redline | 642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0

Analysis

max time kernel
154s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe
Size

1.4MB
MD5

103c2e2f438000173e7f3101dcc67209
SHA1

65441bb71aed935f31030ce567f5e62f93b54f12
SHA256

642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0
SHA512

04498a32cbcac966838b1f7f2920f4a882960de3e6e4a768de920f933b792ffd38bde9ffc5a8285ca8e27e5cca07959525d54718e20f26c3d2a07d897bffdef7
SSDEEP

24576:+yGuVrCNg4/e5eiINfHZmyxYLVZWH4zU4/U6gQ3dWQNRmJd/dvu/lpS+/llEqN:NGG586yxYLVZx0fQ37uj/dPzq

Score

10^/10

redline mask evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mask

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2228-214-0x000000000A8B0000-0x000000000AEC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8499471.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8499471.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8499471.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8499471.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8499471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8499471.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4144	v7673122.exe
4384	v5701997.exe
4796	v9895797.exe
3496	v6381090.exe
2192	a8499471.exe
2228	b6344224.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8499471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8499471.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5701997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9895797.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6381090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6381090.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7673122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7673122.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5701997.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9895797.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4060	2192	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	a8499471.exe
2192	a8499471.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	a8499471.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4144	4972	642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe	81
PID 4972 wrote to memory of 4144	4972	642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe	81
PID 4972 wrote to memory of 4144	4972	642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe	81
PID 4144 wrote to memory of 4384	4144	v7673122.exe	82
PID 4144 wrote to memory of 4384	4144	v7673122.exe	82
PID 4144 wrote to memory of 4384	4144	v7673122.exe	82
PID 4384 wrote to memory of 4796	4384	v5701997.exe	83
PID 4384 wrote to memory of 4796	4384	v5701997.exe	83
PID 4384 wrote to memory of 4796	4384	v5701997.exe	83
PID 4796 wrote to memory of 3496	4796	v9895797.exe	84
PID 4796 wrote to memory of 3496	4796	v9895797.exe	84
PID 4796 wrote to memory of 3496	4796	v9895797.exe	84
PID 3496 wrote to memory of 2192	3496	v6381090.exe	85
PID 3496 wrote to memory of 2192	3496	v6381090.exe	85
PID 3496 wrote to memory of 2192	3496	v6381090.exe	85
PID 3496 wrote to memory of 2228	3496	v6381090.exe	91
PID 3496 wrote to memory of 2228	3496	v6381090.exe	91
PID 3496 wrote to memory of 2228	3496	v6381090.exe	91

C:\Users\Admin\AppData\Local\Temp\642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe
"C:\Users\Admin\AppData\Local\Temp\642e3439663a82f6acbe45cebceeb33038c5e32147b9f5b3702f1ed9f55c06b0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7673122.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7673122.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5701997.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5701997.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9895797.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9895797.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6381090.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6381090.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8499471.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8499471.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1088
        7⤵
        Program crash
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6344224.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6344224.exe
        6⤵
        Executes dropped EXE
        
        PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2192 -ip 2192
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7673122.exe

Filesize
1.3MB

MD5
11b8f88f4e7c478bf2f059502f32f1b8

SHA1
23d119999e475c0e49c3c6afb1324ad70efb4192

SHA256
3c1ec353559c5ef30e45d2feb25facdb54482745c6987fe184d5a63ac4ad7637

SHA512
c9bfbc3c7a7d1af8dc7f0adafe4c5d392dd18c444044a3cf950c089e9f313406893926492ee101bc9f3d69b225f9e06c8ecf95f428b9782912b02a34f99a7e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7673122.exe

Filesize
1.3MB

MD5
11b8f88f4e7c478bf2f059502f32f1b8

SHA1
23d119999e475c0e49c3c6afb1324ad70efb4192

SHA256
3c1ec353559c5ef30e45d2feb25facdb54482745c6987fe184d5a63ac4ad7637

SHA512
c9bfbc3c7a7d1af8dc7f0adafe4c5d392dd18c444044a3cf950c089e9f313406893926492ee101bc9f3d69b225f9e06c8ecf95f428b9782912b02a34f99a7e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5701997.exe

Filesize
845KB

MD5
c59535d9b12afc5a2d5aaa8a22d4ddda

SHA1
23445e468a3bd60b2cde7044682ccaeda9199b17

SHA256
9bcb8d83be80741b5aa720740533c1533e3b057deb6a0f56b24839b3a0cfa813

SHA512
a6992af7a51a41e6b94887f44a473444efa05b37be5031c016e8e480bbe84efba917d86b3cec859067e8ec1131bc28d138c2e11a17380946433bd276ff715966

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5701997.exe

Filesize
845KB

MD5
c59535d9b12afc5a2d5aaa8a22d4ddda

SHA1
23445e468a3bd60b2cde7044682ccaeda9199b17

SHA256
9bcb8d83be80741b5aa720740533c1533e3b057deb6a0f56b24839b3a0cfa813

SHA512
a6992af7a51a41e6b94887f44a473444efa05b37be5031c016e8e480bbe84efba917d86b3cec859067e8ec1131bc28d138c2e11a17380946433bd276ff715966

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9895797.exe

Filesize
641KB

MD5
af4408db541ca5a4f842e1ce2a02d7ae

SHA1
a8e9ed2c1eb4d0856db7ba4dbece24b9dff75517

SHA256
f3357510e76300360d3adc1ba7af7856a261525103902e4afb7aeb6b3bc8256b

SHA512
7eba6ecd53548a31d5d18704de34ea781a4dd44ae3cab3fc042e7d107f0bfb4a2121f47a9e1a9c759651c5b3bd0f5d85387d619cd3ec3d3df640e5b0b95ec3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9895797.exe

Filesize
641KB

MD5
af4408db541ca5a4f842e1ce2a02d7ae

SHA1
a8e9ed2c1eb4d0856db7ba4dbece24b9dff75517

SHA256
f3357510e76300360d3adc1ba7af7856a261525103902e4afb7aeb6b3bc8256b

SHA512
7eba6ecd53548a31d5d18704de34ea781a4dd44ae3cab3fc042e7d107f0bfb4a2121f47a9e1a9c759651c5b3bd0f5d85387d619cd3ec3d3df640e5b0b95ec3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6381090.exe

Filesize
383KB

MD5
00fc0b9dcde48acdfc84b889145c7ae5

SHA1
51f5f29bf9cf98c3eaa859be9136981e61f80f90

SHA256
982b8a55aca99efbe728b801bb58a2180fe646cb88371fe18e095215832bd825

SHA512
c06c6f581c2f44bc54940f1008089569212a554af6f23d1fa081a2cbb64f86f5dac0fb659e701da8d84f480dd2821498a254529a32b8560bba983152b578ba0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6381090.exe

Filesize
383KB

MD5
00fc0b9dcde48acdfc84b889145c7ae5

SHA1
51f5f29bf9cf98c3eaa859be9136981e61f80f90

SHA256
982b8a55aca99efbe728b801bb58a2180fe646cb88371fe18e095215832bd825

SHA512
c06c6f581c2f44bc54940f1008089569212a554af6f23d1fa081a2cbb64f86f5dac0fb659e701da8d84f480dd2821498a254529a32b8560bba983152b578ba0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8499471.exe

Filesize
289KB

MD5
83e99af17aab61558912335cc98ac17f

SHA1
57a1bb160393f69344020f46522aa0a38062f062

SHA256
ee3be50598850f5ea0a520442e4aaa078a1d69540cd404aa7025b28722ee02a9

SHA512
9c103241e9c2ba838ee485417c4e0542297e2f7bd0df10a744ca91920d208463849c798544e6de91b88f930c89953115f0b9b778b082ed9200bbfe2b285ca741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8499471.exe

Filesize
289KB

MD5
83e99af17aab61558912335cc98ac17f

SHA1
57a1bb160393f69344020f46522aa0a38062f062

SHA256
ee3be50598850f5ea0a520442e4aaa078a1d69540cd404aa7025b28722ee02a9

SHA512
9c103241e9c2ba838ee485417c4e0542297e2f7bd0df10a744ca91920d208463849c798544e6de91b88f930c89953115f0b9b778b082ed9200bbfe2b285ca741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6344224.exe

Filesize
168KB

MD5
54d6e42967cd4de3b6e6bc112ceabe90

SHA1
833e3f00fb9d8760db235433a3cf92afb320d2be

SHA256
5b69ea70c4a4c69cce432576c000894da8d9db4375bb352154c52be899f54d34

SHA512
628ae08a8a62634afb819ff5d5982139c80f8ce62bc674272299bb8e123fe4eee79fa5b882d8816685ebf90623f5313d20803a1f694764f67053270767687947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6344224.exe

Filesize
168KB

MD5
54d6e42967cd4de3b6e6bc112ceabe90

SHA1
833e3f00fb9d8760db235433a3cf92afb320d2be

SHA256
5b69ea70c4a4c69cce432576c000894da8d9db4375bb352154c52be899f54d34

SHA512
628ae08a8a62634afb819ff5d5982139c80f8ce62bc674272299bb8e123fe4eee79fa5b882d8816685ebf90623f5313d20803a1f694764f67053270767687947

Download Submit
memory/2192-187-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-197-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-171-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2192-174-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-175-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-177-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-179-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-181-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-183-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-185-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-173-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2192-189-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-191-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-193-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-195-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-172-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2192-199-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-201-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2192-202-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2192-203-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2192-204-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2192-205-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2192-208-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2192-170-0x0000000004CB0000-0x0000000005254000-memory.dmp

Filesize
5.6MB

Download
memory/2192-169-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/2228-213-0x00000000004B0000-0x00000000004E0000-memory.dmp

Filesize
192KB

Download
memory/2228-214-0x000000000A8B0000-0x000000000AEC8000-memory.dmp

Filesize
6.1MB

Download
memory/2228-215-0x000000000A430000-0x000000000A53A000-memory.dmp

Filesize
1.0MB

Download
memory/2228-216-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/2228-217-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/2228-218-0x000000000A3C0000-0x000000000A3FC000-memory.dmp

Filesize
240KB

Download
memory/2228-219-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download