redline | e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6

Analysis

max time kernel
142s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe
Size

892KB
MD5

9367f1dfd5707f3b04fd22571e8c2eb7
SHA1

176bc7c076599f826285e1885c291e7b68f65c32
SHA256

e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6
SHA512

60ab39e5c33eee9634733b0efe07249ee0c653c27eb761acdb0abaac67a6f5ac2c8141894967c211ede6391e8d90a5d1461b09c48240b3f718e08a002465dc87
SSDEEP

12288:Ny90KB8I0F3ZHzO9U0Z/42gKztNK/AFzTLcU2GD7loX8l3hIURhVQ6kMz8KE+IGn:NyjBf0hB/0G6tFFwv8PIUZ79o+jgdv0

Score

10^/10

redline dark discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4404-4463-0x000000000AD10000-0x000000000B328000-memory.dmp	redline_stealer
behavioral2/memory/4404-4469-0x000000000AC90000-0x000000000ACF6000-memory.dmp	redline_stealer
behavioral2/memory/4404-4472-0x000000000C100000-0x000000000C2C2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	24069073.exe

Executes dropped EXE 5 IoCs

pid	Process
4084	st851324.exe
832	24069073.exe
1592	1.exe
444	kp413656.exe
4404	lr819265.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st851324.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st851324.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3356	444	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1592	1.exe
1592	1.exe
4404	lr819265.exe
4404	lr819265.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	24069073.exe
Token: SeDebugPrivilege	1592	1.exe
Token: SeDebugPrivilege	444	kp413656.exe
Token: SeDebugPrivilege	4404	lr819265.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4084	3536	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe	84
PID 3536 wrote to memory of 4084	3536	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe	84
PID 3536 wrote to memory of 4084	3536	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe	84
PID 4084 wrote to memory of 832	4084	st851324.exe	85
PID 4084 wrote to memory of 832	4084	st851324.exe	85
PID 4084 wrote to memory of 832	4084	st851324.exe	85
PID 832 wrote to memory of 1592	832	24069073.exe	86
PID 832 wrote to memory of 1592	832	24069073.exe	86
PID 4084 wrote to memory of 444	4084	st851324.exe	87
PID 4084 wrote to memory of 444	4084	st851324.exe	87
PID 4084 wrote to memory of 444	4084	st851324.exe	87
PID 3536 wrote to memory of 4404	3536	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe	91
PID 3536 wrote to memory of 4404	3536	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe	91
PID 3536 wrote to memory of 4404	3536	e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe	91

C:\Users\Admin\AppData\Local\Temp\e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe
"C:\Users\Admin\AppData\Local\Temp\e33a105a29f944308542b0f19ccae48959e086a28d12f48b0be98d3aa9e897b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st851324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st851324.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24069073.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24069073.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp413656.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp413656.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1260
      4⤵
      Program crash
      PID:3356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819265.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819265.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 444 -ip 444
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819265.exe

Filesize
170KB

MD5
a81ab2d5924337dd5bb5808fb19219fe

SHA1
0f213de40de3acd20f0b0ad36504b65885049fec

SHA256
e270901f007143afaf4ffcce3bf3458385ee6542cfc0c5c7dc400ec913b99a49

SHA512
bf1473d588e5c9f54085380e0b32646f4a280eef97327ce65b43c13c59f232f8450489a3565ba9091e89b3a3bf79d7da9f8047deb9b803af4381137ececa46cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr819265.exe

Filesize
170KB

MD5
a81ab2d5924337dd5bb5808fb19219fe

SHA1
0f213de40de3acd20f0b0ad36504b65885049fec

SHA256
e270901f007143afaf4ffcce3bf3458385ee6542cfc0c5c7dc400ec913b99a49

SHA512
bf1473d588e5c9f54085380e0b32646f4a280eef97327ce65b43c13c59f232f8450489a3565ba9091e89b3a3bf79d7da9f8047deb9b803af4381137ececa46cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st851324.exe

Filesize
739KB

MD5
6e7517f9577c392708faad93cf1a191f

SHA1
c144545bee9c56052287ecb708fb92979d803180

SHA256
87ac4fcfe6f6bbf91cbcefe1e7ff6982c18a114a84d7e57e7882055cea2af698

SHA512
b7043512a9f06be08fdcd3b58feab2144ed760c38fdd45fce8add967f98f0b2474cc3bf56fc1437f537e4f7bd792acd47ef72e66949bf12b40b76a347d4c239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st851324.exe

Filesize
739KB

MD5
6e7517f9577c392708faad93cf1a191f

SHA1
c144545bee9c56052287ecb708fb92979d803180

SHA256
87ac4fcfe6f6bbf91cbcefe1e7ff6982c18a114a84d7e57e7882055cea2af698

SHA512
b7043512a9f06be08fdcd3b58feab2144ed760c38fdd45fce8add967f98f0b2474cc3bf56fc1437f537e4f7bd792acd47ef72e66949bf12b40b76a347d4c239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24069073.exe

Filesize
303KB

MD5
5dc544d72a0693e8924ca5b5d15b1d6a

SHA1
3d8b9b8f4e87e2f22b8a33f60f44bcdbe9bb1097

SHA256
036d937d8dee7a042b3395c4693c7a2cc2243cb52ba1ad56269bc35df21b54a6

SHA512
5b464317f7eaa753a415fded6f6d74e83719e5b0270743b8304d54954bed88a5c40ced580e26e18ec378b38fcc6ba41756fdfab0bd377c40d0e8c22d05dcde05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\24069073.exe

Filesize
303KB

MD5
5dc544d72a0693e8924ca5b5d15b1d6a

SHA1
3d8b9b8f4e87e2f22b8a33f60f44bcdbe9bb1097

SHA256
036d937d8dee7a042b3395c4693c7a2cc2243cb52ba1ad56269bc35df21b54a6

SHA512
5b464317f7eaa753a415fded6f6d74e83719e5b0270743b8304d54954bed88a5c40ced580e26e18ec378b38fcc6ba41756fdfab0bd377c40d0e8c22d05dcde05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp413656.exe

Filesize
576KB

MD5
a70df9141ccb81ab53771363eb005816

SHA1
3541c3af3e324e0b0140aef8f56032b159ba5231

SHA256
9b2a7968163a140626515cea4f47264b0397b75f456e87024c3b723e0ce7c49a

SHA512
8d22effef63dddfcc9ecce674e500beeab665b9975e100f87061b95765f63ce5e6bfbfb3bc626a9c3b4cad5554e8835af7f97575dca9e01f0e43152d025ec327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp413656.exe

Filesize
576KB

MD5
a70df9141ccb81ab53771363eb005816

SHA1
3541c3af3e324e0b0140aef8f56032b159ba5231

SHA256
9b2a7968163a140626515cea4f47264b0397b75f456e87024c3b723e0ce7c49a

SHA512
8d22effef63dddfcc9ecce674e500beeab665b9975e100f87061b95765f63ce5e6bfbfb3bc626a9c3b4cad5554e8835af7f97575dca9e01f0e43152d025ec327

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/444-4450-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-2419-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-2416-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-2418-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-2414-0x0000000000950000-0x00000000009AB000-memory.dmp

Filesize
364KB

Download
memory/444-4448-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-4451-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-4452-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/444-4454-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/444-4456-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/832-170-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-166-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-180-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-182-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-184-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-186-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-188-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-190-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-192-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-194-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-196-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-198-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-200-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-202-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-204-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-206-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-208-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-210-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-212-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-214-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-2280-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/832-176-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-174-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-172-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-147-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/832-164-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-178-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-168-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-162-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-160-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-158-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-156-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-155-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/832-152-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-153-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/832-150-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-149-0x00000000050D0000-0x0000000005121000-memory.dmp

Filesize
324KB

Download
memory/832-148-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1592-2292-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/4404-4467-0x000000000A7C0000-0x000000000A7FC000-memory.dmp

Filesize
240KB

Download
memory/4404-4463-0x000000000AD10000-0x000000000B328000-memory.dmp

Filesize
6.1MB

Download
memory/4404-4464-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/4404-4465-0x000000000A760000-0x000000000A772000-memory.dmp

Filesize
72KB

Download
memory/4404-4466-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4404-4462-0x00000000008B0000-0x00000000008E0000-memory.dmp

Filesize
192KB

Download
memory/4404-4468-0x000000000AAD0000-0x000000000AB46000-memory.dmp

Filesize
472KB

Download
memory/4404-4469-0x000000000AC90000-0x000000000ACF6000-memory.dmp

Filesize
408KB

Download
memory/4404-4470-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4404-4471-0x000000000BEE0000-0x000000000BF30000-memory.dmp

Filesize
320KB

Download
memory/4404-4472-0x000000000C100000-0x000000000C2C2000-memory.dmp

Filesize
1.8MB

Download
memory/4404-4473-0x000000000C800000-0x000000000CD2C000-memory.dmp

Filesize
5.2MB

Download