redline | 1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9

Analysis

max time kernel
136s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe
Size

1.2MB
MD5

ff8ed776a05414bde0b5a89eb48405ee
SHA1

94ccb8352cc2884c4b1a64a42fcbc9b3b0672a4b
SHA256

1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9
SHA512

b316ed34605fcbb57439c39cf0b16226b6c042c0c79e1b9fa2e3f611fbf0ff149f582c8c5ca9197d13ad8cb3919a8786fff8af5645e00d32133f7c5b15b673bf
SSDEEP

24576:OyC0sD4A1oVzK7PTi8Bn5WTInXFjW3j4YSkUjZHhfj6wq/fF7:dlovamXNGUXYz4YzUjLfmx/fF

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3752-2333-0x00000000058F0000-0x0000000005F08000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s87851372.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s87851372.exe

Executes dropped EXE 6 IoCs

Processes:

z01710048.exez12732503.exez80449439.exes87851372.exe1.exet24136995.exe

pid process

1776 z01710048.exe
3692 z12732503.exe
4628 z80449439.exe
4756 s87851372.exe
3752 1.exe
1960 t24136995.exe

pid	process
1776	z01710048.exe
3692	z12732503.exe
4628	z80449439.exe
4756	s87851372.exe
3752	1.exe
1960	t24136995.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z01710048.exez12732503.exez80449439.exe1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z01710048.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z12732503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z12732503.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z80449439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z80449439.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z01710048.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s87851372.exe

description pid process

Token: SeDebugPrivilege 4756 s87851372.exe

description	pid	process
Token: SeDebugPrivilege	4756	s87851372.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exez01710048.exez12732503.exez80449439.exes87851372.exe

description	pid	process	target process
PID 856 wrote to memory of 1776	856	1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe	z01710048.exe
PID 856 wrote to memory of 1776	856	1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe	z01710048.exe
PID 856 wrote to memory of 1776	856	1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe	z01710048.exe
PID 1776 wrote to memory of 3692	1776	z01710048.exe	z12732503.exe
PID 1776 wrote to memory of 3692	1776	z01710048.exe	z12732503.exe
PID 1776 wrote to memory of 3692	1776	z01710048.exe	z12732503.exe
PID 3692 wrote to memory of 4628	3692	z12732503.exe	z80449439.exe
PID 3692 wrote to memory of 4628	3692	z12732503.exe	z80449439.exe
PID 3692 wrote to memory of 4628	3692	z12732503.exe	z80449439.exe
PID 4628 wrote to memory of 4756	4628	z80449439.exe	s87851372.exe
PID 4628 wrote to memory of 4756	4628	z80449439.exe	s87851372.exe
PID 4628 wrote to memory of 4756	4628	z80449439.exe	s87851372.exe
PID 4756 wrote to memory of 3752	4756	s87851372.exe	1.exe
PID 4756 wrote to memory of 3752	4756	s87851372.exe	1.exe
PID 4756 wrote to memory of 3752	4756	s87851372.exe	1.exe
PID 4628 wrote to memory of 1960	4628	z80449439.exe	t24136995.exe
PID 4628 wrote to memory of 1960	4628	z80449439.exe	t24136995.exe
PID 4628 wrote to memory of 1960	4628	z80449439.exe	t24136995.exe

C:\Users\Admin\AppData\Local\Temp\1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe
"C:\Users\Admin\AppData\Local\Temp\1fb95ebc37d892fe7fd3abea3b34e49365dc945992139ab8a113440a498f99e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01710048.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01710048.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12732503.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12732503.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z80449439.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z80449439.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s87851372.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s87851372.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24136995.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24136995.exe
5⤵
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01710048.exe
Filesize
1.0MB

MD5
671746e0fc6123d6c5f18c9c546a9486

SHA1
adcd6eb5768c856a76e4f68d397530fc2efa0800

SHA256
d22bc41cd360177c79b32b70eea569253895b30786f4d6a25602dceccf720150

SHA512
83e2c810c960a22b18c7c71cc550e6e430854940bf8f2956404489574ef14c768482c2892558a69bbd312179da7ff664cd92931ff97200c141a9f0abd1e86848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z01710048.exe
Filesize
1.0MB

MD5
671746e0fc6123d6c5f18c9c546a9486

SHA1
adcd6eb5768c856a76e4f68d397530fc2efa0800

SHA256
d22bc41cd360177c79b32b70eea569253895b30786f4d6a25602dceccf720150

SHA512
83e2c810c960a22b18c7c71cc550e6e430854940bf8f2956404489574ef14c768482c2892558a69bbd312179da7ff664cd92931ff97200c141a9f0abd1e86848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12732503.exe
Filesize
764KB

MD5
80fc4b95c247e12068a288aada592ef4

SHA1
0fc915dd3ee0596038c5cf92f876f75d5c3763bf

SHA256
61d4e4c7a0c65ddef57a7727508b56f157c9812c9c73794cf39a0cb6501d76fb

SHA512
5edbd6ec798d5e5530066501e5c026594768cb7fe9cdbe22f5dd09c4e7d0bd97f4f416436c9bcf65fe90093aed41123550dbe6eba4a41b152fa4fb106da74957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12732503.exe
Filesize
764KB

MD5
80fc4b95c247e12068a288aada592ef4

SHA1
0fc915dd3ee0596038c5cf92f876f75d5c3763bf

SHA256
61d4e4c7a0c65ddef57a7727508b56f157c9812c9c73794cf39a0cb6501d76fb

SHA512
5edbd6ec798d5e5530066501e5c026594768cb7fe9cdbe22f5dd09c4e7d0bd97f4f416436c9bcf65fe90093aed41123550dbe6eba4a41b152fa4fb106da74957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z80449439.exe
Filesize
581KB

MD5
f6cbb6b8cffbfa5b350d580622bf26f0

SHA1
1909e5a1ac89111150357be60fc1d7f815ede96b

SHA256
2792b1b60a543ffda055cc82695639b52e87086e96cce562c064e5f3b54881c0

SHA512
8f37127bd55621177aaa5aceca0a9a31acb70ecbfbcbf1b7c0d509b01d4506a1a38fcf1b4d5827e5a33a19baf398dbf698f86012689fb022a1fc8a280f85123f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z80449439.exe
Filesize
581KB

MD5
f6cbb6b8cffbfa5b350d580622bf26f0

SHA1
1909e5a1ac89111150357be60fc1d7f815ede96b

SHA256
2792b1b60a543ffda055cc82695639b52e87086e96cce562c064e5f3b54881c0

SHA512
8f37127bd55621177aaa5aceca0a9a31acb70ecbfbcbf1b7c0d509b01d4506a1a38fcf1b4d5827e5a33a19baf398dbf698f86012689fb022a1fc8a280f85123f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s87851372.exe
Filesize
582KB

MD5
4087c94f592a46c4cdb0b2e15087d257

SHA1
ac570dc3ecf82a1d1256613d499408df0bc6a3ac

SHA256
9baf369683a25dd6c0bc202bd4e3028c4710f439ce9845f3b77448c830d4be44

SHA512
0aaa3e33bc7a29231be9c66e7d1207ac034d72cbcc1d25ca8c649e331cf16f0edf1eb6c232a51a4ba221b3fe6e059a4dbc89e1553fd6380a51f8f316035c5424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s87851372.exe
Filesize
582KB

MD5
4087c94f592a46c4cdb0b2e15087d257

SHA1
ac570dc3ecf82a1d1256613d499408df0bc6a3ac

SHA256
9baf369683a25dd6c0bc202bd4e3028c4710f439ce9845f3b77448c830d4be44

SHA512
0aaa3e33bc7a29231be9c66e7d1207ac034d72cbcc1d25ca8c649e331cf16f0edf1eb6c232a51a4ba221b3fe6e059a4dbc89e1553fd6380a51f8f316035c5424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24136995.exe
Filesize
169KB

MD5
659976b775d99c798318a6d7c471c9d8

SHA1
5e57a770429485c464d4061997be7b79d14261a2

SHA256
6212f0880ceed72010c9e194c983a3bc0c690676f647d835dbf150c3eecfec27

SHA512
1a90733919a648eb6e1739fdea436e15f7b4331336e1f0e0092c3357bb25a0b9b45584bfe11af22de9bd196b200a05455b22b6ac00a89c87d691e534b9ae3d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24136995.exe
Filesize
169KB

MD5
659976b775d99c798318a6d7c471c9d8

SHA1
5e57a770429485c464d4061997be7b79d14261a2

SHA256
6212f0880ceed72010c9e194c983a3bc0c690676f647d835dbf150c3eecfec27

SHA512
1a90733919a648eb6e1739fdea436e15f7b4331336e1f0e0092c3357bb25a0b9b45584bfe11af22de9bd196b200a05455b22b6ac00a89c87d691e534b9ae3d6f

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1960-2340-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/1960-2338-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/1960-2332-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/3752-2328-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/3752-2339-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3752-2337-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3752-2336-0x00000000050E0000-0x000000000511C000-memory.dmp

Filesize
240KB

Download
memory/3752-2335-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3752-2334-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/3752-2333-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/4756-190-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-214-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-180-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-182-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-184-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-186-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-188-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-176-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-192-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-194-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-196-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-198-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-200-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-202-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-204-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-206-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-208-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-210-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-212-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-178-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-216-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-218-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-220-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-222-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-174-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-172-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-170-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-167-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-168-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-166-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4756-165-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4756-163-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4756-164-0x0000000005120000-0x00000000056C4000-memory.dmp

Filesize
5.6MB

Download
memory/4756-162-0x0000000000940000-0x000000000099B000-memory.dmp

Filesize
364KB

Download
memory/4756-224-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-226-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-228-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-230-0x00000000056D0000-0x0000000005730000-memory.dmp

Filesize
384KB

Download
memory/4756-2314-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download