redline | d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa

Analysis

max time kernel
237s
max time network
246s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe
Size

930KB
MD5

198488ccbd6bf1eb1e2627642659dfd1
SHA1

5a2433a2ace450f461b301d8e3b14c44edaac8c9
SHA256

d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa
SHA512

c960031346f661955add5bd07f9b480a3fccba1feb6b2799113de31de0459e21f8bef8b8312b2a039b46ce346fc75c455f1f15dda479aa4bc0e3b0008f09d397
SSDEEP

12288:ey90o5CSbqTYixb2gPny9W58Z/42fKOtNKEAFOO9ncxXaAmztd9ffBE0BpJC5yyg:eytXqNJbqJRBt8l9nchaL9REIZll

Score

10^/10

redline dark discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/5096-4468-0x000000000A460000-0x000000000AA78000-memory.dmp	redline_stealer
behavioral2/memory/5096-4475-0x0000000004A30000-0x0000000004A96000-memory.dmp	redline_stealer
behavioral2/memory/5096-4476-0x000000000B920000-0x000000000BAE2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	68675793.exe

Executes dropped EXE 5 IoCs

pid	Process
1236	st139521.exe
3984	68675793.exe
4476	1.exe
2004	kp800960.exe
5096	lr287846.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st139521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st139521.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
620	2004	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4476	1.exe
4476	1.exe
5096	lr287846.exe
5096	lr287846.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	68675793.exe
Token: SeDebugPrivilege	4476	1.exe
Token: SeDebugPrivilege	2004	kp800960.exe
Token: SeDebugPrivilege	5096	lr287846.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1236	4380	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe	80
PID 4380 wrote to memory of 1236	4380	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe	80
PID 4380 wrote to memory of 1236	4380	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe	80
PID 1236 wrote to memory of 3984	1236	st139521.exe	81
PID 1236 wrote to memory of 3984	1236	st139521.exe	81
PID 1236 wrote to memory of 3984	1236	st139521.exe	81
PID 3984 wrote to memory of 4476	3984	68675793.exe	82
PID 3984 wrote to memory of 4476	3984	68675793.exe	82
PID 1236 wrote to memory of 2004	1236	st139521.exe	83
PID 1236 wrote to memory of 2004	1236	st139521.exe	83
PID 1236 wrote to memory of 2004	1236	st139521.exe	83
PID 4380 wrote to memory of 5096	4380	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe	87
PID 4380 wrote to memory of 5096	4380	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe	87
PID 4380 wrote to memory of 5096	4380	d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe	87

C:\Users\Admin\AppData\Local\Temp\d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe
"C:\Users\Admin\AppData\Local\Temp\d5bcbf7a78cb04f57a934e02be485bba2c42e53e9f82ec44c88a1c8369b97baa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1272
      4⤵
      Program crash
      PID:620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2004 -ip 2004
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe

Filesize
168KB

MD5
16cf18c8ef1d4be89b36e27c8fb88e9d

SHA1
7811ba84f75a1adc6d995c2c1121ec996d1cc003

SHA256
116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

SHA512
4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr287846.exe

Filesize
168KB

MD5
16cf18c8ef1d4be89b36e27c8fb88e9d

SHA1
7811ba84f75a1adc6d995c2c1121ec996d1cc003

SHA256
116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

SHA512
4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe

Filesize
777KB

MD5
1e000b19e66cc219ef86ab22a6138733

SHA1
26c2ee2b42531f3cf98a2ba496a7192a4b409eff

SHA256
5fc431c32cfaaea7a3f81697416096a3619c0cfbf45d87eb4cf9780d011c130d

SHA512
f731027ac4e898036bd9ada78f65312d0cf34d74c2be5565614d11d16f2397a734b8c243aa6f5dbd5a14cc6a88494171bc01f0d931a72304b418c426644132fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st139521.exe

Filesize
777KB

MD5
1e000b19e66cc219ef86ab22a6138733

SHA1
26c2ee2b42531f3cf98a2ba496a7192a4b409eff

SHA256
5fc431c32cfaaea7a3f81697416096a3619c0cfbf45d87eb4cf9780d011c130d

SHA512
f731027ac4e898036bd9ada78f65312d0cf34d74c2be5565614d11d16f2397a734b8c243aa6f5dbd5a14cc6a88494171bc01f0d931a72304b418c426644132fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe

Filesize
299KB

MD5
77fed822d8705ba474bb9cc0e48ea8ee

SHA1
03eb75e2cebed09f554d6533eedf938a3bba75c6

SHA256
16376c564d6695ec93e6133af6bc561c82377cf997ed21fd3d8467284b09b846

SHA512
cc89e5f43e19f4d6cf8ec3f9208f05af48866696123424fa3c86ccc7064a5f5809379ee50d03fffabd0d89c8411727142b57745c539ac6c0e15385182cdda4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\68675793.exe

Filesize
299KB

MD5
77fed822d8705ba474bb9cc0e48ea8ee

SHA1
03eb75e2cebed09f554d6533eedf938a3bba75c6

SHA256
16376c564d6695ec93e6133af6bc561c82377cf997ed21fd3d8467284b09b846

SHA512
cc89e5f43e19f4d6cf8ec3f9208f05af48866696123424fa3c86ccc7064a5f5809379ee50d03fffabd0d89c8411727142b57745c539ac6c0e15385182cdda4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe

Filesize
589KB

MD5
759a1fc0c5de36cf21be294ddec2cce5

SHA1
73f7d7175b04385c72aa7e328b227491767c805a

SHA256
44d81cb98a5268cd36f552c7676f03c1a10680a01198782adc19ae6db67bc30a

SHA512
03d091e6b9fd455a44e4d20ece607157115765f82bba45747e616667150a77f719d91865fba7e08c4928ec4abfc17bb83e19f2eb8a2c30a11af2a07b1c5fb179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp800960.exe

Filesize
589KB

MD5
759a1fc0c5de36cf21be294ddec2cce5

SHA1
73f7d7175b04385c72aa7e328b227491767c805a

SHA256
44d81cb98a5268cd36f552c7676f03c1a10680a01198782adc19ae6db67bc30a

SHA512
03d091e6b9fd455a44e4d20ece607157115765f82bba45747e616667150a77f719d91865fba7e08c4928ec4abfc17bb83e19f2eb8a2c30a11af2a07b1c5fb179

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2004-4449-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-2304-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-2301-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-2299-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-2297-0x0000000000970000-0x00000000009CB000-memory.dmp

Filesize
364KB

Download
memory/2004-4448-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-4450-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-4451-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-4453-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2004-4455-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/3984-164-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-168-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-180-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-182-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-184-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-186-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-188-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-190-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-192-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-194-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-196-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-198-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-200-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-202-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-204-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-206-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-208-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-210-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-212-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-214-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-2280-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3984-176-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-174-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-170-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-178-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-147-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/3984-166-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-162-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-160-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-158-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-156-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-154-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-152-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-151-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3984-150-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3984-149-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3984-148-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4476-2295-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/5096-4467-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/5096-4468-0x000000000A460000-0x000000000AA78000-memory.dmp

Filesize
6.1MB

Download
memory/5096-4469-0x0000000009F90000-0x000000000A09A000-memory.dmp

Filesize
1.0MB

Download
memory/5096-4470-0x0000000009EC0000-0x0000000009ED2000-memory.dmp

Filesize
72KB

Download
memory/5096-4471-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/5096-4472-0x0000000009F20000-0x0000000009F5C000-memory.dmp

Filesize
240KB

Download
memory/5096-4473-0x000000000AB00000-0x000000000AB76000-memory.dmp

Filesize
472KB

Download
memory/5096-4474-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/5096-4475-0x0000000004A30000-0x0000000004A96000-memory.dmp

Filesize
408KB

Download
memory/5096-4476-0x000000000B920000-0x000000000BAE2000-memory.dmp

Filesize
1.8MB

Download
memory/5096-4477-0x000000000C020000-0x000000000C54C000-memory.dmp

Filesize
5.2MB

Download