redline | 4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe
Size

894KB
MD5

c84c9aa6409b7b725eaeeb0dbffb6863
SHA1

a8a83c4e3049532ec16ae4714db822f689499f98
SHA256

4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86
SHA512

aadb1adf1a607c889862d2a34560d84981ac4aa8a6a0efd09a0b576af30a02888280343b1bc0dbf1a9591581aa5fd2fd389e333fcd8791bcb47f826dbe024720
SSDEEP

12288:9y905FR5SaPIhxDAMpYRzOnnMq1xR5swRnPqZ1nejoZbF7KE0rLurHxtAc23fURD:9yEFPe5KwntR7RniZMj830r6rR23sN

Score

10^/10

redline dante gena discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dante

185.161.248.73:4164

Attributes

auth_value
f4066af6b8a6f23125c8ee48288a3f90

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1868-2169-0x0000000005B00000-0x0000000005B32000-memory.dmp	family_redline
behavioral1/files/0x0002000000022ab5-2174.dat	family_redline
behavioral1/memory/4176-2182-0x0000000000270000-0x000000000029E000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b7c-2195.dat	family_redline
behavioral1/memory/1280-2196-0x0000000000A00000-0x0000000000A30000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	p46671733.exe

Executes dropped EXE 4 IoCs

pid	Process
3116	y26928112.exe
1868	p46671733.exe
4176	1.exe
1280	r56727924.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y26928112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3572	1868	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p46671733.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r56727924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y26928112.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	p46671733.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3116	2296	4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe	83
PID 2296 wrote to memory of 3116	2296	4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe	83
PID 2296 wrote to memory of 3116	2296	4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe	83
PID 3116 wrote to memory of 1868	3116	y26928112.exe	84
PID 3116 wrote to memory of 1868	3116	y26928112.exe	84
PID 3116 wrote to memory of 1868	3116	y26928112.exe	84
PID 1868 wrote to memory of 4176	1868	p46671733.exe	93
PID 1868 wrote to memory of 4176	1868	p46671733.exe	93
PID 1868 wrote to memory of 4176	1868	p46671733.exe	93
PID 3116 wrote to memory of 1280	3116	y26928112.exe	98
PID 3116 wrote to memory of 1280	3116	y26928112.exe	98
PID 3116 wrote to memory of 1280	3116	y26928112.exe	98

C:\Users\Admin\AppData\Local\Temp\4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe
"C:\Users\Admin\AppData\Local\Temp\4afb5064403ce5b899a7d996a743b1e8c8b75fb64f614c285714861d1a2c6c86.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26928112.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26928112.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p46671733.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p46671733.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1504
      4⤵
      Program crash
      PID:3572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r56727924.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r56727924.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1868 -ip 1868
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y26928112.exe

Filesize
590KB

MD5
4fd9a0c9aff7f3300ebb25d88549e197

SHA1
b08c27b99ff72fa112a1f83a1a46265ecf7ab860

SHA256
7c9cf586a38192da9a50bfe346735e5fea989e0cccb7f17c68a1a91d6d28d321

SHA512
cd5deb2f50e92a9731fc724ff093bc599dd614a01090fca205ff0de600c783951a7810df063663a2644923905034303d435494a36925e958f4291073f4fd04e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p46671733.exe

Filesize
530KB

MD5
ea7fd283ac4bba18e9657bd10bf17aec

SHA1
f7ac0269e820e7a250a8a8cab57f34f6326fbe04

SHA256
5291ddf2e14d039767ea64e4db90f0d66f74897714ba18e33d77da6d1c88b809

SHA512
130e45b9e5d13058791977e7519f14385cad5afa3b3bc92eda67241a373ab8d1138add80f20b6bc18af306a10fb0e7bab18520231fddaef8debcfa76b45e4e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r56727924.exe

Filesize
168KB

MD5
0979f9250e3a5e7e66f2f6a9ad569982

SHA1
2c5ad9bc539095d4639597eb39daacc3c30dbec0

SHA256
af274e030fc081ca665c32624324b7201f64a28a7f6a6e15012f4849dd640677

SHA512
92f259cf0387a98ac6d3c65d68138e7029cfa627f0504866f0d009d34542b784aada9eb2097354a9d3b2eb3842fd7548590b74cda43d3328c3b578c24ca01414

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1280-2197-0x0000000002C50000-0x0000000002C56000-memory.dmp

Filesize
24KB

Download
memory/1280-2196-0x0000000000A00000-0x0000000000A30000-memory.dmp

Filesize
192KB

Download
memory/1868-57-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-20-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/1868-19-0x0000000002E40000-0x0000000002EA8000-memory.dmp

Filesize
416KB

Download
memory/1868-49-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-51-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-81-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-61-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-43-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-31-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-25-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-85-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-83-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-79-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-77-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-75-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-73-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-72-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-69-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-68-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-65-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-63-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-59-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1868-55-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-53-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-21-0x0000000002EB0000-0x0000000002F16000-memory.dmp

Filesize
408KB

Download
memory/1868-18-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/1868-47-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-45-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-41-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-39-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-37-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-35-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-33-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-29-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-27-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-23-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-22-0x0000000002EB0000-0x0000000002F10000-memory.dmp

Filesize
384KB

Download
memory/1868-2168-0x0000000000C90000-0x0000000000D90000-memory.dmp

Filesize
1024KB

Download
memory/1868-2169-0x0000000005B00000-0x0000000005B32000-memory.dmp

Filesize
200KB

Download
memory/1868-2191-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1868-2192-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/1868-2190-0x0000000002730000-0x000000000278B000-memory.dmp

Filesize
364KB

Download
memory/1868-15-0x0000000000C90000-0x0000000000D90000-memory.dmp

Filesize
1024KB

Download
memory/1868-16-0x0000000002730000-0x000000000278B000-memory.dmp

Filesize
364KB

Download
memory/4176-2184-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/4176-2183-0x0000000000BC0000-0x0000000000BC6000-memory.dmp

Filesize
24KB

Download
memory/4176-2182-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/4176-2185-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

Filesize
1.0MB

Download
memory/4176-2186-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/4176-2187-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/4176-2188-0x0000000004DD0000-0x0000000004E1C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads