redline | edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
Size

1.2MB
MD5

4920b94ea7d0c18b5cc3a2915bb1cfba
SHA1

3e9b7ddd899110e5876e0b9461c1914251ed8a38
SHA256

edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c
SHA512

b0c62a842870dffc9d681164a8827a16becf882b0a1a615f28c60564e960a0d75c467037bcd719e2b1df2401eb04632f796bcf63b24fec0784153f790ea5ce90
SSDEEP

24576:DyB+6wPK4fCkSB2Dz1rEyoN/rZ6WZ0e2GVRWBLkYZT/ioOiMyvF1WTjUd:WBNwPJfU414yoNdz5OJ/iby9oTjU

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/548-2329-0x0000000005B10000-0x0000000006128000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s16166419.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s16166419.exe

Executes dropped EXE 6 IoCs

Processes:

z78750995.exez19803407.exez29944310.exes16166419.exe1.exet94216193.exe

pid process

2044 z78750995.exe
4244 z19803407.exe
4668 z29944310.exe
2512 s16166419.exe
548 1.exe
2764 t94216193.exe

pid	process
2044	z78750995.exe
4244	z19803407.exe
4668	z29944310.exe
2512	s16166419.exe
548	1.exe
2764	t94216193.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z29944310.exeedd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exez78750995.exez19803407.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z29944310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z29944310.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z78750995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z78750995.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z19803407.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z19803407.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2884 2512 WerFault.exe s16166419.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s16166419.exe

description pid process

Token: SeDebugPrivilege 2512 s16166419.exe

pid	pid_target	process	target process
2884	2512	WerFault.exe	s16166419.exe

description	pid	process
Token: SeDebugPrivilege	2512	s16166419.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exez78750995.exez19803407.exez29944310.exes16166419.exe

description	pid	process	target process
PID 4240 wrote to memory of 2044	4240	edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe	z78750995.exe
PID 4240 wrote to memory of 2044	4240	edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe	z78750995.exe
PID 4240 wrote to memory of 2044	4240	edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe	z78750995.exe
PID 2044 wrote to memory of 4244	2044	z78750995.exe	z19803407.exe
PID 2044 wrote to memory of 4244	2044	z78750995.exe	z19803407.exe
PID 2044 wrote to memory of 4244	2044	z78750995.exe	z19803407.exe
PID 4244 wrote to memory of 4668	4244	z19803407.exe	z29944310.exe
PID 4244 wrote to memory of 4668	4244	z19803407.exe	z29944310.exe
PID 4244 wrote to memory of 4668	4244	z19803407.exe	z29944310.exe
PID 4668 wrote to memory of 2512	4668	z29944310.exe	s16166419.exe
PID 4668 wrote to memory of 2512	4668	z29944310.exe	s16166419.exe
PID 4668 wrote to memory of 2512	4668	z29944310.exe	s16166419.exe
PID 2512 wrote to memory of 548	2512	s16166419.exe	1.exe
PID 2512 wrote to memory of 548	2512	s16166419.exe	1.exe
PID 2512 wrote to memory of 548	2512	s16166419.exe	1.exe
PID 4668 wrote to memory of 2764	4668	z29944310.exe	t94216193.exe
PID 4668 wrote to memory of 2764	4668	z29944310.exe	t94216193.exe
PID 4668 wrote to memory of 2764	4668	z29944310.exe	t94216193.exe

C:\Users\Admin\AppData\Local\Temp\edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe
"C:\Users\Admin\AppData\Local\Temp\edd159a6ffc12eb2d1373c7f9be371c42b4b3157462fb0211d6d0d7cc2aaf86c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78750995.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78750995.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z19803407.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z19803407.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z29944310.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z29944310.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s16166419.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s16166419.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1496
6⤵
- Program crash
PID:2884

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94216193.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94216193.exe
5⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2512 -ip 2512
1⤵
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78750995.exe
Filesize
1.0MB

MD5
b3fa776e9cccdfa79364675cbeb632b4

SHA1
dafffbc79bd87e3d5235d42fd06d70bfa9231fdb

SHA256
d392169f49c954d14be07c553b7992b02bdbc717cff9641cc7b217c514bcdeda

SHA512
f24ae65c85b142c46db93cc3fbe164dc33e2852973cf58717b695d9e53753c778d760435484a7f9c02546a06127945d6ac31afbd39f941cae1d73cf49b14c0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z78750995.exe
Filesize
1.0MB

MD5
b3fa776e9cccdfa79364675cbeb632b4

SHA1
dafffbc79bd87e3d5235d42fd06d70bfa9231fdb

SHA256
d392169f49c954d14be07c553b7992b02bdbc717cff9641cc7b217c514bcdeda

SHA512
f24ae65c85b142c46db93cc3fbe164dc33e2852973cf58717b695d9e53753c778d760435484a7f9c02546a06127945d6ac31afbd39f941cae1d73cf49b14c0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z19803407.exe
Filesize
764KB

MD5
aeb899bf39b4de18da0bb5db378c8a2d

SHA1
3a437d23bb1ce28c4b54e0efa5a1aa7e607e5503

SHA256
456a71ea9ba6ec6e9cd20d29548e13d2047a5697af6d6f5e04474dfeae16994b

SHA512
646c2d82aa94f2c31d460df847d53692038fad26637e6d06442d43997c926e7a4d555bddcfb71275d66662099ff25b9b1ef1b909043f3a89eb4e983e41664251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z19803407.exe
Filesize
764KB

MD5
aeb899bf39b4de18da0bb5db378c8a2d

SHA1
3a437d23bb1ce28c4b54e0efa5a1aa7e607e5503

SHA256
456a71ea9ba6ec6e9cd20d29548e13d2047a5697af6d6f5e04474dfeae16994b

SHA512
646c2d82aa94f2c31d460df847d53692038fad26637e6d06442d43997c926e7a4d555bddcfb71275d66662099ff25b9b1ef1b909043f3a89eb4e983e41664251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z29944310.exe
Filesize
581KB

MD5
35698cff3e94c33d3610b5626e368a44

SHA1
4b31580dc67373cfe6bad2e20f003a8cb33d7562

SHA256
37cfad99c413661b015d1c6875b19a35faf4c6bbb1488b2b5d25ab85a289e246

SHA512
e7cb913bf4b9ebe06d0c9afeed1a7928671132079f13c30f72c4a4e5c1e8b14ab6032e31897484387afb3da7668ea0020034570c3f153ca8d2ff2f51161c3e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z29944310.exe
Filesize
581KB

MD5
35698cff3e94c33d3610b5626e368a44

SHA1
4b31580dc67373cfe6bad2e20f003a8cb33d7562

SHA256
37cfad99c413661b015d1c6875b19a35faf4c6bbb1488b2b5d25ab85a289e246

SHA512
e7cb913bf4b9ebe06d0c9afeed1a7928671132079f13c30f72c4a4e5c1e8b14ab6032e31897484387afb3da7668ea0020034570c3f153ca8d2ff2f51161c3e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s16166419.exe
Filesize
580KB

MD5
2b7a09408462f72d37d0ad514f9c0458

SHA1
230db1374aa153f3d3edf275569043a59815dce7

SHA256
0b2f000d423cae62513a64ef15f4e8ccec1784be55a175f3fc43cafd024b2691

SHA512
15077015ddc9c7b67d1d828ce201ef1f904f7924a8f923e26d9d161a6453b8e9e02851e3430302dc3815f619c6656efbc69d7021b6f16756e6b25a3b4fc7ff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s16166419.exe
Filesize
580KB

MD5
2b7a09408462f72d37d0ad514f9c0458

SHA1
230db1374aa153f3d3edf275569043a59815dce7

SHA256
0b2f000d423cae62513a64ef15f4e8ccec1784be55a175f3fc43cafd024b2691

SHA512
15077015ddc9c7b67d1d828ce201ef1f904f7924a8f923e26d9d161a6453b8e9e02851e3430302dc3815f619c6656efbc69d7021b6f16756e6b25a3b4fc7ff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94216193.exe
Filesize
169KB

MD5
97f5242a2c93f68b3b7978cef16b84bd

SHA1
8997ba1cce5c36d23a69aaaa8be71c92fff47461

SHA256
72455f337b2d7da9702594004b19e8e3b266dbfd5c6cffc1a455cbaea0a212a7

SHA512
10f11a0d9cc9725bbc85c7e87f7e9c7d37cbf2e3c166ac7e683cd9f976accebbc877edccf38fadd4d4e0a452239769a9403083456ece677839fbab20c1967a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t94216193.exe
Filesize
169KB

MD5
97f5242a2c93f68b3b7978cef16b84bd

SHA1
8997ba1cce5c36d23a69aaaa8be71c92fff47461

SHA256
72455f337b2d7da9702594004b19e8e3b266dbfd5c6cffc1a455cbaea0a212a7

SHA512
10f11a0d9cc9725bbc85c7e87f7e9c7d37cbf2e3c166ac7e683cd9f976accebbc877edccf38fadd4d4e0a452239769a9403083456ece677839fbab20c1967a55

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/548-2328-0x0000000000B30000-0x0000000000B5E000-memory.dmp

Filesize
184KB

Download
memory/548-2329-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/548-2340-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/548-2333-0x00000000054F0000-0x000000000552C000-memory.dmp

Filesize
240KB

Download
memory/548-2332-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/548-2331-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/548-2330-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/2512-191-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-213-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-175-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-177-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-179-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-181-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-183-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-185-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-187-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-189-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-171-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-193-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-195-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-197-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-199-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-201-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-203-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-205-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-207-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-209-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-211-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-173-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-215-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-217-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-219-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-221-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-223-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-225-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-169-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-167-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-166-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-165-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2512-164-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2512-163-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/2512-227-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-229-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2512-2313-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2512-2314-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2512-2316-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2512-162-0x0000000000AB0000-0x0000000000B0B000-memory.dmp

Filesize
364KB

Download
memory/2764-2339-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2764-2338-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2764-2341-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download