redline | 711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d

Analysis

max time kernel
130s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
Size

1.2MB
MD5

d96887d27fddd55b6bc9cca39e8a8c01
SHA1

4f8b0b546788d376cfc3722a365b6125583d4de4
SHA256

711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d
SHA512

5a42d68742e8f87c4be1a1ceece71426f6cf5b1d8e61edba8d2112e9b10080343ef3ccfa64c7ae1d902fb9800594d1766d7251ebf0e93384f8e25a1ebccea143
SSDEEP

24576:5yxy+kRmJNCJPo9H7dvb6KkyY/TpQ3qK0u7lfdLh9DhRAkSUW93/aUE:sxyvMJNCho9H1bp87u6K5JhTzLo

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4100-2333-0x000000000AA30000-0x000000000B048000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s76867837.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	s76867837.exe

Executes dropped EXE 6 IoCs

Processes:

z32091292.exez57610492.exez25776460.exes76867837.exe1.exet31251887.exe

pid process

1924 z32091292.exe
3556 z57610492.exe
4172 z25776460.exe
3912 s76867837.exe
4100 1.exe
2536 t31251887.exe

pid	process
1924	z32091292.exe
3556	z57610492.exe
4172	z25776460.exe
3912	s76867837.exe
4100	1.exe
2536	t31251887.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z32091292.exez57610492.exez25776460.exe711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z32091292.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z57610492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z57610492.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z25776460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z25776460.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z32091292.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2444 3912 WerFault.exe s76867837.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s76867837.exe

description pid process

Token: SeDebugPrivilege 3912 s76867837.exe

pid	pid_target	process	target process
2444	3912	WerFault.exe	s76867837.exe

description	pid	process
Token: SeDebugPrivilege	3912	s76867837.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exez32091292.exez57610492.exez25776460.exes76867837.exe

description	pid	process	target process
PID 5116 wrote to memory of 1924	5116	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe	z32091292.exe
PID 5116 wrote to memory of 1924	5116	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe	z32091292.exe
PID 5116 wrote to memory of 1924	5116	711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe	z32091292.exe
PID 1924 wrote to memory of 3556	1924	z32091292.exe	z57610492.exe
PID 1924 wrote to memory of 3556	1924	z32091292.exe	z57610492.exe
PID 1924 wrote to memory of 3556	1924	z32091292.exe	z57610492.exe
PID 3556 wrote to memory of 4172	3556	z57610492.exe	z25776460.exe
PID 3556 wrote to memory of 4172	3556	z57610492.exe	z25776460.exe
PID 3556 wrote to memory of 4172	3556	z57610492.exe	z25776460.exe
PID 4172 wrote to memory of 3912	4172	z25776460.exe	s76867837.exe
PID 4172 wrote to memory of 3912	4172	z25776460.exe	s76867837.exe
PID 4172 wrote to memory of 3912	4172	z25776460.exe	s76867837.exe
PID 3912 wrote to memory of 4100	3912	s76867837.exe	1.exe
PID 3912 wrote to memory of 4100	3912	s76867837.exe	1.exe
PID 3912 wrote to memory of 4100	3912	s76867837.exe	1.exe
PID 4172 wrote to memory of 2536	4172	z25776460.exe	t31251887.exe
PID 4172 wrote to memory of 2536	4172	z25776460.exe	t31251887.exe
PID 4172 wrote to memory of 2536	4172	z25776460.exe	t31251887.exe

C:\Users\Admin\AppData\Local\Temp\711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe
"C:\Users\Admin\AppData\Local\Temp\711c6ec0df8a75228ea640aa14d259104b78a8e4ca116e178e2609261c145a9d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1192
6⤵
- Program crash
PID:2444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31251887.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31251887.exe
5⤵
- Executes dropped EXE
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3912 -ip 3912
1⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe
Filesize
1.0MB

MD5
b59664c5e03b1201c6a92aea6793aeaa

SHA1
41f8e54f097319aa70a6b3816e567cda4094621c

SHA256
6dd728d2f5532824dd4dd588ed50af9e35052e971013bf9f72d48f4f0a93cc00

SHA512
50033c3aa2d2cb0033ea2794de950d5042c7aa5c831b50f8d034ef57691d96c3afa4302d95d57af5dc45c0cdab0ce8fb1ca1453beeaab5bb7931154f8a5a232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z32091292.exe
Filesize
1.0MB

MD5
b59664c5e03b1201c6a92aea6793aeaa

SHA1
41f8e54f097319aa70a6b3816e567cda4094621c

SHA256
6dd728d2f5532824dd4dd588ed50af9e35052e971013bf9f72d48f4f0a93cc00

SHA512
50033c3aa2d2cb0033ea2794de950d5042c7aa5c831b50f8d034ef57691d96c3afa4302d95d57af5dc45c0cdab0ce8fb1ca1453beeaab5bb7931154f8a5a232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe
Filesize
759KB

MD5
2743d3e44eaa34ec2084d6660ae330c3

SHA1
197eebae2b65bbc6508a91a002d1e7d45a092c26

SHA256
d28f85a09497c9e3932b6e937f4d7811a72576ab7c76daf8bafa4617402e7995

SHA512
04802f5fd414a437c9576b29da56b06b1fd30f1a65b1ed61cf82ad5943399dbd5600dfce1e7be409dc2cf26dbdd8912e4f2b847142cbda3a72eb44f1babb03fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z57610492.exe
Filesize
759KB

MD5
2743d3e44eaa34ec2084d6660ae330c3

SHA1
197eebae2b65bbc6508a91a002d1e7d45a092c26

SHA256
d28f85a09497c9e3932b6e937f4d7811a72576ab7c76daf8bafa4617402e7995

SHA512
04802f5fd414a437c9576b29da56b06b1fd30f1a65b1ed61cf82ad5943399dbd5600dfce1e7be409dc2cf26dbdd8912e4f2b847142cbda3a72eb44f1babb03fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe
Filesize
577KB

MD5
39b419f7bd9faf4b3de5b86563b96e6b

SHA1
84d57108e4bd894d220565b2e6498d55622d5d51

SHA256
1f941a9e317d5a247657313a4e6b8ff2faa50d0d739f700e75d039a176594368

SHA512
03441e3786be527728d079f8f10e58d90406f92914456cf74add89372cf67312fa888348911c9453e1200108f0113d9204e83f65f0c1a9683aba9440a33f32ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z25776460.exe
Filesize
577KB

MD5
39b419f7bd9faf4b3de5b86563b96e6b

SHA1
84d57108e4bd894d220565b2e6498d55622d5d51

SHA256
1f941a9e317d5a247657313a4e6b8ff2faa50d0d739f700e75d039a176594368

SHA512
03441e3786be527728d079f8f10e58d90406f92914456cf74add89372cf67312fa888348911c9453e1200108f0113d9204e83f65f0c1a9683aba9440a33f32ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe
Filesize
574KB

MD5
d33a622ccec9deacf85544d3bfdd6d51

SHA1
42c841718d25db700dcc2a39c259a49b2712e94d

SHA256
aadff0cf486966cfd1b95bac878bb846dbc8a7dcc241ee5a0f7d5a8d28552b56

SHA512
2194978bc3b9ec40b122d887250838ae8fcf0643d1ea3ac43170d80e090727ec0dad92d62ee53b82038792ecd6a61ca78c674872534a479ad07510e3c79d1b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s76867837.exe
Filesize
574KB

MD5
d33a622ccec9deacf85544d3bfdd6d51

SHA1
42c841718d25db700dcc2a39c259a49b2712e94d

SHA256
aadff0cf486966cfd1b95bac878bb846dbc8a7dcc241ee5a0f7d5a8d28552b56

SHA512
2194978bc3b9ec40b122d887250838ae8fcf0643d1ea3ac43170d80e090727ec0dad92d62ee53b82038792ecd6a61ca78c674872534a479ad07510e3c79d1b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31251887.exe
Filesize
169KB

MD5
c08c37777f13023b28774720d64b2960

SHA1
ca05b214d6f9e13d8461e3fa32b195570aa10ace

SHA256
b1ef107d3586167c60e351cb4ca94fb65694fdd7848b44a8ebffe7152fa37cb6

SHA512
c208e1802b196d4b1d8d62665b725f25c8183a3934f1a09aa7ef3a266a87d53cefb8972ea900e3bddb5c7ff247b5068835a378286be8b2f5eb53348eae6c2aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31251887.exe
Filesize
169KB

MD5
c08c37777f13023b28774720d64b2960

SHA1
ca05b214d6f9e13d8461e3fa32b195570aa10ace

SHA256
b1ef107d3586167c60e351cb4ca94fb65694fdd7848b44a8ebffe7152fa37cb6

SHA512
c208e1802b196d4b1d8d62665b725f25c8183a3934f1a09aa7ef3a266a87d53cefb8972ea900e3bddb5c7ff247b5068835a378286be8b2f5eb53348eae6c2aab

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/2536-2345-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2536-2343-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2536-2342-0x00000000008B0000-0x00000000008DE000-memory.dmp

Filesize
184KB

Download
memory/3912-191-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-211-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-168-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-170-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-172-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-174-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-176-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-178-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-181-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-183-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-184-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-180-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-186-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-187-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-189-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-193-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-165-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-195-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-197-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-199-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-201-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-205-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-203-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-207-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-209-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-166-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-213-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-215-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-217-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-219-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-221-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-223-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-225-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-227-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-229-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3912-2315-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-2316-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-2317-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-2319-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3912-162-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/3912-163-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/3912-164-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/4100-2335-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

Filesize
72KB

Download
memory/4100-2334-0x000000000A580000-0x000000000A68A000-memory.dmp

Filesize
1.0MB

Download
memory/4100-2333-0x000000000AA30000-0x000000000B048000-memory.dmp

Filesize
6.1MB

Download
memory/4100-2336-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4100-2337-0x000000000A510000-0x000000000A54C000-memory.dmp

Filesize
240KB

Download
memory/4100-2344-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4100-2332-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download