redline | 27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004

Analysis

max time kernel
151s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe
Size

1.2MB
MD5

cfed9a061e43bf998dc9557c0cc5b3dc
SHA1

3cf2ff204b48042949db5f8acededbcb6b8ed75d
SHA256

27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004
SHA512

b0405c4d6c5e18258fef626dbb5fbf3efb20595b2d7713cb323fea5b67af164b262a46eac11260c96c396f3a157538adf3f4efd89c452d9d4c8c6796756e866b
SSDEEP

24576:Ryc693csooSXrBbK1ChRo9k7IJXIVW42BACXTIsuDmLnSbdG:EH3cs67pC+CXJbACXT7KL

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3912-2337-0x000000000A8E0000-0x000000000AEF8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s34583201.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	s34583201.exe

Executes dropped EXE 6 IoCs

Processes:

z07833588.exez16817588.exez71675886.exes34583201.exe1.exet53588395.exe

pid process

1728 z07833588.exe
5028 z16817588.exe
2704 z71675886.exe
3976 s34583201.exe
968 1.exe
3912 t53588395.exe

pid	process
1728	z07833588.exe
5028	z16817588.exe
2704	z71675886.exe
3976	s34583201.exe
968	1.exe
3912	t53588395.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exez07833588.exez16817588.exez71675886.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z07833588.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z07833588.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z16817588.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z16817588.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z71675886.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z71675886.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s34583201.exe

description pid process

Token: SeDebugPrivilege 3976 s34583201.exe

description	pid	process
Token: SeDebugPrivilege	3976	s34583201.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exez07833588.exez16817588.exez71675886.exes34583201.exe

description	pid	process	target process
PID 3564 wrote to memory of 1728	3564	27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe	z07833588.exe
PID 3564 wrote to memory of 1728	3564	27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe	z07833588.exe
PID 3564 wrote to memory of 1728	3564	27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe	z07833588.exe
PID 1728 wrote to memory of 5028	1728	z07833588.exe	z16817588.exe
PID 1728 wrote to memory of 5028	1728	z07833588.exe	z16817588.exe
PID 1728 wrote to memory of 5028	1728	z07833588.exe	z16817588.exe
PID 5028 wrote to memory of 2704	5028	z16817588.exe	z71675886.exe
PID 5028 wrote to memory of 2704	5028	z16817588.exe	z71675886.exe
PID 5028 wrote to memory of 2704	5028	z16817588.exe	z71675886.exe
PID 2704 wrote to memory of 3976	2704	z71675886.exe	s34583201.exe
PID 2704 wrote to memory of 3976	2704	z71675886.exe	s34583201.exe
PID 2704 wrote to memory of 3976	2704	z71675886.exe	s34583201.exe
PID 3976 wrote to memory of 968	3976	s34583201.exe	1.exe
PID 3976 wrote to memory of 968	3976	s34583201.exe	1.exe
PID 3976 wrote to memory of 968	3976	s34583201.exe	1.exe
PID 2704 wrote to memory of 3912	2704	z71675886.exe	t53588395.exe
PID 2704 wrote to memory of 3912	2704	z71675886.exe	t53588395.exe
PID 2704 wrote to memory of 3912	2704	z71675886.exe	t53588395.exe

C:\Users\Admin\AppData\Local\Temp\27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe
"C:\Users\Admin\AppData\Local\Temp\27b9698f7ad0b66663ed686cef8435aaae9c28d3e5c3b38e6ca1b8e000c32004.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z07833588.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z07833588.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z16817588.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z16817588.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z71675886.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z71675886.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34583201.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34583201.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t53588395.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t53588395.exe
5⤵
- Executes dropped EXE
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z07833588.exe

Filesize
1.0MB

MD5
f2841fa74d447dcabbc552c1564caa3e

SHA1
717fc106474d4bec2cd7ec8ede9fef0fd1c464af

SHA256
1425ab0bbf54dca4f62439c3accdc7f7140dcf582ca8bb197eeea872b3175c3b

SHA512
f09d168245fc8e838bcb6ff38990a126d65f4b4008f34e44b1978459862b3ff0d94349d8dc0728c033a39814497a9a31af9cff2aae98ad8d10be6c2c4a178777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z07833588.exe

Filesize
1.0MB

MD5
f2841fa74d447dcabbc552c1564caa3e

SHA1
717fc106474d4bec2cd7ec8ede9fef0fd1c464af

SHA256
1425ab0bbf54dca4f62439c3accdc7f7140dcf582ca8bb197eeea872b3175c3b

SHA512
f09d168245fc8e838bcb6ff38990a126d65f4b4008f34e44b1978459862b3ff0d94349d8dc0728c033a39814497a9a31af9cff2aae98ad8d10be6c2c4a178777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z16817588.exe

Filesize
764KB

MD5
e67794d60babc449dd05490332a18ea1

SHA1
1946f885162bf77a5264d62a2146a4318275dd20

SHA256
c4aee69d96cec5b20a8b0eae622726900ee3ed8ecaa38aee8b29801885cf59ff

SHA512
9559a6de3f4345ba4c5e696c9a12dfd9717bb0b35069d0e441015eb460e729c6da39c532d1b001b3733318114e14f6f40ae681416137c956ef288fe07d0d440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z16817588.exe

Filesize
764KB

MD5
e67794d60babc449dd05490332a18ea1

SHA1
1946f885162bf77a5264d62a2146a4318275dd20

SHA256
c4aee69d96cec5b20a8b0eae622726900ee3ed8ecaa38aee8b29801885cf59ff

SHA512
9559a6de3f4345ba4c5e696c9a12dfd9717bb0b35069d0e441015eb460e729c6da39c532d1b001b3733318114e14f6f40ae681416137c956ef288fe07d0d440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z71675886.exe

Filesize
582KB

MD5
518b2374ada0749acd31175ccef8d27e

SHA1
34b31258a023f55ec26ab0522028065ca7673220

SHA256
fdf413a6d3ed10b9303b44abf882a28de7c5ba00c7c322ee7b884152354a083d

SHA512
b16a3d0dea037042eb5d50ef598cb48438d302ba3a43bfbf26922714aeb3c820e6600a317c4c45155009589f7d2d8e83cff744952ebabf5854fa1985ff2b16f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z71675886.exe

Filesize
582KB

MD5
518b2374ada0749acd31175ccef8d27e

SHA1
34b31258a023f55ec26ab0522028065ca7673220

SHA256
fdf413a6d3ed10b9303b44abf882a28de7c5ba00c7c322ee7b884152354a083d

SHA512
b16a3d0dea037042eb5d50ef598cb48438d302ba3a43bfbf26922714aeb3c820e6600a317c4c45155009589f7d2d8e83cff744952ebabf5854fa1985ff2b16f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34583201.exe

Filesize
582KB

MD5
40065b3e69a998f07afc447b5aa2e5d6

SHA1
092c07afb08904f084bc9eb4b53b43850bb48d17

SHA256
ef5b91deb43b2f380504864cf9fc45667d30f341465649697cdc8ce0abc028fd

SHA512
0242db965301b217a66a1a1b36afeeab7f80d8de6fef99ae1403dce292501216dde3033927f08e3bcea891a93151678b6db69133e658a6b968f0921b0c855675

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s34583201.exe

Filesize
582KB

MD5
40065b3e69a998f07afc447b5aa2e5d6

SHA1
092c07afb08904f084bc9eb4b53b43850bb48d17

SHA256
ef5b91deb43b2f380504864cf9fc45667d30f341465649697cdc8ce0abc028fd

SHA512
0242db965301b217a66a1a1b36afeeab7f80d8de6fef99ae1403dce292501216dde3033927f08e3bcea891a93151678b6db69133e658a6b968f0921b0c855675

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t53588395.exe

Filesize
169KB

MD5
67cb8b0d8d308bc5931eb4305ff7f387

SHA1
6cb31fc0a460ef307807e07811fc0c26cb05a328

SHA256
f5fd73bfec4122e6947fbb48b73bfea32db28ae2ff67c16a9104a8ca782061dc

SHA512
0dcf68d0bd13471bc7ce8405b4eb1148317d88daf04648cb2e7e257e1f1d7d7303c3b419ec51345dec5807eac8d8a13168a8fc95db7e96eac70b1fb12dc667de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t53588395.exe

Filesize
169KB

MD5
67cb8b0d8d308bc5931eb4305ff7f387

SHA1
6cb31fc0a460ef307807e07811fc0c26cb05a328

SHA256
f5fd73bfec4122e6947fbb48b73bfea32db28ae2ff67c16a9104a8ca782061dc

SHA512
0dcf68d0bd13471bc7ce8405b4eb1148317d88daf04648cb2e7e257e1f1d7d7303c3b419ec51345dec5807eac8d8a13168a8fc95db7e96eac70b1fb12dc667de

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/968-2332-0x0000000000190000-0x00000000001BE000-memory.dmp

Filesize
184KB

Download
memory/968-2344-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/968-2342-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/968-2340-0x0000000004B60000-0x0000000004B9C000-memory.dmp

Filesize
240KB

Download
memory/3912-2343-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3912-2341-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3912-2339-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/3912-2338-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/3912-2337-0x000000000A8E0000-0x000000000AEF8000-memory.dmp

Filesize
6.1MB

Download
memory/3912-2336-0x00000000005E0000-0x000000000060E000-memory.dmp

Filesize
184KB

Download
memory/3976-192-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-216-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-182-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-184-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-186-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-188-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-190-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-178-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-194-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-196-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-198-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-200-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-202-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-204-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-206-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-208-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-210-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-212-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-214-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-180-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-218-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-220-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-222-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-224-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-226-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-228-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-176-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-174-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-172-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-170-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-168-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-166-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-165-0x0000000005680000-0x00000000056E0000-memory.dmp

Filesize
384KB

Download
memory/3976-164-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/3976-163-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3976-162-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/3976-2312-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3976-2313-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3976-2316-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3976-2325-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download