redline | ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Size

1.5MB
MD5

7e2b7b900ac9b38d9d8bdc7098508b06
SHA1

015a269069616f7f46d9f6256b49fe067b6854cb
SHA256

ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180
SHA512

d8ade0ccfaf1a515f6ecfa0e9f8d337d99b278a1a261d2380a9b21e158145460e564e08407bf5b93104ee689d948942fdf1e8116aa0b25db40797a14b8fa5bac
SSDEEP

24576:cywUin5Eo3Nl3ifgCj4AgRf2Jk9lS853c+h2H6GgRu6pEJ1BVsiupslv5gJdw:LwUin6GC7gRf2MlhTh2Ho1MVLIIan

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/5072-169-0x000000000B420000-0x000000000BA38000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i98290231.exei48968505.exei63212516.exei24494922.exea87529677.exe

pid process

2328 i98290231.exe
4744 i48968505.exe
2176 i63212516.exe
792 i24494922.exe
5072 a87529677.exe

pid	process
2328	i98290231.exe
4744	i48968505.exe
2176	i63212516.exe
792	i24494922.exe
5072	a87529677.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i24494922.exeff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exei98290231.exei48968505.exei63212516.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i24494922.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i98290231.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i48968505.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i63212516.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i63212516.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i24494922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i98290231.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i48968505.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exei98290231.exei48968505.exei63212516.exei24494922.exe

description	pid	process	target process
PID 1724 wrote to memory of 2328	1724	ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe	i98290231.exe
PID 1724 wrote to memory of 2328	1724	ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe	i98290231.exe
PID 1724 wrote to memory of 2328	1724	ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe	i98290231.exe
PID 2328 wrote to memory of 4744	2328	i98290231.exe	i48968505.exe
PID 2328 wrote to memory of 4744	2328	i98290231.exe	i48968505.exe
PID 2328 wrote to memory of 4744	2328	i98290231.exe	i48968505.exe
PID 4744 wrote to memory of 2176	4744	i48968505.exe	i63212516.exe
PID 4744 wrote to memory of 2176	4744	i48968505.exe	i63212516.exe
PID 4744 wrote to memory of 2176	4744	i48968505.exe	i63212516.exe
PID 2176 wrote to memory of 792	2176	i63212516.exe	i24494922.exe
PID 2176 wrote to memory of 792	2176	i63212516.exe	i24494922.exe
PID 2176 wrote to memory of 792	2176	i63212516.exe	i24494922.exe
PID 792 wrote to memory of 5072	792	i24494922.exe	a87529677.exe
PID 792 wrote to memory of 5072	792	i24494922.exe	a87529677.exe
PID 792 wrote to memory of 5072	792	i24494922.exe	a87529677.exe

C:\Users\Admin\AppData\Local\Temp\ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe
"C:\Users\Admin\AppData\Local\Temp\ff038fa336664d22efa85bb61be1db0c2a7f5e91f4a57c542008c90bcd37d180.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe
6⤵
- Executes dropped EXE
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe
Filesize
1.3MB

MD5
56107feddcf8add915ae2daacc34d26d

SHA1
d62868f3d8628c16cf3ade302fed4e5d0dac0793

SHA256
04053357fe848286a6a36b46cdb02ff33f2f8bf24e276414c5848d97a2de6c5c

SHA512
c2f5747f529f81fface9dc16e54fdd7fafad23c94f01f41dc5b64f30aa19943566487765f6219363299ff28eb09e612fd1a78e84cf7e05c874a07a27d8804c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i98290231.exe
Filesize
1.3MB

MD5
56107feddcf8add915ae2daacc34d26d

SHA1
d62868f3d8628c16cf3ade302fed4e5d0dac0793

SHA256
04053357fe848286a6a36b46cdb02ff33f2f8bf24e276414c5848d97a2de6c5c

SHA512
c2f5747f529f81fface9dc16e54fdd7fafad23c94f01f41dc5b64f30aa19943566487765f6219363299ff28eb09e612fd1a78e84cf7e05c874a07a27d8804c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe
Filesize
1022KB

MD5
5ad40f98343d381c8d8fc4c5953e23ff

SHA1
fba0aca40319ef3d67109051ba7f370ade4731db

SHA256
f3f0e156763a8384894dbc4266598537dc7d4c9ed70aa9d8490d6adc0dd9ac0d

SHA512
140df349baf168c426f684ef6a22b21e0483f9442b622e00943ebbba48fb55b4311fffe8ced1e11ab658b7eb19bffccaeb5c94cb06ffcff883c1fa7b136e3a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i48968505.exe
Filesize
1022KB

MD5
5ad40f98343d381c8d8fc4c5953e23ff

SHA1
fba0aca40319ef3d67109051ba7f370ade4731db

SHA256
f3f0e156763a8384894dbc4266598537dc7d4c9ed70aa9d8490d6adc0dd9ac0d

SHA512
140df349baf168c426f684ef6a22b21e0483f9442b622e00943ebbba48fb55b4311fffe8ced1e11ab658b7eb19bffccaeb5c94cb06ffcff883c1fa7b136e3a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe
Filesize
851KB

MD5
ff517560b07a482c46b0bf24f7764e2a

SHA1
ef2ff861b33c0596e36ec9b1681e524a36b466bd

SHA256
33dd5ac3c3ca5ecacf6c865def4ba33ab0556badb8fe1eb369ae3fedd38be65a

SHA512
94cbe1705f0290f917f5b407bc21efdf72b44cf19caa978b346ff507704645b3ca304e8c3f00ced7dc454c6ddcca5c13842b09c02694842c5392233d3edaf28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i63212516.exe
Filesize
851KB

MD5
ff517560b07a482c46b0bf24f7764e2a

SHA1
ef2ff861b33c0596e36ec9b1681e524a36b466bd

SHA256
33dd5ac3c3ca5ecacf6c865def4ba33ab0556badb8fe1eb369ae3fedd38be65a

SHA512
94cbe1705f0290f917f5b407bc21efdf72b44cf19caa978b346ff507704645b3ca304e8c3f00ced7dc454c6ddcca5c13842b09c02694842c5392233d3edaf28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe
Filesize
374KB

MD5
eff83950d51f3ed7328dd922ef98dc4b

SHA1
1e858a61b5dd65d56d7550825e11f80d50093a74

SHA256
8cdc63d47bc863ecb0b7a07b441d3c9b2fe922302dbab958620198f83ecd249b

SHA512
67c89c8fecbd511d4297e7f5cdf51da84ba08580a2faaf1bdd6e34c560ec1a37f11fa6d8d1ce4583ccc451e89f45e3d8368693b98fdf6c2d1038ec8c7fb553a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i24494922.exe
Filesize
374KB

MD5
eff83950d51f3ed7328dd922ef98dc4b

SHA1
1e858a61b5dd65d56d7550825e11f80d50093a74

SHA256
8cdc63d47bc863ecb0b7a07b441d3c9b2fe922302dbab958620198f83ecd249b

SHA512
67c89c8fecbd511d4297e7f5cdf51da84ba08580a2faaf1bdd6e34c560ec1a37f11fa6d8d1ce4583ccc451e89f45e3d8368693b98fdf6c2d1038ec8c7fb553a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe
Filesize
169KB

MD5
2ce696a18a92f6b4bfc9f11badd5850b

SHA1
d59c17a2c4eac19fa1c3ea54d89f226f6cd757b1

SHA256
0bb8e9c09b8d5d4d149e9f844f2e5fd62633323c5b88196e0428fe75a440159d

SHA512
e485e013385fcce3730aa65bf12229c1b354878796b47d2ec19e0026e6f78bc22146b9b92527f73fc0987584cb64726ceb3a3129782384007869b4e7836efb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a87529677.exe
Filesize
169KB

MD5
2ce696a18a92f6b4bfc9f11badd5850b

SHA1
d59c17a2c4eac19fa1c3ea54d89f226f6cd757b1

SHA256
0bb8e9c09b8d5d4d149e9f844f2e5fd62633323c5b88196e0428fe75a440159d

SHA512
e485e013385fcce3730aa65bf12229c1b354878796b47d2ec19e0026e6f78bc22146b9b92527f73fc0987584cb64726ceb3a3129782384007869b4e7836efb13

Download Submit
memory/5072-168-0x0000000000FD0000-0x0000000001000000-memory.dmp

Filesize
192KB

Download
memory/5072-169-0x000000000B420000-0x000000000BA38000-memory.dmp

Filesize
6.1MB

Download
memory/5072-170-0x000000000AF50000-0x000000000B05A000-memory.dmp

Filesize
1.0MB

Download
memory/5072-171-0x000000000AE80000-0x000000000AE92000-memory.dmp

Filesize
72KB

Download
memory/5072-172-0x000000000AEE0000-0x000000000AF1C000-memory.dmp

Filesize
240KB

Download
memory/5072-173-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/5072-174-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download