redline | 5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e

Analysis

max time kernel
153s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe
Size

1.5MB
MD5

a4740b24b7aa880af5e57b415381c6b4
SHA1

bf862774db6d9beec5869408b25ab74773955606
SHA256

5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e
SHA512

09b42595c40e6b20347a7ba81b215e5442f3cf5fc11aff2eda2df7c49bb5c13f7f29c8222b19e54beac070f341eeb10ed3e21a295cfa805a51f5f0768a43a537
SSDEEP

24576:1ya+I2w8KdOj5tq4+SZSVu3n9lCx6dL1BSu/HO5NrClarZv7W4+Jjc:Qa+ID8K54bEVM9lCxiL1B/vQ+E

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/640-169-0x00000000060B0000-0x00000000066C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i70987792.exei10627587.exei35607492.exei18625017.exea83845342.exe

pid process

4208 i70987792.exe
212 i10627587.exe
2452 i35607492.exe
2468 i18625017.exe
640 a83845342.exe

pid	process
4208	i70987792.exe
212	i10627587.exe
2452	i35607492.exe
2468	i18625017.exe
640	a83845342.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exei35607492.exei70987792.exei10627587.exei18625017.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i35607492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i35607492.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i70987792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i70987792.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10627587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i10627587.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i18625017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i18625017.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exei70987792.exei10627587.exei35607492.exei18625017.exe

description	pid	process	target process
PID 4040 wrote to memory of 4208	4040	5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe	i70987792.exe
PID 4040 wrote to memory of 4208	4040	5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe	i70987792.exe
PID 4040 wrote to memory of 4208	4040	5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe	i70987792.exe
PID 4208 wrote to memory of 212	4208	i70987792.exe	i10627587.exe
PID 4208 wrote to memory of 212	4208	i70987792.exe	i10627587.exe
PID 4208 wrote to memory of 212	4208	i70987792.exe	i10627587.exe
PID 212 wrote to memory of 2452	212	i10627587.exe	i35607492.exe
PID 212 wrote to memory of 2452	212	i10627587.exe	i35607492.exe
PID 212 wrote to memory of 2452	212	i10627587.exe	i35607492.exe
PID 2452 wrote to memory of 2468	2452	i35607492.exe	i18625017.exe
PID 2452 wrote to memory of 2468	2452	i35607492.exe	i18625017.exe
PID 2452 wrote to memory of 2468	2452	i35607492.exe	i18625017.exe
PID 2468 wrote to memory of 640	2468	i18625017.exe	a83845342.exe
PID 2468 wrote to memory of 640	2468	i18625017.exe	a83845342.exe
PID 2468 wrote to memory of 640	2468	i18625017.exe	a83845342.exe

C:\Users\Admin\AppData\Local\Temp\5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe
"C:\Users\Admin\AppData\Local\Temp\5cc38e7a1d61afb0599b4734f32d1ed4aceb87181c1300ac8c6c431a9ccc530e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i70987792.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i70987792.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10627587.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10627587.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35607492.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35607492.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i18625017.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i18625017.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a83845342.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a83845342.exe
6⤵
- Executes dropped EXE
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i70987792.exe
Filesize
1.3MB

MD5
513500fb5c29592843ccb3ce96c90aec

SHA1
f356e9a27f99c3e42a81ebed455b655cffef8b51

SHA256
1c22318ab489dc927188e176c8c0376ac0c87fe7531f0b966fc46c62090435c5

SHA512
663ad776b0194ffe9163f3c1b2a226a271827c51517eb7a5e0d7f24a9cc37445e5abbface6fffa0138e70a59d5988ffbd79e254a0e343f19300cef4b75067d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i70987792.exe
Filesize
1.3MB

MD5
513500fb5c29592843ccb3ce96c90aec

SHA1
f356e9a27f99c3e42a81ebed455b655cffef8b51

SHA256
1c22318ab489dc927188e176c8c0376ac0c87fe7531f0b966fc46c62090435c5

SHA512
663ad776b0194ffe9163f3c1b2a226a271827c51517eb7a5e0d7f24a9cc37445e5abbface6fffa0138e70a59d5988ffbd79e254a0e343f19300cef4b75067d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10627587.exe
Filesize
1000KB

MD5
abd68c6a2d882470d3c278fef32432d6

SHA1
2c885b42d68bc65eb031ccc4790d1c3dc7c958d4

SHA256
701d3437aa3b303a90be4db2add868c94fff1f273f12b8d7e5f482bb5e4fed04

SHA512
65529b43102162b7f36785fefb7bf831bde5b4267005600d5470d7c437b4688a26310c8c84a554f4d2ea0329bbff087a3619b08ef701307f9ed8112ea3369183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10627587.exe
Filesize
1000KB

MD5
abd68c6a2d882470d3c278fef32432d6

SHA1
2c885b42d68bc65eb031ccc4790d1c3dc7c958d4

SHA256
701d3437aa3b303a90be4db2add868c94fff1f273f12b8d7e5f482bb5e4fed04

SHA512
65529b43102162b7f36785fefb7bf831bde5b4267005600d5470d7c437b4688a26310c8c84a554f4d2ea0329bbff087a3619b08ef701307f9ed8112ea3369183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35607492.exe
Filesize
828KB

MD5
2533be9f44e9e1e2a06c600c2be4dd64

SHA1
9fa3cfe2f3575cc0c9744d9df95331240ee57045

SHA256
3570951467980e4d4b71a1db57dd077564c96d68f5cd9b9e123f8b513e91e14d

SHA512
7dad252c41e889ab653304ed86cee2b10fe920632210c6b70a9ed131548110966b570b8aa844fc939247f62c1f59ca27d60d90a7c9e37854275cd5468aa41534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i35607492.exe
Filesize
828KB

MD5
2533be9f44e9e1e2a06c600c2be4dd64

SHA1
9fa3cfe2f3575cc0c9744d9df95331240ee57045

SHA256
3570951467980e4d4b71a1db57dd077564c96d68f5cd9b9e123f8b513e91e14d

SHA512
7dad252c41e889ab653304ed86cee2b10fe920632210c6b70a9ed131548110966b570b8aa844fc939247f62c1f59ca27d60d90a7c9e37854275cd5468aa41534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i18625017.exe
Filesize
363KB

MD5
51567d7831bde2ee46bae174e3ef64cd

SHA1
4041ba31e64e950adcafb302254971afd970f6fc

SHA256
f8af411331eff22d35ef2f5d23bdf5383ef12f6783e065861f896a85153bedbb

SHA512
1b9c15d688b9e0c2882d28b13485852f9a4e396bba895be58254b6bd346d7a1299d75e12bdd64963915a0bc2bf62be52d5cf3f71380b493c91f773f520668b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i18625017.exe
Filesize
363KB

MD5
51567d7831bde2ee46bae174e3ef64cd

SHA1
4041ba31e64e950adcafb302254971afd970f6fc

SHA256
f8af411331eff22d35ef2f5d23bdf5383ef12f6783e065861f896a85153bedbb

SHA512
1b9c15d688b9e0c2882d28b13485852f9a4e396bba895be58254b6bd346d7a1299d75e12bdd64963915a0bc2bf62be52d5cf3f71380b493c91f773f520668b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a83845342.exe
Filesize
170KB

MD5
7c4989595f029b440a5294f50f8556bf

SHA1
abfbeb1c9710ee55aa2a2aa5b9fa51221563d153

SHA256
9fb90c4e3598051c910d10e282553ab43adbd7cbb86eb65e7c8c99199e39e056

SHA512
8bb3fe82f25b29e19f7120a87210b7b5c2bd76079b661de293d732a1ab59e3c7d5d64cd5c3163c6baa411fcb0a796f20839d77a3c1a4d54826221adae9f57e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a83845342.exe
Filesize
170KB

MD5
7c4989595f029b440a5294f50f8556bf

SHA1
abfbeb1c9710ee55aa2a2aa5b9fa51221563d153

SHA256
9fb90c4e3598051c910d10e282553ab43adbd7cbb86eb65e7c8c99199e39e056

SHA512
8bb3fe82f25b29e19f7120a87210b7b5c2bd76079b661de293d732a1ab59e3c7d5d64cd5c3163c6baa411fcb0a796f20839d77a3c1a4d54826221adae9f57e80

Download Submit
memory/640-168-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

Filesize
192KB

Download
memory/640-169-0x00000000060B0000-0x00000000066C8000-memory.dmp

Filesize
6.1MB

Download
memory/640-170-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

Filesize
1.0MB

Download
memory/640-171-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/640-172-0x0000000005A90000-0x0000000005ACC000-memory.dmp

Filesize
240KB

Download
memory/640-173-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/640-174-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download