redline | d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc

Analysis

max time kernel
139s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe
Size

1.2MB
MD5

8fe7b28cc71375ef262cc697d8708a2e
SHA1

dd83db447fdb457283f708f1bfae856253c8cfcb
SHA256

d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc
SHA512

f4124ca5997b8943f689e8452069c7aaf4e776f3161262b80fd5d8b481e130f76219af2298895131a4ffef819dc1f6e9df224938dc8d15cd60b406b5d7ac4831
SSDEEP

24576:Syfe6f/qKhsFlm6HOGlMCq6lo1oqPA86TVi/DnPlN7sG:526f/VgHOGlFPa6V+P37s

Score

10^/10

redline lupa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

217.196.96.56:4138

Attributes

auth_value
fcb02fce9bc10c56a9841d56974bd7b8

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1492-209-0x0000000005680000-0x0000000005C98000-memory.dmp	redline_stealer
behavioral2/memory/1492-217-0x0000000005EF0000-0x0000000005F56000-memory.dmp	redline_stealer
behavioral2/memory/1492-219-0x0000000006BF0000-0x0000000006DB2000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n5448433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n5448433.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n5448433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n5448433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n5448433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n5448433.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3428	z3849801.exe
4120	z8935781.exe
3132	z5701024.exe
3408	n5448433.exe
1492	o4186199.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n5448433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n5448433.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5701024.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3849801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3849801.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8935781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8935781.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5701024.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3408	n5448433.exe
3408	n5448433.exe
1492	o4186199.exe
1492	o4186199.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	n5448433.exe
Token: SeDebugPrivilege	1492	o4186199.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3428	3724	d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe	79
PID 3724 wrote to memory of 3428	3724	d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe	79
PID 3724 wrote to memory of 3428	3724	d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe	79
PID 3428 wrote to memory of 4120	3428	z3849801.exe	80
PID 3428 wrote to memory of 4120	3428	z3849801.exe	80
PID 3428 wrote to memory of 4120	3428	z3849801.exe	80
PID 4120 wrote to memory of 3132	4120	z8935781.exe	81
PID 4120 wrote to memory of 3132	4120	z8935781.exe	81
PID 4120 wrote to memory of 3132	4120	z8935781.exe	81
PID 3132 wrote to memory of 3408	3132	z5701024.exe	82
PID 3132 wrote to memory of 3408	3132	z5701024.exe	82
PID 3132 wrote to memory of 3408	3132	z5701024.exe	82
PID 3132 wrote to memory of 1492	3132	z5701024.exe	85
PID 3132 wrote to memory of 1492	3132	z5701024.exe	85
PID 3132 wrote to memory of 1492	3132	z5701024.exe	85

C:\Users\Admin\AppData\Local\Temp\d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe
"C:\Users\Admin\AppData\Local\Temp\d86187af56d7695235d19a0e4162227272b38f1938de06d3b46dbf141dd423fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3849801.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3849801.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8935781.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8935781.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5701024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5701024.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n5448433.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n5448433.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4186199.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4186199.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3849801.exe

Filesize
1.0MB

MD5
f1755ec31ab7e77a1c5344c0e2806f25

SHA1
b4252412d964a12fe19983b2c08bef40bcfc6fae

SHA256
22c75f862f181c50bf0b992865eff7d2e73b9d7fb2c4973fa7de4f7ccb11dab7

SHA512
8bca893f5e41d2f1e944941fcfcf69afc59bc93e501bba92611b05417fbd61a210b208dbb0a4b7768fc5b4f8d33d6727108339416ce0d064523523657c19f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3849801.exe

Filesize
1.0MB

MD5
f1755ec31ab7e77a1c5344c0e2806f25

SHA1
b4252412d964a12fe19983b2c08bef40bcfc6fae

SHA256
22c75f862f181c50bf0b992865eff7d2e73b9d7fb2c4973fa7de4f7ccb11dab7

SHA512
8bca893f5e41d2f1e944941fcfcf69afc59bc93e501bba92611b05417fbd61a210b208dbb0a4b7768fc5b4f8d33d6727108339416ce0d064523523657c19f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8935781.exe

Filesize
590KB

MD5
4971f906eb8b059050d2cdb83325f0f7

SHA1
56d45c0d5b23045ad79fc2353df3de4f7c60e0d5

SHA256
c243071697805304c3f7b47a78b9d0c08b2cc9ea1f9a0b3317d6dd1199edf65f

SHA512
9202f75fa3c2991bcbae5cb3259a91e585a679e12ee09e4bc6e59e50eec292467a55efeeb6e7421d94c00d878498871d6af3a5f082fc2736ec0e3db03676c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8935781.exe

Filesize
590KB

MD5
4971f906eb8b059050d2cdb83325f0f7

SHA1
56d45c0d5b23045ad79fc2353df3de4f7c60e0d5

SHA256
c243071697805304c3f7b47a78b9d0c08b2cc9ea1f9a0b3317d6dd1199edf65f

SHA512
9202f75fa3c2991bcbae5cb3259a91e585a679e12ee09e4bc6e59e50eec292467a55efeeb6e7421d94c00d878498871d6af3a5f082fc2736ec0e3db03676c915

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5701024.exe

Filesize
386KB

MD5
43f6043604b34428b38fc2d890d45c78

SHA1
6788585451cf8ec12a0e96b3128373cf02eec026

SHA256
ead2067f6c588736f79fa3c54200d14483723df85503b70133917417104ba6bf

SHA512
ebcd592dd231edd1f861e2d75ea8d4f37ed7d0865e08da3f45011d1ec8e95ab84ea0d99703aff7116c25bb0a441478e64cc293472c7e2665674f0ddba1276a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5701024.exe

Filesize
386KB

MD5
43f6043604b34428b38fc2d890d45c78

SHA1
6788585451cf8ec12a0e96b3128373cf02eec026

SHA256
ead2067f6c588736f79fa3c54200d14483723df85503b70133917417104ba6bf

SHA512
ebcd592dd231edd1f861e2d75ea8d4f37ed7d0865e08da3f45011d1ec8e95ab84ea0d99703aff7116c25bb0a441478e64cc293472c7e2665674f0ddba1276a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n5448433.exe

Filesize
286KB

MD5
958ecef5a42ba65cb19e4e98decea671

SHA1
1ee8304888dd573d5dc6b31304383bfc6b96e771

SHA256
63168b4a1bd6c45d80803ca60af1357233131a71fa3e7c0c0d82fddc82d75293

SHA512
dee527ff9a046ca5f591baf8b8c3f40ec2b15d1a1d4b291bffd46616c3cc78a498a389ee8124575ea6cc1ae59a7d40dfba1d4c4626bf571a725fed01b4ff09aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n5448433.exe

Filesize
286KB

MD5
958ecef5a42ba65cb19e4e98decea671

SHA1
1ee8304888dd573d5dc6b31304383bfc6b96e771

SHA256
63168b4a1bd6c45d80803ca60af1357233131a71fa3e7c0c0d82fddc82d75293

SHA512
dee527ff9a046ca5f591baf8b8c3f40ec2b15d1a1d4b291bffd46616c3cc78a498a389ee8124575ea6cc1ae59a7d40dfba1d4c4626bf571a725fed01b4ff09aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4186199.exe

Filesize
169KB

MD5
0e15c9afb39a920963155fe2e09474a3

SHA1
480d649ebb44c302f40bced1e6ccc8a847c1144c

SHA256
e497b3da206c6f2c9614a3d5f2115c2bafbf03dece64b2e4f11178da4c6512d7

SHA512
b7f51b862ad74d1a0381dcbbaf02964dd938d7821df7ef3bf8896798d217b22a930746c3e31579a54d3e5ba7bc693c079ae5315345acd72ae1635e6a4b94941c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o4186199.exe

Filesize
169KB

MD5
0e15c9afb39a920963155fe2e09474a3

SHA1
480d649ebb44c302f40bced1e6ccc8a847c1144c

SHA256
e497b3da206c6f2c9614a3d5f2115c2bafbf03dece64b2e4f11178da4c6512d7

SHA512
b7f51b862ad74d1a0381dcbbaf02964dd938d7821df7ef3bf8896798d217b22a930746c3e31579a54d3e5ba7bc693c079ae5315345acd72ae1635e6a4b94941c

Download Submit
memory/1492-218-0x00000000062F0000-0x0000000006340000-memory.dmp

Filesize
320KB

Download
memory/1492-217-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/1492-219-0x0000000006BF0000-0x0000000006DB2000-memory.dmp

Filesize
1.8MB

Download
memory/1492-216-0x0000000005E50000-0x0000000005EE2000-memory.dmp

Filesize
584KB

Download
memory/1492-215-0x0000000005D30000-0x0000000005DA6000-memory.dmp

Filesize
472KB

Download
memory/1492-214-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1492-213-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1492-212-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/1492-211-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/1492-210-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/1492-209-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/1492-208-0x0000000000560000-0x000000000058E000-memory.dmp

Filesize
184KB

Download
memory/1492-220-0x0000000008810000-0x0000000008D3C000-memory.dmp

Filesize
5.2MB

Download
memory/3408-169-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/3408-177-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-190-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-192-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-194-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-196-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-198-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3408-199-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3408-200-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3408-204-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3408-186-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-184-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-182-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-188-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-178-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3408-180-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-175-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3408-174-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-173-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3408-170-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-167-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-166-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3408-164-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-163-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/3408-162-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download