redline | 307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3

Analysis

max time kernel
179s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe
Size

1.2MB
MD5

0486ea0d6bc2f0233a6e4c2035c77968
SHA1

fb958dc1354394310d3352703ab684678689ab9c
SHA256

307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3
SHA512

732da3e5d8687af8a8a0750a0ce63e60bf56d246ecdb63d2c0bac5824f06106c2677e3067baa98e5135c168619a016e619d0e86b70b6b10b4de4603de2af5856
SSDEEP

24576:ZykB99mvJF/jQhus9WIWyQUVmqI28HRT3ibC8/rA91UliTyKY6/:M8ADQhljQemqZ8HNS+D91NTym

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3712-2336-0x0000000005560000-0x0000000005B78000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s25927047.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s25927047.exe

Executes dropped EXE 6 IoCs

Processes:

z96125162.exez40476668.exez38069815.exes25927047.exe1.exet16470843.exe

pid process

1856 z96125162.exe
3476 z40476668.exe
3220 z38069815.exe
424 s25927047.exe
3712 1.exe
3440 t16470843.exe

pid	process
1856	z96125162.exe
3476	z40476668.exe
3220	z38069815.exe
424	s25927047.exe
3712	1.exe
3440	t16470843.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exez96125162.exez40476668.exez38069815.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z96125162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z96125162.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z40476668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z40476668.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z38069815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z38069815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5076 424 WerFault.exe s25927047.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s25927047.exe

description pid process

Token: SeDebugPrivilege 424 s25927047.exe

pid	pid_target	process	target process
5076	424	WerFault.exe	s25927047.exe

description	pid	process
Token: SeDebugPrivilege	424	s25927047.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exez96125162.exez40476668.exez38069815.exes25927047.exe

description	pid	process	target process
PID 2700 wrote to memory of 1856	2700	307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe	z96125162.exe
PID 2700 wrote to memory of 1856	2700	307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe	z96125162.exe
PID 2700 wrote to memory of 1856	2700	307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe	z96125162.exe
PID 1856 wrote to memory of 3476	1856	z96125162.exe	z40476668.exe
PID 1856 wrote to memory of 3476	1856	z96125162.exe	z40476668.exe
PID 1856 wrote to memory of 3476	1856	z96125162.exe	z40476668.exe
PID 3476 wrote to memory of 3220	3476	z40476668.exe	z38069815.exe
PID 3476 wrote to memory of 3220	3476	z40476668.exe	z38069815.exe
PID 3476 wrote to memory of 3220	3476	z40476668.exe	z38069815.exe
PID 3220 wrote to memory of 424	3220	z38069815.exe	s25927047.exe
PID 3220 wrote to memory of 424	3220	z38069815.exe	s25927047.exe
PID 3220 wrote to memory of 424	3220	z38069815.exe	s25927047.exe
PID 424 wrote to memory of 3712	424	s25927047.exe	1.exe
PID 424 wrote to memory of 3712	424	s25927047.exe	1.exe
PID 424 wrote to memory of 3712	424	s25927047.exe	1.exe
PID 3220 wrote to memory of 3440	3220	z38069815.exe	t16470843.exe
PID 3220 wrote to memory of 3440	3220	z38069815.exe	t16470843.exe
PID 3220 wrote to memory of 3440	3220	z38069815.exe	t16470843.exe

C:\Users\Admin\AppData\Local\Temp\307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe
"C:\Users\Admin\AppData\Local\Temp\307e72e5af64b9ac8a2d7b2a95647fb1b111966ce4cf25bcb44c1756083cc8e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96125162.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96125162.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z40476668.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z40476668.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z38069815.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z38069815.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s25927047.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s25927047.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1384
6⤵
- Program crash
PID:5076

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t16470843.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t16470843.exe
5⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 424 -ip 424
1⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96125162.exe
Filesize
1.0MB

MD5
3c87be38cd2e885ebb7484edb4447b82

SHA1
89d6fd571408050f4a3a9399bab6be146d5730f6

SHA256
c9c3de681e5dcfcb8c62b0249a510e06b57cee6426cce24604ec190244c23e6a

SHA512
90787eba24e18d435b5c1f52dc27b7ba9084f70574fc144c27f920a65d1e7e3dac642a1e9d5613ae136d7b186c0a67a367501623d444f39c5a646c863b2fe38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z96125162.exe
Filesize
1.0MB

MD5
3c87be38cd2e885ebb7484edb4447b82

SHA1
89d6fd571408050f4a3a9399bab6be146d5730f6

SHA256
c9c3de681e5dcfcb8c62b0249a510e06b57cee6426cce24604ec190244c23e6a

SHA512
90787eba24e18d435b5c1f52dc27b7ba9084f70574fc144c27f920a65d1e7e3dac642a1e9d5613ae136d7b186c0a67a367501623d444f39c5a646c863b2fe38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z40476668.exe
Filesize
760KB

MD5
e818ddd59c1cfd229f8bdc1de72c714f

SHA1
852263ae5f5dd3ab8626e97a12c0534042149de8

SHA256
be90538c5106a9dceccb99922bb8f67766b38b7b17aa77ae1e903069d1626b34

SHA512
9a3e29c33b24bc182e308e530694d779fb9c6daa46c77daa434b1113153ba4aceb679ccc727a9452d66a0d8ea925412e5464750a4b70e60246ef50c9b25be66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z40476668.exe
Filesize
760KB

MD5
e818ddd59c1cfd229f8bdc1de72c714f

SHA1
852263ae5f5dd3ab8626e97a12c0534042149de8

SHA256
be90538c5106a9dceccb99922bb8f67766b38b7b17aa77ae1e903069d1626b34

SHA512
9a3e29c33b24bc182e308e530694d779fb9c6daa46c77daa434b1113153ba4aceb679ccc727a9452d66a0d8ea925412e5464750a4b70e60246ef50c9b25be66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z38069815.exe
Filesize
578KB

MD5
7e3f38d51eeadb1a89922f8bbed0b9ae

SHA1
ae69a9ac169d94ff3ca64ed9c9b44b3d3ac49bce

SHA256
bdf5e6888aba03258c962c1c353abc6d4792f17c7f581a6a3ed97c6d790571ba

SHA512
1681136e4810c73e2cc4933d27b4baa43463ab49a49acba0e8a24a645bfe20de11708832e2772025f7d68580c03e39b16224cb1bcdaa4c10b5e9e2cc2b537608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z38069815.exe
Filesize
578KB

MD5
7e3f38d51eeadb1a89922f8bbed0b9ae

SHA1
ae69a9ac169d94ff3ca64ed9c9b44b3d3ac49bce

SHA256
bdf5e6888aba03258c962c1c353abc6d4792f17c7f581a6a3ed97c6d790571ba

SHA512
1681136e4810c73e2cc4933d27b4baa43463ab49a49acba0e8a24a645bfe20de11708832e2772025f7d68580c03e39b16224cb1bcdaa4c10b5e9e2cc2b537608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s25927047.exe
Filesize
575KB

MD5
2e494dc7fa6875bf5e9eb8e157708637

SHA1
ca2c6c9b48263021380375e8d0c9f7be0d129479

SHA256
8fafa1c287325022e2f7707b04777754c1feff69c8b4f4fb8418093b2579ed81

SHA512
068ea5653cc005a28cd3ee13ba6c866c9addf69608153af05e54a92407cc6c8ec4bf59ddbdc194e14693eb084342f444183051a3ab6ecb571ec3261df30d7f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s25927047.exe
Filesize
575KB

MD5
2e494dc7fa6875bf5e9eb8e157708637

SHA1
ca2c6c9b48263021380375e8d0c9f7be0d129479

SHA256
8fafa1c287325022e2f7707b04777754c1feff69c8b4f4fb8418093b2579ed81

SHA512
068ea5653cc005a28cd3ee13ba6c866c9addf69608153af05e54a92407cc6c8ec4bf59ddbdc194e14693eb084342f444183051a3ab6ecb571ec3261df30d7f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t16470843.exe
Filesize
169KB

MD5
0280483fa8573f437ca07e395d0bdf56

SHA1
106e20058ee17c55ca3120d0048df60d6b728be6

SHA256
279a0e05139969dee692b1596c5cafe1f9ab3e071e2f846ad0d4d7ad538ffec8

SHA512
5123b9158fe6a777d38607da296e294ab83e09981a6851f65d8afbe2fbd9513e32f4b6d16f505bd537adbca41e74029c7a3fb50ec2ead6f5e2bcf21ff922d825

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t16470843.exe
Filesize
169KB

MD5
0280483fa8573f437ca07e395d0bdf56

SHA1
106e20058ee17c55ca3120d0048df60d6b728be6

SHA256
279a0e05139969dee692b1596c5cafe1f9ab3e071e2f846ad0d4d7ad538ffec8

SHA512
5123b9158fe6a777d38607da296e294ab83e09981a6851f65d8afbe2fbd9513e32f4b6d16f505bd537adbca41e74029c7a3fb50ec2ead6f5e2bcf21ff922d825

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/424-199-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-216-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-167-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-168-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-169-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-171-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-173-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-175-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-177-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-181-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-183-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-179-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-185-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-187-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-189-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-191-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-193-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-195-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-197-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-165-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/424-201-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-203-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-205-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-207-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-209-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-211-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-213-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-166-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-215-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-218-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-220-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-222-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-224-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-226-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-228-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-230-0x00000000054E0000-0x0000000005540000-memory.dmp

Filesize
384KB

Download
memory/424-2316-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-2317-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-2320-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-164-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/424-2329-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/424-162-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/424-163-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3440-2347-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3440-2348-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3440-2350-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3712-2339-0x0000000005050000-0x000000000515A000-memory.dmp

Filesize
1.0MB

Download
memory/3712-2340-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3712-2341-0x0000000004E50000-0x0000000004E8C000-memory.dmp

Filesize
240KB

Download
memory/3712-2342-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3712-2336-0x0000000005560000-0x0000000005B78000-memory.dmp

Filesize
6.1MB

Download
memory/3712-2334-0x00000000005F0000-0x000000000061E000-memory.dmp

Filesize
184KB

Download
memory/3712-2349-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download