redline | ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155

Analysis

max time kernel
125s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Size

1.5MB
MD5

2a2216b605e12dcd36c580688eaa81e7
SHA1

35bf6a2abf0410f0b21ed318f7268cf0f4f57ced
SHA256

ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155
SHA512

442d967593ce0ea07b91d723b082851707dac15433c9e93715b72d08caed0c0ed4613eba8c46c862725907aa34afda2c822235d65ba73056a92bf758b24679c2
SSDEEP

24576:syt4JIJoKJsJ+PMz+eI7i8hEr6YhS/x3Xs77GhHoqLsKaKW+i3QtWMMLlpaqJK9z:btYko8PMVCih2n/xns7CBraCigtyLlpd

Score

10^/10

redline most infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

most

185.161.248.73:4164

Attributes

auth_value
7da4dfa153f2919e617aa016f7c36008

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3128-169-0x000000000A690000-0x000000000ACA8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

i15915063.exei01671203.exei50561024.exei85282792.exea28836202.exe

pid process

4288 i15915063.exe
5000 i01671203.exe
2168 i50561024.exe
1436 i85282792.exe
3128 a28836202.exe

pid	process
4288	i15915063.exe
5000	i01671203.exe
2168	i50561024.exe
1436	i85282792.exe
3128	a28836202.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exei15915063.exei01671203.exei50561024.exei85282792.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i15915063.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i01671203.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i50561024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i50561024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i15915063.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i01671203.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i85282792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i85282792.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exei15915063.exei01671203.exei50561024.exei85282792.exe

description	pid	process	target process
PID 2132 wrote to memory of 4288	2132	ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe	i15915063.exe
PID 2132 wrote to memory of 4288	2132	ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe	i15915063.exe
PID 2132 wrote to memory of 4288	2132	ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe	i15915063.exe
PID 4288 wrote to memory of 5000	4288	i15915063.exe	i01671203.exe
PID 4288 wrote to memory of 5000	4288	i15915063.exe	i01671203.exe
PID 4288 wrote to memory of 5000	4288	i15915063.exe	i01671203.exe
PID 5000 wrote to memory of 2168	5000	i01671203.exe	i50561024.exe
PID 5000 wrote to memory of 2168	5000	i01671203.exe	i50561024.exe
PID 5000 wrote to memory of 2168	5000	i01671203.exe	i50561024.exe
PID 2168 wrote to memory of 1436	2168	i50561024.exe	i85282792.exe
PID 2168 wrote to memory of 1436	2168	i50561024.exe	i85282792.exe
PID 2168 wrote to memory of 1436	2168	i50561024.exe	i85282792.exe
PID 1436 wrote to memory of 3128	1436	i85282792.exe	a28836202.exe
PID 1436 wrote to memory of 3128	1436	i85282792.exe	a28836202.exe
PID 1436 wrote to memory of 3128	1436	i85282792.exe	a28836202.exe

C:\Users\Admin\AppData\Local\Temp\ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe
"C:\Users\Admin\AppData\Local\Temp\ff953db8aa0a8d1e7a4c5bc8859a8a519ff2d4f8f6cbbb24289b198d62d76155.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
6⤵
- Executes dropped EXE
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
Filesize
1.3MB

MD5
6f9516919aa643cad0b8d6d607fc2560

SHA1
35be3d81998333d6f47087c9530e8bc1cdc3b76d

SHA256
ae8a14f64fe2ea3bb827fa8f08c209c4aba3254f1c3acb894dffc79de621bab2

SHA512
5bdb218b9b9ef69aa426cecd12b46aff36c2f1235274637cb9f3dfbf9f9c67e5fb8471090e0854c0ada4a39b40697e8371bb588b7793a7c0e1fe4687673fde3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i15915063.exe
Filesize
1.3MB

MD5
6f9516919aa643cad0b8d6d607fc2560

SHA1
35be3d81998333d6f47087c9530e8bc1cdc3b76d

SHA256
ae8a14f64fe2ea3bb827fa8f08c209c4aba3254f1c3acb894dffc79de621bab2

SHA512
5bdb218b9b9ef69aa426cecd12b46aff36c2f1235274637cb9f3dfbf9f9c67e5fb8471090e0854c0ada4a39b40697e8371bb588b7793a7c0e1fe4687673fde3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
Filesize
1023KB

MD5
cbe4e6b9c1192bb27422585d478c7513

SHA1
10a6c270eae40808d49c6bf6fecad25b4fc6cbf3

SHA256
f79799a5f64b160e42652d4b25a897d87d03b323a57c38371ef6dabaaa6acca5

SHA512
09f455b001d6e673f760d630c741a4d5020d7f95165eacaa0e38f3b4930a54fa811a360c67242a9809d5e2a67e34aba449e839de23d74ebefdbdff70c77740e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i01671203.exe
Filesize
1023KB

MD5
cbe4e6b9c1192bb27422585d478c7513

SHA1
10a6c270eae40808d49c6bf6fecad25b4fc6cbf3

SHA256
f79799a5f64b160e42652d4b25a897d87d03b323a57c38371ef6dabaaa6acca5

SHA512
09f455b001d6e673f760d630c741a4d5020d7f95165eacaa0e38f3b4930a54fa811a360c67242a9809d5e2a67e34aba449e839de23d74ebefdbdff70c77740e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
Filesize
852KB

MD5
e65a78ee22410808a42bb138234e7b57

SHA1
d96556f8d7f603bfecf69d22f7d9cb13b737647c

SHA256
f7735e9313660bfd4181cb7a7cd6ab2f8d74aa918ffa8b020b4541019a5f4041

SHA512
cb4e4b06271c7d83da5c6cbce420aca46618ba57136c16c0a4e0614e4a8334a089b4fb31cd6b49d05261ecb058a432a86225b6e9952aa0cacd4f6b5cc0105bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i50561024.exe
Filesize
852KB

MD5
e65a78ee22410808a42bb138234e7b57

SHA1
d96556f8d7f603bfecf69d22f7d9cb13b737647c

SHA256
f7735e9313660bfd4181cb7a7cd6ab2f8d74aa918ffa8b020b4541019a5f4041

SHA512
cb4e4b06271c7d83da5c6cbce420aca46618ba57136c16c0a4e0614e4a8334a089b4fb31cd6b49d05261ecb058a432a86225b6e9952aa0cacd4f6b5cc0105bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
Filesize
375KB

MD5
2ad4946b18bf5c8017a3c96c675ce46d

SHA1
a5525f06bedd6b39832e0391b803b00aaae9a51f

SHA256
f37a0d93587c039b09b809e6cbca090caecae77ebac624383c775ef2b0382b0e

SHA512
5dd56567fd0404a91c1a7877676549e5dc2c39dadb622610865ffb72db436168344b6836cf4b15e6904c7c36f9cd7f947776b46b0e1b796ba52f568d05f0d2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i85282792.exe
Filesize
375KB

MD5
2ad4946b18bf5c8017a3c96c675ce46d

SHA1
a5525f06bedd6b39832e0391b803b00aaae9a51f

SHA256
f37a0d93587c039b09b809e6cbca090caecae77ebac624383c775ef2b0382b0e

SHA512
5dd56567fd0404a91c1a7877676549e5dc2c39dadb622610865ffb72db436168344b6836cf4b15e6904c7c36f9cd7f947776b46b0e1b796ba52f568d05f0d2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
Filesize
169KB

MD5
d99d8df158eaa69d84edd709623c9f5f

SHA1
70bf9d02e8778f894c5ea343ffab716064d1efa2

SHA256
71fed9b4828b1e0938548feadc32a5a820c27b215722993461fd99196fc348db

SHA512
95d1480e24ae53652c57419c7077a7b4f08d973bcf7042f381202699729ffaf1a67496474aa67af2c5efa4a8340ad342d301d537b3c57f48dcbabe179417eab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a28836202.exe
Filesize
169KB

MD5
d99d8df158eaa69d84edd709623c9f5f

SHA1
70bf9d02e8778f894c5ea343ffab716064d1efa2

SHA256
71fed9b4828b1e0938548feadc32a5a820c27b215722993461fd99196fc348db

SHA512
95d1480e24ae53652c57419c7077a7b4f08d973bcf7042f381202699729ffaf1a67496474aa67af2c5efa4a8340ad342d301d537b3c57f48dcbabe179417eab7

Download Submit
memory/3128-168-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/3128-169-0x000000000A690000-0x000000000ACA8000-memory.dmp

Filesize
6.1MB

Download
memory/3128-170-0x000000000A1F0000-0x000000000A2FA000-memory.dmp

Filesize
1.0MB

Download
memory/3128-171-0x000000000A120000-0x000000000A132000-memory.dmp

Filesize
72KB

Download
memory/3128-172-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/3128-173-0x000000000A180000-0x000000000A1BC000-memory.dmp

Filesize
240KB

Download
memory/3128-174-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download