redline | 5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54

Analysis

max time kernel
140s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
Size

1.4MB
MD5

760589aca2c763c7c6494e3df408943c
SHA1

7d9eecd6ae4818c5b7a5ef707ea6bee0ae1ccf06
SHA256

5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54
SHA512

f75b0813354f2b25137461bc13d4e616a0b56bc55b0a9bd3bc283e9bf5af4aa5aadf6cef2a0963b937c61c7a5683c46d872190b2afe22d032c21368e47ff52a5
SSDEEP

24576:nyTQEo0deVoVXaY3x4SH9z2ST2aKIQvtSCn0dYB7u18it66mYCriJ:yjo0deVUqY3xASTfgtSpYtu18irBA

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4436-169-0x0000000005A60000-0x0000000006078000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i47548912.exei05432573.exei23945477.exei57448399.exea53195080.exe

pid process

1268 i47548912.exe
2044 i05432573.exe
696 i23945477.exe
2104 i57448399.exe
4436 a53195080.exe

pid	process
1268	i47548912.exe
2044	i05432573.exe
696	i23945477.exe
2104	i57448399.exe
4436	a53195080.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i47548912.exei05432573.exei23945477.exei57448399.exe5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i47548912.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i05432573.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i23945477.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i23945477.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i57448399.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i47548912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i05432573.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i57448399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exei47548912.exei05432573.exei23945477.exei57448399.exe

description	pid	process	target process
PID 1384 wrote to memory of 1268	1384	5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe	i47548912.exe
PID 1384 wrote to memory of 1268	1384	5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe	i47548912.exe
PID 1384 wrote to memory of 1268	1384	5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe	i47548912.exe
PID 1268 wrote to memory of 2044	1268	i47548912.exe	i05432573.exe
PID 1268 wrote to memory of 2044	1268	i47548912.exe	i05432573.exe
PID 1268 wrote to memory of 2044	1268	i47548912.exe	i05432573.exe
PID 2044 wrote to memory of 696	2044	i05432573.exe	i23945477.exe
PID 2044 wrote to memory of 696	2044	i05432573.exe	i23945477.exe
PID 2044 wrote to memory of 696	2044	i05432573.exe	i23945477.exe
PID 696 wrote to memory of 2104	696	i23945477.exe	i57448399.exe
PID 696 wrote to memory of 2104	696	i23945477.exe	i57448399.exe
PID 696 wrote to memory of 2104	696	i23945477.exe	i57448399.exe
PID 2104 wrote to memory of 4436	2104	i57448399.exe	a53195080.exe
PID 2104 wrote to memory of 4436	2104	i57448399.exe	a53195080.exe
PID 2104 wrote to memory of 4436	2104	i57448399.exe	a53195080.exe

C:\Users\Admin\AppData\Local\Temp\5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe
"C:\Users\Admin\AppData\Local\Temp\5e928e1288856cd5c5430f57d8c76bd11b0ff4f3d5cf0fdd382daad492880a54.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe
6⤵
- Executes dropped EXE
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe
Filesize
1.2MB

MD5
486fb071e58d4afcba8f5e477e2e9cd0

SHA1
b1b4aaf4f561735d594708ed49931d0ed56bab0b

SHA256
06b27d9119bab115ff7ce61ace3920fa8694d937f65347e55373bc08f7b5f58e

SHA512
167a4051b67bdbd3018984a6ce2ff062437d0e639f77f94c39fcede6823ae6701602e6000542a925261781adfbea59020b2cdb8ecdb3053bde7661ee115c4d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i47548912.exe
Filesize
1.2MB

MD5
486fb071e58d4afcba8f5e477e2e9cd0

SHA1
b1b4aaf4f561735d594708ed49931d0ed56bab0b

SHA256
06b27d9119bab115ff7ce61ace3920fa8694d937f65347e55373bc08f7b5f58e

SHA512
167a4051b67bdbd3018984a6ce2ff062437d0e639f77f94c39fcede6823ae6701602e6000542a925261781adfbea59020b2cdb8ecdb3053bde7661ee115c4d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe
Filesize
1001KB

MD5
97d7fa20b0c34fc1c955200d3bac309d

SHA1
27bf9856c6792a7599d2d38cce9c485731d6b6e6

SHA256
07191226c19a17f819a3895a1e435537a19fe470621911109b029237e3989668

SHA512
75bdf797ccdc6722ab5d356669731461f1c5c662bb97e46ed4334170a7073a1a1fdc090da5e7bc844910beb2cbc3365cee541c5ad3276cac1c5c5a5b21f0596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i05432573.exe
Filesize
1001KB

MD5
97d7fa20b0c34fc1c955200d3bac309d

SHA1
27bf9856c6792a7599d2d38cce9c485731d6b6e6

SHA256
07191226c19a17f819a3895a1e435537a19fe470621911109b029237e3989668

SHA512
75bdf797ccdc6722ab5d356669731461f1c5c662bb97e46ed4334170a7073a1a1fdc090da5e7bc844910beb2cbc3365cee541c5ad3276cac1c5c5a5b21f0596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe
Filesize
828KB

MD5
b1aa79a48ab8fb6c8ec7f373bca818d4

SHA1
1f49393bd7589fb9d7529f861d8a6c8102b70d02

SHA256
27f2087869c655603991832e84830bec4f5b6da01f906970997047da455c7383

SHA512
2896896bf431e7f33ff7fe061c81083c127c817bb281a09e6a57d4720649c87e28e951f3196162d27d449bf6438299f6b372aee11ba1d14d29e47ad68c7294f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i23945477.exe
Filesize
828KB

MD5
b1aa79a48ab8fb6c8ec7f373bca818d4

SHA1
1f49393bd7589fb9d7529f861d8a6c8102b70d02

SHA256
27f2087869c655603991832e84830bec4f5b6da01f906970997047da455c7383

SHA512
2896896bf431e7f33ff7fe061c81083c127c817bb281a09e6a57d4720649c87e28e951f3196162d27d449bf6438299f6b372aee11ba1d14d29e47ad68c7294f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe
Filesize
363KB

MD5
815e725d878a240f2881800068c1d052

SHA1
2e0178cce3226ff86283ada1d64d00d8fe545cc1

SHA256
5921374d62dc6c3f39e16c81f6e5f69853f44c98dda461822f8990c44e3eced1

SHA512
30cafe6944f4032c70bc6621dfd2f3cb4f402d885d0c88e592b75449070269e7382b7ac62a11ef93d7fad7cf849c42c4bcbf40433cf8d35983da93bf2eb83355

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i57448399.exe
Filesize
363KB

MD5
815e725d878a240f2881800068c1d052

SHA1
2e0178cce3226ff86283ada1d64d00d8fe545cc1

SHA256
5921374d62dc6c3f39e16c81f6e5f69853f44c98dda461822f8990c44e3eced1

SHA512
30cafe6944f4032c70bc6621dfd2f3cb4f402d885d0c88e592b75449070269e7382b7ac62a11ef93d7fad7cf849c42c4bcbf40433cf8d35983da93bf2eb83355

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe
Filesize
170KB

MD5
a8bd842f7bad18af1f59c52de50f491c

SHA1
601d33025964a556151d42cadb68137ad517cd4e

SHA256
362f3e1af9af0e6896f10b42c981a38f43317e542b1238375d4e718c4788f610

SHA512
8042546d3729c4378d90bbb3993eea11f082d518ee1ea71c458b8574bcb0b1e800b83f9aaaa07d762df3f1ac5b7b28b326d9145b23040e4c42548c6603f0502d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a53195080.exe
Filesize
170KB

MD5
a8bd842f7bad18af1f59c52de50f491c

SHA1
601d33025964a556151d42cadb68137ad517cd4e

SHA256
362f3e1af9af0e6896f10b42c981a38f43317e542b1238375d4e718c4788f610

SHA512
8042546d3729c4378d90bbb3993eea11f082d518ee1ea71c458b8574bcb0b1e800b83f9aaaa07d762df3f1ac5b7b28b326d9145b23040e4c42548c6603f0502d

Download Submit
memory/4436-168-0x0000000000930000-0x0000000000960000-memory.dmp

Filesize
192KB

Download
memory/4436-169-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/4436-170-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/4436-171-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/4436-172-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/4436-173-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4436-174-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download