redline | 242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e

Analysis

max time kernel
185s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe
Size

1.5MB
MD5

33753f3f4153ae07c4379dfbee8cb421
SHA1

68b4165a60a25e4c5145c89a7f234934f61dc48c
SHA256

242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e
SHA512

aaf0cc8baa73999f16545229cb2629b40752c4ec0dc9e5b73b42d1a4e30aa74c28031656e27f4a803c86855074f12b7311ad67a4d0e78a4971dce974fe5fe5d5
SSDEEP

24576:IymQICYDm4Ry3rk9mh93pzDvdCYRGun72+xtPkxX1yKH3JJ+t4Vr8t4JTcY:PuCIRy7kYhnPvZn72+bsd1yKHOErS2T

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3036-169-0x000000000A840000-0x000000000AE58000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2272	i29812944.exe
3584	i47384386.exe
1576	i46484859.exe
4508	i30772868.exe
3036	a49146973.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i47384386.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i46484859.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i30772868.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i30772868.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i46484859.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i29812944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i29812944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i47384386.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2272	1420	242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe	82
PID 1420 wrote to memory of 2272	1420	242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe	82
PID 1420 wrote to memory of 2272	1420	242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe	82
PID 2272 wrote to memory of 3584	2272	i29812944.exe	83
PID 2272 wrote to memory of 3584	2272	i29812944.exe	83
PID 2272 wrote to memory of 3584	2272	i29812944.exe	83
PID 3584 wrote to memory of 1576	3584	i47384386.exe	84
PID 3584 wrote to memory of 1576	3584	i47384386.exe	84
PID 3584 wrote to memory of 1576	3584	i47384386.exe	84
PID 1576 wrote to memory of 4508	1576	i46484859.exe	85
PID 1576 wrote to memory of 4508	1576	i46484859.exe	85
PID 1576 wrote to memory of 4508	1576	i46484859.exe	85
PID 4508 wrote to memory of 3036	4508	i30772868.exe	86
PID 4508 wrote to memory of 3036	4508	i30772868.exe	86
PID 4508 wrote to memory of 3036	4508	i30772868.exe	86

C:\Users\Admin\AppData\Local\Temp\242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe
"C:\Users\Admin\AppData\Local\Temp\242f8806ba6c0ff404f69cd4ef3b8a5ab94617ee399fb5c6b1b117713f2a409e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i29812944.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i29812944.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47384386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47384386.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i46484859.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i46484859.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i30772868.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i30772868.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49146973.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49146973.exe
        6⤵
        Executes dropped EXE
        
        PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i29812944.exe

Filesize
1.3MB

MD5
d9c4e8bf30b6f2f2f67a141a757ed175

SHA1
6a9a06f98e77018443ed0497493b38432ab42923

SHA256
4e7a1311f5938693e58ff53ad0087f59f1b9b56f5352836e48901c4d1046bcf6

SHA512
fd1909d8837b97b983dfc7c1047be439ec317b62216c0a1936e181b6a79b12055865d7673b2aafe72262578fe369749fd4932380f03f17af47d848ed2b74eee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i29812944.exe

Filesize
1.3MB

MD5
d9c4e8bf30b6f2f2f67a141a757ed175

SHA1
6a9a06f98e77018443ed0497493b38432ab42923

SHA256
4e7a1311f5938693e58ff53ad0087f59f1b9b56f5352836e48901c4d1046bcf6

SHA512
fd1909d8837b97b983dfc7c1047be439ec317b62216c0a1936e181b6a79b12055865d7673b2aafe72262578fe369749fd4932380f03f17af47d848ed2b74eee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47384386.exe

Filesize
1016KB

MD5
babac5aa4c6a131aa452f20d5c6014fb

SHA1
b3eeb2e1d154dea71f90bf427b170bb5a52d355c

SHA256
88e4344c917d94261ff0c69268bb813ac76a25cbbe6c386a8a75133bf9c10e66

SHA512
bd067c24d22a04f4ab3c4e1bf18222337d21f99f10083a13b47c1072b9f5a56851fdb90e23e430c61b6cb4bcd8fbdc6b7a4c363ff997ee2212678b39dda124aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i47384386.exe

Filesize
1016KB

MD5
babac5aa4c6a131aa452f20d5c6014fb

SHA1
b3eeb2e1d154dea71f90bf427b170bb5a52d355c

SHA256
88e4344c917d94261ff0c69268bb813ac76a25cbbe6c386a8a75133bf9c10e66

SHA512
bd067c24d22a04f4ab3c4e1bf18222337d21f99f10083a13b47c1072b9f5a56851fdb90e23e430c61b6cb4bcd8fbdc6b7a4c363ff997ee2212678b39dda124aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i46484859.exe

Filesize
844KB

MD5
436d26d38352e2ea4162f579928a134b

SHA1
b766b3dc0c8fd1c96454a8ecfeda68783c52d378

SHA256
8feecc9c4e6358609e5b4e95ab3d5a3eecbcc6049a6d9e80484c48fbc6e40ab9

SHA512
2d2ce423b913ee346b153e8fdd4c3ed8aa884fca56373186d5c1d4ceb5c302ffeaf8101263c9c8e4c3abeb9687b36ebbd6fb21951d80118e3c4116c031f5f40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i46484859.exe

Filesize
844KB

MD5
436d26d38352e2ea4162f579928a134b

SHA1
b766b3dc0c8fd1c96454a8ecfeda68783c52d378

SHA256
8feecc9c4e6358609e5b4e95ab3d5a3eecbcc6049a6d9e80484c48fbc6e40ab9

SHA512
2d2ce423b913ee346b153e8fdd4c3ed8aa884fca56373186d5c1d4ceb5c302ffeaf8101263c9c8e4c3abeb9687b36ebbd6fb21951d80118e3c4116c031f5f40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i30772868.exe

Filesize
371KB

MD5
17d5c99d80e2e516169c08bf3a285962

SHA1
385aa15c5a0908d942733b6f00decd041224aca5

SHA256
04802687973c9691b43b150d19228a5b22b423af89437578e8685239f1813e15

SHA512
064f66c80ffe824b1aa88ab91194be8b6d170d569ef5091f297dbabe5e3d46d11ed00c96d67f56774cd302c6c0edfbc74c723676bdc1ce8eb49538188ddf43cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i30772868.exe

Filesize
371KB

MD5
17d5c99d80e2e516169c08bf3a285962

SHA1
385aa15c5a0908d942733b6f00decd041224aca5

SHA256
04802687973c9691b43b150d19228a5b22b423af89437578e8685239f1813e15

SHA512
064f66c80ffe824b1aa88ab91194be8b6d170d569ef5091f297dbabe5e3d46d11ed00c96d67f56774cd302c6c0edfbc74c723676bdc1ce8eb49538188ddf43cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49146973.exe

Filesize
169KB

MD5
7a69e0ede912fe7a1c43466b43cc6a82

SHA1
0aa3f135b28787eaf8fd1c3a0b6e3e2db6d1315f

SHA256
87b4979ec539d0a1eac971ed1be187ef5f7cebe2ec1de1c79c22ceac8ed5e0bb

SHA512
6345e11519e160d1238505266576b20133b625cea41e61b0f11b7e2dee293c9e2419d816ac568e360a56932b0f8ef4810f566a33a88bc7c1395c63024ce37ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49146973.exe

Filesize
169KB

MD5
7a69e0ede912fe7a1c43466b43cc6a82

SHA1
0aa3f135b28787eaf8fd1c3a0b6e3e2db6d1315f

SHA256
87b4979ec539d0a1eac971ed1be187ef5f7cebe2ec1de1c79c22ceac8ed5e0bb

SHA512
6345e11519e160d1238505266576b20133b625cea41e61b0f11b7e2dee293c9e2419d816ac568e360a56932b0f8ef4810f566a33a88bc7c1395c63024ce37ad8

Download Submit
memory/3036-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3036-169-0x000000000A840000-0x000000000AE58000-memory.dmp

Filesize
6.1MB

Download
memory/3036-170-0x000000000A380000-0x000000000A48A000-memory.dmp

Filesize
1.0MB

Download
memory/3036-171-0x000000000A2B0000-0x000000000A2C2000-memory.dmp

Filesize
72KB

Download
memory/3036-172-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3036-173-0x000000000A310000-0x000000000A34C000-memory.dmp

Filesize
240KB

Download
memory/3036-174-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download