redline | 5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe
Size

1.5MB
MD5

6ce9003fe4721d6ea23570fbfaa513f7
SHA1

5448e8d42f064fad37f00315a10874cc8cd926be
SHA256

5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa
SHA512

48f3678114a9667a7ee93e39b695f04e44207fdb8bf8c08fcef1c33dfbda190fe429e717bea80e219c7a1c5ce71ecbdd9a8bf87555910705360b72f207a6c95e
SSDEEP

24576:RkyuEiwjbF/vDErytDfitLY7ER+EXEAmn92ZGtM0b2C866ThACbeqNSNjJ:tuwPFDsEDfn7ER+EXEvncgt52CPgJINj

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/1896-169-0x000000000AAC0000-0x000000000B0D8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i22967087.exei67062146.exei85661470.exei32354548.exea73859397.exe

pid process

776 i22967087.exe
5100 i67062146.exe
4272 i85661470.exe
1360 i32354548.exe
1896 a73859397.exe

pid	process
776	i22967087.exe
5100	i67062146.exe
4272	i85661470.exe
1360	i32354548.exe
1896	a73859397.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i67062146.exei85661470.exei32354548.exe5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exei22967087.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i67062146.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i85661470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i85661470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i32354548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i22967087.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i67062146.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i32354548.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i22967087.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exei22967087.exei67062146.exei85661470.exei32354548.exe

description	pid	process	target process
PID 4864 wrote to memory of 776	4864	5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe	i22967087.exe
PID 4864 wrote to memory of 776	4864	5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe	i22967087.exe
PID 4864 wrote to memory of 776	4864	5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe	i22967087.exe
PID 776 wrote to memory of 5100	776	i22967087.exe	i67062146.exe
PID 776 wrote to memory of 5100	776	i22967087.exe	i67062146.exe
PID 776 wrote to memory of 5100	776	i22967087.exe	i67062146.exe
PID 5100 wrote to memory of 4272	5100	i67062146.exe	i85661470.exe
PID 5100 wrote to memory of 4272	5100	i67062146.exe	i85661470.exe
PID 5100 wrote to memory of 4272	5100	i67062146.exe	i85661470.exe
PID 4272 wrote to memory of 1360	4272	i85661470.exe	i32354548.exe
PID 4272 wrote to memory of 1360	4272	i85661470.exe	i32354548.exe
PID 4272 wrote to memory of 1360	4272	i85661470.exe	i32354548.exe
PID 1360 wrote to memory of 1896	1360	i32354548.exe	a73859397.exe
PID 1360 wrote to memory of 1896	1360	i32354548.exe	a73859397.exe
PID 1360 wrote to memory of 1896	1360	i32354548.exe	a73859397.exe

C:\Users\Admin\AppData\Local\Temp\5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe
"C:\Users\Admin\AppData\Local\Temp\5d1b1da48af6d41814c2ea62604f31b23e50a57664c0a6d87f3bca22221ff0aa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22967087.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22967087.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i67062146.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i67062146.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i85661470.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i85661470.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i32354548.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i32354548.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73859397.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73859397.exe
6⤵
- Executes dropped EXE
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22967087.exe
Filesize
1.3MB

MD5
695662dddcb52da7d5e6599da2c5d493

SHA1
a8f56ecb619854bb3e75810d8a737cd4fce0577e

SHA256
c0e0574c8698c907d0e31ba560bbde063e597fac5a24a2895e5d5f0a51df31a6

SHA512
772cf7142a1814a5876c72191580edea3d195bc65d9fce5de12c9ea7aec988f7d9b645459372a1e5f86707b8787c1ab590a276247a5d54d9f11795734eba587f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i22967087.exe
Filesize
1.3MB

MD5
695662dddcb52da7d5e6599da2c5d493

SHA1
a8f56ecb619854bb3e75810d8a737cd4fce0577e

SHA256
c0e0574c8698c907d0e31ba560bbde063e597fac5a24a2895e5d5f0a51df31a6

SHA512
772cf7142a1814a5876c72191580edea3d195bc65d9fce5de12c9ea7aec988f7d9b645459372a1e5f86707b8787c1ab590a276247a5d54d9f11795734eba587f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i67062146.exe
Filesize
1015KB

MD5
d962f121f1e3b5eba286b414f8a8c0a1

SHA1
d1a43b4c39ac7657a7af62e3a29392772b57f7b4

SHA256
def83fe6ee46d9a02d0a1406aaab40e46a3f9ee2121fef9af5569263f445841e

SHA512
7f78c7cdf0ff658a0162f9278df6e47f8906e5c5d63a6849722718875c9acda96d4d301d948a8ecb5db2a791c270361a09abe0ee7d2422b9f9a030daacccc7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i67062146.exe
Filesize
1015KB

MD5
d962f121f1e3b5eba286b414f8a8c0a1

SHA1
d1a43b4c39ac7657a7af62e3a29392772b57f7b4

SHA256
def83fe6ee46d9a02d0a1406aaab40e46a3f9ee2121fef9af5569263f445841e

SHA512
7f78c7cdf0ff658a0162f9278df6e47f8906e5c5d63a6849722718875c9acda96d4d301d948a8ecb5db2a791c270361a09abe0ee7d2422b9f9a030daacccc7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i85661470.exe
Filesize
843KB

MD5
e862628f17f127baa50f733c9e05af05

SHA1
d1490f629eec732071b8066c63e3a5e28e61e1c1

SHA256
2bc44c51d21f9c2799aa16f4d5b62753cce458666552389388b67a92101fd491

SHA512
73ec9ed4916d62f333cb43eda320e2c2d16751015445821ad29b675495e27ac1bad4ca37583dc6a445c5cc75003706d6d30dc8bdc064684a6112d454ea573fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i85661470.exe
Filesize
843KB

MD5
e862628f17f127baa50f733c9e05af05

SHA1
d1490f629eec732071b8066c63e3a5e28e61e1c1

SHA256
2bc44c51d21f9c2799aa16f4d5b62753cce458666552389388b67a92101fd491

SHA512
73ec9ed4916d62f333cb43eda320e2c2d16751015445821ad29b675495e27ac1bad4ca37583dc6a445c5cc75003706d6d30dc8bdc064684a6112d454ea573fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i32354548.exe
Filesize
371KB

MD5
e2e3f491e1cb27df2822559c6083ef60

SHA1
e15693573e69d99c73dfae7993b0c797cbf4dffe

SHA256
b76770cbaf6f7919551b577c01b87a9e455b1f731562fb025828ff6e15d465e4

SHA512
a98193f5d5d70114f758521d248cb019596b67430f683c78ec0c4a5b469ca8e81961b31fd4f4901b0da4025730c1666e27d83df5c297e15e4bfc0c730a27f676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i32354548.exe
Filesize
371KB

MD5
e2e3f491e1cb27df2822559c6083ef60

SHA1
e15693573e69d99c73dfae7993b0c797cbf4dffe

SHA256
b76770cbaf6f7919551b577c01b87a9e455b1f731562fb025828ff6e15d465e4

SHA512
a98193f5d5d70114f758521d248cb019596b67430f683c78ec0c4a5b469ca8e81961b31fd4f4901b0da4025730c1666e27d83df5c297e15e4bfc0c730a27f676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73859397.exe
Filesize
169KB

MD5
e1c799790c609eae9fc21c2e88e8cbba

SHA1
b21aef2624735dbf327c94f6161fdfe571be4fa2

SHA256
3608ae93edbd5733fccd162cd645162d6075a618ce43ed7f8515a39489c03a7e

SHA512
0b7aab0942ffb27285dd6d609c8f1df35b265b4bba336777ee0e05e03ab7e5fd6288d2599294cbbd9f6961cd9702dcd552a5bff40aea5ff21b9a52e600849649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a73859397.exe
Filesize
169KB

MD5
e1c799790c609eae9fc21c2e88e8cbba

SHA1
b21aef2624735dbf327c94f6161fdfe571be4fa2

SHA256
3608ae93edbd5733fccd162cd645162d6075a618ce43ed7f8515a39489c03a7e

SHA512
0b7aab0942ffb27285dd6d609c8f1df35b265b4bba336777ee0e05e03ab7e5fd6288d2599294cbbd9f6961cd9702dcd552a5bff40aea5ff21b9a52e600849649

Download Submit
memory/1896-168-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/1896-169-0x000000000AAC0000-0x000000000B0D8000-memory.dmp

Filesize
6.1MB

Download
memory/1896-170-0x000000000A5B0000-0x000000000A6BA000-memory.dmp

Filesize
1.0MB

Download
memory/1896-171-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/1896-172-0x000000000A4E0000-0x000000000A51C000-memory.dmp

Filesize
240KB

Download
memory/1896-173-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1896-174-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download