redline | 5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
Size

1.5MB
MD5

f5fbe007d36a35e1882a177e071d6d8b
SHA1

2e4d6f71552d1b10921bd0e5984a848200e7f6ca
SHA256

5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c
SHA512

95f0945e53dbdf7ac1c6e0da58675482f5eb1463d622bd4bb5b8765bd5eb52190333a9f5b12e7ba23daab4a3be100d0d78f67dc1d57bbc5f963e78383c2dca34
SSDEEP

24576:LySVXRIK2xUnFVvHgJokypBJPTxwxYS78dauD5Dk+QMKIO697ushjD7FvmYZEFO:+SVXRIK2oFx/FaxYS78cw5I+QpN6o2js

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/756-169-0x000000000A7F0000-0x000000000AE08000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i11647612.exei20476563.exei39727170.exei31836311.exea43944319.exe

pid process

4316 i11647612.exe
652 i20476563.exe
2184 i39727170.exe
2456 i31836311.exe
756 a43944319.exe

pid	process
4316	i11647612.exe
652	i20476563.exe
2184	i39727170.exe
2456	i31836311.exe
756	a43944319.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i31836311.exe5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exei11647612.exei39727170.exei20476563.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i31836311.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i11647612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i39727170.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i31836311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i11647612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i20476563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i20476563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i39727170.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exei11647612.exei20476563.exei39727170.exei31836311.exe

description	pid	process	target process
PID 656 wrote to memory of 4316	656	5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe	i11647612.exe
PID 656 wrote to memory of 4316	656	5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe	i11647612.exe
PID 656 wrote to memory of 4316	656	5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe	i11647612.exe
PID 4316 wrote to memory of 652	4316	i11647612.exe	i20476563.exe
PID 4316 wrote to memory of 652	4316	i11647612.exe	i20476563.exe
PID 4316 wrote to memory of 652	4316	i11647612.exe	i20476563.exe
PID 652 wrote to memory of 2184	652	i20476563.exe	i39727170.exe
PID 652 wrote to memory of 2184	652	i20476563.exe	i39727170.exe
PID 652 wrote to memory of 2184	652	i20476563.exe	i39727170.exe
PID 2184 wrote to memory of 2456	2184	i39727170.exe	i31836311.exe
PID 2184 wrote to memory of 2456	2184	i39727170.exe	i31836311.exe
PID 2184 wrote to memory of 2456	2184	i39727170.exe	i31836311.exe
PID 2456 wrote to memory of 756	2456	i31836311.exe	a43944319.exe
PID 2456 wrote to memory of 756	2456	i31836311.exe	a43944319.exe
PID 2456 wrote to memory of 756	2456	i31836311.exe	a43944319.exe

C:\Users\Admin\AppData\Local\Temp\5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe
"C:\Users\Admin\AppData\Local\Temp\5e7415ccba63cd2710bf99770951087a4a3ff007e23f173b7bc4f435773f769c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11647612.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11647612.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i20476563.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i20476563.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39727170.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39727170.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31836311.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31836311.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43944319.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43944319.exe
6⤵
- Executes dropped EXE
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11647612.exe
Filesize
1.3MB

MD5
cee058fb140dde339dd06235f8efde27

SHA1
cadf25b99502fce4556f3d892ef6d8c35d304705

SHA256
7636c9d164f0dc7f365c8557a4302838db32a6379060097f15f063f2c0c4276f

SHA512
4d5084bae077c9c0affe80ac5c9977bbf8165eac56958a4db9e8a1b22151d3b93a911d3cf07b0835aef6084f5b4101cbdb0d9d625f70402c457dfa9d5a40a496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11647612.exe
Filesize
1.3MB

MD5
cee058fb140dde339dd06235f8efde27

SHA1
cadf25b99502fce4556f3d892ef6d8c35d304705

SHA256
7636c9d164f0dc7f365c8557a4302838db32a6379060097f15f063f2c0c4276f

SHA512
4d5084bae077c9c0affe80ac5c9977bbf8165eac56958a4db9e8a1b22151d3b93a911d3cf07b0835aef6084f5b4101cbdb0d9d625f70402c457dfa9d5a40a496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i20476563.exe
Filesize
1023KB

MD5
45e905d38bd3699a5aca8f657a904fe4

SHA1
d1c66ceb2e4723bbbcc575b036e0b509903a9640

SHA256
475722e3a389b72c6f6775bd25d70d381ee8d72e12b9aa82d96a600d73350e81

SHA512
898b0036e86e315492864cd987d46411491e783a1ef840c728847318532aa67cc19b4b78e29bbbbe80b2573b939f61d481ec063aeacf24091ba4fdfb7a558a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i20476563.exe
Filesize
1023KB

MD5
45e905d38bd3699a5aca8f657a904fe4

SHA1
d1c66ceb2e4723bbbcc575b036e0b509903a9640

SHA256
475722e3a389b72c6f6775bd25d70d381ee8d72e12b9aa82d96a600d73350e81

SHA512
898b0036e86e315492864cd987d46411491e783a1ef840c728847318532aa67cc19b4b78e29bbbbe80b2573b939f61d481ec063aeacf24091ba4fdfb7a558a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39727170.exe
Filesize
852KB

MD5
455f77652c0c6219753c911231830489

SHA1
da4115e7c47161493b3e50499e19be65daa4461c

SHA256
467e9ae1ecd11d2e076d8b9a0fb51ea64b39b3056807e6d4dfa20bb6b60bf675

SHA512
3a0787c594d6b139fcbdab11dab9ef2294db3cfb69caaf0573cd8b4503384e2cbd6c21bcc694daa9723b1afd90123cac4057d0b1560628fdb86786dfe1232418

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39727170.exe
Filesize
852KB

MD5
455f77652c0c6219753c911231830489

SHA1
da4115e7c47161493b3e50499e19be65daa4461c

SHA256
467e9ae1ecd11d2e076d8b9a0fb51ea64b39b3056807e6d4dfa20bb6b60bf675

SHA512
3a0787c594d6b139fcbdab11dab9ef2294db3cfb69caaf0573cd8b4503384e2cbd6c21bcc694daa9723b1afd90123cac4057d0b1560628fdb86786dfe1232418

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31836311.exe
Filesize
375KB

MD5
5f259458024eb6246214115514a3dab1

SHA1
86b18b18fd8cbeb0daed9a06215a774b3c1709c5

SHA256
1c011b279814b3c6aa0febb3e3d681803172cbd72f84f0969cf04e74de0a9ea1

SHA512
7b62d71589889c2f1690d26e5d9c4448c6f7c1848b3423c447048b8f46db5f483762377dd4079b52224cdb667557a6b0950fefdc99d9d5681c84fa3283edc8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31836311.exe
Filesize
375KB

MD5
5f259458024eb6246214115514a3dab1

SHA1
86b18b18fd8cbeb0daed9a06215a774b3c1709c5

SHA256
1c011b279814b3c6aa0febb3e3d681803172cbd72f84f0969cf04e74de0a9ea1

SHA512
7b62d71589889c2f1690d26e5d9c4448c6f7c1848b3423c447048b8f46db5f483762377dd4079b52224cdb667557a6b0950fefdc99d9d5681c84fa3283edc8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43944319.exe
Filesize
169KB

MD5
cb70f1bd6418e111a88be218435283ba

SHA1
159dc1e22e6af3823a44571c7968de492441c558

SHA256
973f864c77f7655f359097562df97aeb8af29e63dfca08a7204d49bc1cf647bb

SHA512
66b5a870a65cf4bd82c5c116147d4cd7d1e4aa3d2c2bba32ecaea50a0f4c5ac51291654fab9974841e3e1608acc8042a96429c47ed2cba47399e12fad48215f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a43944319.exe
Filesize
169KB

MD5
cb70f1bd6418e111a88be218435283ba

SHA1
159dc1e22e6af3823a44571c7968de492441c558

SHA256
973f864c77f7655f359097562df97aeb8af29e63dfca08a7204d49bc1cf647bb

SHA512
66b5a870a65cf4bd82c5c116147d4cd7d1e4aa3d2c2bba32ecaea50a0f4c5ac51291654fab9974841e3e1608acc8042a96429c47ed2cba47399e12fad48215f4

Download Submit
memory/756-168-0x0000000000360000-0x0000000000390000-memory.dmp

Filesize
192KB

Download
memory/756-169-0x000000000A7F0000-0x000000000AE08000-memory.dmp

Filesize
6.1MB

Download
memory/756-170-0x000000000A2E0000-0x000000000A3EA000-memory.dmp

Filesize
1.0MB

Download
memory/756-171-0x000000000A210000-0x000000000A222000-memory.dmp

Filesize
72KB

Download
memory/756-172-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/756-173-0x000000000A270000-0x000000000A2AC000-memory.dmp

Filesize
240KB

Download
memory/756-174-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download