redline | 1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe
Size

792KB
MD5

2ea3e3f6af40ce6d06995807db65dca7
SHA1

d731c2f4b68c5bae48bcb6373ecc3b7ac1d465af
SHA256

1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991
SHA512

962c7a93bfe48f95144f5b18b69bccada88b078ee5bfb1639dd7258d42bfea1d2c9ecb541970724f2b1584117317f81b75e2595588dfd2f6179183d77efb2fe7
SSDEEP

12288:Ay90pZV/qWjm/Ahsah3+V1ErCi1Tuf57x+4qisZTHR6vugJexqRUgJu9Wt:AyaZV/Y/AP3tKbUrZTx6WqK3Wt

Score

10^/10

redline dante gena discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dante

185.161.248.73:4164

Attributes

auth_value
f4066af6b8a6f23125c8ee48288a3f90

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3648-2169-0x00000000059C0000-0x00000000059F2000-memory.dmp	family_redline
C:\Windows\Temp\1.exe	family_redline
behavioral1/memory/6000-2182-0x0000000000A40000-0x0000000000A6E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n98385709.exe	family_redline
behavioral1/memory/5300-2196-0x0000000000CC0000-0x0000000000CF0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m62165835.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	m62165835.exe

Executes dropped EXE 4 IoCs

Processes:

x85460456.exem62165835.exe1.exen98385709.exe

pid process

960 x85460456.exe
3648 m62165835.exe
6000 1.exe
5300 n98385709.exe

pid	process
960	x85460456.exe
3648	m62165835.exe
6000	1.exe
5300	n98385709.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exex85460456.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x85460456.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2460 3648 WerFault.exe m62165835.exe

pid	pid_target	process	target process
2460	3648	WerFault.exe	m62165835.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.exen98385709.exe1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exex85460456.exem62165835.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n98385709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x85460456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m62165835.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

m62165835.exe

description pid process

Token: SeDebugPrivilege 3648 m62165835.exe

description	pid	process
Token: SeDebugPrivilege	3648	m62165835.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exex85460456.exem62165835.exe

description	pid	process	target process
PID 2716 wrote to memory of 960	2716	1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe	x85460456.exe
PID 2716 wrote to memory of 960	2716	1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe	x85460456.exe
PID 2716 wrote to memory of 960	2716	1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe	x85460456.exe
PID 960 wrote to memory of 3648	960	x85460456.exe	m62165835.exe
PID 960 wrote to memory of 3648	960	x85460456.exe	m62165835.exe
PID 960 wrote to memory of 3648	960	x85460456.exe	m62165835.exe
PID 3648 wrote to memory of 6000	3648	m62165835.exe	1.exe
PID 3648 wrote to memory of 6000	3648	m62165835.exe	1.exe
PID 3648 wrote to memory of 6000	3648	m62165835.exe	1.exe
PID 960 wrote to memory of 5300	960	x85460456.exe	n98385709.exe
PID 960 wrote to memory of 5300	960	x85460456.exe	n98385709.exe
PID 960 wrote to memory of 5300	960	x85460456.exe	n98385709.exe

C:\Users\Admin\AppData\Local\Temp\1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe
"C:\Users\Admin\AppData\Local\Temp\1009180a099dea7dfefaac48586008563589e962df14dfb0e041cc8970690991.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x85460456.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x85460456.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m62165835.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m62165835.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1384
      4⤵
      Program crash
      PID:2460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n98385709.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n98385709.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3648 -ip 3648
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x85460456.exe

Filesize
589KB

MD5
26896ef6b7f18e8822fd6d2186923a9d

SHA1
c9d7230365cfa95a42b05ab84577d61849cb7f04

SHA256
a2783b268784d9a2d8499ddc3d21523c84b4bafa1d97bd1ca1e899e9e1c72d1e

SHA512
636f1e9dd14ad205a359d8da6fd5d7e9e319a8ec90c9c5f1bf3a2789f194549afe27a2a48ccae1579b344d85c71acbd927bebb0d04a6d27287c037d03f4ce2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m62165835.exe

Filesize
530KB

MD5
10430edbab11e093c21b11328120a358

SHA1
7b410a65bb453639437e1c18d33a27e02255b614

SHA256
f966e8edc36736a8dd6811dc5178637d796c2c80ee165c70c41b054cfa2867fc

SHA512
d2fcea0e9fbc69fb51e623a7df9e4fdc9e81b4104ec46db4d1f058301fc10632813d4b2937a704495ee3039955a0979343f27c71104bb49bc394be51534a6399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n98385709.exe

Filesize
168KB

MD5
917549c28532b01699f3759fe318c261

SHA1
e8034fd45d1fe976fb96ea1cbc5300b4411c3c53

SHA256
5be443e3cd0a0f2f1469adba7fdab4deac2ab9b7beb01721e09d59ba3399b755

SHA512
284ca20d852bdea8163fdac792acbed5954783cd0f39d6aaa46a11b6c3e049c0d7dfec320426fa6ce4fd5f0f1d87c506ba6813d9290b7b96fc8f26f69f1cb648

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/3648-51-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-2192-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/3648-47-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-18-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/3648-19-0x0000000005000000-0x0000000005068000-memory.dmp

Filesize
416KB

Download
memory/3648-20-0x0000000005180000-0x0000000005724000-memory.dmp

Filesize
5.6MB

Download
memory/3648-21-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3648-65-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-75-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-85-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-83-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-81-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-79-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-77-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-73-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-71-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-69-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-67-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-63-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-61-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-59-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-57-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-55-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-53-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-15-0x0000000000BD0000-0x0000000000CD0000-memory.dmp

Filesize
1024KB

Download
memory/3648-49-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3648-43-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-16-0x0000000002700000-0x000000000275B000-memory.dmp

Filesize
364KB

Download
memory/3648-39-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-37-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-35-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-33-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-31-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-27-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-25-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-23-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-22-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-45-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-29-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/3648-2168-0x0000000000BD0000-0x0000000000CD0000-memory.dmp

Filesize
1024KB

Download
memory/3648-2169-0x00000000059C0000-0x00000000059F2000-memory.dmp

Filesize
200KB

Download
memory/3648-2187-0x0000000002700000-0x000000000275B000-memory.dmp

Filesize
364KB

Download
memory/3648-2191-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3648-41-0x0000000005770000-0x00000000057D0000-memory.dmp

Filesize
384KB

Download
memory/5300-2196-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download
memory/5300-2197-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/6000-2182-0x0000000000A40000-0x0000000000A6E000-memory.dmp

Filesize
184KB

Download
memory/6000-2183-0x0000000001080000-0x0000000001086000-memory.dmp

Filesize
24KB

Download
memory/6000-2184-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/6000-2185-0x0000000005520000-0x000000000562A000-memory.dmp

Filesize
1.0MB

Download
memory/6000-2186-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/6000-2188-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/6000-2189-0x0000000005490000-0x00000000054DC000-memory.dmp

Filesize
304KB

Download