redline | 2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
Size

1.5MB
MD5

be60ee130faeea5bb8b5dd7146bf1163
SHA1

4addbee09c1a762139aef5efd8541d945462ed78
SHA256

2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6
SHA512

75dfa717253fdcaf99eb5821c899c249c368a592dd4f0545aef40e55fc2548f7808e9572b9ef719f805b403f54cbeda788eb37f224915d8b17b6a43a251ca010
SSDEEP

24576:tysMJY4UgCofCDvSwgGYsftcwKkOQ6W83lm/ZHyvtV6kyuMml7NWXCiCaZ+J2KY:Is66rofCDvSgHmwFOQY1m0V5GQN2Ci5

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3848-169-0x0000000005ED0000-0x00000000064E8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4112	i69173910.exe
2588	i90582679.exe
2616	i16152386.exe
2200	i10579467.exe
3848	a10374568.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i69173910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i69173910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i90582679.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i16152386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i16152386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i10579467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i90582679.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10579467.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4112	3004	2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe	89
PID 3004 wrote to memory of 4112	3004	2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe	89
PID 3004 wrote to memory of 4112	3004	2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe	89
PID 4112 wrote to memory of 2588	4112	i69173910.exe	90
PID 4112 wrote to memory of 2588	4112	i69173910.exe	90
PID 4112 wrote to memory of 2588	4112	i69173910.exe	90
PID 2588 wrote to memory of 2616	2588	i90582679.exe	91
PID 2588 wrote to memory of 2616	2588	i90582679.exe	91
PID 2588 wrote to memory of 2616	2588	i90582679.exe	91
PID 2616 wrote to memory of 2200	2616	i16152386.exe	92
PID 2616 wrote to memory of 2200	2616	i16152386.exe	92
PID 2616 wrote to memory of 2200	2616	i16152386.exe	92
PID 2200 wrote to memory of 3848	2200	i10579467.exe	93
PID 2200 wrote to memory of 3848	2200	i10579467.exe	93
PID 2200 wrote to memory of 3848	2200	i10579467.exe	93

C:\Users\Admin\AppData\Local\Temp\2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe
"C:\Users\Admin\AppData\Local\Temp\2525a29d7709466ff6df427678dd119d4c031a1344d82218f8bb890b6c5368f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i69173910.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i69173910.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90582679.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90582679.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i16152386.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i16152386.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10579467.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10579467.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a10374568.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a10374568.exe
        6⤵
        Executes dropped EXE
        
        PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i69173910.exe

Filesize
1.3MB

MD5
bb2b59ab33a41dc3b5e7d4d9b13d174d

SHA1
34db1905e31f800b1a5a4aff58cdba724380cd26

SHA256
24b885c738a8cc6ff4418ebf5415ef6f31f51d77ae1f988dd2923c243b50b892

SHA512
db78670019c7c365cfded3dcb36d04cb4841850cad17bff232cea1bcbb6319dad74c24350d0b6ce5d131596f6b638a966bb22653d6e550d2e7dcbf7b99dc6e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i69173910.exe

Filesize
1.3MB

MD5
bb2b59ab33a41dc3b5e7d4d9b13d174d

SHA1
34db1905e31f800b1a5a4aff58cdba724380cd26

SHA256
24b885c738a8cc6ff4418ebf5415ef6f31f51d77ae1f988dd2923c243b50b892

SHA512
db78670019c7c365cfded3dcb36d04cb4841850cad17bff232cea1bcbb6319dad74c24350d0b6ce5d131596f6b638a966bb22653d6e550d2e7dcbf7b99dc6e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90582679.exe

Filesize
1016KB

MD5
e1c366cbba480994bd76f0afd8f3659c

SHA1
9cd70ca26b741613d8859e4cf38b153bd04aec52

SHA256
18772b5c3ca6a960f675612d4eb7cc0bb35afac504ef2b357a21b05a87175f6a

SHA512
0c8c46e26144ee650866bae7e2438c90cccd8e0a9e7878a455c94b1c16d7d14442b3e74f57762fdcb3a0795aadf0c3f59eb26841f02cc32189cae5616c62815f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90582679.exe

Filesize
1016KB

MD5
e1c366cbba480994bd76f0afd8f3659c

SHA1
9cd70ca26b741613d8859e4cf38b153bd04aec52

SHA256
18772b5c3ca6a960f675612d4eb7cc0bb35afac504ef2b357a21b05a87175f6a

SHA512
0c8c46e26144ee650866bae7e2438c90cccd8e0a9e7878a455c94b1c16d7d14442b3e74f57762fdcb3a0795aadf0c3f59eb26841f02cc32189cae5616c62815f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i16152386.exe

Filesize
844KB

MD5
7487585cd5960a0da85954489c4634cf

SHA1
1c571e2b469eb047d277c42e647a01e3567065df

SHA256
d909bcbc5005ee451889642740f692a62c8a53e844f55cc8d7dba52144bf8989

SHA512
290832fdefc46b7c657494e77a56df32bd3f015e9a43629bc60a22b0882edd02b3aae4090fba7220852b0b5b6f05d722dfef4e646785ecc2865599814f497b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i16152386.exe

Filesize
844KB

MD5
7487585cd5960a0da85954489c4634cf

SHA1
1c571e2b469eb047d277c42e647a01e3567065df

SHA256
d909bcbc5005ee451889642740f692a62c8a53e844f55cc8d7dba52144bf8989

SHA512
290832fdefc46b7c657494e77a56df32bd3f015e9a43629bc60a22b0882edd02b3aae4090fba7220852b0b5b6f05d722dfef4e646785ecc2865599814f497b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10579467.exe

Filesize
371KB

MD5
50bf9c55683f6a027f1cbd0023fb3846

SHA1
3bc9168e58a22760687aa0b72045cd8bcaf803c5

SHA256
96fcb85061caa444870b5fce7e64a5fae5efdf13987e7f279289a412df76fdad

SHA512
1ab08539d1e66ba3de2dbffcaf75677b95b7e793487334e2f2d72bd9b4451277bf6b82da1f06ad1393c9839e5fd299a1df274542388e6c6bbe9fd7ed782b548e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10579467.exe

Filesize
371KB

MD5
50bf9c55683f6a027f1cbd0023fb3846

SHA1
3bc9168e58a22760687aa0b72045cd8bcaf803c5

SHA256
96fcb85061caa444870b5fce7e64a5fae5efdf13987e7f279289a412df76fdad

SHA512
1ab08539d1e66ba3de2dbffcaf75677b95b7e793487334e2f2d72bd9b4451277bf6b82da1f06ad1393c9839e5fd299a1df274542388e6c6bbe9fd7ed782b548e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a10374568.exe

Filesize
169KB

MD5
9ea74742d587b3bb252c19881d555237

SHA1
b312fc2fda1834e24adcd1cc43961b183161e1cf

SHA256
34f752937ccdb31d2e75a118cb2dd67e43aea9f57f2289457d9dbeab3654f40f

SHA512
4acf40fbbb0680090e52ff455143140aea3166bc45ed3ebbb38338bcbb7e149205bd49094d90cc9684722904e743984c3b05d0cdb881312365a16e982fa0cafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a10374568.exe

Filesize
169KB

MD5
9ea74742d587b3bb252c19881d555237

SHA1
b312fc2fda1834e24adcd1cc43961b183161e1cf

SHA256
34f752937ccdb31d2e75a118cb2dd67e43aea9f57f2289457d9dbeab3654f40f

SHA512
4acf40fbbb0680090e52ff455143140aea3166bc45ed3ebbb38338bcbb7e149205bd49094d90cc9684722904e743984c3b05d0cdb881312365a16e982fa0cafb

Download Submit
memory/3848-168-0x0000000000EF0000-0x0000000000F20000-memory.dmp

Filesize
192KB

Download
memory/3848-169-0x0000000005ED0000-0x00000000064E8000-memory.dmp

Filesize
6.1MB

Download
memory/3848-170-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3848-171-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/3848-172-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/3848-173-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/3848-174-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download