redline | 2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe
Size

1.2MB
MD5

84a1279dc23c959a6e5aa8f0c11d7d62
SHA1

60e423763b5e63ce38581d2aa876a7d29c0658b9
SHA256

2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca
SHA512

f5dc51491bc34169b3b123f394f223fa147ae8b0c1440f0fd28457ecc05ef5d88827f9d048655e80fe794c9cffd9b8ee22fe77438a9c2937737bfe185da9cd44
SSDEEP

24576:dyW9M70+6MWrjOK2bm0/m/C1dDE63BEnY65RxYSOZbtOet:4KqrQEOqvDE6x2BY5ZbtF

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4532-2335-0x0000000005C30000-0x0000000006248000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s47861949.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	s47861949.exe

Executes dropped EXE 6 IoCs

Processes:

z74169254.exez36042682.exez05422395.exes47861949.exe1.exet97336927.exe

pid process

3648 z74169254.exe
5044 z36042682.exe
5036 z05422395.exe
1288 s47861949.exe
4532 1.exe
460 t97336927.exe

pid	process
3648	z74169254.exe
5044	z36042682.exe
5036	z05422395.exe
1288	s47861949.exe
4532	1.exe
460	t97336927.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z74169254.exez36042682.exez05422395.exe2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z74169254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z74169254.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z36042682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z36042682.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z05422395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z05422395.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 1288 WerFault.exe s47861949.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s47861949.exe

description pid process

Token: SeDebugPrivilege 1288 s47861949.exe

pid	pid_target	process	target process
1192	1288	WerFault.exe	s47861949.exe

description	pid	process
Token: SeDebugPrivilege	1288	s47861949.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exez74169254.exez36042682.exez05422395.exes47861949.exe

description	pid	process	target process
PID 2192 wrote to memory of 3648	2192	2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe	z74169254.exe
PID 2192 wrote to memory of 3648	2192	2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe	z74169254.exe
PID 2192 wrote to memory of 3648	2192	2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe	z74169254.exe
PID 3648 wrote to memory of 5044	3648	z74169254.exe	z36042682.exe
PID 3648 wrote to memory of 5044	3648	z74169254.exe	z36042682.exe
PID 3648 wrote to memory of 5044	3648	z74169254.exe	z36042682.exe
PID 5044 wrote to memory of 5036	5044	z36042682.exe	z05422395.exe
PID 5044 wrote to memory of 5036	5044	z36042682.exe	z05422395.exe
PID 5044 wrote to memory of 5036	5044	z36042682.exe	z05422395.exe
PID 5036 wrote to memory of 1288	5036	z05422395.exe	s47861949.exe
PID 5036 wrote to memory of 1288	5036	z05422395.exe	s47861949.exe
PID 5036 wrote to memory of 1288	5036	z05422395.exe	s47861949.exe
PID 1288 wrote to memory of 4532	1288	s47861949.exe	1.exe
PID 1288 wrote to memory of 4532	1288	s47861949.exe	1.exe
PID 1288 wrote to memory of 4532	1288	s47861949.exe	1.exe
PID 5036 wrote to memory of 460	5036	z05422395.exe	t97336927.exe
PID 5036 wrote to memory of 460	5036	z05422395.exe	t97336927.exe
PID 5036 wrote to memory of 460	5036	z05422395.exe	t97336927.exe

C:\Users\Admin\AppData\Local\Temp\2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe
"C:\Users\Admin\AppData\Local\Temp\2749c9347b1bc1dce7b373c2b541d116fc379ce590b2f724463173b1cd402eca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z74169254.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z74169254.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z36042682.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z36042682.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z05422395.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z05422395.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47861949.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47861949.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1380
6⤵
- Program crash
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97336927.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97336927.exe
5⤵
- Executes dropped EXE
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1288 -ip 1288
1⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z74169254.exe
Filesize
1.0MB

MD5
da444da1507ee29bce795149e3610dd7

SHA1
9ac81cc88003f3de0e07f6436212afbd1d859eb7

SHA256
bff0a5ae58aa14921573cdbde5d568a314ace283b4cb712072b70431242bcac6

SHA512
3c6c0ed5b137d52e42e5600612644690646385d3258e5fde7f88117a9dad31a06797efd62bf4828db08ae0a0435a95ee6b895c0017529e33e26a6296466d0a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z74169254.exe
Filesize
1.0MB

MD5
da444da1507ee29bce795149e3610dd7

SHA1
9ac81cc88003f3de0e07f6436212afbd1d859eb7

SHA256
bff0a5ae58aa14921573cdbde5d568a314ace283b4cb712072b70431242bcac6

SHA512
3c6c0ed5b137d52e42e5600612644690646385d3258e5fde7f88117a9dad31a06797efd62bf4828db08ae0a0435a95ee6b895c0017529e33e26a6296466d0a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z36042682.exe
Filesize
760KB

MD5
c5a5dd5cb0e5abbd337168fa92580ac5

SHA1
7de56361d26b5b08bce655db19582d52861446f8

SHA256
9ecca59b03fc52d03fec1c0ce398606aa5a99b3025a9429da68a9064e9d1a2d6

SHA512
6afc146831a791fa66941b911c9d6225da175c40fea3776d227d60cf916031a9034f3099e75abdd70be54c6269dc9dbc7ca14d83d612ddd30d0b5ca5616755c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z36042682.exe
Filesize
760KB

MD5
c5a5dd5cb0e5abbd337168fa92580ac5

SHA1
7de56361d26b5b08bce655db19582d52861446f8

SHA256
9ecca59b03fc52d03fec1c0ce398606aa5a99b3025a9429da68a9064e9d1a2d6

SHA512
6afc146831a791fa66941b911c9d6225da175c40fea3776d227d60cf916031a9034f3099e75abdd70be54c6269dc9dbc7ca14d83d612ddd30d0b5ca5616755c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z05422395.exe
Filesize
577KB

MD5
0dfef32b6d3aea939124669edc8b4d26

SHA1
1c5bbe9bd2f12f297c621cd905f502b2e1bd2edb

SHA256
143fe4749cfe8cc185d962d3b8b04c356db3bd4e70b73b1d9d792986c9ec8ed2

SHA512
9dfde5fe342a29f1b82ca48a86d8bbb99cc5ba4364ddb3018291d81fe4243858c60198940e11d372c573d8e598b5063744ebaca5c347b9336a88f7b7f316c902

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z05422395.exe
Filesize
577KB

MD5
0dfef32b6d3aea939124669edc8b4d26

SHA1
1c5bbe9bd2f12f297c621cd905f502b2e1bd2edb

SHA256
143fe4749cfe8cc185d962d3b8b04c356db3bd4e70b73b1d9d792986c9ec8ed2

SHA512
9dfde5fe342a29f1b82ca48a86d8bbb99cc5ba4364ddb3018291d81fe4243858c60198940e11d372c573d8e598b5063744ebaca5c347b9336a88f7b7f316c902

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47861949.exe
Filesize
574KB

MD5
51a07f7a124dd22ffca68e6e6e4ba0e7

SHA1
eddcf6c7b494d10e70da87c9f8922fecddd9df21

SHA256
c2b773734dc1fa9664d2beab27e6f8a5a5a730a56df037398ccc6fece6bf65f5

SHA512
c7edf0f66cb88ca9aa29c37ea4e0080f13a3b28f5a054d70441a93c12632c34d3ccf446827db93a1ada1863277b1d961c8872cb3a5b650ed5c212339926e1947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47861949.exe
Filesize
574KB

MD5
51a07f7a124dd22ffca68e6e6e4ba0e7

SHA1
eddcf6c7b494d10e70da87c9f8922fecddd9df21

SHA256
c2b773734dc1fa9664d2beab27e6f8a5a5a730a56df037398ccc6fece6bf65f5

SHA512
c7edf0f66cb88ca9aa29c37ea4e0080f13a3b28f5a054d70441a93c12632c34d3ccf446827db93a1ada1863277b1d961c8872cb3a5b650ed5c212339926e1947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97336927.exe
Filesize
169KB

MD5
2392fd58f1296948765c566a76bd93a7

SHA1
b1fab88a513742db9cde9d043037615e9a60644a

SHA256
38c22d7ec64be60b0d2e84acdbf996562c98cc72835fa2cb1f785e8bdae5a74e

SHA512
9b6ba9b506d488f357876eca0b9ee4e96b4767ec33c280a2130f23586eb2aeb2a628a4657936b51fe460587a86e227e5f8b1f1fb1ce6f07eb1f73ae7173a5b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97336927.exe
Filesize
169KB

MD5
2392fd58f1296948765c566a76bd93a7

SHA1
b1fab88a513742db9cde9d043037615e9a60644a

SHA256
38c22d7ec64be60b0d2e84acdbf996562c98cc72835fa2cb1f785e8bdae5a74e

SHA512
9b6ba9b506d488f357876eca0b9ee4e96b4767ec33c280a2130f23586eb2aeb2a628a4657936b51fe460587a86e227e5f8b1f1fb1ce6f07eb1f73ae7173a5b71

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/460-2347-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/460-2346-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/460-2349-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1288-207-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-221-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-179-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-181-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-183-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-185-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-187-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-189-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-191-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-193-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-195-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-197-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-199-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-201-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-203-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-205-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-175-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-209-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-211-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-213-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-215-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-217-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-219-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-177-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-223-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-225-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-227-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-229-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-2319-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1288-173-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-171-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-170-0x00000000057B0000-0x0000000005810000-memory.dmp

Filesize
384KB

Download
memory/1288-163-0x0000000000940000-0x000000000099B000-memory.dmp

Filesize
364KB

Download
memory/1288-2331-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1288-2332-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1288-2333-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1288-164-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/1288-2336-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1288-167-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1288-168-0x00000000051C0000-0x0000000005764000-memory.dmp

Filesize
5.6MB

Download
memory/1288-169-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4532-2340-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/4532-2339-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/4532-2338-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4532-2337-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/4532-2335-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/4532-2348-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4532-2330-0x0000000000C10000-0x0000000000C3E000-memory.dmp

Filesize
184KB

Download