redline | a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b

Analysis

max time kernel
135s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe
Size

1.3MB
MD5

cbedc989ed8d9872f1d696366848d10e
SHA1

a7467f46e03678b5a4a81dcac94bf4c091e8856b
SHA256

a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b
SHA512

56c3a8fef58a48fe16bc4e49ae7d59302a16b32d91895a1aa4fe56362f8c9cdcf94972ff9fd9895560ab2991a917fcf14c10960f50fc759da6af33706d855474
SSDEEP

24576:kyi/egwMjKKF/Mfj9YnmBFNJysmxU0UtuUmON8o86AuopvBkJf4lW:z6egVKc0fj+nmR85TU8qPAuGud4

Score

10^/10

redline luser evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luser

185.161.248.73:4164

Attributes

auth_value
cf14a84de9a3b6b7b8981202f3b616fb

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3640-204-0x000000000AC00000-0x000000000B218000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s49833757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s49833757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s49833757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s49833757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s49833757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s49833757.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2548	z92145068.exe
1544	z68677973.exe
1756	z52559985.exe
4704	s49833757.exe
3640	t79882300.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s49833757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s49833757.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z52559985.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z92145068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z92145068.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z68677973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z68677973.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z52559985.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	4704	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4704	s49833757.exe
4704	s49833757.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	s49833757.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2548	2292	a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe	82
PID 2292 wrote to memory of 2548	2292	a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe	82
PID 2292 wrote to memory of 2548	2292	a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe	82
PID 2548 wrote to memory of 1544	2548	z92145068.exe	83
PID 2548 wrote to memory of 1544	2548	z92145068.exe	83
PID 2548 wrote to memory of 1544	2548	z92145068.exe	83
PID 1544 wrote to memory of 1756	1544	z68677973.exe	84
PID 1544 wrote to memory of 1756	1544	z68677973.exe	84
PID 1544 wrote to memory of 1756	1544	z68677973.exe	84
PID 1756 wrote to memory of 4704	1756	z52559985.exe	85
PID 1756 wrote to memory of 4704	1756	z52559985.exe	85
PID 1756 wrote to memory of 4704	1756	z52559985.exe	85
PID 1756 wrote to memory of 3640	1756	z52559985.exe	96
PID 1756 wrote to memory of 3640	1756	z52559985.exe	96
PID 1756 wrote to memory of 3640	1756	z52559985.exe	96

C:\Users\Admin\AppData\Local\Temp\a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe
"C:\Users\Admin\AppData\Local\Temp\a45b3ac0d54f74237c09e1722fd234b7beb1cc560408a5846234ae2ce952fa3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92145068.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92145068.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z68677973.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z68677973.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52559985.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52559985.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s49833757.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s49833757.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1084
        6⤵
        Program crash
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t79882300.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t79882300.exe
        5⤵
        Executes dropped EXE
        
        PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4704 -ip 4704
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92145068.exe

Filesize
1.1MB

MD5
cefef0c5c49d094b952cdbc9afc486f3

SHA1
beaa4dcf85dfaa86e7f718dd7994d8c15d7a79ee

SHA256
ed487e245c698b104ae2db1138858a4c38e83e8400e477ef415f015be83203bf

SHA512
aed531a3dd28c919e0a037009d2cf53ff4a06a8e2ec463441e70db9030acc92b1c6836b23b38f06690e9350004b37a8b80553c32608d29f137b9c649f2e516ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z92145068.exe

Filesize
1.1MB

MD5
cefef0c5c49d094b952cdbc9afc486f3

SHA1
beaa4dcf85dfaa86e7f718dd7994d8c15d7a79ee

SHA256
ed487e245c698b104ae2db1138858a4c38e83e8400e477ef415f015be83203bf

SHA512
aed531a3dd28c919e0a037009d2cf53ff4a06a8e2ec463441e70db9030acc92b1c6836b23b38f06690e9350004b37a8b80553c32608d29f137b9c649f2e516ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z68677973.exe

Filesize
895KB

MD5
b5cd3919fde92f3d441f43c24f4a88ce

SHA1
62b9097e2d9e41a6b7e30de690ef7da54aaafe41

SHA256
1be527bc2ee8a7d40f45cc6a5959cab9cc7459dd4e23163cdcf8e3e94cf64dcc

SHA512
f1665c38970614a42a319a0251c8b3f79cf1ecbf4d8eed66ac93dde2118e53574befe6838fc95cba1de4d57a19306c762a10f10e8da18edf94a6a18f7663df35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z68677973.exe

Filesize
895KB

MD5
b5cd3919fde92f3d441f43c24f4a88ce

SHA1
62b9097e2d9e41a6b7e30de690ef7da54aaafe41

SHA256
1be527bc2ee8a7d40f45cc6a5959cab9cc7459dd4e23163cdcf8e3e94cf64dcc

SHA512
f1665c38970614a42a319a0251c8b3f79cf1ecbf4d8eed66ac93dde2118e53574befe6838fc95cba1de4d57a19306c762a10f10e8da18edf94a6a18f7663df35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52559985.exe

Filesize
410KB

MD5
5b7db11974a25a79f395ff425cb61b8e

SHA1
587b660abaddc27e0d728047d05e40f01e959274

SHA256
3bbba3929a2a916580e573e6811cc67938b27cdde94935ad169c4f9d54bf0256

SHA512
e5037212b3c44246893936bc559e86ee5bf4a88889a5b8b0b0394bcbfe0658d17de51c3f35ff4996d6efbd439ac9db60c25175d0e440d0370d7a4a6ded9853a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z52559985.exe

Filesize
410KB

MD5
5b7db11974a25a79f395ff425cb61b8e

SHA1
587b660abaddc27e0d728047d05e40f01e959274

SHA256
3bbba3929a2a916580e573e6811cc67938b27cdde94935ad169c4f9d54bf0256

SHA512
e5037212b3c44246893936bc559e86ee5bf4a88889a5b8b0b0394bcbfe0658d17de51c3f35ff4996d6efbd439ac9db60c25175d0e440d0370d7a4a6ded9853a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s49833757.exe

Filesize
347KB

MD5
1bc6419a91b007056d89b8868e46b537

SHA1
c1cef88f3b9dc6f987f03374616b6fa76d74b7c5

SHA256
466ef23fa27b4bb5ad3fe87208c17246faa94255c488ff16c30a9c3a075a1457

SHA512
7847ccb8f8d71cf93daaf9cca5a26226d7129eb02c418ec6a64fddadbace6f5f6946a867fc84038ec74e95ddadfadde395b703f6ddb8c13450d4229736449377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s49833757.exe

Filesize
347KB

MD5
1bc6419a91b007056d89b8868e46b537

SHA1
c1cef88f3b9dc6f987f03374616b6fa76d74b7c5

SHA256
466ef23fa27b4bb5ad3fe87208c17246faa94255c488ff16c30a9c3a075a1457

SHA512
7847ccb8f8d71cf93daaf9cca5a26226d7129eb02c418ec6a64fddadbace6f5f6946a867fc84038ec74e95ddadfadde395b703f6ddb8c13450d4229736449377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t79882300.exe

Filesize
168KB

MD5
b8b66c5068d42dfe5a5881afee5255d6

SHA1
d64180fa8c84df12980cd512c5558e64570f05c1

SHA256
4e99dbd9e05496bd8f2f310a03d5ae714fe0b10ad20c906c81b23d74df7d7af8

SHA512
28e96750076d6ad1dd1c4ca54965f95b2edf19ff601f02901f2671751cc2a262ceda31ca4b3b9eb60ac0f571ce75cf1b98916de8125440fa54ac1869eb469b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t79882300.exe

Filesize
168KB

MD5
b8b66c5068d42dfe5a5881afee5255d6

SHA1
d64180fa8c84df12980cd512c5558e64570f05c1

SHA256
4e99dbd9e05496bd8f2f310a03d5ae714fe0b10ad20c906c81b23d74df7d7af8

SHA512
28e96750076d6ad1dd1c4ca54965f95b2edf19ff601f02901f2671751cc2a262ceda31ca4b3b9eb60ac0f571ce75cf1b98916de8125440fa54ac1869eb469b6e

Download Submit
memory/3640-209-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/3640-206-0x000000000A6B0000-0x000000000A6C2000-memory.dmp

Filesize
72KB

Download
memory/3640-205-0x000000000A780000-0x000000000A88A000-memory.dmp

Filesize
1.0MB

Download
memory/3640-204-0x000000000AC00000-0x000000000B218000-memory.dmp

Filesize
6.1MB

Download
memory/3640-203-0x0000000000800000-0x000000000082E000-memory.dmp

Filesize
184KB

Download
memory/3640-208-0x000000000A710000-0x000000000A74C000-memory.dmp

Filesize
240KB

Download
memory/3640-207-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4704-181-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-195-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4704-179-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-173-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-183-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-185-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-187-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-189-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-191-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-193-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-194-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4704-166-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-196-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4704-197-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4704-199-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4704-177-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-170-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4704-175-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-171-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-168-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4704-167-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/4704-164-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-163-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/4704-162-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download