redline | 4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe
Size

1.2MB
MD5

cbbf23173cf8bd5242f60a1ccbc45908
SHA1

b67264dc99de0dec524f4c6add8227fdaec22488
SHA256

4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827
SHA512

849e62bd6dcfc52aff5f3aaf63b226863cb1a0a0f70d3c1c1c4122946a3c3d4264d17f34863e3bb122f2d5f521a0d0070fda7a8b09a5f98aa5cfb1285597bea3
SSDEEP

24576:Ey9a7z+vNhAESkepzPK0d/soL3q7XLRBQ3+RpYW186UQS69MphJoABB4eaNycQ:Tw7UhGkeCQkQyk0186ZChJ/D4Ry

Score

10^/10

redline lisa evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lisa

185.161.248.73:4164

Attributes

auth_value
c2dc311db9820012377b054447d37949

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4692-200-0x000000000A580000-0x000000000AB98000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s38675019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s38675019.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s38675019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s38675019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s38675019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s38675019.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1512	z23873104.exe
2884	z42658170.exe
4084	z45010082.exe
2788	s38675019.exe
4692	t97918376.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s38675019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s38675019.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z23873104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z23873104.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z42658170.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z42658170.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z45010082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z45010082.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	s38675019.exe
2788	s38675019.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	s38675019.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1512	2472	4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe	84
PID 2472 wrote to memory of 1512	2472	4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe	84
PID 2472 wrote to memory of 1512	2472	4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe	84
PID 1512 wrote to memory of 2884	1512	z23873104.exe	85
PID 1512 wrote to memory of 2884	1512	z23873104.exe	85
PID 1512 wrote to memory of 2884	1512	z23873104.exe	85
PID 2884 wrote to memory of 4084	2884	z42658170.exe	86
PID 2884 wrote to memory of 4084	2884	z42658170.exe	86
PID 2884 wrote to memory of 4084	2884	z42658170.exe	86
PID 4084 wrote to memory of 2788	4084	z45010082.exe	87
PID 4084 wrote to memory of 2788	4084	z45010082.exe	87
PID 4084 wrote to memory of 2788	4084	z45010082.exe	87
PID 4084 wrote to memory of 4692	4084	z45010082.exe	89
PID 4084 wrote to memory of 4692	4084	z45010082.exe	89
PID 4084 wrote to memory of 4692	4084	z45010082.exe	89

C:\Users\Admin\AppData\Local\Temp\4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe
"C:\Users\Admin\AppData\Local\Temp\4afecafd9263399c310ffb56d798ba6e051b80d42528dec575a44cddfd921827.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z23873104.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z23873104.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z42658170.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z42658170.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z45010082.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z45010082.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38675019.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38675019.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97918376.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97918376.exe
        5⤵
        Executes dropped EXE
        
        PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z23873104.exe

Filesize
979KB

MD5
31953c9f076d1c69d513c2a618069d2c

SHA1
fe2859ad7d7c6732365c36697a2f7928a65f4467

SHA256
ef738c944a139974a74a721e84c3d362d2d98f7c7c7dffca3316678670b0ea17

SHA512
b3ec6f7671808628167b4cd462be5efccdf2f2dc04765d71a627656a2b9c018447cd2ed57650696b3467d3bf2b96d1679b0c2040b2d68b6580458130d102eb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z23873104.exe

Filesize
979KB

MD5
31953c9f076d1c69d513c2a618069d2c

SHA1
fe2859ad7d7c6732365c36697a2f7928a65f4467

SHA256
ef738c944a139974a74a721e84c3d362d2d98f7c7c7dffca3316678670b0ea17

SHA512
b3ec6f7671808628167b4cd462be5efccdf2f2dc04765d71a627656a2b9c018447cd2ed57650696b3467d3bf2b96d1679b0c2040b2d68b6580458130d102eb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z42658170.exe

Filesize
796KB

MD5
330ac57c86fec59668bdd9dae812c878

SHA1
12ab083683a90447c06e429826322356530ae652

SHA256
ecd6b351fde5b64310d30ffe755c6966e024ccdcec4e5a6ead2d2575e875c5b1

SHA512
3cb8ee193d6f426ba8b7c07fabc480d1eaf7f18bad1cbb9361c58d9e7e14352aa2317915061028a37c1ced294d49007cc261660efb660aa3337fac0113b1581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z42658170.exe

Filesize
796KB

MD5
330ac57c86fec59668bdd9dae812c878

SHA1
12ab083683a90447c06e429826322356530ae652

SHA256
ecd6b351fde5b64310d30ffe755c6966e024ccdcec4e5a6ead2d2575e875c5b1

SHA512
3cb8ee193d6f426ba8b7c07fabc480d1eaf7f18bad1cbb9361c58d9e7e14352aa2317915061028a37c1ced294d49007cc261660efb660aa3337fac0113b1581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z45010082.exe

Filesize
310KB

MD5
abca68df3f4f6466b63718b736d8d153

SHA1
2f56d7bf51a6873865584257e4332b4e06f9d866

SHA256
4e448d09ddc1d1180dcad1e48ef4de9203794a7a65b990431c8962eefa46d997

SHA512
2e66b9e2a03549674dd237418e753255caba4191511da55ff3b66353b5b402ad64739d1dd1e233b28841ef7bc5d5c4f19c079a6a675ab6d733e2ce850f44029e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z45010082.exe

Filesize
310KB

MD5
abca68df3f4f6466b63718b736d8d153

SHA1
2f56d7bf51a6873865584257e4332b4e06f9d866

SHA256
4e448d09ddc1d1180dcad1e48ef4de9203794a7a65b990431c8962eefa46d997

SHA512
2e66b9e2a03549674dd237418e753255caba4191511da55ff3b66353b5b402ad64739d1dd1e233b28841ef7bc5d5c4f19c079a6a675ab6d733e2ce850f44029e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38675019.exe

Filesize
177KB

MD5
91d0c3b6e77179c684f13d8bbbc8cae8

SHA1
5c2ad6889d11f1c29ba0fa841c3183b55709d3d6

SHA256
381126de7389a9b5dc3573bd0e645a6496624bb59984c6d9c3a2c5fe88de0470

SHA512
b55fb7617d1b2dbd2842c49dbe71bc21fe3d96be7fe3cbedc341ec612d6dbc10706acad61ea35f4aa43487389fc0e32856185fbaa516e7ddd70b6318254b35ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s38675019.exe

Filesize
177KB

MD5
91d0c3b6e77179c684f13d8bbbc8cae8

SHA1
5c2ad6889d11f1c29ba0fa841c3183b55709d3d6

SHA256
381126de7389a9b5dc3573bd0e645a6496624bb59984c6d9c3a2c5fe88de0470

SHA512
b55fb7617d1b2dbd2842c49dbe71bc21fe3d96be7fe3cbedc341ec612d6dbc10706acad61ea35f4aa43487389fc0e32856185fbaa516e7ddd70b6318254b35ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97918376.exe

Filesize
168KB

MD5
0d942096841d1785127b0230909eb11d

SHA1
40de3ec80f4f0decd8f047485b81004e937682a1

SHA256
d42d4b26a03b7e3f5c3561625b992e8673a28fb8a89f326a31c83b2d8568ce56

SHA512
962b2a2f22dd648326cd87acd554def66dc756d2b9dd4a0caa4496df96ceac10be1e6b8df28ed84799ac451362e59b64519ccda69adffee4d628f81c24cea3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t97918376.exe

Filesize
168KB

MD5
0d942096841d1785127b0230909eb11d

SHA1
40de3ec80f4f0decd8f047485b81004e937682a1

SHA256
d42d4b26a03b7e3f5c3561625b992e8673a28fb8a89f326a31c83b2d8568ce56

SHA512
962b2a2f22dd648326cd87acd554def66dc756d2b9dd4a0caa4496df96ceac10be1e6b8df28ed84799ac451362e59b64519ccda69adffee4d628f81c24cea3d7

Download Submit
memory/2788-177-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-187-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-165-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-167-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-169-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-171-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-173-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-175-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-163-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2788-179-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-181-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-183-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-185-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-164-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-189-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-191-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/2788-192-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2788-193-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2788-194-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2788-162-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/2788-161-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4692-199-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download
memory/4692-200-0x000000000A580000-0x000000000AB98000-memory.dmp

Filesize
6.1MB

Download
memory/4692-201-0x000000000A0D0000-0x000000000A1DA000-memory.dmp

Filesize
1.0MB

Download
memory/4692-202-0x000000000A000000-0x000000000A012000-memory.dmp

Filesize
72KB

Download
memory/4692-203-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4692-204-0x000000000A060000-0x000000000A09C000-memory.dmp

Filesize
240KB

Download
memory/4692-205-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download