redline | fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe
Size

850KB
MD5

4b017bab91eb4336f08231251b0c6372
SHA1

1eb15f7e81faaa1403dfcdef4a0b5ace782b61f7
SHA256

fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9
SHA512

f7c87c4b111945e5683f8611abedfec69e11e9053cbc8cbce3ea8f2178a19efed1e28996ed2a4957d8dc3b44a50539f1d25193acd44ed10923640614e170d964
SSDEEP

24576:myoewHIr7Die3C4Wz0QFvjN4T7/xo22k/BjCs98GyRk78:1dZr7BS8Q9W75x2k/BesJyRo

Score

10^/10

redline danko gena infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

danko

185.161.248.73:4164

Attributes

auth_value
784d42a6c1eb1a5060b8bcd3696f5f1e

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/2936-2317-0x0000000005B10000-0x0000000006128000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

p52343105.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	p52343105.exe

Executes dropped EXE 4 IoCs

Processes:

y01355059.exep52343105.exe1.exer88707750.exe

pid process

988 y01355059.exe
1612 p52343105.exe
2936 1.exe
1056 r88707750.exe

pid	process
988	y01355059.exe
1612	p52343105.exe
2936	1.exe
1056	r88707750.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y01355059.exefb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y01355059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y01355059.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1420 1612 WerFault.exe p52343105.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

p52343105.exe

description pid process

Token: SeDebugPrivilege 1612 p52343105.exe

pid	pid_target	process	target process
1420	1612	WerFault.exe	p52343105.exe

description	pid	process
Token: SeDebugPrivilege	1612	p52343105.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exey01355059.exep52343105.exe

description	pid	process	target process
PID 4476 wrote to memory of 988	4476	fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe	y01355059.exe
PID 4476 wrote to memory of 988	4476	fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe	y01355059.exe
PID 4476 wrote to memory of 988	4476	fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe	y01355059.exe
PID 988 wrote to memory of 1612	988	y01355059.exe	p52343105.exe
PID 988 wrote to memory of 1612	988	y01355059.exe	p52343105.exe
PID 988 wrote to memory of 1612	988	y01355059.exe	p52343105.exe
PID 1612 wrote to memory of 2936	1612	p52343105.exe	1.exe
PID 1612 wrote to memory of 2936	1612	p52343105.exe	1.exe
PID 1612 wrote to memory of 2936	1612	p52343105.exe	1.exe
PID 988 wrote to memory of 1056	988	y01355059.exe	r88707750.exe
PID 988 wrote to memory of 1056	988	y01355059.exe	r88707750.exe
PID 988 wrote to memory of 1056	988	y01355059.exe	r88707750.exe

C:\Users\Admin\AppData\Local\Temp\fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe
"C:\Users\Admin\AppData\Local\Temp\fb40b111f9fd6b2b711468fc0648619c24cef3af770edf851dfb782ed135cbe9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01355059.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01355059.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p52343105.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p52343105.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1376
4⤵
- Program crash
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r88707750.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r88707750.exe
3⤵
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1612 -ip 1612
1⤵
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01355059.exe
Filesize
570KB

MD5
d51a821116139664ff92f6810950c5ab

SHA1
f9af5bf5c559cc0a78d7c986d037e8be6984fd51

SHA256
6e6432698a518d938f40a9678ca7fb5828f133cee1ada58e0014be448dbaf778

SHA512
796b644009d00595d01be50eeaf90d1fc6025b86a2da6ec318df210b778b0f7d26f13ceae5d22cb2a7c8a2de69f36a075880cac957d90b0b4510ac5f1677bf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01355059.exe
Filesize
570KB

MD5
d51a821116139664ff92f6810950c5ab

SHA1
f9af5bf5c559cc0a78d7c986d037e8be6984fd51

SHA256
6e6432698a518d938f40a9678ca7fb5828f133cee1ada58e0014be448dbaf778

SHA512
796b644009d00595d01be50eeaf90d1fc6025b86a2da6ec318df210b778b0f7d26f13ceae5d22cb2a7c8a2de69f36a075880cac957d90b0b4510ac5f1677bf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p52343105.exe
Filesize
479KB

MD5
918269bc97b96c75ac03f610ed237235

SHA1
da94b7268fd4a64c01495cba5b94cd560cbf0b69

SHA256
52140c649f4cad248a1134b4764d201424ad159d6448703e8fd83e6b577c9789

SHA512
7ecbcabcf8ea31ed8c73c6bfdbbbd5d57b8efffc8816cb7da7069de0f5dd586409ad44058155cccda12f83811c8691a9f2fe181ce6849bb0beaca96feedb3265

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p52343105.exe
Filesize
479KB

MD5
918269bc97b96c75ac03f610ed237235

SHA1
da94b7268fd4a64c01495cba5b94cd560cbf0b69

SHA256
52140c649f4cad248a1134b4764d201424ad159d6448703e8fd83e6b577c9789

SHA512
7ecbcabcf8ea31ed8c73c6bfdbbbd5d57b8efffc8816cb7da7069de0f5dd586409ad44058155cccda12f83811c8691a9f2fe181ce6849bb0beaca96feedb3265

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r88707750.exe
Filesize
169KB

MD5
1e6606bbdd848c439b3f4a32465e5ffe

SHA1
40a884cf66ebbc880526583f466b3b5537c66bd9

SHA256
328db8b74a7c8d0f73f3580c632c08a7c2b3541fecb79a388c3666d49b77016d

SHA512
2154eda4d6b75a92635975f4e079e937bae8027059ba029df5271f8da6e2626444a264b430825f84ebc0e3a0dacccc8de2c57d518a6ff610cf2ef3cd22f3938b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r88707750.exe
Filesize
169KB

MD5
1e6606bbdd848c439b3f4a32465e5ffe

SHA1
40a884cf66ebbc880526583f466b3b5537c66bd9

SHA256
328db8b74a7c8d0f73f3580c632c08a7c2b3541fecb79a388c3666d49b77016d

SHA512
2154eda4d6b75a92635975f4e079e937bae8027059ba029df5271f8da6e2626444a264b430825f84ebc0e3a0dacccc8de2c57d518a6ff610cf2ef3cd22f3938b

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe
Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1056-2329-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1056-2327-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1056-2326-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/1612-164-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-208-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-162-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-158-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-166-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-168-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-170-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-172-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-174-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-176-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-178-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-180-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-182-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-184-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-186-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-188-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-190-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-194-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-196-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-198-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-192-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-200-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-202-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-204-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-206-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-160-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-210-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-212-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-214-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-216-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-154-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-2308-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1612-156-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-153-0x0000000004F40000-0x0000000004FA0000-memory.dmp

Filesize
384KB

Download
memory/1612-148-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/1612-2314-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1612-150-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1612-2316-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1612-2315-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1612-149-0x0000000000950000-0x00000000009AB000-memory.dmp

Filesize
364KB

Download
memory/1612-151-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1612-152-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2936-2321-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2936-2320-0x00000000054F0000-0x000000000552C000-memory.dmp

Filesize
240KB

Download
memory/2936-2319-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/2936-2318-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/2936-2317-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/2936-2328-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2936-2313-0x0000000000B40000-0x0000000000B6E000-memory.dmp

Filesize
184KB

Download