redline | 1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe
Size

1.2MB
MD5

6c02f9b5c49ea5dce229af49d59b8336
SHA1

54913ffe282edf7e916aadd7265d37cec0c518ae
SHA256

1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac
SHA512

b9608281f90ce6da1922b321cb9f7cc5262fbbee3b16f5b41a3e6fb851a892d0b88315ef5bb9c8ab883b4cedff4ab07501378714c66bf0b5301adc11c003b612
SSDEEP

24576:UyQYqaBCz3ASCTQ34V6l2pQRGVKOaj/8W+A/LG+URaz9l06odsg:jQOgMSYq4Ql2pOGYJkdyGp6od

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4328-2331-0x0000000005CC0000-0x00000000062D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s39186967.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	s39186967.exe

Executes dropped EXE 6 IoCs

Processes:

z57325026.exez79799989.exez21632492.exes39186967.exe1.exet95836691.exe

pid process

2504 z57325026.exe
1760 z79799989.exe
4432 z21632492.exe
2308 s39186967.exe
4328 1.exe
5084 t95836691.exe

pid	process
2504	z57325026.exe
1760	z79799989.exe
4432	z21632492.exe
2308	s39186967.exe
4328	1.exe
5084	t95836691.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exez57325026.exez79799989.exez21632492.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z57325026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z57325026.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z79799989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z79799989.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z21632492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z21632492.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

352 2308 WerFault.exe s39186967.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s39186967.exe

description pid process

Token: SeDebugPrivilege 2308 s39186967.exe

pid	pid_target	process	target process
352	2308	WerFault.exe	s39186967.exe

description	pid	process
Token: SeDebugPrivilege	2308	s39186967.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exez57325026.exez79799989.exez21632492.exes39186967.exe

description	pid	process	target process
PID 2264 wrote to memory of 2504	2264	1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe	z57325026.exe
PID 2264 wrote to memory of 2504	2264	1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe	z57325026.exe
PID 2264 wrote to memory of 2504	2264	1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe	z57325026.exe
PID 2504 wrote to memory of 1760	2504	z57325026.exe	z79799989.exe
PID 2504 wrote to memory of 1760	2504	z57325026.exe	z79799989.exe
PID 2504 wrote to memory of 1760	2504	z57325026.exe	z79799989.exe
PID 1760 wrote to memory of 4432	1760	z79799989.exe	z21632492.exe
PID 1760 wrote to memory of 4432	1760	z79799989.exe	z21632492.exe
PID 1760 wrote to memory of 4432	1760	z79799989.exe	z21632492.exe
PID 4432 wrote to memory of 2308	4432	z21632492.exe	s39186967.exe
PID 4432 wrote to memory of 2308	4432	z21632492.exe	s39186967.exe
PID 4432 wrote to memory of 2308	4432	z21632492.exe	s39186967.exe
PID 2308 wrote to memory of 4328	2308	s39186967.exe	1.exe
PID 2308 wrote to memory of 4328	2308	s39186967.exe	1.exe
PID 2308 wrote to memory of 4328	2308	s39186967.exe	1.exe
PID 4432 wrote to memory of 5084	4432	z21632492.exe	t95836691.exe
PID 4432 wrote to memory of 5084	4432	z21632492.exe	t95836691.exe
PID 4432 wrote to memory of 5084	4432	z21632492.exe	t95836691.exe

C:\Users\Admin\AppData\Local\Temp\1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe
"C:\Users\Admin\AppData\Local\Temp\1d8a1ac1eef59b35a168506d42f7614daa4cbe5b90b35bceca922a0a888958ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z57325026.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z57325026.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z79799989.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z79799989.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z21632492.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z21632492.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s39186967.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s39186967.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1372
        6⤵
        Program crash
        
        PID:352
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t95836691.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t95836691.exe
        5⤵
        Executes dropped EXE
        
        PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2308 -ip 2308
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z57325026.exe

Filesize
1.0MB

MD5
85858773f64f9fa0c3b696f6c095e77d

SHA1
59d72d5b8d377c2d6e834e64c0a8a88d610d413a

SHA256
be44a78197f796a0f392789de07003f5988436488297b208271ee1d788be9a1d

SHA512
8d2e82ded2dab123ed727a695c0741e44a0d8b4c60197ba6b01b87f4c4c48ca6265ad14b53a1be9944ae8178371fc34a00668fbc6f7f23b882632d2fdb713b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z57325026.exe

Filesize
1.0MB

MD5
85858773f64f9fa0c3b696f6c095e77d

SHA1
59d72d5b8d377c2d6e834e64c0a8a88d610d413a

SHA256
be44a78197f796a0f392789de07003f5988436488297b208271ee1d788be9a1d

SHA512
8d2e82ded2dab123ed727a695c0741e44a0d8b4c60197ba6b01b87f4c4c48ca6265ad14b53a1be9944ae8178371fc34a00668fbc6f7f23b882632d2fdb713b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z79799989.exe

Filesize
759KB

MD5
70dcc0ec72ddd67bc25726dfcea6d8cb

SHA1
2c191988d3495489b0398f48e9bf40f0fc452db0

SHA256
651646c48aab9c70ecfdab235c00c1e806f38516311d947d4ea894eb137ed9c6

SHA512
5c92aeafa34d883b12e569fca404fb82deda685b40a72a785c2c2e6f361831c5cfe9701b7c40f8ecc56a8504e0e894570b983a37d1219042e385d9d352ce5b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z79799989.exe

Filesize
759KB

MD5
70dcc0ec72ddd67bc25726dfcea6d8cb

SHA1
2c191988d3495489b0398f48e9bf40f0fc452db0

SHA256
651646c48aab9c70ecfdab235c00c1e806f38516311d947d4ea894eb137ed9c6

SHA512
5c92aeafa34d883b12e569fca404fb82deda685b40a72a785c2c2e6f361831c5cfe9701b7c40f8ecc56a8504e0e894570b983a37d1219042e385d9d352ce5b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z21632492.exe

Filesize
577KB

MD5
703e836a5b15a28aff17043d0226cba6

SHA1
305155901e049e726ffc1067f46b77a457e3708d

SHA256
141a4845110d6ebe847ec024a45266aaa40efec065056e45bf7a6ed8f3e387f6

SHA512
5c459ebebbc2d9469da7c5bcd90ddeb54b4d25bce0330b7a49b8af9119680678ba574b1c999caf9479ce583012329326f276b397cf4d686721a3dd45d83f6964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z21632492.exe

Filesize
577KB

MD5
703e836a5b15a28aff17043d0226cba6

SHA1
305155901e049e726ffc1067f46b77a457e3708d

SHA256
141a4845110d6ebe847ec024a45266aaa40efec065056e45bf7a6ed8f3e387f6

SHA512
5c459ebebbc2d9469da7c5bcd90ddeb54b4d25bce0330b7a49b8af9119680678ba574b1c999caf9479ce583012329326f276b397cf4d686721a3dd45d83f6964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s39186967.exe

Filesize
574KB

MD5
1191f03f6a39ce7d453de3a69eee5b94

SHA1
6c32ebf9dfea617e54bd7b0b6929c325d54db8a8

SHA256
d7141920a916c359cba42d546a1df0e40a5ea5339b61e05b69c9bcb9f497ab5b

SHA512
5a276d2d237ce7cbadc1a64169e64c18d8b1f698dfc28c1092e5eb4bfc3b5b4560867d86786b3fea2537ce3880f28d22092eb1c4e13288b0802d44fa06180383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s39186967.exe

Filesize
574KB

MD5
1191f03f6a39ce7d453de3a69eee5b94

SHA1
6c32ebf9dfea617e54bd7b0b6929c325d54db8a8

SHA256
d7141920a916c359cba42d546a1df0e40a5ea5339b61e05b69c9bcb9f497ab5b

SHA512
5a276d2d237ce7cbadc1a64169e64c18d8b1f698dfc28c1092e5eb4bfc3b5b4560867d86786b3fea2537ce3880f28d22092eb1c4e13288b0802d44fa06180383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t95836691.exe

Filesize
169KB

MD5
7d2dde20d30802bbc930b63053a48029

SHA1
6cc79e6327b001c189d23ea2233ea79495d6e1ae

SHA256
4a7d4350736a2c5a0f818bcbf76a2b5f8e2648d47eac81540e86ffa7d8257935

SHA512
e01dfdbb36e68ec557b0b20f063100f0cdab7b99246c76b1df5deba4ce72aa8f5fb809ae6bd70033ea27befe88e3c2223810e28c8986fac8c9b3074f16416d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t95836691.exe

Filesize
169KB

MD5
7d2dde20d30802bbc930b63053a48029

SHA1
6cc79e6327b001c189d23ea2233ea79495d6e1ae

SHA256
4a7d4350736a2c5a0f818bcbf76a2b5f8e2648d47eac81540e86ffa7d8257935

SHA512
e01dfdbb36e68ec557b0b20f063100f0cdab7b99246c76b1df5deba4ce72aa8f5fb809ae6bd70033ea27befe88e3c2223810e28c8986fac8c9b3074f16416d2e

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2308-194-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-208-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-164-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2308-165-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2308-166-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2308-167-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-168-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-170-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-172-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-174-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-176-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-178-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-180-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-182-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-184-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-186-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-188-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-190-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-192-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-162-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/2308-196-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-198-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-200-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-202-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-204-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-163-0x00000000008A0000-0x00000000008FB000-memory.dmp

Filesize
364KB

Download
memory/2308-206-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-212-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-216-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-218-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-214-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-210-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-220-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-222-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-224-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-226-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-228-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-230-0x0000000005660000-0x00000000056C0000-memory.dmp

Filesize
384KB

Download
memory/2308-2314-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2308-2315-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2308-2316-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2308-2317-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/4328-2330-0x0000000000D30000-0x0000000000D5E000-memory.dmp

Filesize
184KB

Download
memory/4328-2331-0x0000000005CC0000-0x00000000062D8000-memory.dmp

Filesize
6.1MB

Download
memory/4328-2332-0x00000000057B0000-0x00000000058BA000-memory.dmp

Filesize
1.0MB

Download
memory/4328-2333-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/4328-2334-0x00000000056E0000-0x000000000571C000-memory.dmp

Filesize
240KB

Download
memory/4328-2335-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4328-2342-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/5084-2340-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/5084-2341-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/5084-2343-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download