redline | 238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe
Size

1.5MB
MD5

3e2d7c08eb5806c2473bcd2f30a1abe8
SHA1

736c2882cd937610dfe2e6f10ef3b4d0643efeb7
SHA256

238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483
SHA512

ea470fada9d59bf8134463e875b0925ee60f03a9a87e24937059a2cc3d1436514bd17a90afec043e6cd71a5ddeb6bea83a3328e591e02ce586490195eeeb0b68
SSDEEP

24576:Dy5pu1NTvwtXT8vC5G/cGRBJrZ4Efh/C/xHOAGOW2cNk1Oumg/QvHTTKI8RD4Ob:W5U9vFvHcGRnrZ3fI5HOYe21egYvzTKr

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/116-169-0x000000000B2F0000-0x000000000B908000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4288	i61021112.exe
2024	i01479444.exe
556	i67403077.exe
1232	i07368701.exe
116	a61196029.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i67403077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i67403077.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i07368701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i07368701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i61021112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i01479444.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i61021112.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i01479444.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4288	1948	238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe	83
PID 1948 wrote to memory of 4288	1948	238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe	83
PID 1948 wrote to memory of 4288	1948	238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe	83
PID 4288 wrote to memory of 2024	4288	i61021112.exe	84
PID 4288 wrote to memory of 2024	4288	i61021112.exe	84
PID 4288 wrote to memory of 2024	4288	i61021112.exe	84
PID 2024 wrote to memory of 556	2024	i01479444.exe	85
PID 2024 wrote to memory of 556	2024	i01479444.exe	85
PID 2024 wrote to memory of 556	2024	i01479444.exe	85
PID 556 wrote to memory of 1232	556	i67403077.exe	86
PID 556 wrote to memory of 1232	556	i67403077.exe	86
PID 556 wrote to memory of 1232	556	i67403077.exe	86
PID 1232 wrote to memory of 116	1232	i07368701.exe	87
PID 1232 wrote to memory of 116	1232	i07368701.exe	87
PID 1232 wrote to memory of 116	1232	i07368701.exe	87

C:\Users\Admin\AppData\Local\Temp\238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe
"C:\Users\Admin\AppData\Local\Temp\238bffd7cbbbc3018957f86910aed7b0c15a7a57dcad64c94efadcca49b1a483.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61021112.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61021112.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01479444.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01479444.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67403077.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67403077.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07368701.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07368701.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61196029.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61196029.exe
        6⤵
        Executes dropped EXE
        
        PID:116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61021112.exe

Filesize
1.3MB

MD5
55318cf642ac88509e3e7b9002f763a2

SHA1
46f1c21d2797c18a2ed520ee473b8efcc7f58eb2

SHA256
ab3151ef3b684eafac5777292f5985a18368b8c1041152400d889c11322d9047

SHA512
1073ae8ac6430b8cb3bfecb471a299d75c886b46b8d2a4c971295da0f2146ec27d9ee18d2524650e868629a256931c88b829dcd6017cf3a9307bc69cf0c7605a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i61021112.exe

Filesize
1.3MB

MD5
55318cf642ac88509e3e7b9002f763a2

SHA1
46f1c21d2797c18a2ed520ee473b8efcc7f58eb2

SHA256
ab3151ef3b684eafac5777292f5985a18368b8c1041152400d889c11322d9047

SHA512
1073ae8ac6430b8cb3bfecb471a299d75c886b46b8d2a4c971295da0f2146ec27d9ee18d2524650e868629a256931c88b829dcd6017cf3a9307bc69cf0c7605a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01479444.exe

Filesize
1023KB

MD5
96190219b9a6fe3c0ddf2a4bfa34808c

SHA1
56c8cce137f227999161757a71d3993dc1b39f74

SHA256
7644b270b6be870f20a0285576b51fdb8c0dfcad348e24b8ba8454eac0dbc807

SHA512
42204a2228a34dbea7fdeccecf6a9582c4c968db17ce10211c119f5c4f700c7926388e581ed552936a68eb4e49429ffac26e5c994d10c01d14660d1e96148bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01479444.exe

Filesize
1023KB

MD5
96190219b9a6fe3c0ddf2a4bfa34808c

SHA1
56c8cce137f227999161757a71d3993dc1b39f74

SHA256
7644b270b6be870f20a0285576b51fdb8c0dfcad348e24b8ba8454eac0dbc807

SHA512
42204a2228a34dbea7fdeccecf6a9582c4c968db17ce10211c119f5c4f700c7926388e581ed552936a68eb4e49429ffac26e5c994d10c01d14660d1e96148bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67403077.exe

Filesize
851KB

MD5
99a20ef7f30239b6d7a95fc7b4e19ce7

SHA1
48f237600deaa2aaf921779f793378e38ca4c021

SHA256
302279aea18a01ced501087f301e2bfd88635fc29394211553dc3c8ffc93916b

SHA512
189bd3c5fee7ca12d6caaa00838a35d5e62507e82a7da0f0c7422528b790aa94b4a56981328f7a67e96e6084bdb9f74ceb90f59dddc86f5bf2051502dea78509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i67403077.exe

Filesize
851KB

MD5
99a20ef7f30239b6d7a95fc7b4e19ce7

SHA1
48f237600deaa2aaf921779f793378e38ca4c021

SHA256
302279aea18a01ced501087f301e2bfd88635fc29394211553dc3c8ffc93916b

SHA512
189bd3c5fee7ca12d6caaa00838a35d5e62507e82a7da0f0c7422528b790aa94b4a56981328f7a67e96e6084bdb9f74ceb90f59dddc86f5bf2051502dea78509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07368701.exe

Filesize
375KB

MD5
ff9be82c46b12fa413bdce8dfd8e8384

SHA1
233b5ceb20168bb874c522b4c0058225a66c3f1a

SHA256
7ac7803f228e1014ae86daa92c8116fd9c73c99e43494a2e13c679f3c30b945a

SHA512
fa59cc9c15bf9c24decd28acea6aa19a47ac6cfdb557976d4b11fcc953fe36f684659b02cae323e50bf96be639e8d160de2e40844c6499b35d0bebc627a21fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i07368701.exe

Filesize
375KB

MD5
ff9be82c46b12fa413bdce8dfd8e8384

SHA1
233b5ceb20168bb874c522b4c0058225a66c3f1a

SHA256
7ac7803f228e1014ae86daa92c8116fd9c73c99e43494a2e13c679f3c30b945a

SHA512
fa59cc9c15bf9c24decd28acea6aa19a47ac6cfdb557976d4b11fcc953fe36f684659b02cae323e50bf96be639e8d160de2e40844c6499b35d0bebc627a21fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61196029.exe

Filesize
169KB

MD5
f4e56a1848527a21793266d0f1ef4b4a

SHA1
3e3195da790e3350a763eb0a99fbf7bfbe0d2e54

SHA256
6356626f4367907f59e520cbbf3fa9dec3679bf59e4ebe42499dcc172c6b6cdd

SHA512
afd080108727086383a08f2bf9534a0d6468df07f34cfcba43b6b965efe82de3e13bf5438771b68f6f39563f6098fbec9dd6ba24b8eec10d1fd4022b5e71c1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a61196029.exe

Filesize
169KB

MD5
f4e56a1848527a21793266d0f1ef4b4a

SHA1
3e3195da790e3350a763eb0a99fbf7bfbe0d2e54

SHA256
6356626f4367907f59e520cbbf3fa9dec3679bf59e4ebe42499dcc172c6b6cdd

SHA512
afd080108727086383a08f2bf9534a0d6468df07f34cfcba43b6b965efe82de3e13bf5438771b68f6f39563f6098fbec9dd6ba24b8eec10d1fd4022b5e71c1ff

Download Submit
memory/116-168-0x0000000000E50000-0x0000000000E80000-memory.dmp

Filesize
192KB

Download
memory/116-169-0x000000000B2F0000-0x000000000B908000-memory.dmp

Filesize
6.1MB

Download
memory/116-170-0x000000000ADE0000-0x000000000AEEA000-memory.dmp

Filesize
1.0MB

Download
memory/116-171-0x000000000AD00000-0x000000000AD12000-memory.dmp

Filesize
72KB

Download
memory/116-172-0x000000000AD60000-0x000000000AD9C000-memory.dmp

Filesize
240KB

Download
memory/116-173-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/116-174-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download