redline | 2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f

Analysis

max time kernel
196s
max time network
255s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe
Size

1.5MB
MD5

64a48944628e9786978e243aa5ef628f
SHA1

0b3cffe9f70b5b38f1be03bf5b7dc79b3b417da5
SHA256

2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f
SHA512

d2ebd51f4b1bc38a3395ac06525917d6f2703392186252070353bc055d7aca16897ffdd5bf3c3382a4940a63830dd0312ff550c1e879010a84171b1024dc9b9d
SSDEEP

24576:Iy6/g14sotpfiYb6mROE0k5iggexwSA/SV1wSfNV9t6OyDR2OAU:PQs0686UOu7g+06T3fLmO423

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4652-169-0x000000000A430000-0x000000000AA48000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3352	i52443838.exe
848	i60461112.exe
220	i78671877.exe
4024	i15896566.exe
4652	a94424661.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i60461112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52443838.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i60461112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i78671877.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i15896566.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i15896566.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i52443838.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i78671877.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 3352	2688	2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe	81
PID 2688 wrote to memory of 3352	2688	2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe	81
PID 2688 wrote to memory of 3352	2688	2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe	81
PID 3352 wrote to memory of 848	3352	i52443838.exe	82
PID 3352 wrote to memory of 848	3352	i52443838.exe	82
PID 3352 wrote to memory of 848	3352	i52443838.exe	82
PID 848 wrote to memory of 220	848	i60461112.exe	83
PID 848 wrote to memory of 220	848	i60461112.exe	83
PID 848 wrote to memory of 220	848	i60461112.exe	83
PID 220 wrote to memory of 4024	220	i78671877.exe	84
PID 220 wrote to memory of 4024	220	i78671877.exe	84
PID 220 wrote to memory of 4024	220	i78671877.exe	84
PID 4024 wrote to memory of 4652	4024	i15896566.exe	85
PID 4024 wrote to memory of 4652	4024	i15896566.exe	85
PID 4024 wrote to memory of 4652	4024	i15896566.exe	85

C:\Users\Admin\AppData\Local\Temp\2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe
"C:\Users\Admin\AppData\Local\Temp\2227902d9a2b096bdfcafeb7ef42c413ab65087f8761f30b9baaec856250734f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52443838.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52443838.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60461112.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60461112.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78671877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78671877.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15896566.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15896566.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94424661.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94424661.exe
        6⤵
        Executes dropped EXE
        
        PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52443838.exe

Filesize
1.3MB

MD5
4cf23fe3619f1680c63e0595b1e68121

SHA1
245b38fe94f93d77ef6b10c5fb1677d9745b2d58

SHA256
6ba91d5104f819c295cda0f03846af3344498ce853e2659de417fbd194edf1d7

SHA512
b8132b2fb9483c8cd164d2a9b90f51fcb4512b4ae7baee48797176c7345096185e588196fb18d2fdf7b7ef387c040478b13b70073f5fbba22cf29e9da31bdcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i52443838.exe

Filesize
1.3MB

MD5
4cf23fe3619f1680c63e0595b1e68121

SHA1
245b38fe94f93d77ef6b10c5fb1677d9745b2d58

SHA256
6ba91d5104f819c295cda0f03846af3344498ce853e2659de417fbd194edf1d7

SHA512
b8132b2fb9483c8cd164d2a9b90f51fcb4512b4ae7baee48797176c7345096185e588196fb18d2fdf7b7ef387c040478b13b70073f5fbba22cf29e9da31bdcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60461112.exe

Filesize
1014KB

MD5
a4da5fb727772dc46d1de01fca8d623c

SHA1
59dc1f52316f4527a73f7f71097e6fd7ed5e2570

SHA256
4db442a8a7dc2dcb2659ddcb23d1db42f252e0fc7338b50d435e49cb099b99fd

SHA512
4886d09487b48771183646c7bb2d0ccd195b2687b18bc89792e8d29421a25a4398a5097c0df3db4ae8cf2a4d161d13c41dc7fd81d5279ce159acf78d63bd0141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60461112.exe

Filesize
1014KB

MD5
a4da5fb727772dc46d1de01fca8d623c

SHA1
59dc1f52316f4527a73f7f71097e6fd7ed5e2570

SHA256
4db442a8a7dc2dcb2659ddcb23d1db42f252e0fc7338b50d435e49cb099b99fd

SHA512
4886d09487b48771183646c7bb2d0ccd195b2687b18bc89792e8d29421a25a4398a5097c0df3db4ae8cf2a4d161d13c41dc7fd81d5279ce159acf78d63bd0141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78671877.exe

Filesize
843KB

MD5
05fbd12c3624584864f41ec262af1eed

SHA1
7c195ddca9f2054ae134ea42ff0e87ea30fdf382

SHA256
f937d9eb46d5fc8b777dd64830d874f62e809d167cc99f36c4622f0dd10f3564

SHA512
4ae55389231041b03e46da382f53d74a0b26dbb245880dbb24715ab3e85ad19f7b4dfd730dfabe6d934da1b5be3f0afe81f218732a5e66383731631fac241ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78671877.exe

Filesize
843KB

MD5
05fbd12c3624584864f41ec262af1eed

SHA1
7c195ddca9f2054ae134ea42ff0e87ea30fdf382

SHA256
f937d9eb46d5fc8b777dd64830d874f62e809d167cc99f36c4622f0dd10f3564

SHA512
4ae55389231041b03e46da382f53d74a0b26dbb245880dbb24715ab3e85ad19f7b4dfd730dfabe6d934da1b5be3f0afe81f218732a5e66383731631fac241ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15896566.exe

Filesize
371KB

MD5
37157f2f5c8324e3d73b7d6df874e8f1

SHA1
880627265ba140481ccf540be53397708175cd3a

SHA256
6e4e7637d5e651ec5b9fe7c0f05e49989424b33ce0909f6673af33b77f2e1846

SHA512
dd305034a672888dec925e831b5dc1ee8daf4ac37b4cffe0294211ae6f5ea89ca1402bcd5c94f1e16dff5cc331f2d351c73241df1f440a9b87bc9039f692ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i15896566.exe

Filesize
371KB

MD5
37157f2f5c8324e3d73b7d6df874e8f1

SHA1
880627265ba140481ccf540be53397708175cd3a

SHA256
6e4e7637d5e651ec5b9fe7c0f05e49989424b33ce0909f6673af33b77f2e1846

SHA512
dd305034a672888dec925e831b5dc1ee8daf4ac37b4cffe0294211ae6f5ea89ca1402bcd5c94f1e16dff5cc331f2d351c73241df1f440a9b87bc9039f692ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94424661.exe

Filesize
169KB

MD5
b1a0645a6699d958b339507048d5bb70

SHA1
84427aeb858c71af3d56524d9876af1e172634b0

SHA256
5c2f3ed8816454062bc84fb7febe8364656735dce97b942b550bdbb3e4147c0a

SHA512
613f65651cb32c1e13b121b2b6e0c919fd77dbc2026e7d520a1c23648140fdb171611c7cd211d5e6eacb77dc041c60b1d0786a26948895bef948bd18faa4071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a94424661.exe

Filesize
169KB

MD5
b1a0645a6699d958b339507048d5bb70

SHA1
84427aeb858c71af3d56524d9876af1e172634b0

SHA256
5c2f3ed8816454062bc84fb7febe8364656735dce97b942b550bdbb3e4147c0a

SHA512
613f65651cb32c1e13b121b2b6e0c919fd77dbc2026e7d520a1c23648140fdb171611c7cd211d5e6eacb77dc041c60b1d0786a26948895bef948bd18faa4071a

Download Submit
memory/4652-168-0x0000000000030000-0x0000000000060000-memory.dmp

Filesize
192KB

Download
memory/4652-169-0x000000000A430000-0x000000000AA48000-memory.dmp

Filesize
6.1MB

Download
memory/4652-170-0x0000000009FB0000-0x000000000A0BA000-memory.dmp

Filesize
1.0MB

Download
memory/4652-171-0x0000000009EE0000-0x0000000009EF2000-memory.dmp

Filesize
72KB

Download
memory/4652-172-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/4652-173-0x0000000009F40000-0x0000000009F7C000-memory.dmp

Filesize
240KB

Download
memory/4652-174-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download