redline | 620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c

Analysis

max time kernel
140s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
Size

1.4MB
MD5

5c861fa7e8aa8e48c458ce7453352748
SHA1

6a131184636d6efbf0d9d705c7d5d547f1745863
SHA256

620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c
SHA512

ea89f6ec9c78136667cdc99e09d410875802d4ef586208873174cc13a990293c8afb50ee99f2ba0ae84c41540711fcb9e42ec668859eec45fe33b0cd6464f4d5
SSDEEP

24576:Ty3DuAnDD9qfk6ft6J/iYVhw8DIAu4YR1TtrlEy9gK8n6S83w5d4j6J3:myU/7qa1uZR1Tq56Sewjb

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/2380-169-0x000000000B000000-0x000000000B618000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i89324392.exei07777833.exei33379376.exei52230489.exea40413450.exe

pid process

4576 i89324392.exe
3492 i07777833.exe
312 i33379376.exe
4968 i52230489.exe
2380 a40413450.exe

pid	process
4576	i89324392.exe
3492	i07777833.exe
312	i33379376.exe
4968	i52230489.exe
2380	a40413450.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exei89324392.exei07777833.exei33379376.exei52230489.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i89324392.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i07777833.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i07777833.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i33379376.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52230489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i52230489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i89324392.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i33379376.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exei89324392.exei07777833.exei33379376.exei52230489.exe

description	pid	process	target process
PID 1044 wrote to memory of 4576	1044	620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe	i89324392.exe
PID 1044 wrote to memory of 4576	1044	620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe	i89324392.exe
PID 1044 wrote to memory of 4576	1044	620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe	i89324392.exe
PID 4576 wrote to memory of 3492	4576	i89324392.exe	i07777833.exe
PID 4576 wrote to memory of 3492	4576	i89324392.exe	i07777833.exe
PID 4576 wrote to memory of 3492	4576	i89324392.exe	i07777833.exe
PID 3492 wrote to memory of 312	3492	i07777833.exe	i33379376.exe
PID 3492 wrote to memory of 312	3492	i07777833.exe	i33379376.exe
PID 3492 wrote to memory of 312	3492	i07777833.exe	i33379376.exe
PID 312 wrote to memory of 4968	312	i33379376.exe	i52230489.exe
PID 312 wrote to memory of 4968	312	i33379376.exe	i52230489.exe
PID 312 wrote to memory of 4968	312	i33379376.exe	i52230489.exe
PID 4968 wrote to memory of 2380	4968	i52230489.exe	a40413450.exe
PID 4968 wrote to memory of 2380	4968	i52230489.exe	a40413450.exe
PID 4968 wrote to memory of 2380	4968	i52230489.exe	a40413450.exe

C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe
"C:\Users\Admin\AppData\Local\Temp\620c76595b820e9a6237559717fe1f9d3fde247a7c1b6e5f1127c14df885a82c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
6⤵
- Executes dropped EXE
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
Filesize
1.3MB

MD5
56f99dcf4769ad94475b2a3e385df7d6

SHA1
ed74096779e730c722936fb5d801eed8f5954690

SHA256
22bfe184cfd7cdaa688996a4bd0f9905df5974f8593db8f4653b5cf067445647

SHA512
c260df906606a895f848a9edad464670eca5fcc903382dfb56171e830c20a5371804e7a1da8010ed1bb224c408263ed911df2ac2d9fb174784fa0b8fd3500e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i89324392.exe
Filesize
1.3MB

MD5
56f99dcf4769ad94475b2a3e385df7d6

SHA1
ed74096779e730c722936fb5d801eed8f5954690

SHA256
22bfe184cfd7cdaa688996a4bd0f9905df5974f8593db8f4653b5cf067445647

SHA512
c260df906606a895f848a9edad464670eca5fcc903382dfb56171e830c20a5371804e7a1da8010ed1bb224c408263ed911df2ac2d9fb174784fa0b8fd3500e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
Filesize
1000KB

MD5
30b50206b81e64e42387a3978250a621

SHA1
706973766bd1ac82df56582cf7373c863d9c5968

SHA256
ebc43d9668df22cdce448f429903b80039f814cca8819fcae555cb33c3e14c54

SHA512
94e803afec1013ed773fb2f0c41dea46720c6c8398ed1d66ca7464634b17fa44ca9b662ef6a188a8a20d9f8e8ee90ae70514710ea17058aab0226440cbe60e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07777833.exe
Filesize
1000KB

MD5
30b50206b81e64e42387a3978250a621

SHA1
706973766bd1ac82df56582cf7373c863d9c5968

SHA256
ebc43d9668df22cdce448f429903b80039f814cca8819fcae555cb33c3e14c54

SHA512
94e803afec1013ed773fb2f0c41dea46720c6c8398ed1d66ca7464634b17fa44ca9b662ef6a188a8a20d9f8e8ee90ae70514710ea17058aab0226440cbe60e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
Filesize
828KB

MD5
1ab762700633e3d5986313b195d2f943

SHA1
8b072b0b0524d8550533d2197eed3ddc3a719556

SHA256
3df7a12fe0e2395c6e1843ba0affbd3f1f0aaa6a73c86759eddfad9f6d66a851

SHA512
154d80251596de6a4a20c40f8aa7a8c23a9533c96c156181b4dec937c1ca23e6cf12560f35554ce84598ac9db637bf11ff5efe4b757b83c0f5eda4b625d91177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i33379376.exe
Filesize
828KB

MD5
1ab762700633e3d5986313b195d2f943

SHA1
8b072b0b0524d8550533d2197eed3ddc3a719556

SHA256
3df7a12fe0e2395c6e1843ba0affbd3f1f0aaa6a73c86759eddfad9f6d66a851

SHA512
154d80251596de6a4a20c40f8aa7a8c23a9533c96c156181b4dec937c1ca23e6cf12560f35554ce84598ac9db637bf11ff5efe4b757b83c0f5eda4b625d91177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
Filesize
363KB

MD5
1b4f78619e0b825ec684b6ec596677b9

SHA1
2165630b91acbf5b4cd054fcfee91f60741fc31a

SHA256
cdcddd98edcfdf812d6d135766a2c5112626a0bc55e7074f15cfca59d86c725a

SHA512
5e9eb2a950549541555995ab5ddd284c50454103f74214cffb348268ebeac559d65129aff37ed2f2fddb686db1a9dd64ff3d44035260d05b0b89c2a1ae8f204d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i52230489.exe
Filesize
363KB

MD5
1b4f78619e0b825ec684b6ec596677b9

SHA1
2165630b91acbf5b4cd054fcfee91f60741fc31a

SHA256
cdcddd98edcfdf812d6d135766a2c5112626a0bc55e7074f15cfca59d86c725a

SHA512
5e9eb2a950549541555995ab5ddd284c50454103f74214cffb348268ebeac559d65129aff37ed2f2fddb686db1a9dd64ff3d44035260d05b0b89c2a1ae8f204d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
Filesize
169KB

MD5
42c797dd79cf627f18bdafc02154aaac

SHA1
4bc76f54be567295d68d78bfcd766944b1229f49

SHA256
922d50cb151fb9f0d087982b84bea6d9ef37879989d06146f3876222060950ee

SHA512
c3328b4eae57991a4d9c3d08ecd92679758b9cb435669eeda5bfa25357acf13f8a04b085e9344b50f7df322ee1cba22b1768e128514d23a6dfc0a0f9afae411b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40413450.exe
Filesize
169KB

MD5
42c797dd79cf627f18bdafc02154aaac

SHA1
4bc76f54be567295d68d78bfcd766944b1229f49

SHA256
922d50cb151fb9f0d087982b84bea6d9ef37879989d06146f3876222060950ee

SHA512
c3328b4eae57991a4d9c3d08ecd92679758b9cb435669eeda5bfa25357acf13f8a04b085e9344b50f7df322ee1cba22b1768e128514d23a6dfc0a0f9afae411b

Download Submit
memory/2380-168-0x0000000000B70000-0x0000000000BA0000-memory.dmp

Filesize
192KB

Download
memory/2380-169-0x000000000B000000-0x000000000B618000-memory.dmp

Filesize
6.1MB

Download
memory/2380-170-0x000000000AAF0000-0x000000000ABFA000-memory.dmp

Filesize
1.0MB

Download
memory/2380-171-0x000000000AA20000-0x000000000AA32000-memory.dmp

Filesize
72KB

Download
memory/2380-172-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2380-173-0x000000000AA80000-0x000000000AABC000-memory.dmp

Filesize
240KB

Download
memory/2380-174-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download