redline | 5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
Size

1.5MB
MD5

e4245f3cf0ca75b89369818589d1e650
SHA1

e9f2c879830f433f30674584819e6a578ebc59bf
SHA256

5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf
SHA512

6db91e32e17ce9130e416713436ac498a67662f8c68de60ee9c99c759ab41cd80384c402bbdc3971780affcb82625974cbd67624d1efa7de3a2c9657f59f10c7
SSDEEP

24576:GyxtUH6baH77b/yDSp0gSsLhRSsYNMOzblHwoIAHSJBjBpRoWHQVwG9KV2P:VxtaffrsSpP6vMOzhHwlAHGZBpRoThK

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3336-169-0x000000000B240000-0x000000000B858000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i65774150.exei65202804.exei93838554.exei29398549.exea65385482.exe

pid process

412 i65774150.exe
4948 i65202804.exe
1104 i93838554.exe
2056 i29398549.exe
3336 a65385482.exe

pid	process
412	i65774150.exe
4948	i65202804.exe
1104	i93838554.exe
2056	i29398549.exe
3336	a65385482.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i65202804.exei93838554.exei29398549.exe5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exei65774150.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i65202804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i93838554.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i29398549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i65774150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i65202804.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93838554.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i29398549.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i65774150.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exei65774150.exei65202804.exei93838554.exei29398549.exe

description	pid	process	target process
PID 628 wrote to memory of 412	628	5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe	i65774150.exe
PID 628 wrote to memory of 412	628	5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe	i65774150.exe
PID 628 wrote to memory of 412	628	5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe	i65774150.exe
PID 412 wrote to memory of 4948	412	i65774150.exe	i65202804.exe
PID 412 wrote to memory of 4948	412	i65774150.exe	i65202804.exe
PID 412 wrote to memory of 4948	412	i65774150.exe	i65202804.exe
PID 4948 wrote to memory of 1104	4948	i65202804.exe	i93838554.exe
PID 4948 wrote to memory of 1104	4948	i65202804.exe	i93838554.exe
PID 4948 wrote to memory of 1104	4948	i65202804.exe	i93838554.exe
PID 1104 wrote to memory of 2056	1104	i93838554.exe	i29398549.exe
PID 1104 wrote to memory of 2056	1104	i93838554.exe	i29398549.exe
PID 1104 wrote to memory of 2056	1104	i93838554.exe	i29398549.exe
PID 2056 wrote to memory of 3336	2056	i29398549.exe	a65385482.exe
PID 2056 wrote to memory of 3336	2056	i29398549.exe	a65385482.exe
PID 2056 wrote to memory of 3336	2056	i29398549.exe	a65385482.exe

C:\Users\Admin\AppData\Local\Temp\5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe
"C:\Users\Admin\AppData\Local\Temp\5e5cbd5a6557d146149b771a1b9e150bedc2328753b5c37f10a583961c3135cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
6⤵
- Executes dropped EXE
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
Filesize
1.3MB

MD5
8465796bc9d253b0b3d4ec3de751d5c5

SHA1
fd52fe589fd51b7244d48e890248085c9e104bb7

SHA256
d33faed55db69e6b843f9d375fb628093c7f9ed3a6375ab7e9cf332b90e71818

SHA512
e5a2dbecb48e072c4ae95e19688081df9488b394bd7343e4dbf70719d8cba58ed0325110d797fca55c310b59e622d4928c0a20f34f43d4d94345db3d74effebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i65774150.exe
Filesize
1.3MB

MD5
8465796bc9d253b0b3d4ec3de751d5c5

SHA1
fd52fe589fd51b7244d48e890248085c9e104bb7

SHA256
d33faed55db69e6b843f9d375fb628093c7f9ed3a6375ab7e9cf332b90e71818

SHA512
e5a2dbecb48e072c4ae95e19688081df9488b394bd7343e4dbf70719d8cba58ed0325110d797fca55c310b59e622d4928c0a20f34f43d4d94345db3d74effebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
Filesize
1014KB

MD5
f9434700eb7a240e1c2795e89f12d664

SHA1
e14104193ce2f49cb00f5f59a1c11ae44403f7fd

SHA256
f5a40e22994705b3a646a77c0d318e69ba7fecbd8e9a081fabd31c77215a29f7

SHA512
f73f7e6c4a7bdb14683c538657983db4b060166c899eb469874c3f32f8442b591148ff18c324dcf1f89c1a3af98c27deebe43e13a0824922493d5c1e917d328e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i65202804.exe
Filesize
1014KB

MD5
f9434700eb7a240e1c2795e89f12d664

SHA1
e14104193ce2f49cb00f5f59a1c11ae44403f7fd

SHA256
f5a40e22994705b3a646a77c0d318e69ba7fecbd8e9a081fabd31c77215a29f7

SHA512
f73f7e6c4a7bdb14683c538657983db4b060166c899eb469874c3f32f8442b591148ff18c324dcf1f89c1a3af98c27deebe43e13a0824922493d5c1e917d328e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
Filesize
842KB

MD5
29725d5ac4bc9199bdd1bb029b6acfb5

SHA1
0dd7bf18d36ffe14dfd4c1f5985d464a1e098e06

SHA256
c5518dbbb9cac917cd6d1049d9e762f6292699bd5de7a93f0fec3ff3e57b7ce5

SHA512
006cec334d1336d0a02fae33cb9c40d7fb43e617a458f6dfe5bf0a876f748fc297c3a51860989ed8bb72cad8429d1ecd8b4d46765c75a9c9ffcf9c25c9726481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i93838554.exe
Filesize
842KB

MD5
29725d5ac4bc9199bdd1bb029b6acfb5

SHA1
0dd7bf18d36ffe14dfd4c1f5985d464a1e098e06

SHA256
c5518dbbb9cac917cd6d1049d9e762f6292699bd5de7a93f0fec3ff3e57b7ce5

SHA512
006cec334d1336d0a02fae33cb9c40d7fb43e617a458f6dfe5bf0a876f748fc297c3a51860989ed8bb72cad8429d1ecd8b4d46765c75a9c9ffcf9c25c9726481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
Filesize
370KB

MD5
cc4f73325e02fe2dafb63a21bc4d7403

SHA1
f14bc6e373310a1fd07b0d3153267a09c76dcdaf

SHA256
8f2b64b11b6ce370f133e2754d17ed0c5cb4f0c3f57b1d4fe64b1034e4b7940e

SHA512
255891eac9082925e0727e220795c84745c5d386748a94406755ebc28f2a7adf1ca4e800ea2d41614e084be8f586e631f9fd909e9b2400a576f4882a4d54ebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29398549.exe
Filesize
370KB

MD5
cc4f73325e02fe2dafb63a21bc4d7403

SHA1
f14bc6e373310a1fd07b0d3153267a09c76dcdaf

SHA256
8f2b64b11b6ce370f133e2754d17ed0c5cb4f0c3f57b1d4fe64b1034e4b7940e

SHA512
255891eac9082925e0727e220795c84745c5d386748a94406755ebc28f2a7adf1ca4e800ea2d41614e084be8f586e631f9fd909e9b2400a576f4882a4d54ebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
Filesize
169KB

MD5
5222a3cc0ec8ddb2a6eb9ac7bc3d3336

SHA1
65903e0dfdf285011f847965d11add7fda392e4a

SHA256
7c4983c415ba48d6423e6a5cd6a66a0836f46457cd0f17f82e9bca86361f07e5

SHA512
15f3987f64df0534f9338aa0e30104e81aae53a959dfc43669d2d7af719457c39c15b2ab01d5d05936d4cc1ffe9aedb402e538148abbf446821b65ea1db5ccff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65385482.exe
Filesize
169KB

MD5
5222a3cc0ec8ddb2a6eb9ac7bc3d3336

SHA1
65903e0dfdf285011f847965d11add7fda392e4a

SHA256
7c4983c415ba48d6423e6a5cd6a66a0836f46457cd0f17f82e9bca86361f07e5

SHA512
15f3987f64df0534f9338aa0e30104e81aae53a959dfc43669d2d7af719457c39c15b2ab01d5d05936d4cc1ffe9aedb402e538148abbf446821b65ea1db5ccff

Download Submit
memory/3336-168-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/3336-169-0x000000000B240000-0x000000000B858000-memory.dmp

Filesize
6.1MB

Download
memory/3336-170-0x000000000AD70000-0x000000000AE7A000-memory.dmp

Filesize
1.0MB

Download
memory/3336-171-0x000000000ACA0000-0x000000000ACB2000-memory.dmp

Filesize
72KB

Download
memory/3336-172-0x000000000AD00000-0x000000000AD3C000-memory.dmp

Filesize
240KB

Download
memory/3336-173-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/3336-174-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download