redline | 57689ff4aa3286eedf063b4b3547c70ddba999def7960258f21207a725ba82de

Analysis

max time kernel
127s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52c5912f7ca5b628965265f7b8dbd77a.exe
Size

950KB
MD5

52c5912f7ca5b628965265f7b8dbd77a
SHA1

652251488d446d952d594c926c95c817c97f9f10
SHA256

57689ff4aa3286eedf063b4b3547c70ddba999def7960258f21207a725ba82de
SHA512

72c7dd81dd4b0700fb6b697df71bbc47a748d31ec6836d3255288715ed35f4ee44a9f1d4223acb2742013a540f59bff540abc64fcb15511892b6ab60a37e86ab
SSDEEP

24576:Wyu6VH9OKfKBiinIrDwntMREDVM3YlG9qHRJ7c:lBHAbiinPntMRkwYlUqHRJ7

Score

10^/10

redline dark evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4100-4468-0x000000000A820000-0x000000000AE38000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	62014584.exe

Executes dropped EXE 5 IoCs

pid	Process
4796	un168857.exe
1632	62014584.exe
3804	1.exe
3512	rk559853.exe
4100	si510567.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52c5912f7ca5b628965265f7b8dbd77a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52c5912f7ca5b628965265f7b8dbd77a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un168857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un168857.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4928	1632	WerFault.exe	85
444	3512	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3804	1.exe
3804	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	62014584.exe
Token: SeDebugPrivilege	3804	1.exe
Token: SeDebugPrivilege	3512	rk559853.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4796	1512	52c5912f7ca5b628965265f7b8dbd77a.exe	84
PID 1512 wrote to memory of 4796	1512	52c5912f7ca5b628965265f7b8dbd77a.exe	84
PID 1512 wrote to memory of 4796	1512	52c5912f7ca5b628965265f7b8dbd77a.exe	84
PID 4796 wrote to memory of 1632	4796	un168857.exe	85
PID 4796 wrote to memory of 1632	4796	un168857.exe	85
PID 4796 wrote to memory of 1632	4796	un168857.exe	85
PID 1632 wrote to memory of 3804	1632	62014584.exe	86
PID 1632 wrote to memory of 3804	1632	62014584.exe	86
PID 4796 wrote to memory of 3512	4796	un168857.exe	93
PID 4796 wrote to memory of 3512	4796	un168857.exe	93
PID 4796 wrote to memory of 3512	4796	un168857.exe	93
PID 1512 wrote to memory of 4100	1512	52c5912f7ca5b628965265f7b8dbd77a.exe	96
PID 1512 wrote to memory of 4100	1512	52c5912f7ca5b628965265f7b8dbd77a.exe	96
PID 1512 wrote to memory of 4100	1512	52c5912f7ca5b628965265f7b8dbd77a.exe	96

C:\Users\Admin\AppData\Local\Temp\52c5912f7ca5b628965265f7b8dbd77a.exe
"C:\Users\Admin\AppData\Local\Temp\52c5912f7ca5b628965265f7b8dbd77a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168857.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168857.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62014584.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62014584.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1508
      4⤵
      Program crash
      PID:4928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559853.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559853.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 1260
      4⤵
      Program crash
      PID:444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si510567.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si510567.exe
  2⤵
  - Executes dropped EXE
  PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1632 -ip 1632
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3512 -ip 3512
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si510567.exe

Filesize
168KB

MD5
5e6bbcee00b2119dff185498d9179ee5

SHA1
c89f5e6bb629822bad324c7351cd5de6de7864dc

SHA256
3c004a3e38ea4ce0ad1bee01eba22c6ddf57443a789cb4dbd957342838d8692e

SHA512
f100033e0b1c7735c2abf7d9e536a6510b44614ddeb4c2a4cdc222be8fe3e6d07842a49a340ca2648ff561746f89830294368d1278f969672844f03204c6662a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si510567.exe

Filesize
168KB

MD5
5e6bbcee00b2119dff185498d9179ee5

SHA1
c89f5e6bb629822bad324c7351cd5de6de7864dc

SHA256
3c004a3e38ea4ce0ad1bee01eba22c6ddf57443a789cb4dbd957342838d8692e

SHA512
f100033e0b1c7735c2abf7d9e536a6510b44614ddeb4c2a4cdc222be8fe3e6d07842a49a340ca2648ff561746f89830294368d1278f969672844f03204c6662a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168857.exe

Filesize
796KB

MD5
e9222df4caa6ce7f74b851b974c6e5da

SHA1
ec51f6a94534b445ac9dcd4476fc49f2ca09c2e4

SHA256
dac70269d6d116041f18450a424f64aff4b2cb842e93f4691354626335cce63c

SHA512
a89d39d1652ba071b9767b6ff634fa73bbc06def186b14dfe13b1c900cae679d05b791c33d6f0bed382d1483532205cf09d779e8de508acd9d71d9ae39eb81a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168857.exe

Filesize
796KB

MD5
e9222df4caa6ce7f74b851b974c6e5da

SHA1
ec51f6a94534b445ac9dcd4476fc49f2ca09c2e4

SHA256
dac70269d6d116041f18450a424f64aff4b2cb842e93f4691354626335cce63c

SHA512
a89d39d1652ba071b9767b6ff634fa73bbc06def186b14dfe13b1c900cae679d05b791c33d6f0bed382d1483532205cf09d779e8de508acd9d71d9ae39eb81a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62014584.exe

Filesize
479KB

MD5
1a09ab46e31ffa3102390d22ab38cee9

SHA1
9118e415cf2594154d0d848bf12e86750516b957

SHA256
bd51576d4ea6262b53083ec131c0b151d31c8a55cde539d73930947115675fde

SHA512
d79decd19d13496e0c9ec282af8831f0a66521a5d22f0c1575c84d5260322ea8d9f15289cdd6452600de5b48def76b62f6fd12f3e6172cf9e53ea9ea46c1027f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62014584.exe

Filesize
479KB

MD5
1a09ab46e31ffa3102390d22ab38cee9

SHA1
9118e415cf2594154d0d848bf12e86750516b957

SHA256
bd51576d4ea6262b53083ec131c0b151d31c8a55cde539d73930947115675fde

SHA512
d79decd19d13496e0c9ec282af8831f0a66521a5d22f0c1575c84d5260322ea8d9f15289cdd6452600de5b48def76b62f6fd12f3e6172cf9e53ea9ea46c1027f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559853.exe

Filesize
539KB

MD5
b3af29a7159964d25d9c4ffb4be1b972

SHA1
731139d0a2cf70502a6a68a143ef5c09056d6bd2

SHA256
3d81563856e4f36baa410338c1aa091258d30eb450c4bbfdd87f70786b852e08

SHA512
ca31dd25db92164c5c9b89cf02369e40ed95c2cd1b652c35d39279628a588e41d98c935e5f2426d3e55ff2a26cf732379849ac18da85141ad61c15aaa74af85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559853.exe

Filesize
539KB

MD5
b3af29a7159964d25d9c4ffb4be1b972

SHA1
731139d0a2cf70502a6a68a143ef5c09056d6bd2

SHA256
3d81563856e4f36baa410338c1aa091258d30eb450c4bbfdd87f70786b852e08

SHA512
ca31dd25db92164c5c9b89cf02369e40ed95c2cd1b652c35d39279628a588e41d98c935e5f2426d3e55ff2a26cf732379849ac18da85141ad61c15aaa74af85b

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/1632-168-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-214-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-162-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-161-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-166-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-164-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-158-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-170-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-172-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-174-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-176-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-178-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-180-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-182-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-184-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-186-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-188-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-190-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-192-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-194-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-196-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-198-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-200-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-202-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-204-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-206-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-208-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-210-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-212-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-154-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-216-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-2282-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-159-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-157-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-155-0x0000000000A50000-0x0000000000A9C000-memory.dmp

Filesize
304KB

Download
memory/1632-148-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/1632-2296-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-2297-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-2298-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-2299-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1632-152-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-150-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/1632-149-0x0000000004F30000-0x0000000004F81000-memory.dmp

Filesize
324KB

Download
memory/3512-2440-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3512-2443-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3512-4455-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3512-4457-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/3512-4459-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3512-4460-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3512-4461-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3512-2439-0x0000000000950000-0x00000000009AB000-memory.dmp

Filesize
364KB

Download
memory/3804-2295-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/4100-4467-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/4100-4468-0x000000000A820000-0x000000000AE38000-memory.dmp

Filesize
6.1MB

Download
memory/4100-4469-0x000000000A350000-0x000000000A45A000-memory.dmp

Filesize
1.0MB

Download
memory/4100-4470-0x000000000A280000-0x000000000A292000-memory.dmp

Filesize
72KB

Download
memory/4100-4471-0x000000000A2E0000-0x000000000A31C000-memory.dmp

Filesize
240KB

Download
memory/4100-4472-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4100-4473-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download