redline | 14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe
Size

1.2MB
MD5

e6503e99a5ec0ec9c4b6ea542cce17ab
SHA1

70a457aece1b398bdaeca23287308be4e2aa14ab
SHA256

14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744
SHA512

daeb6385855070423785f96d9ac16790ecb2e7e4fc243851865387ac475ca30e4d6deec28a339c263e8e799936e09f670a7e440bcaf8da1d6f0405258453794b
SSDEEP

24576:dy1G22qT4lPzFAXQSXX2cq3I0DWnJE1r8LxHlKPcnP4A:41PBMlbgv2caIKAqV8ZwP

Score

10^/10

redline lofa evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lofa

185.161.248.73:4164

Attributes

auth_value
3442ba767c6a30cde747101942f34a3a

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3124-201-0x000000000AAB0000-0x000000000B0C8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s69918260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s69918260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s69918260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s69918260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s69918260.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s69918260.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4888	z37947390.exe
2664	z77304489.exe
4332	z70922630.exe
2596	s69918260.exe
3124	t73113683.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s69918260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s69918260.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z70922630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z70922630.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z37947390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z37947390.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z77304489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z77304489.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	s69918260.exe
2596	s69918260.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	s69918260.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4888	4800	14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe	81
PID 4800 wrote to memory of 4888	4800	14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe	81
PID 4800 wrote to memory of 4888	4800	14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe	81
PID 4888 wrote to memory of 2664	4888	z37947390.exe	82
PID 4888 wrote to memory of 2664	4888	z37947390.exe	82
PID 4888 wrote to memory of 2664	4888	z37947390.exe	82
PID 2664 wrote to memory of 4332	2664	z77304489.exe	83
PID 2664 wrote to memory of 4332	2664	z77304489.exe	83
PID 2664 wrote to memory of 4332	2664	z77304489.exe	83
PID 4332 wrote to memory of 2596	4332	z70922630.exe	84
PID 4332 wrote to memory of 2596	4332	z70922630.exe	84
PID 4332 wrote to memory of 2596	4332	z70922630.exe	84
PID 4332 wrote to memory of 3124	4332	z70922630.exe	87
PID 4332 wrote to memory of 3124	4332	z70922630.exe	87
PID 4332 wrote to memory of 3124	4332	z70922630.exe	87

C:\Users\Admin\AppData\Local\Temp\14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe
"C:\Users\Admin\AppData\Local\Temp\14656a7f8c5a007bc00c2a48085f0c0c83b2e16616b046e5b223471c6db4e744.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z37947390.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z37947390.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z77304489.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z77304489.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70922630.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70922630.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69918260.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69918260.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73113683.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73113683.exe
        5⤵
        Executes dropped EXE
        
        PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z37947390.exe

Filesize
977KB

MD5
6f7f1c3d5263a6f93c7c903d077a770b

SHA1
e7609ac36be56adc9ac81458dddf594b77461c88

SHA256
bf384e39584c6dd1f18f7ab6134ebe21853409b6ff2bbcddfaa1133ae3ad97b8

SHA512
4105e790e94c9bb07ed41e62de3a810e07ece9bbfa665b666bfd6fffa494b6970a6b79863b5731944656ea1f141535e03e67f8de7fd238fd92df8e4590429edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z37947390.exe

Filesize
977KB

MD5
6f7f1c3d5263a6f93c7c903d077a770b

SHA1
e7609ac36be56adc9ac81458dddf594b77461c88

SHA256
bf384e39584c6dd1f18f7ab6134ebe21853409b6ff2bbcddfaa1133ae3ad97b8

SHA512
4105e790e94c9bb07ed41e62de3a810e07ece9bbfa665b666bfd6fffa494b6970a6b79863b5731944656ea1f141535e03e67f8de7fd238fd92df8e4590429edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z77304489.exe

Filesize
795KB

MD5
a623203b8a5c663da05c5fd63ef12586

SHA1
ecfc887b1d013a080871a7765704527b3eefee7c

SHA256
4662b5906b6d171c8c394e0e1a749bddf1aa9e5789f29c6494d4b351d201b79d

SHA512
42857eb6173776bfe48b9725e12896a53cd37085ce29b154756c688c14c65c9a04ebc04ea97afd2461b6d4af7bfb27211572460e0c7a7a1fde048b1c13f4821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z77304489.exe

Filesize
795KB

MD5
a623203b8a5c663da05c5fd63ef12586

SHA1
ecfc887b1d013a080871a7765704527b3eefee7c

SHA256
4662b5906b6d171c8c394e0e1a749bddf1aa9e5789f29c6494d4b351d201b79d

SHA512
42857eb6173776bfe48b9725e12896a53cd37085ce29b154756c688c14c65c9a04ebc04ea97afd2461b6d4af7bfb27211572460e0c7a7a1fde048b1c13f4821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70922630.exe

Filesize
310KB

MD5
b262b665c720e15342bb413b15fa8a4c

SHA1
8a5899eceaa07e96c7b8705971ad41bfbade78fc

SHA256
73e5f6bc880180cb8fc2fcaa26edf959b4853227d429579871a03141ae51f310

SHA512
f8f40aeb97746db943aefefb4a7019bdc486c8600c9bfb6324f8364546721061f2e14805134ee5487e2f631afaaaed06cda61b7e873f8374ae489cf034d27f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70922630.exe

Filesize
310KB

MD5
b262b665c720e15342bb413b15fa8a4c

SHA1
8a5899eceaa07e96c7b8705971ad41bfbade78fc

SHA256
73e5f6bc880180cb8fc2fcaa26edf959b4853227d429579871a03141ae51f310

SHA512
f8f40aeb97746db943aefefb4a7019bdc486c8600c9bfb6324f8364546721061f2e14805134ee5487e2f631afaaaed06cda61b7e873f8374ae489cf034d27f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69918260.exe

Filesize
176KB

MD5
711ec7b73a48604e88f6666b9963b2e4

SHA1
1da877e011316ad4249ff30da0a5ab544a746cc0

SHA256
241d23410c347d7ceef78379a9043206ff61177a40e7301b427edf1f162bb13b

SHA512
e3897fc43e3de0e48781cc3edf984da5ad0b1826f02b111f713637d169f0aa77b24088ad859c4142bed29ab010dfbf614c6f9e0a9732924ce702c457a93f82ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s69918260.exe

Filesize
176KB

MD5
711ec7b73a48604e88f6666b9963b2e4

SHA1
1da877e011316ad4249ff30da0a5ab544a746cc0

SHA256
241d23410c347d7ceef78379a9043206ff61177a40e7301b427edf1f162bb13b

SHA512
e3897fc43e3de0e48781cc3edf984da5ad0b1826f02b111f713637d169f0aa77b24088ad859c4142bed29ab010dfbf614c6f9e0a9732924ce702c457a93f82ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73113683.exe

Filesize
168KB

MD5
6d45e53d319f2017b0339ab17f1cc396

SHA1
631e5f116c308414a209aa86b531c6adc6d98d11

SHA256
bccd8d4cc1049d03f31bee69b596f779a2a8a05ef93d8d830180a38943689f12

SHA512
55913e7d918ed342935bc440e7ff31de6e97f2895a60e74095e0c21e4590b723498de407f5d7f5fd94daf07cb751afc83357236a06634e5633819ac536b40077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t73113683.exe

Filesize
168KB

MD5
6d45e53d319f2017b0339ab17f1cc396

SHA1
631e5f116c308414a209aa86b531c6adc6d98d11

SHA256
bccd8d4cc1049d03f31bee69b596f779a2a8a05ef93d8d830180a38943689f12

SHA512
55913e7d918ed342935bc440e7ff31de6e97f2895a60e74095e0c21e4590b723498de407f5d7f5fd94daf07cb751afc83357236a06634e5633819ac536b40077

Download Submit
memory/2596-176-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-190-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-165-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-166-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-168-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-170-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-172-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-174-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-164-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2596-178-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-180-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-182-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-184-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-186-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-188-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-163-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2596-192-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2596-193-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2596-194-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2596-195-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2596-162-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2596-161-0x0000000004CB0000-0x0000000005254000-memory.dmp

Filesize
5.6MB

Download
memory/3124-200-0x0000000000580000-0x00000000005AE000-memory.dmp

Filesize
184KB

Download
memory/3124-201-0x000000000AAB0000-0x000000000B0C8000-memory.dmp

Filesize
6.1MB

Download
memory/3124-202-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

Filesize
1.0MB

Download
memory/3124-203-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3124-204-0x000000000A490000-0x000000000A4CC000-memory.dmp

Filesize
240KB

Download
memory/3124-205-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3124-206-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download