redline | e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5

Analysis

max time kernel
135s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe
Size

1.2MB
MD5

f2f1783f389df806a8b85e5456637223
SHA1

83413619f224f4348532db5a455655713c5b8f5f
SHA256

e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5
SHA512

ddd0f2a411e37fd948de4408e662a6b390cebde7a92db4b853bce0ba093501336c177295ac9646841be2766ca69f91508351dc553cd37da5c98fe4d26870600a
SSDEEP

24576:gyaJG8TPlqHZr3HB6Jzv2vPe0U/fIDX69Allmts+02r7icN2i87mjt4Uox:na/9esxCPLUXSXxqSBMZUWty

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4764-2334-0x00000000054B0000-0x0000000005AC8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s93289741.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	s93289741.exe

Executes dropped EXE 6 IoCs

Processes:

z45864421.exez03274834.exez94845549.exes93289741.exe1.exet07561661.exe

pid process

4280 z45864421.exe
1936 z03274834.exe
380 z94845549.exe
2120 s93289741.exe
260 1.exe
4764 t07561661.exe

pid	process
4280	z45864421.exe
1936	z03274834.exe
380	z94845549.exe
2120	s93289741.exe
260	1.exe
4764	t07561661.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z45864421.exez03274834.exez94845549.exee70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z45864421.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z03274834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z03274834.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z94845549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z94845549.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z45864421.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s93289741.exe

description pid process

Token: SeDebugPrivilege 2120 s93289741.exe

description	pid	process
Token: SeDebugPrivilege	2120	s93289741.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exez45864421.exez03274834.exez94845549.exes93289741.exe

description	pid	process	target process
PID 1716 wrote to memory of 4280	1716	e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe	z45864421.exe
PID 1716 wrote to memory of 4280	1716	e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe	z45864421.exe
PID 1716 wrote to memory of 4280	1716	e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe	z45864421.exe
PID 4280 wrote to memory of 1936	4280	z45864421.exe	z03274834.exe
PID 4280 wrote to memory of 1936	4280	z45864421.exe	z03274834.exe
PID 4280 wrote to memory of 1936	4280	z45864421.exe	z03274834.exe
PID 1936 wrote to memory of 380	1936	z03274834.exe	z94845549.exe
PID 1936 wrote to memory of 380	1936	z03274834.exe	z94845549.exe
PID 1936 wrote to memory of 380	1936	z03274834.exe	z94845549.exe
PID 380 wrote to memory of 2120	380	z94845549.exe	s93289741.exe
PID 380 wrote to memory of 2120	380	z94845549.exe	s93289741.exe
PID 380 wrote to memory of 2120	380	z94845549.exe	s93289741.exe
PID 2120 wrote to memory of 260	2120	s93289741.exe	1.exe
PID 2120 wrote to memory of 260	2120	s93289741.exe	1.exe
PID 2120 wrote to memory of 260	2120	s93289741.exe	1.exe
PID 380 wrote to memory of 4764	380	z94845549.exe	t07561661.exe
PID 380 wrote to memory of 4764	380	z94845549.exe	t07561661.exe
PID 380 wrote to memory of 4764	380	z94845549.exe	t07561661.exe

C:\Users\Admin\AppData\Local\Temp\e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe
"C:\Users\Admin\AppData\Local\Temp\e70afe93ee61f9d6f4cbe3baaf6e027edc4b18affa11a4da47d2cc9ed024bbf5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z45864421.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z45864421.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z03274834.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z03274834.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z94845549.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z94845549.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93289741.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93289741.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
6⤵
- Executes dropped EXE
PID:260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t07561661.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t07561661.exe
5⤵
- Executes dropped EXE
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z45864421.exe
Filesize
1.0MB

MD5
24f6aa14573ffcd7fa338b8b5364e4ee

SHA1
cab80e7e81a648ff9f60d468446dc93448060b83

SHA256
5026f2a5c5bdede756d4ef2cfa98c54b1824c67ab69d9cbcdf8b2143703300c4

SHA512
1cca1914614f81fcb5cde77b1a08ae9f9e0f30829a20f9368f0d62705dbc01cb3b25e4706b2eb8b05a24df7372544fd73607912f543741a1489ae59fda2076e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z45864421.exe
Filesize
1.0MB

MD5
24f6aa14573ffcd7fa338b8b5364e4ee

SHA1
cab80e7e81a648ff9f60d468446dc93448060b83

SHA256
5026f2a5c5bdede756d4ef2cfa98c54b1824c67ab69d9cbcdf8b2143703300c4

SHA512
1cca1914614f81fcb5cde77b1a08ae9f9e0f30829a20f9368f0d62705dbc01cb3b25e4706b2eb8b05a24df7372544fd73607912f543741a1489ae59fda2076e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z03274834.exe
Filesize
764KB

MD5
63ce1f1986abb5548da58ddd4b6ee2cf

SHA1
3a66cbce1d43dd285c8faa7a8540d7ed46eea1b7

SHA256
dc30f84182b39157e67644e6fbfc3a8fadde680a8c3e3ecbb66b4b17c932b78c

SHA512
43125890b637e96365543ba91893c6ee880bef3e0f56afcf1f9d1b55b75d8a1572005f21a405867e9e66f880cbc2a6f28d7c82f37141635a1832d26f9964a7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z03274834.exe
Filesize
764KB

MD5
63ce1f1986abb5548da58ddd4b6ee2cf

SHA1
3a66cbce1d43dd285c8faa7a8540d7ed46eea1b7

SHA256
dc30f84182b39157e67644e6fbfc3a8fadde680a8c3e3ecbb66b4b17c932b78c

SHA512
43125890b637e96365543ba91893c6ee880bef3e0f56afcf1f9d1b55b75d8a1572005f21a405867e9e66f880cbc2a6f28d7c82f37141635a1832d26f9964a7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z94845549.exe
Filesize
582KB

MD5
eb67c4a0f59c53b4bcb9d935609a3f01

SHA1
a20ea65a6aae226eae22ca0d61aa6ffcda0310eb

SHA256
fd9de31b480091f3c3faae1ef6f223a94dbec40bc32dac3292ce18c8063be4af

SHA512
ae9c4c297dffa1e3c479a1ff5a4e6b64f281e4640a6cc5a55d9ecea44b84f6846021883fc7ecd35f0d9e6582f2c93a9d8a1f1ed98ff917e3040ea3100e5d077d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z94845549.exe
Filesize
582KB

MD5
eb67c4a0f59c53b4bcb9d935609a3f01

SHA1
a20ea65a6aae226eae22ca0d61aa6ffcda0310eb

SHA256
fd9de31b480091f3c3faae1ef6f223a94dbec40bc32dac3292ce18c8063be4af

SHA512
ae9c4c297dffa1e3c479a1ff5a4e6b64f281e4640a6cc5a55d9ecea44b84f6846021883fc7ecd35f0d9e6582f2c93a9d8a1f1ed98ff917e3040ea3100e5d077d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93289741.exe
Filesize
582KB

MD5
f9fcf23b830d68d48a0732e9c638d11c

SHA1
f8a5ddea4c3e654106038764dadbcd00fafaa70e

SHA256
078f84fbed50bd9f0d6ac231530b76443988cb6e2fce820394259d6aeb982d3d

SHA512
cf0e563b33b0c2f1ad25cfda574d48c3eaf2e1524c7cba3f4fe0b13dabfad76cd43c748b4863a1b6c7ca6007fa984d06f0d7228ede5e205bfb32519f5fe04426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s93289741.exe
Filesize
582KB

MD5
f9fcf23b830d68d48a0732e9c638d11c

SHA1
f8a5ddea4c3e654106038764dadbcd00fafaa70e

SHA256
078f84fbed50bd9f0d6ac231530b76443988cb6e2fce820394259d6aeb982d3d

SHA512
cf0e563b33b0c2f1ad25cfda574d48c3eaf2e1524c7cba3f4fe0b13dabfad76cd43c748b4863a1b6c7ca6007fa984d06f0d7228ede5e205bfb32519f5fe04426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t07561661.exe
Filesize
169KB

MD5
721a9c49a54bc5bccc9b44e7ef3de972

SHA1
c7bcb7285c6f325c2076d597316dea3d93bee085

SHA256
8447e65fcd104544ab30cc87c8be87ddff8cd4082a429892e17c29e33d801e19

SHA512
1f87bdf64af2b69c4598a3edf4fd284efa904b883e767e6e8827e61328f6d5ae15d5a58e16249f7cb795d90fafcf86461c9c5392ef7eea609e6c17ef54c94377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t07561661.exe
Filesize
169KB

MD5
721a9c49a54bc5bccc9b44e7ef3de972

SHA1
c7bcb7285c6f325c2076d597316dea3d93bee085

SHA256
8447e65fcd104544ab30cc87c8be87ddff8cd4082a429892e17c29e33d801e19

SHA512
1f87bdf64af2b69c4598a3edf4fd284efa904b883e767e6e8827e61328f6d5ae15d5a58e16249f7cb795d90fafcf86461c9c5392ef7eea609e6c17ef54c94377

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/260-2328-0x0000000000CF0000-0x0000000000D1E000-memory.dmp

Filesize
184KB

Download
memory/260-2341-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/260-2339-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/260-2338-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/260-2335-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/2120-192-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2120-208-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-174-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-176-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-178-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-180-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-182-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-184-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-186-0x0000000000A50000-0x0000000000AAB000-memory.dmp

Filesize
364KB

Download
memory/2120-188-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-187-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2120-190-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2120-170-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-191-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-194-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-196-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-198-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-200-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-202-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-204-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-206-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-172-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-210-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-212-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-214-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-216-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-218-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-220-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-222-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-168-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-224-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-226-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-228-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-230-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-2316-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2120-162-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/2120-163-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-164-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/2120-166-0x0000000004E30000-0x0000000004E90000-memory.dmp

Filesize
384KB

Download
memory/4764-2336-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/4764-2337-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4764-2334-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/4764-2340-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4764-2333-0x0000000000590000-0x00000000005BE000-memory.dmp

Filesize
184KB

Download