redline | 44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe
Size

892KB
MD5

69b3e65ee8600f3577ce3674737ca45c
SHA1

8e1590ddf500a123e64219e123a8cb4b7fef08bd
SHA256

44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c
SHA512

65f761e58c19fbc78b12564447017dbdd6b35410c6bd71160a8928be070f46423c088b5fbddac51ae8c0e4b64d85960f01bd7865f45a90916ed13a40bca711bc
SSDEEP

24576:byCv/F+oYutoeWT98+aHv8R//Ar/lW2Xp+Nm:OCXR7tbWT9oHa2Xp+N

Score

10^/10

redline dark evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/844-4463-0x000000000AC70000-0x000000000B288000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	07464973.exe

Executes dropped EXE 5 IoCs

pid	Process
1696	st173147.exe
876	07464973.exe
1400	1.exe
1208	kp256863.exe
844	lr894191.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st173147.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st173147.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5004	1208	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1400	1.exe
1400	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	07464973.exe
Token: SeDebugPrivilege	1208	kp256863.exe
Token: SeDebugPrivilege	1400	1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 1696	4240	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe	82
PID 4240 wrote to memory of 1696	4240	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe	82
PID 4240 wrote to memory of 1696	4240	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe	82
PID 1696 wrote to memory of 876	1696	st173147.exe	83
PID 1696 wrote to memory of 876	1696	st173147.exe	83
PID 1696 wrote to memory of 876	1696	st173147.exe	83
PID 876 wrote to memory of 1400	876	07464973.exe	85
PID 876 wrote to memory of 1400	876	07464973.exe	85
PID 1696 wrote to memory of 1208	1696	st173147.exe	86
PID 1696 wrote to memory of 1208	1696	st173147.exe	86
PID 1696 wrote to memory of 1208	1696	st173147.exe	86
PID 4240 wrote to memory of 844	4240	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe	89
PID 4240 wrote to memory of 844	4240	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe	89
PID 4240 wrote to memory of 844	4240	44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe	89

C:\Users\Admin\AppData\Local\Temp\44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe
"C:\Users\Admin\AppData\Local\Temp\44b4b3bfa5115f272c905b2cbf5b6fb92bfdc8b78aacc4d7e5a511d2e63a768c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st173147.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st173147.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07464973.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07464973.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256863.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256863.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1292
      4⤵
      Program crash
      PID:5004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr894191.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr894191.exe
  2⤵
  - Executes dropped EXE
  PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1208 -ip 1208
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr894191.exe

Filesize
170KB

MD5
ac77383cc8ef4ee0d4e1c157105a1a76

SHA1
683863b17e58234233a07702695b113125333370

SHA256
944b38980ba802ff118bbf85d72dd08245c1c4060de1c36a1d08ee1d82e59b1e

SHA512
baeef2d6f1bba2c09def4a6cc2fd80d1573944275169fb9171f02106fc2991c22257657c3677bdfb231afb7dbda0ebd6dcc6e26ebfd0ed0d1480f0093a69a81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr894191.exe

Filesize
170KB

MD5
ac77383cc8ef4ee0d4e1c157105a1a76

SHA1
683863b17e58234233a07702695b113125333370

SHA256
944b38980ba802ff118bbf85d72dd08245c1c4060de1c36a1d08ee1d82e59b1e

SHA512
baeef2d6f1bba2c09def4a6cc2fd80d1573944275169fb9171f02106fc2991c22257657c3677bdfb231afb7dbda0ebd6dcc6e26ebfd0ed0d1480f0093a69a81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st173147.exe

Filesize
739KB

MD5
43457ac3c70c28afb76bcd8064fd40cc

SHA1
fdc0df87169004abfa6e294f510e39e8b36c4024

SHA256
0268e5a46c3f38ccce058ee7a97e4d5304bbbf9998da6d20b150a9cbc3421a1c

SHA512
cc3c259e124a1cf66c04be95ddb66157745faff7c26c57d1f4dfaf418970e98ca90654674d3dcb160ca6f9adcb6644e8dbb858101b2d04f2820f3c43cc3a8e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st173147.exe

Filesize
739KB

MD5
43457ac3c70c28afb76bcd8064fd40cc

SHA1
fdc0df87169004abfa6e294f510e39e8b36c4024

SHA256
0268e5a46c3f38ccce058ee7a97e4d5304bbbf9998da6d20b150a9cbc3421a1c

SHA512
cc3c259e124a1cf66c04be95ddb66157745faff7c26c57d1f4dfaf418970e98ca90654674d3dcb160ca6f9adcb6644e8dbb858101b2d04f2820f3c43cc3a8e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07464973.exe

Filesize
302KB

MD5
945354a03d7931f8c927086d5f32a72d

SHA1
a5cc77a74400b151e8ac6c5d458ed942d9bdf75a

SHA256
341256bfd0a0cb9267912a13aeb073f77562e82343d54e01772b6c8b99362d44

SHA512
2019bd09003eeda97ad1de934172a6eaf80ba2634b7540e1d8943c17b4e4093eb9abb5c24898ff2cf1cee5266a0c711f4136aba50d81d28537577ed1f9545e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07464973.exe

Filesize
302KB

MD5
945354a03d7931f8c927086d5f32a72d

SHA1
a5cc77a74400b151e8ac6c5d458ed942d9bdf75a

SHA256
341256bfd0a0cb9267912a13aeb073f77562e82343d54e01772b6c8b99362d44

SHA512
2019bd09003eeda97ad1de934172a6eaf80ba2634b7540e1d8943c17b4e4093eb9abb5c24898ff2cf1cee5266a0c711f4136aba50d81d28537577ed1f9545e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256863.exe

Filesize
576KB

MD5
20502afdcedb2eb096cdc80e8a4f6aba

SHA1
8419269396d297a6bdec1cd5744a8f0b26f725e2

SHA256
64b54521730fe982a131aac826281d78a71208536a1b3087d563a4659cccf3f0

SHA512
8113ff7e7b9913de47322ba059a5193eceeca0248faa12838d7c17812c665fa95c9908665295504e8e581de3f2b86a2bacc7794fe7c148673b194dde01e2a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp256863.exe

Filesize
576KB

MD5
20502afdcedb2eb096cdc80e8a4f6aba

SHA1
8419269396d297a6bdec1cd5744a8f0b26f725e2

SHA256
64b54521730fe982a131aac826281d78a71208536a1b3087d563a4659cccf3f0

SHA512
8113ff7e7b9913de47322ba059a5193eceeca0248faa12838d7c17812c665fa95c9908665295504e8e581de3f2b86a2bacc7794fe7c148673b194dde01e2a9f5

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/844-4466-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/844-4465-0x000000000A720000-0x000000000A732000-memory.dmp

Filesize
72KB

Download
memory/844-4464-0x000000000A7F0000-0x000000000A8FA000-memory.dmp

Filesize
1.0MB

Download
memory/844-4463-0x000000000AC70000-0x000000000B288000-memory.dmp

Filesize
6.1MB

Download
memory/844-4462-0x0000000000870000-0x00000000008A0000-memory.dmp

Filesize
192KB

Download
memory/844-4467-0x000000000A780000-0x000000000A7BC000-memory.dmp

Filesize
240KB

Download
memory/844-4468-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/876-192-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-210-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-164-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-166-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-168-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-170-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-172-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-174-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-176-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-178-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-180-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-182-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-184-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-186-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-188-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-190-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-160-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-194-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-196-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-198-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-200-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-202-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-204-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-206-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-208-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-162-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-212-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-214-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-2035-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/876-2280-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/876-2281-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/876-147-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/876-148-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/876-149-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/876-150-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/876-152-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-151-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-154-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-156-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/876-158-0x00000000050B0000-0x0000000005101000-memory.dmp

Filesize
324KB

Download
memory/1208-4454-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-4457-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-4452-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-4453-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-4450-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-4449-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/1208-2503-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-2501-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-2499-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/1208-2498-0x0000000000840000-0x000000000089B000-memory.dmp

Filesize
364KB

Download
memory/1400-2589-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download