redline | a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463

Analysis

max time kernel
145s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe
Size

1.2MB
MD5

6131bfccaf592c50258fa154fa70d18a
SHA1

5e8ba418215dbce0d1f75a3e2a569550bdf26f2d
SHA256

a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463
SHA512

6d363e88582877ceca4bc184318726ee5db9c26dfc99db81954d6875fba6164db504f704672697b12eb4053fa787abe0a411a3ae43fd925fdc49645f6d9f0147
SSDEEP

24576:uymqbpM2IjKEBkuSMYAC2IQ8w1TKSoQQiSnojJIHhs:9zWbku1cBi5jmH

Score

10^/10

redline luser evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luser

185.161.248.73:4164

Attributes

auth_value
cf14a84de9a3b6b7b8981202f3b616fb

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4072-205-0x0000000005200000-0x0000000005818000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s64801238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s64801238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s64801238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s64801238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s64801238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s64801238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
464	z58565789.exe
224	z13712864.exe
4132	z58956835.exe
4144	s64801238.exe
4072	t24263402.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s64801238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s64801238.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z58565789.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z58565789.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z13712864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z13712864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z58956835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z58956835.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4144	s64801238.exe
4144	s64801238.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	s64801238.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 464	3612	a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe	85
PID 3612 wrote to memory of 464	3612	a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe	85
PID 3612 wrote to memory of 464	3612	a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe	85
PID 464 wrote to memory of 224	464	z58565789.exe	86
PID 464 wrote to memory of 224	464	z58565789.exe	86
PID 464 wrote to memory of 224	464	z58565789.exe	86
PID 224 wrote to memory of 4132	224	z13712864.exe	87
PID 224 wrote to memory of 4132	224	z13712864.exe	87
PID 224 wrote to memory of 4132	224	z13712864.exe	87
PID 4132 wrote to memory of 4144	4132	z58956835.exe	88
PID 4132 wrote to memory of 4144	4132	z58956835.exe	88
PID 4132 wrote to memory of 4144	4132	z58956835.exe	88
PID 4132 wrote to memory of 4072	4132	z58956835.exe	89
PID 4132 wrote to memory of 4072	4132	z58956835.exe	89
PID 4132 wrote to memory of 4072	4132	z58956835.exe	89

C:\Users\Admin\AppData\Local\Temp\a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe
"C:\Users\Admin\AppData\Local\Temp\a406785e586ba1e8fb7657de5a4482c1a22edd1f4036108d569f6877f33f8463.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58565789.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58565789.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13712864.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13712864.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z58956835.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z58956835.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s64801238.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s64801238.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24263402.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24263402.exe
        5⤵
        Executes dropped EXE
        
        PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58565789.exe

Filesize
1.0MB

MD5
4e52de345ae2819e0b5f349f3a56030b

SHA1
ae552e820df9a0246e310b14b678d1e7726dd698

SHA256
1fe5636a5d85a4dbdfedab53a8ddefd85e2cfe034d40d470efaaa16db0cb2a0a

SHA512
934992cbf49e19a94628ce138a1ec4eefa472f85b90b2bfd5f306ccefad94719c961d5dece6ad3f71cb583ed73b7aee71a80b1f0bd57623d2ff406d72ddbce51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z58565789.exe

Filesize
1.0MB

MD5
4e52de345ae2819e0b5f349f3a56030b

SHA1
ae552e820df9a0246e310b14b678d1e7726dd698

SHA256
1fe5636a5d85a4dbdfedab53a8ddefd85e2cfe034d40d470efaaa16db0cb2a0a

SHA512
934992cbf49e19a94628ce138a1ec4eefa472f85b90b2bfd5f306ccefad94719c961d5dece6ad3f71cb583ed73b7aee71a80b1f0bd57623d2ff406d72ddbce51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13712864.exe

Filesize
850KB

MD5
4139cea28334f67386a7e3ac26c6ee3e

SHA1
1cb70b00ebbd19b5f2e7a5e9297d4b78eb69aa26

SHA256
db29005e149d51cb6c4cb5d3d5eb2fa3c385f71882170d1eee31064105e67f12

SHA512
7e860a53b2bb0f234125f2576402eed3590cd940c43e5d8e5679942723f0b82e4b575005aea88a3f367641aac1dc7d62bcf104ef647f78b09f30a059af8414b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13712864.exe

Filesize
850KB

MD5
4139cea28334f67386a7e3ac26c6ee3e

SHA1
1cb70b00ebbd19b5f2e7a5e9297d4b78eb69aa26

SHA256
db29005e149d51cb6c4cb5d3d5eb2fa3c385f71882170d1eee31064105e67f12

SHA512
7e860a53b2bb0f234125f2576402eed3590cd940c43e5d8e5679942723f0b82e4b575005aea88a3f367641aac1dc7d62bcf104ef647f78b09f30a059af8414b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z58956835.exe

Filesize
385KB

MD5
1d2cb7cb044ccafe10d7e10cf82dee30

SHA1
b036438f6cb15be534a3bfe5dbe0436df9af5074

SHA256
d58c999660448473bc797a2a6dbc900c400a41ed75cc5202bebe0af83d7e62bc

SHA512
bf753403aaaf48aa4c2df9878f45945ca814bf6f2ac0030b1d10161586699118fbd012a440942034b9898b3f10429fb55fc38674f7cfef8f0210ae7475d2b18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z58956835.exe

Filesize
385KB

MD5
1d2cb7cb044ccafe10d7e10cf82dee30

SHA1
b036438f6cb15be534a3bfe5dbe0436df9af5074

SHA256
d58c999660448473bc797a2a6dbc900c400a41ed75cc5202bebe0af83d7e62bc

SHA512
bf753403aaaf48aa4c2df9878f45945ca814bf6f2ac0030b1d10161586699118fbd012a440942034b9898b3f10429fb55fc38674f7cfef8f0210ae7475d2b18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s64801238.exe

Filesize
291KB

MD5
be99587277060cd198c3124f49bee8f6

SHA1
1ecb25455aa39c848fd220df584f62f1432f770e

SHA256
47652ea29d25c78ccf67448047e9d5e4ea6e530c4d0f1f6560615522432d2e23

SHA512
13fb4fcc6bee494d61f274810f875a779cfa8fa7651270c5032e3f1cc3da9c5cc34c9f414387495770259f7a6da87fe283aaf13de7ad37a7f893efd488d033ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s64801238.exe

Filesize
291KB

MD5
be99587277060cd198c3124f49bee8f6

SHA1
1ecb25455aa39c848fd220df584f62f1432f770e

SHA256
47652ea29d25c78ccf67448047e9d5e4ea6e530c4d0f1f6560615522432d2e23

SHA512
13fb4fcc6bee494d61f274810f875a779cfa8fa7651270c5032e3f1cc3da9c5cc34c9f414387495770259f7a6da87fe283aaf13de7ad37a7f893efd488d033ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24263402.exe

Filesize
168KB

MD5
85f064cd255965c7a5cdfd69fc8c4f87

SHA1
2e0e43951a4529b8fcce7a8a3eca185cdfaaf777

SHA256
50c0d2863c1435d751aeb6c4f80aaa57ea40ac1eb5d185a7ec17e74d924a89e9

SHA512
0d898bda7fa0be6094910e9bd20b842db4406b517344e97e2069776132741b724d0aa915850af459b577da2af2d6e3de12abe5e237c04b4906af733354851c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t24263402.exe

Filesize
168KB

MD5
85f064cd255965c7a5cdfd69fc8c4f87

SHA1
2e0e43951a4529b8fcce7a8a3eca185cdfaaf777

SHA256
50c0d2863c1435d751aeb6c4f80aaa57ea40ac1eb5d185a7ec17e74d924a89e9

SHA512
0d898bda7fa0be6094910e9bd20b842db4406b517344e97e2069776132741b724d0aa915850af459b577da2af2d6e3de12abe5e237c04b4906af733354851c02

Download Submit
memory/4072-210-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/4072-207-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4072-206-0x0000000004CF0000-0x0000000004DFA000-memory.dmp

Filesize
1.0MB

Download
memory/4072-205-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/4072-204-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/4072-208-0x0000000004C60000-0x0000000004C9C000-memory.dmp

Filesize
240KB

Download
memory/4072-209-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/4144-180-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-197-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4144-178-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-174-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-182-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-184-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-186-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-188-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-190-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-192-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-194-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-195-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/4144-196-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4144-176-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-198-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4144-200-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/4144-172-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-170-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-168-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-167-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/4144-166-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4144-164-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4144-165-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/4144-163-0x0000000004D30000-0x00000000052D4000-memory.dmp

Filesize
5.6MB

Download
memory/4144-162-0x00000000006D0000-0x00000000006FD000-memory.dmp

Filesize
180KB

Download