redline | feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe
Size

1.5MB
MD5

39f25229cbb0b657e5bc216fd971ef78
SHA1

34b7b8e3b3d19f978f6791ae105d84207a75e56a
SHA256

feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1
SHA512

c8e6e044b87a9a1d43a773d9aafedd4fbe3358405711566352def7390233ee2a94361a278596b1e4e10498534b651cb25333c197e8b3d50e6331c9d57e9497b9
SSDEEP

24576:QyidtR6Tw0P7rl8R6Iot6tPOrfjt12aBSVjbcec95S8/ef35Qv44qmnwMfL116qR:Xi3R6tP7m1WmPkf2aBSVjboXWfPmwMf5

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/2936-169-0x000000000ABE0000-0x000000000B1F8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i34391336.exei60648841.exei38872526.exei08095794.exea46737547.exe

pid process

1048 i34391336.exe
4192 i60648841.exe
3228 i38872526.exe
1232 i08095794.exe
2936 a46737547.exe

pid	process
1048	i34391336.exe
4192	i60648841.exe
3228	i38872526.exe
1232	i08095794.exe
2936	a46737547.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

i38872526.exefeb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exei34391336.exei60648841.exei08095794.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i38872526.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i34391336.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i60648841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i08095794.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i34391336.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i60648841.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i38872526.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08095794.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exei34391336.exei60648841.exei38872526.exei08095794.exe

description	pid	process	target process
PID 4352 wrote to memory of 1048	4352	feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe	i34391336.exe
PID 4352 wrote to memory of 1048	4352	feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe	i34391336.exe
PID 4352 wrote to memory of 1048	4352	feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe	i34391336.exe
PID 1048 wrote to memory of 4192	1048	i34391336.exe	i60648841.exe
PID 1048 wrote to memory of 4192	1048	i34391336.exe	i60648841.exe
PID 1048 wrote to memory of 4192	1048	i34391336.exe	i60648841.exe
PID 4192 wrote to memory of 3228	4192	i60648841.exe	i38872526.exe
PID 4192 wrote to memory of 3228	4192	i60648841.exe	i38872526.exe
PID 4192 wrote to memory of 3228	4192	i60648841.exe	i38872526.exe
PID 3228 wrote to memory of 1232	3228	i38872526.exe	i08095794.exe
PID 3228 wrote to memory of 1232	3228	i38872526.exe	i08095794.exe
PID 3228 wrote to memory of 1232	3228	i38872526.exe	i08095794.exe
PID 1232 wrote to memory of 2936	1232	i08095794.exe	a46737547.exe
PID 1232 wrote to memory of 2936	1232	i08095794.exe	a46737547.exe
PID 1232 wrote to memory of 2936	1232	i08095794.exe	a46737547.exe

C:\Users\Admin\AppData\Local\Temp\feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe
"C:\Users\Admin\AppData\Local\Temp\feb84e247fa3deaf7f9af2f236f7ef78989413ce696b1a7f3cdad73157def0f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i34391336.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i34391336.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60648841.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60648841.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i38872526.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i38872526.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08095794.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08095794.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46737547.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46737547.exe
6⤵
- Executes dropped EXE
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i34391336.exe
Filesize
1.3MB

MD5
740a4101d813f14636b0cf8189fa765f

SHA1
d2b2cb716654fe1567b4c2d54ed497ce684f4942

SHA256
ee198e061f1b56d11a12d3c469c1bd997da4e977c5a5f381ae829897fc74e4f8

SHA512
bdbf65dec404a54830fb56ff2db6e4de6e41c91d77745922f72b69cc4e560c8c6fcbb36b9d5a193d0da938e2d577cdec37617cca437e87db5f26bff92eb1ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i34391336.exe
Filesize
1.3MB

MD5
740a4101d813f14636b0cf8189fa765f

SHA1
d2b2cb716654fe1567b4c2d54ed497ce684f4942

SHA256
ee198e061f1b56d11a12d3c469c1bd997da4e977c5a5f381ae829897fc74e4f8

SHA512
bdbf65dec404a54830fb56ff2db6e4de6e41c91d77745922f72b69cc4e560c8c6fcbb36b9d5a193d0da938e2d577cdec37617cca437e87db5f26bff92eb1ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60648841.exe
Filesize
1014KB

MD5
5f1c2cb050107dbe9e6aea184adddc05

SHA1
37ea1b452d1fc28f7ab05ce3ccf9321a8fd6db3f

SHA256
a9afed52fe81af80235583840ca99279db7ab6725606518b2202298c613d3a44

SHA512
56885e6dcd3e2082ab72d3c7057f0fb1f08333e9b44d65d59e60d2f7c5ad22f0bdcdebcdba8a80d8f4d4dfd90a7a43d43adc7258b3237e8899e9985ccfce9d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i60648841.exe
Filesize
1014KB

MD5
5f1c2cb050107dbe9e6aea184adddc05

SHA1
37ea1b452d1fc28f7ab05ce3ccf9321a8fd6db3f

SHA256
a9afed52fe81af80235583840ca99279db7ab6725606518b2202298c613d3a44

SHA512
56885e6dcd3e2082ab72d3c7057f0fb1f08333e9b44d65d59e60d2f7c5ad22f0bdcdebcdba8a80d8f4d4dfd90a7a43d43adc7258b3237e8899e9985ccfce9d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i38872526.exe
Filesize
842KB

MD5
13e859aeada9a721ad05477a4471a855

SHA1
85d1458cbb3173d9ac756a939f8f4c5e6f4887ab

SHA256
d3cda7ec959d6c765c06428b7dd83a5129793ae95236480ea75efdb2aa066340

SHA512
df083ed666394816dab949d29a1b1d08e191bf11a546bcf9a7eb60f3cfba14d084bceadc7505e9941e2fbdbbc149a7fa50d7e77dda0770a836957917e65906bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i38872526.exe
Filesize
842KB

MD5
13e859aeada9a721ad05477a4471a855

SHA1
85d1458cbb3173d9ac756a939f8f4c5e6f4887ab

SHA256
d3cda7ec959d6c765c06428b7dd83a5129793ae95236480ea75efdb2aa066340

SHA512
df083ed666394816dab949d29a1b1d08e191bf11a546bcf9a7eb60f3cfba14d084bceadc7505e9941e2fbdbbc149a7fa50d7e77dda0770a836957917e65906bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08095794.exe
Filesize
370KB

MD5
b074c4ca0dff70ecd993f5c10d1e0019

SHA1
b2db0358a18aee9fc16b457ba34810b8b3a8981d

SHA256
42a332613e34152aeeca70f107e54555876afab552529c0391b4f58ea4e22678

SHA512
c3a777bd31741f6ecd0a88eae2e5487666cf5481385257782481d2bde5fa998d17a1228c5247a5db405afbf55c341321d22de21e808504d4e75f02f7d6f754f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i08095794.exe
Filesize
370KB

MD5
b074c4ca0dff70ecd993f5c10d1e0019

SHA1
b2db0358a18aee9fc16b457ba34810b8b3a8981d

SHA256
42a332613e34152aeeca70f107e54555876afab552529c0391b4f58ea4e22678

SHA512
c3a777bd31741f6ecd0a88eae2e5487666cf5481385257782481d2bde5fa998d17a1228c5247a5db405afbf55c341321d22de21e808504d4e75f02f7d6f754f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46737547.exe
Filesize
169KB

MD5
9d652ccd5dfbf9c2a386ac48c4585484

SHA1
8e3edbdd10cfa7d9bdefe15d28c3a5e63f939042

SHA256
30125a09ff15535c8a20e9edbc8f332a77572dd8d4428cfa08d5c22461d8a713

SHA512
48969f6a1305379d45d12d4c97702d62e7fd66a931de6c6e64ce1b1408591fa4964d1641272a5223a95ec618171206bb1f654034617d10f1dd4941727417fe25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a46737547.exe
Filesize
169KB

MD5
9d652ccd5dfbf9c2a386ac48c4585484

SHA1
8e3edbdd10cfa7d9bdefe15d28c3a5e63f939042

SHA256
30125a09ff15535c8a20e9edbc8f332a77572dd8d4428cfa08d5c22461d8a713

SHA512
48969f6a1305379d45d12d4c97702d62e7fd66a931de6c6e64ce1b1408591fa4964d1641272a5223a95ec618171206bb1f654034617d10f1dd4941727417fe25

Download Submit
memory/2936-168-0x00000000007F0000-0x0000000000820000-memory.dmp

Filesize
192KB

Download
memory/2936-169-0x000000000ABE0000-0x000000000B1F8000-memory.dmp

Filesize
6.1MB

Download
memory/2936-170-0x000000000A6D0000-0x000000000A7DA000-memory.dmp

Filesize
1.0MB

Download
memory/2936-171-0x00000000050D0000-0x00000000050E2000-memory.dmp

Filesize
72KB

Download
memory/2936-172-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/2936-173-0x000000000A5C0000-0x000000000A5FC000-memory.dmp

Filesize
240KB

Download
memory/2936-174-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download