redline | d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796

Analysis

max time kernel
184s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe
Size

793KB
MD5

b122aedf7b3b67d7c0af32075b6bc141
SHA1

349c9e7ce8481ef02f1441af343a17081f2a0b13
SHA256

d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796
SHA512

52392a5579efa373b43d200818bcdb081a04f8b57f0177cc78ebfd1f19367b75de87e5a42d8ba9f52b935bbfe4cf057678313e2d7eeca03769c2478aedba2a84
SSDEEP

12288:vy90JaFHTdEWbr6vFweDF5Cd6ccVrFrmtJlMRBVkpkIJ27m34AQMVXDC:vy0aFzdEgrGu6CqWLMdLI0i4AZDC

Score

10^/10

redline dork gena infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dork

185.161.248.73:4164

Attributes

auth_value
e81be7d6cfb453cc812e1b4890eeadad

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/668-2318-0x0000000005FB0000-0x00000000065C8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m19944774.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	m19944774.exe

Executes dropped EXE 4 IoCs

Processes:

x91895577.exem19944774.exe1.exen63791524.exe

pid process

228 x91895577.exe
1260 m19944774.exe
668 1.exe
4944 n63791524.exe

pid	process
228	x91895577.exe
1260	m19944774.exe
668	1.exe
4944	n63791524.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exex91895577.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x91895577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x91895577.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2460 1260 WerFault.exe m19944774.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

m19944774.exe

description pid process

Token: SeDebugPrivilege 1260 m19944774.exe

pid	pid_target	process	target process
2460	1260	WerFault.exe	m19944774.exe

description	pid	process
Token: SeDebugPrivilege	1260	m19944774.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exex91895577.exem19944774.exe

description	pid	process	target process
PID 4924 wrote to memory of 228	4924	d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe	x91895577.exe
PID 4924 wrote to memory of 228	4924	d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe	x91895577.exe
PID 4924 wrote to memory of 228	4924	d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe	x91895577.exe
PID 228 wrote to memory of 1260	228	x91895577.exe	m19944774.exe
PID 228 wrote to memory of 1260	228	x91895577.exe	m19944774.exe
PID 228 wrote to memory of 1260	228	x91895577.exe	m19944774.exe
PID 1260 wrote to memory of 668	1260	m19944774.exe	1.exe
PID 1260 wrote to memory of 668	1260	m19944774.exe	1.exe
PID 1260 wrote to memory of 668	1260	m19944774.exe	1.exe
PID 228 wrote to memory of 4944	228	x91895577.exe	n63791524.exe
PID 228 wrote to memory of 4944	228	x91895577.exe	n63791524.exe
PID 228 wrote to memory of 4944	228	x91895577.exe	n63791524.exe

C:\Users\Admin\AppData\Local\Temp\d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe
"C:\Users\Admin\AppData\Local\Temp\d766509ed69f458ea39b23f065e1f66a7563d6549de756b4d8cb992abfb3b796.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x91895577.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x91895577.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m19944774.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m19944774.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1388
4⤵
- Program crash
PID:2460

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n63791524.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n63791524.exe
3⤵
- Executes dropped EXE
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1260 -ip 1260
1⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x91895577.exe
Filesize
589KB

MD5
7fb36948d81ebcb3b71ad795a95e4258

SHA1
fc7a04dc467dec0fd281a670c602b6e21be9f53e

SHA256
dfc005366e446a0264b4922e57418d02c10d2d2558cd0b624da6b3f603ab8d03

SHA512
df454d78c23a254f7e683594b7855caa093f9fe91827a633c46edf0cad7d2e80a65482bc500ca66e95dd429de664fb747064fbaa7931e83e39ba1c01d6ba3e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x91895577.exe
Filesize
589KB

MD5
7fb36948d81ebcb3b71ad795a95e4258

SHA1
fc7a04dc467dec0fd281a670c602b6e21be9f53e

SHA256
dfc005366e446a0264b4922e57418d02c10d2d2558cd0b624da6b3f603ab8d03

SHA512
df454d78c23a254f7e683594b7855caa093f9fe91827a633c46edf0cad7d2e80a65482bc500ca66e95dd429de664fb747064fbaa7931e83e39ba1c01d6ba3e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m19944774.exe
Filesize
530KB

MD5
0cf427d3f55649fab7f699e24e42c9e4

SHA1
ddaa9b25d727c34eba8592f89af5d62e69be32c5

SHA256
9b4d690b9bbaed0d1761d4d0d904d19a2ee7b7f02bc4be6ebd61fce864463dfc

SHA512
c5d6b92d0e12766a51f579d558b8c7c14932fbfc842e651e8e285f0bd72296a6131f5a9bf87dc9e898931e43d60152a9c114152e73297944a6de4e2a20bb3258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m19944774.exe
Filesize
530KB

MD5
0cf427d3f55649fab7f699e24e42c9e4

SHA1
ddaa9b25d727c34eba8592f89af5d62e69be32c5

SHA256
9b4d690b9bbaed0d1761d4d0d904d19a2ee7b7f02bc4be6ebd61fce864463dfc

SHA512
c5d6b92d0e12766a51f579d558b8c7c14932fbfc842e651e8e285f0bd72296a6131f5a9bf87dc9e898931e43d60152a9c114152e73297944a6de4e2a20bb3258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n63791524.exe
Filesize
168KB

MD5
09a041f66d6445d31592b5ac0ca4e26f

SHA1
e0695beccaf17dbfd7d0dae33594e9aa7efb5b68

SHA256
02fdadd2380f0a3c22b837697f3ed322bcc718caeef282765240f6a8cab9d749

SHA512
d2819e5511f07c49d90ddfdadab35bc90d1788fd446b811cb1e2c931b7b68f111ea7814c91812be36eefde18bc1f82689316abc26780942eed85eadc295ac322

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n63791524.exe
Filesize
168KB

MD5
09a041f66d6445d31592b5ac0ca4e26f

SHA1
e0695beccaf17dbfd7d0dae33594e9aa7efb5b68

SHA256
02fdadd2380f0a3c22b837697f3ed322bcc718caeef282765240f6a8cab9d749

SHA512
d2819e5511f07c49d90ddfdadab35bc90d1788fd446b811cb1e2c931b7b68f111ea7814c91812be36eefde18bc1f82689316abc26780942eed85eadc295ac322

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/668-2321-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/668-2319-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

Filesize
1.0MB

Download
memory/668-2318-0x0000000005FB0000-0x00000000065C8000-memory.dmp

Filesize
6.1MB

Download
memory/668-2316-0x0000000000ED0000-0x0000000000EFE000-memory.dmp

Filesize
184KB

Download
memory/668-2320-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/668-2323-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/668-2330-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/1260-192-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-210-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-172-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-174-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-176-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-178-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-180-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-182-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-184-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-186-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-188-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-190-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-168-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-194-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-196-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-200-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-198-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-202-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-204-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-206-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-208-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-170-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-212-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-214-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-2298-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1260-2300-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1260-2303-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1260-166-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-164-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-162-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-160-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-158-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-156-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-154-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-152-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-151-0x00000000058A0000-0x0000000005900000-memory.dmp

Filesize
384KB

Download
memory/1260-150-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/1260-149-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1260-148-0x0000000002750000-0x00000000027AB000-memory.dmp

Filesize
364KB

Download
memory/4944-2329-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4944-2328-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/4944-2331-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download