redline | 46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf

Analysis

max time kernel
151s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe
Size

1.5MB
MD5

4c34a96069d4c09bca3c659f093998fe
SHA1

39c07ecff0c8f13b54d5cf18f169f58cb4857a0b
SHA256

46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf
SHA512

450b214a6734e478a1fc7a12e42f03aa54d593432bd9a9258cd9e59af94d45cef91d7859298e544a04b77dacb7e1267fbf9f4896a4ff12e7e36f497b822254ac
SSDEEP

24576:iyrkZNKLJF5KAkDYR1oK5LMH+Dd/g2cYLnWcVyhFlcywbbtcgKIJtwR8h:JyiAAkDYR1p+i/9jIhn2tczww

Score

10^/10

redline mazda evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3860-218-0x000000000B170000-0x000000000B788000-memory.dmp	redline_stealer
behavioral2/memory/3860-225-0x000000000AFE0000-0x000000000B046000-memory.dmp	redline_stealer
behavioral2/memory/3860-226-0x000000000BE10000-0x000000000BFD2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4201582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4201582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4201582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4201582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4201582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4201582.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3004	v3628574.exe
3776	v8807014.exe
220	v8938035.exe
4984	v3259951.exe
3936	a4201582.exe
3860	b8291918.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4201582.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4201582.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8938035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3259951.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3628574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3628574.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8807014.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8807014.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8938035.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3259951.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	3936	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3936	a4201582.exe
3936	a4201582.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	a4201582.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 3004	4236	46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe	85
PID 4236 wrote to memory of 3004	4236	46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe	85
PID 4236 wrote to memory of 3004	4236	46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe	85
PID 3004 wrote to memory of 3776	3004	v3628574.exe	86
PID 3004 wrote to memory of 3776	3004	v3628574.exe	86
PID 3004 wrote to memory of 3776	3004	v3628574.exe	86
PID 3776 wrote to memory of 220	3776	v8807014.exe	87
PID 3776 wrote to memory of 220	3776	v8807014.exe	87
PID 3776 wrote to memory of 220	3776	v8807014.exe	87
PID 220 wrote to memory of 4984	220	v8938035.exe	88
PID 220 wrote to memory of 4984	220	v8938035.exe	88
PID 220 wrote to memory of 4984	220	v8938035.exe	88
PID 4984 wrote to memory of 3936	4984	v3259951.exe	90
PID 4984 wrote to memory of 3936	4984	v3259951.exe	90
PID 4984 wrote to memory of 3936	4984	v3259951.exe	90
PID 4984 wrote to memory of 3860	4984	v3259951.exe	93
PID 4984 wrote to memory of 3860	4984	v3259951.exe	93
PID 4984 wrote to memory of 3860	4984	v3259951.exe	93

C:\Users\Admin\AppData\Local\Temp\46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe
"C:\Users\Admin\AppData\Local\Temp\46f7703b64da282a1af27b1733fffdf45b4eabf796ebc3c024bc991eb54a3cbf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3628574.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3628574.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8807014.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8807014.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8938035.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8938035.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3259951.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3259951.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4201582.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4201582.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1100
        7⤵
        Program crash
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8291918.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8291918.exe
        6⤵
        Executes dropped EXE
        
        PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3936 -ip 3936
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3628574.exe

Filesize
1.3MB

MD5
4d35de1265eb6fc7ac61fd1d78dccd65

SHA1
a936662168b47eecec70f6ac64abf6f2498c7056

SHA256
8740c1cdce004fa1207303ace19a29e9c950d9e6310f7042b17b0803ffa82152

SHA512
eb670a6054507042674e1426420d601e1c116b1f9b14c483d8afca849c3fc99d8109d62541e7455c35508ce5e488bac3265ef0756528fab5bfdebf4086ca4458

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3628574.exe

Filesize
1.3MB

MD5
4d35de1265eb6fc7ac61fd1d78dccd65

SHA1
a936662168b47eecec70f6ac64abf6f2498c7056

SHA256
8740c1cdce004fa1207303ace19a29e9c950d9e6310f7042b17b0803ffa82152

SHA512
eb670a6054507042674e1426420d601e1c116b1f9b14c483d8afca849c3fc99d8109d62541e7455c35508ce5e488bac3265ef0756528fab5bfdebf4086ca4458

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8807014.exe

Filesize
868KB

MD5
c22af7833d3be59ce9bf414b84d56bc5

SHA1
aaec7fa6e3d706620eb680efb7e214de6f55c8e5

SHA256
82cf99d6754abe002c0fa115cb8a64564ed0ceb3dc70fb62298ad91152c4203e

SHA512
26319981578251c48cee69f19014be5fcc9f1f01bdeef1b910ac82522799504f05dd190e8f40c758abefd6bb4e37a10c4b9618f53219b7e7260d8a6023f72fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8807014.exe

Filesize
868KB

MD5
c22af7833d3be59ce9bf414b84d56bc5

SHA1
aaec7fa6e3d706620eb680efb7e214de6f55c8e5

SHA256
82cf99d6754abe002c0fa115cb8a64564ed0ceb3dc70fb62298ad91152c4203e

SHA512
26319981578251c48cee69f19014be5fcc9f1f01bdeef1b910ac82522799504f05dd190e8f40c758abefd6bb4e37a10c4b9618f53219b7e7260d8a6023f72fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8938035.exe

Filesize
664KB

MD5
a1e6934d400b6bd9b6fee1459669ea43

SHA1
c40444f2eefa58992eccc26cb6da11905dfaed9a

SHA256
8d60c2e414a0bdca20e260ab8ab1ec08415cb76e9b707e78693d31cba694146d

SHA512
1d8ea741d29357076dfce8869de6522a98a9813c4cf90fd3a9576660eeaa1810236b3bbc27d3a956a9aeb0f8df459b3f192eb4a2cf6b8c93f41a9c6b13605c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8938035.exe

Filesize
664KB

MD5
a1e6934d400b6bd9b6fee1459669ea43

SHA1
c40444f2eefa58992eccc26cb6da11905dfaed9a

SHA256
8d60c2e414a0bdca20e260ab8ab1ec08415cb76e9b707e78693d31cba694146d

SHA512
1d8ea741d29357076dfce8869de6522a98a9813c4cf90fd3a9576660eeaa1810236b3bbc27d3a956a9aeb0f8df459b3f192eb4a2cf6b8c93f41a9c6b13605c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3259951.exe

Filesize
394KB

MD5
5d3fe876dde9d4d5d8e64e74f1e0f010

SHA1
151b90329df8568002a3c53e0b4dd4c602dfb63a

SHA256
eef1835bd954f52e87c94ebcbbf4a1075dbed8df6fa3e2ce6b7fa03019206c43

SHA512
37c3ef74caf5477df164b9104854533ea989dbbf166147392a361274037ae00875ce076f978527359b0f4fe3013ada09293f5a3bf304c3a50917518a19001b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3259951.exe

Filesize
394KB

MD5
5d3fe876dde9d4d5d8e64e74f1e0f010

SHA1
151b90329df8568002a3c53e0b4dd4c602dfb63a

SHA256
eef1835bd954f52e87c94ebcbbf4a1075dbed8df6fa3e2ce6b7fa03019206c43

SHA512
37c3ef74caf5477df164b9104854533ea989dbbf166147392a361274037ae00875ce076f978527359b0f4fe3013ada09293f5a3bf304c3a50917518a19001b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4201582.exe

Filesize
315KB

MD5
cf6e0824244b28224aa401ce3ddbc319

SHA1
a5461318a3b17851db20def376aaed358e4fd63f

SHA256
e99b1c66941ed8fceab8ff57e5aee3cbb8880d48c6a3a7c0b4ce1f68f4c9d2e2

SHA512
7ef26e320b26460f4660a977ff691ff14f3f16fe12586e54adc0db298b0bf78c81c7c843db5d468939170408a4eee4fcd04764b7fc0a5e7ee530c712de0e2d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4201582.exe

Filesize
315KB

MD5
cf6e0824244b28224aa401ce3ddbc319

SHA1
a5461318a3b17851db20def376aaed358e4fd63f

SHA256
e99b1c66941ed8fceab8ff57e5aee3cbb8880d48c6a3a7c0b4ce1f68f4c9d2e2

SHA512
7ef26e320b26460f4660a977ff691ff14f3f16fe12586e54adc0db298b0bf78c81c7c843db5d468939170408a4eee4fcd04764b7fc0a5e7ee530c712de0e2d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8291918.exe

Filesize
168KB

MD5
9c577974bc93086517632293e51bfb7e

SHA1
cbba6a362e76bc688e139f209ad88308eb36e48b

SHA256
f219ff523c88b83f1568d218a25804f11f7ed004e043c3f3c1f80c6d43349724

SHA512
d90c71541c51c0e65022f2219be8dd9f04be08071e40a8918503b448860c7a4bbd39140c2588e0190eeddfe43ecf4155d488c04f399291450c024666a997a71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8291918.exe

Filesize
168KB

MD5
9c577974bc93086517632293e51bfb7e

SHA1
cbba6a362e76bc688e139f209ad88308eb36e48b

SHA256
f219ff523c88b83f1568d218a25804f11f7ed004e043c3f3c1f80c6d43349724

SHA512
d90c71541c51c0e65022f2219be8dd9f04be08071e40a8918503b448860c7a4bbd39140c2588e0190eeddfe43ecf4155d488c04f399291450c024666a997a71d

Download Submit
memory/3860-227-0x000000000CC20000-0x000000000D14C000-memory.dmp

Filesize
5.2MB

Download
memory/3860-225-0x000000000AFE0000-0x000000000B046000-memory.dmp

Filesize
408KB

Download
memory/3860-224-0x000000000B080000-0x000000000B112000-memory.dmp

Filesize
584KB

Download
memory/3860-223-0x000000000AF60000-0x000000000AFD6000-memory.dmp

Filesize
472KB

Download
memory/3860-222-0x000000000AC50000-0x000000000AC8C000-memory.dmp

Filesize
240KB

Download
memory/3860-221-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3860-220-0x000000000ABF0000-0x000000000AC02000-memory.dmp

Filesize
72KB

Download
memory/3860-219-0x000000000ACC0000-0x000000000ADCA000-memory.dmp

Filesize
1.0MB

Download
memory/3860-218-0x000000000B170000-0x000000000B788000-memory.dmp

Filesize
6.1MB

Download
memory/3860-217-0x0000000000E80000-0x0000000000EB0000-memory.dmp

Filesize
192KB

Download
memory/3860-226-0x000000000BE10000-0x000000000BFD2000-memory.dmp

Filesize
1.8MB

Download
memory/3936-170-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3936-192-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-194-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-196-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-198-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-200-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-201-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3936-202-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3936-203-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3936-206-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3936-190-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-188-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-186-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-184-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-182-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-180-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-178-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-176-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-174-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-173-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3936-172-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/3936-171-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3936-169-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download