redline | 73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36

Analysis

max time kernel
184s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe
Size

566KB
MD5

b7fd02cb4da6ab5cfeb3d17c57a9698c
SHA1

c8a5659285cf99f7a46b6e438cdd633d38f36e35
SHA256

73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36
SHA512

7d8e4d94f4303da860bcfec6421059405db058008fbe99e3b464c2c013d178d983e48e2e5ca578fbb3bcb131d580b84065380c9ce1572e5790e6f22c298ba317
SSDEEP

12288:UMrty903gNedX5CBho5+/1DfI1+UEEkWHFFh+S:By0CBMU1DSTHXhh

Score

10^/10

redline darm discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darm

217.196.96.56:4138

Attributes

auth_value
d88ac8ccc04ab9979b04b46313db1648

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3296-148-0x000000000B070000-0x000000000B688000-memory.dmp	redline_stealer
behavioral2/memory/3296-157-0x000000000B8D0000-0x000000000B936000-memory.dmp	redline_stealer
behavioral2/memory/3296-159-0x000000000C500000-0x000000000C6C2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l1016375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l1016375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l1016375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l1016375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l1016375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l1016375.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
216	y2422670.exe
3296	k9216441.exe
2780	l1016375.exe
3480	m4809774.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l1016375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l1016375.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2422670.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2422670.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4140	3480	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3296	k9216441.exe
3296	k9216441.exe
2780	l1016375.exe
2780	l1016375.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	k9216441.exe
Token: SeDebugPrivilege	2780	l1016375.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 216	2304	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe	79
PID 2304 wrote to memory of 216	2304	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe	79
PID 2304 wrote to memory of 216	2304	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe	79
PID 216 wrote to memory of 3296	216	y2422670.exe	80
PID 216 wrote to memory of 3296	216	y2422670.exe	80
PID 216 wrote to memory of 3296	216	y2422670.exe	80
PID 216 wrote to memory of 2780	216	y2422670.exe	81
PID 216 wrote to memory of 2780	216	y2422670.exe	81
PID 216 wrote to memory of 2780	216	y2422670.exe	81
PID 2304 wrote to memory of 3480	2304	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe	82
PID 2304 wrote to memory of 3480	2304	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe	82
PID 2304 wrote to memory of 3480	2304	73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe	82

C:\Users\Admin\AppData\Local\Temp\73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe
"C:\Users\Admin\AppData\Local\Temp\73b0da6fa1f12909c5720f7fa1370aacd428c6e41f324ce0e83c0eb542d62e36.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2422670.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2422670.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9216441.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9216441.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1016375.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1016375.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4809774.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4809774.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 696
    3⤵
    - Program crash
    PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3480 -ip 3480
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4809774.exe

Filesize
268KB

MD5
922b3c61964adab5984b0e0829da92ff

SHA1
9a03e38b7afef5975555107ce8eab223c273f92e

SHA256
8fec9fa61f8f058d7eca765f7ce7346e6ba47922854e2f1de12e9d0ba8023120

SHA512
0fbf49433cb7be6a0d7f3ea7ea677aa3cd13ae0bc47c168d57c5c06af48022d9841cf21c28bbe3e07c54323d147da747d08d2ce59648805133840591268a5ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4809774.exe

Filesize
268KB

MD5
922b3c61964adab5984b0e0829da92ff

SHA1
9a03e38b7afef5975555107ce8eab223c273f92e

SHA256
8fec9fa61f8f058d7eca765f7ce7346e6ba47922854e2f1de12e9d0ba8023120

SHA512
0fbf49433cb7be6a0d7f3ea7ea677aa3cd13ae0bc47c168d57c5c06af48022d9841cf21c28bbe3e07c54323d147da747d08d2ce59648805133840591268a5ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2422670.exe

Filesize
307KB

MD5
419a83bd63e10b568833639bff57f1bf

SHA1
41f28c279170fdef8d11d19ae6d918e1b4675f68

SHA256
e507a31f648e0b7f099ba303a84d9e4259eb12a8f9a4a818c75972699d36fa91

SHA512
82e023136e52e77c564ad7db5b14808db2ad9baf0bf9d9cdb010dba0e6cfa9a94c9f6d23e4b2a1b7cdc70dcff0335d6400227123018f70535e5b3e7e35df92c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2422670.exe

Filesize
307KB

MD5
419a83bd63e10b568833639bff57f1bf

SHA1
41f28c279170fdef8d11d19ae6d918e1b4675f68

SHA256
e507a31f648e0b7f099ba303a84d9e4259eb12a8f9a4a818c75972699d36fa91

SHA512
82e023136e52e77c564ad7db5b14808db2ad9baf0bf9d9cdb010dba0e6cfa9a94c9f6d23e4b2a1b7cdc70dcff0335d6400227123018f70535e5b3e7e35df92c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9216441.exe

Filesize
168KB

MD5
ea5155738937f41226830b719660ef26

SHA1
32517a80a9f10bff8ca8dcdf448ba17f21716ffa

SHA256
cf92215c8d8220cab06f421a7f2ac0dfdeaafa637138371253ae352dc02991c4

SHA512
78e5d612c1141be65b88ff3c9eceb47b32f59b95c438654334dd227edeac926baa518e39d823e72277c748aae496360378973399e9e844fc74319b86e90d304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9216441.exe

Filesize
168KB

MD5
ea5155738937f41226830b719660ef26

SHA1
32517a80a9f10bff8ca8dcdf448ba17f21716ffa

SHA256
cf92215c8d8220cab06f421a7f2ac0dfdeaafa637138371253ae352dc02991c4

SHA512
78e5d612c1141be65b88ff3c9eceb47b32f59b95c438654334dd227edeac926baa518e39d823e72277c748aae496360378973399e9e844fc74319b86e90d304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1016375.exe

Filesize
178KB

MD5
d7633f1e51d0c3807fb582fe8aada531

SHA1
94d143e38240a41638ddfe33259ee6e0a9f4151c

SHA256
9e8c524a469992ffc9e405bdc231f8df65e9257b4f076e39faeb0033a4fdd07a

SHA512
c29adee5c138256ac468cc2756307c07646ac731e129fd33b74599c556da77c3776b88f547d581fb257ac75a2f78a0046dc3ca307262dd86fe0c7c4e9f092535

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1016375.exe

Filesize
178KB

MD5
d7633f1e51d0c3807fb582fe8aada531

SHA1
94d143e38240a41638ddfe33259ee6e0a9f4151c

SHA256
9e8c524a469992ffc9e405bdc231f8df65e9257b4f076e39faeb0033a4fdd07a

SHA512
c29adee5c138256ac468cc2756307c07646ac731e129fd33b74599c556da77c3776b88f547d581fb257ac75a2f78a0046dc3ca307262dd86fe0c7c4e9f092535

Download Submit
memory/2780-190-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-194-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2780-198-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2780-196-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2780-197-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2780-195-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2780-193-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/2780-192-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-188-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-186-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-184-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-182-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-165-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-166-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-170-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-172-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-174-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-176-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-178-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2780-180-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3296-156-0x000000000BD80000-0x000000000C324000-memory.dmp

Filesize
5.6MB

Download
memory/3296-155-0x000000000B730000-0x000000000B7C2000-memory.dmp

Filesize
584KB

Download
memory/3296-160-0x000000000CC00000-0x000000000D12C000-memory.dmp

Filesize
5.2MB

Download
memory/3296-159-0x000000000C500000-0x000000000C6C2000-memory.dmp

Filesize
1.8MB

Download
memory/3296-149-0x000000000ABE0000-0x000000000ACEA000-memory.dmp

Filesize
1.0MB

Download
memory/3296-158-0x000000000BA90000-0x000000000BAE0000-memory.dmp

Filesize
320KB

Download
memory/3296-151-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3296-157-0x000000000B8D0000-0x000000000B936000-memory.dmp

Filesize
408KB

Download
memory/3296-150-0x000000000AB10000-0x000000000AB22000-memory.dmp

Filesize
72KB

Download
memory/3296-152-0x000000000AB70000-0x000000000ABAC000-memory.dmp

Filesize
240KB

Download
memory/3296-154-0x000000000AFC0000-0x000000000B036000-memory.dmp

Filesize
472KB

Download
memory/3296-153-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3296-148-0x000000000B070000-0x000000000B688000-memory.dmp

Filesize
6.1MB

Download
memory/3296-147-0x0000000000C60000-0x0000000000C90000-memory.dmp

Filesize
192KB

Download
memory/3480-204-0x00000000006D0000-0x0000000000705000-memory.dmp

Filesize
212KB

Download
memory/3480-205-0x0000000000400000-0x00000000006C4000-memory.dmp

Filesize
2.8MB

Download