redline | fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b

Analysis

max time kernel
156s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe
Size

1.5MB
MD5

36e99f18e054464b82a9364c07e68f2c
SHA1

e1c1274a0d6056247093d937cc878f8f02ad378b
SHA256

fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b
SHA512

23c35cf7b231d5c2c53ea3405dc8e3ceb5dc03f63039c07385d88e235dd43f3d00079ec58e10cba9b0633a2e84540a2b5799cf42f5f3e7c2b95603a41a3b9675
SSDEEP

24576:OyoL0lawCioVC30r/yd2yhLfsU4KPrluslSh/dPdX8qnm3fhfBnaq52ygASA8bkX:dw33x2ZlsHKPrlrIVFX8qnm33adgU1

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/644-169-0x000000000AB20000-0x000000000B138000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i32334905.exei83474618.exei78900770.exei31990444.exea33623661.exe

pid process

2156 i32334905.exe
1872 i83474618.exe
1988 i78900770.exe
1752 i31990444.exe
644 a33623661.exe

pid	process
2156	i32334905.exe
1872	i83474618.exe
1988	i78900770.exe
1752	i31990444.exe
644	a33623661.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i31990444.exefc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exei32334905.exei83474618.exei78900770.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i31990444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i32334905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i83474618.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i31990444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i78900770.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i32334905.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i83474618.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i78900770.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exei32334905.exei83474618.exei78900770.exei31990444.exe

description	pid	process	target process
PID 3544 wrote to memory of 2156	3544	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe	i32334905.exe
PID 3544 wrote to memory of 2156	3544	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe	i32334905.exe
PID 3544 wrote to memory of 2156	3544	fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe	i32334905.exe
PID 2156 wrote to memory of 1872	2156	i32334905.exe	i83474618.exe
PID 2156 wrote to memory of 1872	2156	i32334905.exe	i83474618.exe
PID 2156 wrote to memory of 1872	2156	i32334905.exe	i83474618.exe
PID 1872 wrote to memory of 1988	1872	i83474618.exe	i78900770.exe
PID 1872 wrote to memory of 1988	1872	i83474618.exe	i78900770.exe
PID 1872 wrote to memory of 1988	1872	i83474618.exe	i78900770.exe
PID 1988 wrote to memory of 1752	1988	i78900770.exe	i31990444.exe
PID 1988 wrote to memory of 1752	1988	i78900770.exe	i31990444.exe
PID 1988 wrote to memory of 1752	1988	i78900770.exe	i31990444.exe
PID 1752 wrote to memory of 644	1752	i31990444.exe	a33623661.exe
PID 1752 wrote to memory of 644	1752	i31990444.exe	a33623661.exe
PID 1752 wrote to memory of 644	1752	i31990444.exe	a33623661.exe

C:\Users\Admin\AppData\Local\Temp\fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe
"C:\Users\Admin\AppData\Local\Temp\fc68e04f62eaef727b44915efeb8005cae3b8368c9d4cefb1b8714e5b3fb7d3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe
6⤵
- Executes dropped EXE
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe
Filesize
1.3MB

MD5
cf02fa4c8b776da5c5c2bb967d4c18bd

SHA1
cfd6e6c1080b4b21b2ad41c6a3e18742455f7d15

SHA256
d1808821150f1a2910771076feee5b0315c476a6e6aa1ced398465052a76a835

SHA512
bca6010b4d3aa7526e958f04548dda0cb4a2ace9ee18cc6e6ac889f2f9f80d5259b09db91d5274ec6e378540276c08bc0a391313fed04b438db19b86110ef9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i32334905.exe
Filesize
1.3MB

MD5
cf02fa4c8b776da5c5c2bb967d4c18bd

SHA1
cfd6e6c1080b4b21b2ad41c6a3e18742455f7d15

SHA256
d1808821150f1a2910771076feee5b0315c476a6e6aa1ced398465052a76a835

SHA512
bca6010b4d3aa7526e958f04548dda0cb4a2ace9ee18cc6e6ac889f2f9f80d5259b09db91d5274ec6e378540276c08bc0a391313fed04b438db19b86110ef9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe
Filesize
1015KB

MD5
e7db3c84a75c277f839dc012e14a591f

SHA1
b44fad91426fbb6c7375b77e71678c122b5d3b0c

SHA256
faef8199ce1935e6f5b5ced784a0d1a7559ca3fe13055cd1367389b185ab197e

SHA512
385e4c059313028aa524b045df0d922830fa5514a1a4d97886223bcb41dbed206658b28945dcd0ade859e9d07a178b7f1522887b6691de588cc1d1cc52ea1239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i83474618.exe
Filesize
1015KB

MD5
e7db3c84a75c277f839dc012e14a591f

SHA1
b44fad91426fbb6c7375b77e71678c122b5d3b0c

SHA256
faef8199ce1935e6f5b5ced784a0d1a7559ca3fe13055cd1367389b185ab197e

SHA512
385e4c059313028aa524b045df0d922830fa5514a1a4d97886223bcb41dbed206658b28945dcd0ade859e9d07a178b7f1522887b6691de588cc1d1cc52ea1239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe
Filesize
843KB

MD5
ecab5091774e3a225fb03fd5a0d7fa93

SHA1
0c2a44e41d5397aa0b3672ab9855104febbf7f38

SHA256
7b003153cac976428660ebfa8d19f79e21ef1241b017e7ff1bf616cc31efa4af

SHA512
009606c7df24bd1f6d9e10e745f9b1029019879d6d03e16d43ebea46f310d5aa3b9437969d66bb019191607d7cd9efd8043b4e15bee5677f4cbe529c37feefe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i78900770.exe
Filesize
843KB

MD5
ecab5091774e3a225fb03fd5a0d7fa93

SHA1
0c2a44e41d5397aa0b3672ab9855104febbf7f38

SHA256
7b003153cac976428660ebfa8d19f79e21ef1241b017e7ff1bf616cc31efa4af

SHA512
009606c7df24bd1f6d9e10e745f9b1029019879d6d03e16d43ebea46f310d5aa3b9437969d66bb019191607d7cd9efd8043b4e15bee5677f4cbe529c37feefe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe
Filesize
371KB

MD5
35a3f331c92dbc4f52998795d213b92b

SHA1
6f6317f72c5df565113587b2bcae76eab297b4dd

SHA256
12bcd9dc1883d7a96a5b9817e72811ee6a0052af10d3f8faa638a0d81fe5b53d

SHA512
bcbda413da7f5e92d4e69b34fb238a487366e2636449161c01977d1a1739f3e6113b30dde9d46b8115b3e00fb0637872ee4cbed426bacd57b7755d4e10251cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i31990444.exe
Filesize
371KB

MD5
35a3f331c92dbc4f52998795d213b92b

SHA1
6f6317f72c5df565113587b2bcae76eab297b4dd

SHA256
12bcd9dc1883d7a96a5b9817e72811ee6a0052af10d3f8faa638a0d81fe5b53d

SHA512
bcbda413da7f5e92d4e69b34fb238a487366e2636449161c01977d1a1739f3e6113b30dde9d46b8115b3e00fb0637872ee4cbed426bacd57b7755d4e10251cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe
Filesize
169KB

MD5
3034ee8e226ab293e8b9f13121434465

SHA1
45c328ac9268cbb76c1d37044d581fd40e902585

SHA256
25c6e1a35c12fd504218a30db9b522f729441f2780273b3834d54ec28e9ecc07

SHA512
a6d095a405ffa3ba354b7642af0d56957ccf905702be2843573684ac29edcb84700f2436c71008ee0aa7b64b292ef3d56484268e86907ed7a3ac30bb4a01fe99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a33623661.exe
Filesize
169KB

MD5
3034ee8e226ab293e8b9f13121434465

SHA1
45c328ac9268cbb76c1d37044d581fd40e902585

SHA256
25c6e1a35c12fd504218a30db9b522f729441f2780273b3834d54ec28e9ecc07

SHA512
a6d095a405ffa3ba354b7642af0d56957ccf905702be2843573684ac29edcb84700f2436c71008ee0aa7b64b292ef3d56484268e86907ed7a3ac30bb4a01fe99

Download Submit
memory/644-168-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/644-169-0x000000000AB20000-0x000000000B138000-memory.dmp

Filesize
6.1MB

Download
memory/644-170-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/644-171-0x000000000A530000-0x000000000A542000-memory.dmp

Filesize
72KB

Download
memory/644-172-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/644-173-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/644-174-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download