redline | 31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
Size

1.2MB
MD5

fb003ac2830aedc93b133f3ae48b930a
SHA1

fd7ee217ba9ab7a477fef95eb8c45376660b23ad
SHA256

31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c
SHA512

e8b4619ee009fe173b17adb20b0629939677fc4aba18b7486167e4594e07da28a92a541a6dc1699f762289bfdf0d94ac3e447713f9975497a49346de6559c41c
SSDEEP

24576:MyxyI5FUYqGm1LL4ohTS3DHNg9O3XKrGA3YxaKZCPeOVmECGjL:7B5FU+6fHhTcDHmQ3XtAIx62EN

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3444-2331-0x000000000A9D0000-0x000000000AFE8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s09707141.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s09707141.exe

Executes dropped EXE 6 IoCs

Processes:

z40566039.exez49116799.exez85267264.exes09707141.exe1.exet34519220.exe

pid process

4972 z40566039.exe
1936 z49116799.exe
2140 z85267264.exe
4900 s09707141.exe
3444 1.exe
2656 t34519220.exe

pid	process
4972	z40566039.exe
1936	z49116799.exe
2140	z85267264.exe
4900	s09707141.exe
3444	1.exe
2656	t34519220.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z49116799.exez85267264.exe31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exez40566039.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z49116799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z49116799.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z85267264.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z85267264.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z40566039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z40566039.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

820 4900 WerFault.exe s09707141.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s09707141.exe

description pid process

Token: SeDebugPrivilege 4900 s09707141.exe

pid	pid_target	process	target process
820	4900	WerFault.exe	s09707141.exe

description	pid	process
Token: SeDebugPrivilege	4900	s09707141.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exez40566039.exez49116799.exez85267264.exes09707141.exe

description	pid	process	target process
PID 660 wrote to memory of 4972	660	31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe	z40566039.exe
PID 660 wrote to memory of 4972	660	31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe	z40566039.exe
PID 660 wrote to memory of 4972	660	31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe	z40566039.exe
PID 4972 wrote to memory of 1936	4972	z40566039.exe	z49116799.exe
PID 4972 wrote to memory of 1936	4972	z40566039.exe	z49116799.exe
PID 4972 wrote to memory of 1936	4972	z40566039.exe	z49116799.exe
PID 1936 wrote to memory of 2140	1936	z49116799.exe	z85267264.exe
PID 1936 wrote to memory of 2140	1936	z49116799.exe	z85267264.exe
PID 1936 wrote to memory of 2140	1936	z49116799.exe	z85267264.exe
PID 2140 wrote to memory of 4900	2140	z85267264.exe	s09707141.exe
PID 2140 wrote to memory of 4900	2140	z85267264.exe	s09707141.exe
PID 2140 wrote to memory of 4900	2140	z85267264.exe	s09707141.exe
PID 4900 wrote to memory of 3444	4900	s09707141.exe	1.exe
PID 4900 wrote to memory of 3444	4900	s09707141.exe	1.exe
PID 4900 wrote to memory of 3444	4900	s09707141.exe	1.exe
PID 2140 wrote to memory of 2656	2140	z85267264.exe	t34519220.exe
PID 2140 wrote to memory of 2656	2140	z85267264.exe	t34519220.exe
PID 2140 wrote to memory of 2656	2140	z85267264.exe	t34519220.exe

C:\Users\Admin\AppData\Local\Temp\31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe
"C:\Users\Admin\AppData\Local\Temp\31fe991dfe71261bc3baf44bc9ec95156b373cbf79e526575fa578f9ceda549c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z40566039.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z40566039.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z49116799.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z49116799.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z85267264.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z85267264.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s09707141.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s09707141.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1384
6⤵
- Program crash
PID:820

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34519220.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34519220.exe
5⤵
- Executes dropped EXE
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 4900
1⤵
PID:3456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z40566039.exe
Filesize
1.0MB

MD5
20acaa83e2b4dd612122f0eef12764bf

SHA1
e8b4932e26cc8d0ddef1efa43aee1cf70d73c70a

SHA256
33cbe507df1cbfd0cf19f6fe8cf52081ca02b6ad15f088e2b6135861e1a4c235

SHA512
756d4bbce7162c90ad9607e9124830d0b26018db8cd5a39306184f72a0b81ecaf446dbc8653d3dcbda706f17c14abbb585a226ceaad3104754477badf0d1259a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z40566039.exe
Filesize
1.0MB

MD5
20acaa83e2b4dd612122f0eef12764bf

SHA1
e8b4932e26cc8d0ddef1efa43aee1cf70d73c70a

SHA256
33cbe507df1cbfd0cf19f6fe8cf52081ca02b6ad15f088e2b6135861e1a4c235

SHA512
756d4bbce7162c90ad9607e9124830d0b26018db8cd5a39306184f72a0b81ecaf446dbc8653d3dcbda706f17c14abbb585a226ceaad3104754477badf0d1259a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z49116799.exe
Filesize
760KB

MD5
28b759d97125f9a864e3761477690c6a

SHA1
08893a0f8ca87c28b65797d3a3bb190c40fba040

SHA256
75a2f6628879c77f6c396ec5ee31c7bae0b84432551a844a34d6581b12beab67

SHA512
8194a99bdcc6d3c1bd38a6742820e67c7aeba1735e046db3553b9ee0ab6dec31c15323917092735dfca500b9f223da3e5c7073e994e2c638edcae0a70a4acd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z49116799.exe
Filesize
760KB

MD5
28b759d97125f9a864e3761477690c6a

SHA1
08893a0f8ca87c28b65797d3a3bb190c40fba040

SHA256
75a2f6628879c77f6c396ec5ee31c7bae0b84432551a844a34d6581b12beab67

SHA512
8194a99bdcc6d3c1bd38a6742820e67c7aeba1735e046db3553b9ee0ab6dec31c15323917092735dfca500b9f223da3e5c7073e994e2c638edcae0a70a4acd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z85267264.exe
Filesize
578KB

MD5
ddd4402aac5fb8119380066a4c9feb01

SHA1
78bc4c3da8b1ce86c0918984b267941881b8bd48

SHA256
fb0a8af54855bd9a20088b14e8416fa86990ead0effe159b3c3ca78989bfd21b

SHA512
10179f8fce540f975941694139d75ae20adf3ffc63c0b8e48fe06a6854f2895cbbca638ed53e695e2a0c8ae1a36b98724775f986e5d2a65959045055862f2183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z85267264.exe
Filesize
578KB

MD5
ddd4402aac5fb8119380066a4c9feb01

SHA1
78bc4c3da8b1ce86c0918984b267941881b8bd48

SHA256
fb0a8af54855bd9a20088b14e8416fa86990ead0effe159b3c3ca78989bfd21b

SHA512
10179f8fce540f975941694139d75ae20adf3ffc63c0b8e48fe06a6854f2895cbbca638ed53e695e2a0c8ae1a36b98724775f986e5d2a65959045055862f2183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s09707141.exe
Filesize
575KB

MD5
731a6d3c60b2a01fc4192acaf235303f

SHA1
dc8db6b3a13a6a78531245a9344fa75a989e2171

SHA256
344904bf79b39e8890777211b92481c002f7975efffeaac484b8b3b1a0c31fac

SHA512
e3b704660d534e9a9f5f77d65e8c1a0f6cb475a6df702e362ed2bc63472b01674fd6b038433981cb8051cfafc9d6cc7b2e4b371c3bf7d098a56aa1cd7432af31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s09707141.exe
Filesize
575KB

MD5
731a6d3c60b2a01fc4192acaf235303f

SHA1
dc8db6b3a13a6a78531245a9344fa75a989e2171

SHA256
344904bf79b39e8890777211b92481c002f7975efffeaac484b8b3b1a0c31fac

SHA512
e3b704660d534e9a9f5f77d65e8c1a0f6cb475a6df702e362ed2bc63472b01674fd6b038433981cb8051cfafc9d6cc7b2e4b371c3bf7d098a56aa1cd7432af31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34519220.exe
Filesize
169KB

MD5
1f920c66e5bca3814d7874f50f112d0c

SHA1
c581a7a9647ae004866f1d88e13882dcce194d36

SHA256
72b145286afdc2fa6206593d8e75761db4e3ee33ff88b4d617d8154210a44401

SHA512
65a19d14da775318bce90865f9ce2ec5649c80186da472d003b157eb093b9a442a96c9a19d1efe4d7b2b5f94ac049f74a3987a5abc9b38d949f3611632b37bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t34519220.exe
Filesize
169KB

MD5
1f920c66e5bca3814d7874f50f112d0c

SHA1
c581a7a9647ae004866f1d88e13882dcce194d36

SHA256
72b145286afdc2fa6206593d8e75761db4e3ee33ff88b4d617d8154210a44401

SHA512
65a19d14da775318bce90865f9ce2ec5649c80186da472d003b157eb093b9a442a96c9a19d1efe4d7b2b5f94ac049f74a3987a5abc9b38d949f3611632b37bd1

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2656-2342-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/2656-2341-0x0000000000540000-0x000000000056E000-memory.dmp

Filesize
184KB

Download
memory/2656-2344-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3444-2343-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-2330-0x0000000000590000-0x00000000005BE000-memory.dmp

Filesize
184KB

Download
memory/3444-2336-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/3444-2334-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

Filesize
240KB

Download
memory/3444-2333-0x000000000A440000-0x000000000A452000-memory.dmp

Filesize
72KB

Download
memory/3444-2332-0x000000000A510000-0x000000000A61A000-memory.dmp

Filesize
1.0MB

Download
memory/3444-2331-0x000000000A9D0000-0x000000000AFE8000-memory.dmp

Filesize
6.1MB

Download
memory/4900-196-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-220-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-184-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-182-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-186-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-190-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-188-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-192-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-194-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-178-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-198-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-200-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-202-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-204-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-208-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-210-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-206-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-212-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-214-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-216-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-218-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-180-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-222-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-224-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-226-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-228-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-230-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-2315-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/4900-176-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-166-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-174-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-171-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-172-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/4900-170-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/4900-168-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/4900-167-0x00000000022A0000-0x00000000022FB000-memory.dmp

Filesize
364KB

Download
memory/4900-164-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-163-0x0000000005530000-0x0000000005590000-memory.dmp

Filesize
384KB

Download
memory/4900-162-0x0000000004F80000-0x0000000005524000-memory.dmp

Filesize
5.6MB

Download
memory/4900-2323-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/4900-2324-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/4900-2325-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download