redline | f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe
Size

889KB
MD5

202049b82d09ca1775367b542071bf20
SHA1

4b6f2c415f868e462e1f275e751096484f58e995
SHA256

f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a
SHA512

37fee7cb772a490c9564e3dd867f8b97fd7e525a3f75ef718edbbddb8986cf5a1d8cccae7444f038be3a4e934c899939c8b08a7c24d2c7b70f8b05e8e57a444e
SSDEEP

24576:vyUyBVV3toECgxpJQGQ7c450XMsNTHWo6W:6U6toECgXJQGY50XMsNDWo6

Score

10^/10

redline dork gena infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dork

185.161.248.73:4164

Attributes

auth_value
e81be7d6cfb453cc812e1b4890eeadad

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4900-2318-0x0000000005E00000-0x0000000006418000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

p19355811.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	p19355811.exe

Executes dropped EXE 4 IoCs

Processes:

y61368319.exep19355811.exe1.exer37750270.exe

pid process

1504 y61368319.exe
352 p19355811.exe
4900 1.exe
4460 r37750270.exe

pid	process
1504	y61368319.exe
352	p19355811.exe
4900	1.exe
4460	r37750270.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exey61368319.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y61368319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y61368319.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 352 WerFault.exe p19355811.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

p19355811.exe

description pid process

Token: SeDebugPrivilege 352 p19355811.exe

pid	pid_target	process	target process
1488	352	WerFault.exe	p19355811.exe

description	pid	process
Token: SeDebugPrivilege	352	p19355811.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exey61368319.exep19355811.exe

description	pid	process	target process
PID 4828 wrote to memory of 1504	4828	f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe	y61368319.exe
PID 4828 wrote to memory of 1504	4828	f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe	y61368319.exe
PID 4828 wrote to memory of 1504	4828	f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe	y61368319.exe
PID 1504 wrote to memory of 352	1504	y61368319.exe	p19355811.exe
PID 1504 wrote to memory of 352	1504	y61368319.exe	p19355811.exe
PID 1504 wrote to memory of 352	1504	y61368319.exe	p19355811.exe
PID 352 wrote to memory of 4900	352	p19355811.exe	1.exe
PID 352 wrote to memory of 4900	352	p19355811.exe	1.exe
PID 352 wrote to memory of 4900	352	p19355811.exe	1.exe
PID 1504 wrote to memory of 4460	1504	y61368319.exe	r37750270.exe
PID 1504 wrote to memory of 4460	1504	y61368319.exe	r37750270.exe
PID 1504 wrote to memory of 4460	1504	y61368319.exe	r37750270.exe

C:\Users\Admin\AppData\Local\Temp\f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe
"C:\Users\Admin\AppData\Local\Temp\f0684d52b76467516f90231b21f26be5742e7d10457398bcd46c7c4e41a3e93a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y61368319.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y61368319.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p19355811.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p19355811.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 1384
4⤵
- Program crash
PID:1488

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r37750270.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r37750270.exe
3⤵
- Executes dropped EXE
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 352 -ip 352
1⤵
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y61368319.exe
Filesize
589KB

MD5
2eca0ef5ab63e39a6ad87f9f008c9ad7

SHA1
ab6482419dbfd5dbb93ca58c88394dca75508330

SHA256
b6124ee8082e64b00ad6d9ec42c02233160380515a3845791ae7a958c5940f77

SHA512
4d3803c0c6e19a49a6c96ac00dd8a425aec3aaf4437bdbf77af93de55ba08436f80270ffade9ec5a964ccc856b28fbd7b8f36383a866b404c2cebb8c523f7c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y61368319.exe
Filesize
589KB

MD5
2eca0ef5ab63e39a6ad87f9f008c9ad7

SHA1
ab6482419dbfd5dbb93ca58c88394dca75508330

SHA256
b6124ee8082e64b00ad6d9ec42c02233160380515a3845791ae7a958c5940f77

SHA512
4d3803c0c6e19a49a6c96ac00dd8a425aec3aaf4437bdbf77af93de55ba08436f80270ffade9ec5a964ccc856b28fbd7b8f36383a866b404c2cebb8c523f7c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p19355811.exe
Filesize
530KB

MD5
7558ca2d82e515293801a4c039b8f2ba

SHA1
46a07920795aad05fbad9842bebcce256ca02457

SHA256
4c5ef3b8aa34b7ec3110d54e89191dd9d9dcbc5587eb387c08fb64ba61dd9718

SHA512
ea2353084f3216a3571b71276692112508dd12b7401a32e8c4c7f9d39711ea89cc898b62406b8ee11b8fa9f0736de2eaa662fd25188d43b0b6d3e277f8dbc3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p19355811.exe
Filesize
530KB

MD5
7558ca2d82e515293801a4c039b8f2ba

SHA1
46a07920795aad05fbad9842bebcce256ca02457

SHA256
4c5ef3b8aa34b7ec3110d54e89191dd9d9dcbc5587eb387c08fb64ba61dd9718

SHA512
ea2353084f3216a3571b71276692112508dd12b7401a32e8c4c7f9d39711ea89cc898b62406b8ee11b8fa9f0736de2eaa662fd25188d43b0b6d3e277f8dbc3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r37750270.exe
Filesize
169KB

MD5
61a20c0e4d3cdff93150b2f19dd4250c

SHA1
f5c5ad39a790b1656518de4e07f7663b469672ab

SHA256
ec0beb11c27a0922347ccf6a08404cd317bb14febedf9b11df2098475cae90b1

SHA512
84a10f7e6fe9237d3ef5feba8e1355eb377ac6e753be46b327155d68cfa8ce501769be8115d8cc44a4a24e93ac3aa0948fb68e6bf1be36b5a7b95693d506cea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r37750270.exe
Filesize
169KB

MD5
61a20c0e4d3cdff93150b2f19dd4250c

SHA1
f5c5ad39a790b1656518de4e07f7663b469672ab

SHA256
ec0beb11c27a0922347ccf6a08404cd317bb14febedf9b11df2098475cae90b1

SHA512
84a10f7e6fe9237d3ef5feba8e1355eb377ac6e753be46b327155d68cfa8ce501769be8115d8cc44a4a24e93ac3aa0948fb68e6bf1be36b5a7b95693d506cea8

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/352-164-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-202-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-158-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-159-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/352-162-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-161-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/352-154-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-166-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-168-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-170-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-172-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-174-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-176-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-178-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-180-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-182-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-184-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-186-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-188-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-190-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-192-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-194-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-196-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-198-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-200-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-156-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-204-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-206-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-208-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-210-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-212-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-214-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-216-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-2300-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/352-2301-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/352-2302-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/352-152-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-151-0x0000000002C00000-0x0000000002C60000-memory.dmp

Filesize
384KB

Download
memory/352-150-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/352-148-0x00000000026E0000-0x000000000273B000-memory.dmp

Filesize
364KB

Download
memory/352-2316-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/352-149-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/4460-2330-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/4460-2331-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4460-2332-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4900-2319-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/4900-2320-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/4900-2321-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4900-2322-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/4900-2324-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/4900-2318-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/4900-2315-0x0000000000E60000-0x0000000000E8E000-memory.dmp

Filesize
184KB

Download