redline | 6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe
Size

1.5MB
MD5

7ba56580f39de5f3f16a924ca5a1b152
SHA1

51b37e4a09eea4b47507e11f9409e35df04b57ee
SHA256

6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf
SHA512

f26bd527cde96bc1e205de95c10f44ab6d0f869a36ee0a9b12b0a9c6f395856d9c39b6a27b3a41d868868f12f15ff1298b75899e7b4836c937d22f0163f125e6
SSDEEP

24576:pyGnwsaWKF3PlypDjJXPAA1Xz2ayL73ztfpr9mJG5uVMQ7egjIPP/7cjWMeEcDj6:cGnraWal4rVzqfBhX5cMiRj64jWMkDj7

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4040-169-0x000000000A7B0000-0x000000000ADC8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i31546767.exei29453821.exei43005277.exei01775930.exea44515302.exe

pid process

1064 i31546767.exe
3044 i29453821.exe
3484 i43005277.exe
5016 i01775930.exe
4040 a44515302.exe

pid	process
1064	i31546767.exe
3044	i29453821.exe
3484	i43005277.exe
5016	i01775930.exe
4040	a44515302.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i29453821.exei43005277.exei01775930.exe6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exei31546767.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i29453821.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i29453821.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i43005277.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i01775930.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i31546767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i31546767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i43005277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i01775930.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exei31546767.exei29453821.exei43005277.exei01775930.exe

description	pid	process	target process
PID 4232 wrote to memory of 1064	4232	6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe	i31546767.exe
PID 4232 wrote to memory of 1064	4232	6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe	i31546767.exe
PID 4232 wrote to memory of 1064	4232	6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe	i31546767.exe
PID 1064 wrote to memory of 3044	1064	i31546767.exe	i29453821.exe
PID 1064 wrote to memory of 3044	1064	i31546767.exe	i29453821.exe
PID 1064 wrote to memory of 3044	1064	i31546767.exe	i29453821.exe
PID 3044 wrote to memory of 3484	3044	i29453821.exe	i43005277.exe
PID 3044 wrote to memory of 3484	3044	i29453821.exe	i43005277.exe
PID 3044 wrote to memory of 3484	3044	i29453821.exe	i43005277.exe
PID 3484 wrote to memory of 5016	3484	i43005277.exe	i01775930.exe
PID 3484 wrote to memory of 5016	3484	i43005277.exe	i01775930.exe
PID 3484 wrote to memory of 5016	3484	i43005277.exe	i01775930.exe
PID 5016 wrote to memory of 4040	5016	i01775930.exe	a44515302.exe
PID 5016 wrote to memory of 4040	5016	i01775930.exe	a44515302.exe
PID 5016 wrote to memory of 4040	5016	i01775930.exe	a44515302.exe

C:\Users\Admin\AppData\Local\Temp\6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe
"C:\Users\Admin\AppData\Local\Temp\6057b1afc6a01afed47e2869d3f24432726f7b54a3430c6a26f33ba2bfa37bcf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31546767.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31546767.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29453821.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29453821.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i43005277.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i43005277.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01775930.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01775930.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44515302.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44515302.exe
6⤵
- Executes dropped EXE
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31546767.exe
Filesize
1.3MB

MD5
10b621161335b43157a4b16135d70073

SHA1
3f96950a9db2093be8c77558d3f4a2707cee72f6

SHA256
888b66c4910f9d9f311e52840c603da7bec5fe0533cf10aef4babb5e1689aa54

SHA512
6272e35ffe01e6e78b659bbe8a5f7793b493c0a249183ea28a5f1a0f9818e6ab69672984c5ac1522d6c728fd9bc8c601fdf2846e46203f810a3d20f0ed222726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31546767.exe
Filesize
1.3MB

MD5
10b621161335b43157a4b16135d70073

SHA1
3f96950a9db2093be8c77558d3f4a2707cee72f6

SHA256
888b66c4910f9d9f311e52840c603da7bec5fe0533cf10aef4babb5e1689aa54

SHA512
6272e35ffe01e6e78b659bbe8a5f7793b493c0a249183ea28a5f1a0f9818e6ab69672984c5ac1522d6c728fd9bc8c601fdf2846e46203f810a3d20f0ed222726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29453821.exe
Filesize
1016KB

MD5
b55032c69c374fbe81dc0b809f7129f7

SHA1
31921432a27ffc7865e422469ccfd1f8fcafd41e

SHA256
71d3b03c43e21f6a04975514e4cf8e41f6115ec0f3b5fbcc8b30a8ba61f1fe03

SHA512
c5eaf09e93b083a4ed0bcd21506b2ae38e023a08cbba64bf3a2c59c426a7501192ced352e2c44aa1482fa652660c2135abe3eb113880c43c017e830ff930a912

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29453821.exe
Filesize
1016KB

MD5
b55032c69c374fbe81dc0b809f7129f7

SHA1
31921432a27ffc7865e422469ccfd1f8fcafd41e

SHA256
71d3b03c43e21f6a04975514e4cf8e41f6115ec0f3b5fbcc8b30a8ba61f1fe03

SHA512
c5eaf09e93b083a4ed0bcd21506b2ae38e023a08cbba64bf3a2c59c426a7501192ced352e2c44aa1482fa652660c2135abe3eb113880c43c017e830ff930a912

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i43005277.exe
Filesize
844KB

MD5
7c3083066cb1e57ec9095cd9bbde40e8

SHA1
7d208b9def0ac84fef25acf6175ea227259cdd0e

SHA256
2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304

SHA512
da724b541c9b34ac9a3ffd4b93dc47e4fb8437a620c09439c186cd24b3fb1977eda64c7f3c6828c124dfb7ef6ecb8b60dfc98302a3d1d530d41a9ab8727c65a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i43005277.exe
Filesize
844KB

MD5
7c3083066cb1e57ec9095cd9bbde40e8

SHA1
7d208b9def0ac84fef25acf6175ea227259cdd0e

SHA256
2feef775458f51e7c2bf43aada451c189eeee4406dad3160d56e55b8f3cf6304

SHA512
da724b541c9b34ac9a3ffd4b93dc47e4fb8437a620c09439c186cd24b3fb1977eda64c7f3c6828c124dfb7ef6ecb8b60dfc98302a3d1d530d41a9ab8727c65a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01775930.exe
Filesize
371KB

MD5
9d2532b1549e63da09d929f6190cae3e

SHA1
abd26bb9d8cdf96accae9d8f4248220b6718dc99

SHA256
6f4240bf7de5bdd09d5171c0b8fe99e473e9e84ad06e7f6e03eaad1229eb0755

SHA512
ce67ad2010d2d425d1676dc9ad00225264633273f98b8336be307a984279eeee6f85fbec8b90b4e223179f167b9ed4598e69cdbcf63a5f35d0c26712d210dd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01775930.exe
Filesize
371KB

MD5
9d2532b1549e63da09d929f6190cae3e

SHA1
abd26bb9d8cdf96accae9d8f4248220b6718dc99

SHA256
6f4240bf7de5bdd09d5171c0b8fe99e473e9e84ad06e7f6e03eaad1229eb0755

SHA512
ce67ad2010d2d425d1676dc9ad00225264633273f98b8336be307a984279eeee6f85fbec8b90b4e223179f167b9ed4598e69cdbcf63a5f35d0c26712d210dd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44515302.exe
Filesize
169KB

MD5
4f30d45c4f13c8373a973a05149bdd88

SHA1
0c01217a32d9f57da818a844eb16cb9a6653d0ff

SHA256
0d12faa677cb5cf0a9dfd6e713664f0a5dcfd88c4fd813724288e860ffb69f0d

SHA512
c855b212fe29c8b091672b783fe20ed8841eafc7577e89b6d543db61d3c08c5587fdc487033f113b3ace270d8325eb10c7f3cbac9f8b4aef660b632b69185c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a44515302.exe
Filesize
169KB

MD5
4f30d45c4f13c8373a973a05149bdd88

SHA1
0c01217a32d9f57da818a844eb16cb9a6653d0ff

SHA256
0d12faa677cb5cf0a9dfd6e713664f0a5dcfd88c4fd813724288e860ffb69f0d

SHA512
c855b212fe29c8b091672b783fe20ed8841eafc7577e89b6d543db61d3c08c5587fdc487033f113b3ace270d8325eb10c7f3cbac9f8b4aef660b632b69185c07

Download Submit
memory/4040-168-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/4040-169-0x000000000A7B0000-0x000000000ADC8000-memory.dmp

Filesize
6.1MB

Download
memory/4040-170-0x000000000A300000-0x000000000A40A000-memory.dmp

Filesize
1.0MB

Download
memory/4040-171-0x000000000A230000-0x000000000A242000-memory.dmp

Filesize
72KB

Download
memory/4040-172-0x000000000A290000-0x000000000A2CC000-memory.dmp

Filesize
240KB

Download
memory/4040-173-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/4040-174-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download