redline | 3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe
Size

913KB
MD5

6f18fa40e8da6357abd6a2428d782cad
SHA1

d4f3db9e472e9d7a350629740851be3309da2b6d
SHA256

3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf
SHA512

92c2ad694fa6b3ccbd2653bafde778392a7ceee0b01d8b87b397fc6e161524af56c13dc2951708faa9ea144d5d46dd60709aa5d0ba811654b9410b77e3769496
SSDEEP

24576:yySrVoIruGgtMl/lJupWEXoXVY3IRauIoOCdpxRW:ZaVosuntk/lNguKIRnI5q

Score

10^/10

redline dark evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3880-4460-0x000000000A8F0000-0x000000000AF08000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	08446637.exe

Executes dropped EXE 5 IoCs

pid	Process
4292	st071084.exe
5044	08446637.exe
4868	1.exe
4240	kp610974.exe
3880	lr492701.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st071084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st071084.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5084	4240	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	1.exe
4868	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	08446637.exe
Token: SeDebugPrivilege	4240	kp610974.exe
Token: SeDebugPrivilege	4868	1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4292	4964	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe	86
PID 4964 wrote to memory of 4292	4964	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe	86
PID 4964 wrote to memory of 4292	4964	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe	86
PID 4292 wrote to memory of 5044	4292	st071084.exe	87
PID 4292 wrote to memory of 5044	4292	st071084.exe	87
PID 4292 wrote to memory of 5044	4292	st071084.exe	87
PID 5044 wrote to memory of 4868	5044	08446637.exe	90
PID 5044 wrote to memory of 4868	5044	08446637.exe	90
PID 4292 wrote to memory of 4240	4292	st071084.exe	91
PID 4292 wrote to memory of 4240	4292	st071084.exe	91
PID 4292 wrote to memory of 4240	4292	st071084.exe	91
PID 4964 wrote to memory of 3880	4964	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe	96
PID 4964 wrote to memory of 3880	4964	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe	96
PID 4964 wrote to memory of 3880	4964	3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe	96

C:\Users\Admin\AppData\Local\Temp\3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe
"C:\Users\Admin\AppData\Local\Temp\3db34dcd4ac0fb6c0d258f26bfe5a85e5dc17aa8bf967cf7c13b7f38055897bf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st071084.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st071084.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08446637.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08446637.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp610974.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp610974.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1260
      4⤵
      Program crash
      PID:5084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492701.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492701.exe
  2⤵
  - Executes dropped EXE
  PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4240 -ip 4240
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492701.exe

Filesize
168KB

MD5
16cf18c8ef1d4be89b36e27c8fb88e9d

SHA1
7811ba84f75a1adc6d995c2c1121ec996d1cc003

SHA256
116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

SHA512
4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr492701.exe

Filesize
168KB

MD5
16cf18c8ef1d4be89b36e27c8fb88e9d

SHA1
7811ba84f75a1adc6d995c2c1121ec996d1cc003

SHA256
116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

SHA512
4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st071084.exe

Filesize
760KB

MD5
217f9f57e7fa72dbdaf7b4b77e03c023

SHA1
d473bedf4a5b3eef39663658860f11f6ca2d492b

SHA256
c542778b76cd59c117a3f9926595fb369cd1d5ef6c5fc38b80afdb06aca1ede9

SHA512
64a91571579f99afdcb6b22f9ec1c8f1a5180e806a1c74a52eab46ffcdd738937c370885f3bd13645c68b2df80b499610f8ad0e5f78ad0f588c860a729819092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st071084.exe

Filesize
760KB

MD5
217f9f57e7fa72dbdaf7b4b77e03c023

SHA1
d473bedf4a5b3eef39663658860f11f6ca2d492b

SHA256
c542778b76cd59c117a3f9926595fb369cd1d5ef6c5fc38b80afdb06aca1ede9

SHA512
64a91571579f99afdcb6b22f9ec1c8f1a5180e806a1c74a52eab46ffcdd738937c370885f3bd13645c68b2df80b499610f8ad0e5f78ad0f588c860a729819092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08446637.exe

Filesize
300KB

MD5
d9bcf48a17fec3ed179871c6b7bb3203

SHA1
35fc933fbd6d92e3594ad7431739c4bbd2b6401e

SHA256
cca3a9e45914139d7b514c8ebb2f98c561ff475bd850d2fa42cbb8900735452b

SHA512
95186c2d0392058ca0c21e3871d0bdf909b491f9f16aa784cf9483484989eb701630c0bba48e08f8c45e92e1c9f735ad91dfe6af75e5f8fbbdfda6aefc6f4219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08446637.exe

Filesize
300KB

MD5
d9bcf48a17fec3ed179871c6b7bb3203

SHA1
35fc933fbd6d92e3594ad7431739c4bbd2b6401e

SHA256
cca3a9e45914139d7b514c8ebb2f98c561ff475bd850d2fa42cbb8900735452b

SHA512
95186c2d0392058ca0c21e3871d0bdf909b491f9f16aa784cf9483484989eb701630c0bba48e08f8c45e92e1c9f735ad91dfe6af75e5f8fbbdfda6aefc6f4219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp610974.exe

Filesize
539KB

MD5
89cefc136f03bad562de4fc7cd5827e4

SHA1
4432cc9f1246b57ea3c41097e08589f97f88bcc7

SHA256
e5eee07d0857eb87eb9e6bce3ac4a1181dd886c0bb49025ec7bf45472c78dd15

SHA512
2d09017db5e319457f6e26b8444a65043e61e3b482f91b691c0fe1a77dd00ca3a278c5b473b4d430a49c78aba156574a13e6196af77ba202d28bf07f640c5843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp610974.exe

Filesize
539KB

MD5
89cefc136f03bad562de4fc7cd5827e4

SHA1
4432cc9f1246b57ea3c41097e08589f97f88bcc7

SHA256
e5eee07d0857eb87eb9e6bce3ac4a1181dd886c0bb49025ec7bf45472c78dd15

SHA512
2d09017db5e319457f6e26b8444a65043e61e3b482f91b691c0fe1a77dd00ca3a278c5b473b4d430a49c78aba156574a13e6196af77ba202d28bf07f640c5843

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/3880-4463-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3880-4459-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/3880-4465-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/3880-4464-0x000000000A400000-0x000000000A43C000-memory.dmp

Filesize
240KB

Download
memory/3880-4462-0x000000000A3A0000-0x000000000A3B2000-memory.dmp

Filesize
72KB

Download
memory/3880-4460-0x000000000A8F0000-0x000000000AF08000-memory.dmp

Filesize
6.1MB

Download
memory/3880-4461-0x000000000A470000-0x000000000A57A000-memory.dmp

Filesize
1.0MB

Download
memory/4240-4446-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/4240-2299-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4240-2298-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4240-2297-0x0000000000830000-0x000000000088B000-memory.dmp

Filesize
364KB

Download
memory/4240-4447-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4240-4451-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4240-4452-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4240-4453-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4868-2292-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/5044-166-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-180-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-192-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-194-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-196-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-198-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-200-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-202-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-204-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-206-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-208-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-210-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-212-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-214-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-2279-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/5044-188-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-186-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-184-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-182-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-190-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-178-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-176-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-174-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-172-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-170-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-168-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-164-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-162-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-160-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-158-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-156-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-154-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-152-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-151-0x0000000004F70000-0x0000000004FC1000-memory.dmp

Filesize
324KB

Download
memory/5044-150-0x00000000049C0000-0x0000000004F64000-memory.dmp

Filesize
5.6MB

Download
memory/5044-149-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/5044-148-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/5044-147-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download