.exez04042869.exe17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z58596077.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z06047833.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z06047833.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z04042869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z04042869.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z58596077.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1920 4216 WerFault.exe s94861212.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s94861212.exe

description pid process

Token: SeDebugPrivilege 4216 s94861212.exe

pid	pid_target	process	target process
1920	4216	WerFault.exe	s94861212.exe

description	pid	process
Token: SeDebugPrivilege	4216	s94861212.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exez58596077.exez06047833.exez04042869.exes94861212.exe

description	pid	process	target process
PID 1100 wrote to memory of 952	1100	17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe	z58596077.exe
PID 1100 wrote to memory of 952	1100	17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe	z58596077.exe
PID 1100 wrote to memory of 952	1100	17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe	z58596077.exe
PID 952 wrote to memory of 4692	952	z58596077.exe	z06047833.exe
PID 952 wrote to memory of 4692	952	z58596077.exe	z06047833.exe
PID 952 wrote to memory of 4692	952	z58596077.exe	z06047833.exe
PID 4692 wrote to memory of 4936	4692	z06047833.exe	z04042869.exe
PID 4692 wrote to memory of 4936	4692	z06047833.exe	z04042869.exe
PID 4692 wrote to memory of 4936	4692	z06047833.exe	z04042869.exe
PID 4936 wrote to memory of 4216	4936	z04042869.exe	s94861212.exe
PID 4936 wrote to memory of 4216	4936	z04042869.exe	s94861212.exe
PID 4936 wrote to memory of 4216	4936	z04042869.exe	s94861212.exe
PID 4216 wrote to memory of 408	4216	s94861212.exe	1.exe
PID 4216 wrote to memory of 408	4216	s94861212.exe	1.exe
PID 4216 wrote to memory of 408	4216	s94861212.exe	1.exe
PID 4936 wrote to memory of 4304	4936	z04042869.exe	t42810816.exe
PID 4936 wrote to memory of 4304	4936	z04042869.exe	t42810816.exe
PID 4936 wrote to memory of 4304	4936	z04042869.exe	t42810816.exe

C:\Users\Admin\AppData\Local\Temp\17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe
"C:\Users\Admin\AppData\Local\Temp\17eb9826b4f72a2e73a4ef93e851e687b91e16b9959bf220506d4a14702d584b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58596077.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58596077.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z06047833.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z06047833.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z04042869.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z04042869.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s94861212.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s94861212.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1524
6⤵
- Program crash
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t42810816.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t42810816.exe
5⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4216 -ip 4216
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58596077.exe
Filesize
1.0MB

MD5
fdc2c16a149afaffba006988a63c563f

SHA1
9fedb234adc0935472d857ee43138798280d63ad

SHA256
ac0d547dfaed9d24da719123a5badbf8bf78476e9a6249e45ff7de8628750b05

SHA512
08869912a6c6bea2b92f736876a394da86d3a9069983c32985a1094e121d5ed867e76d818e3d1d433a0a1f857b6c0587d8a6dbdcd8030b21f9247422958beffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58596077.exe
Filesize
1.0MB

MD5
fdc2c16a149afaffba006988a63c563f

SHA1
9fedb234adc0935472d857ee43138798280d63ad

SHA256
ac0d547dfaed9d24da719123a5badbf8bf78476e9a6249e45ff7de8628750b05

SHA512
08869912a6c6bea2b92f736876a394da86d3a9069983c32985a1094e121d5ed867e76d818e3d1d433a0a1f857b6c0587d8a6dbdcd8030b21f9247422958beffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z06047833.exe
Filesize
761KB

MD5
b1ae819d826d2f5954eaf1fe45225aec

SHA1
8fad113f39aff864390b2dfb01f3cbde00dfc15c

SHA256
bbffc2df8b06c8fd8bb5e30d764580ca7ed8960453405f1074b6dd0e174f4c1d

SHA512
3a5b66f76b35588d1a60302f519b0ba98c85cac726cac07064f49fe5b8850d3d7ad2095aef0c0d54d057dabc68fe6eeff0a20847405c1bf6d7d9c25095ba3010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z06047833.exe
Filesize
761KB

MD5
b1ae819d826d2f5954eaf1fe45225aec

SHA1
8fad113f39aff864390b2dfb01f3cbde00dfc15c

SHA256
bbffc2df8b06c8fd8bb5e30d764580ca7ed8960453405f1074b6dd0e174f4c1d

SHA512
3a5b66f76b35588d1a60302f519b0ba98c85cac726cac07064f49fe5b8850d3d7ad2095aef0c0d54d057dabc68fe6eeff0a20847405c1bf6d7d9c25095ba3010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z04042869.exe
Filesize
578KB

MD5
6e9a8169989824c860fa4df8aa781457

SHA1
84d39238051f81c13989257515864d1b1fd4437e

SHA256
aacade2fd12c0f8492982bddbacb57ede2916c83f4b5564192ae4586fdde62c2

SHA512
2ff51a0e36ad033c19691fed0494a2ea27042f593f14e88fb013225c5c53d3d0b8e811608534b6d7c852fbe7b1e7af2351af4425aa02670072da807a4f939394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z04042869.exe
Filesize
578KB

MD5
6e9a8169989824c860fa4df8aa781457

SHA1
84d39238051f81c13989257515864d1b1fd4437e

SHA256
aacade2fd12c0f8492982bddbacb57ede2916c83f4b5564192ae4586fdde62c2

SHA512
2ff51a0e36ad033c19691fed0494a2ea27042f593f14e88fb013225c5c53d3d0b8e811608534b6d7c852fbe7b1e7af2351af4425aa02670072da807a4f939394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s94861212.exe
Filesize
502KB

MD5
19a1e7ee7d198e28855d626680c91c7c

SHA1
02e317d79376d732b0f0890f461337fb3e319bac

SHA256
1a0ed2b29ca1e19b4b334f302913b58d59530bf7db48d468e3445055847e01cd

SHA512
9a5fa1f2f56b42ed19d8189a05500c55249d74f3c5125f12d1371e2cf4b20ad97f774e668e97710827d693bb38ab7e3856a65db2e8c12b734780e11af50eeaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s94861212.exe
Filesize
502KB

MD5
19a1e7ee7d198e28855d626680c91c7c

SHA1
02e317d79376d732b0f0890f461337fb3e319bac

SHA256
1a0ed2b29ca1e19b4b334f302913b58d59530bf7db48d468e3445055847e01cd

SHA512
9a5fa1f2f56b42ed19d8189a05500c55249d74f3c5125f12d1371e2cf4b20ad97f774e668e97710827d693bb38ab7e3856a65db2e8c12b734780e11af50eeaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t42810816.exe
Filesize
169KB

MD5
85796814ac86b641872a2e5e84c967c1

SHA1
591ee2aa4b40d9c021b2e4788470a778a1bcadec

SHA256
d48d3503e048d6725486cef2ecd1e39b37e84940ae47a0ca32ae426025894cab

SHA512
244f2041d49a6456421432b9106c0dc4dcd237b28ff815aa3fd9d59c3f01e525cd7461a8371b31dde3f53fff95f6cdbd65a5e0605ef36f6150e2c4413b3a2024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t42810816.exe
Filesize
169KB

MD5
85796814ac86b641872a2e5e84c967c1

SHA1
591ee2aa4b40d9c021b2e4788470a778a1bcadec

SHA256
d48d3503e048d6725486cef2ecd1e39b37e84940ae47a0ca32ae426025894cab

SHA512
244f2041d49a6456421432b9106c0dc4dcd237b28ff815aa3fd9d59c3f01e525cd7461a8371b31dde3f53fff95f6cdbd65a5e0605ef36f6150e2c4413b3a2024

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/408-2334-0x0000000005B60000-0x0000000006178000-memory.dmp

Filesize
6.1MB

Download
memory/408-2333-0x0000000000C10000-0x0000000000C3E000-memory.dmp

Filesize
184KB

Download
memory/408-2341-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/408-2338-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/408-2337-0x00000000055C0000-0x00000000055FC000-memory.dmp

Filesize
240KB

Download
memory/408-2336-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/408-2335-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/4216-193-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-211-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-173-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-175-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-177-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-179-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-181-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-183-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-185-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-187-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-189-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-191-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-169-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-195-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-197-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-199-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-201-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-203-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-205-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-207-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-209-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-171-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-213-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-215-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-217-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-219-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-221-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-223-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-225-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-227-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-168-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-167-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4216-166-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-165-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-229-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4216-813-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-811-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-815-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-2320-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-2340-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-164-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4216-163-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/4216-162-0x0000000000890000-0x00000000008EB000-memory.dmp

Filesize
364KB

Download
memory/4304-2349-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download