redline | 52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4

Analysis

max time kernel
158s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe
Size

1.5MB
MD5

8560da40693c96505d337898ad2ef5ae
SHA1

9713a8da08180ca8bd7417ff4721e2f54f56f634
SHA256

52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4
SHA512

40523d9fea9ecc69af16bb32dc6c9d43f4d0bc12bdb689dfd7504512fecd9a5e06e6b1a4448662a353760aa2215dd95e26de851056975b1851b0787035613cd6
SSDEEP

24576:Syq1eamsJ4GVb4NRO0ugHtUVtjR17i/LqwmwYUliCnzJG5LHa:5qEa74Eb4lugHtUjjR17i/GwmwD3G5LH

Score

10^/10

redline mask evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mask

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4240-215-0x0000000005900000-0x0000000005F18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8203741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8203741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8203741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8203741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8203741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8203741.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1672	v3541719.exe
5072	v2788943.exe
4332	v2452275.exe
3480	v7367820.exe
3728	a8203741.exe
4240	b0042686.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8203741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8203741.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3541719.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2788943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2788943.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2452275.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7367820.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3541719.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2452275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7367820.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	3728	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3728	a8203741.exe
3728	a8203741.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	a8203741.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1672	1536	52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe	85
PID 1536 wrote to memory of 1672	1536	52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe	85
PID 1536 wrote to memory of 1672	1536	52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe	85
PID 1672 wrote to memory of 5072	1672	v3541719.exe	86
PID 1672 wrote to memory of 5072	1672	v3541719.exe	86
PID 1672 wrote to memory of 5072	1672	v3541719.exe	86
PID 5072 wrote to memory of 4332	5072	v2788943.exe	87
PID 5072 wrote to memory of 4332	5072	v2788943.exe	87
PID 5072 wrote to memory of 4332	5072	v2788943.exe	87
PID 4332 wrote to memory of 3480	4332	v2452275.exe	88
PID 4332 wrote to memory of 3480	4332	v2452275.exe	88
PID 4332 wrote to memory of 3480	4332	v2452275.exe	88
PID 3480 wrote to memory of 3728	3480	v7367820.exe	89
PID 3480 wrote to memory of 3728	3480	v7367820.exe	89
PID 3480 wrote to memory of 3728	3480	v7367820.exe	89
PID 3480 wrote to memory of 4240	3480	v7367820.exe	94
PID 3480 wrote to memory of 4240	3480	v7367820.exe	94
PID 3480 wrote to memory of 4240	3480	v7367820.exe	94

C:\Users\Admin\AppData\Local\Temp\52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe
"C:\Users\Admin\AppData\Local\Temp\52f04294a4993be9bc3fbc9adf12a91dab572b627031fff17b9d05695f9fadc4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3541719.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3541719.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2788943.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2788943.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2452275.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2452275.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7367820.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7367820.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8203741.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8203741.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1092
        7⤵
        Program crash
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0042686.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0042686.exe
        6⤵
        Executes dropped EXE
        
        PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3728 -ip 3728
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3541719.exe

Filesize
1.3MB

MD5
64bd9eb8857e2650997e233a5d2868cd

SHA1
ebd4e6e261634f5c6577bad29ac0056e9783c814

SHA256
cf9a050d5d32f28975f5903ab8ff7479b61a23eedff325d04c8a4063636ec1e8

SHA512
71ca384affaf68e92b4050a77e2dc38ae405bd6d3926651c620f5396e57614cef0dab84368e99be6218c49b302e400d91895d732d3ab6d49ce4f341975091440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3541719.exe

Filesize
1.3MB

MD5
64bd9eb8857e2650997e233a5d2868cd

SHA1
ebd4e6e261634f5c6577bad29ac0056e9783c814

SHA256
cf9a050d5d32f28975f5903ab8ff7479b61a23eedff325d04c8a4063636ec1e8

SHA512
71ca384affaf68e92b4050a77e2dc38ae405bd6d3926651c620f5396e57614cef0dab84368e99be6218c49b302e400d91895d732d3ab6d49ce4f341975091440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2788943.exe

Filesize
847KB

MD5
cb30827f66c7d4e433da680a547336e2

SHA1
76ee138120bdbc5d0ceb8840f7946e21ea70ae9e

SHA256
c038075a5fbb275d7aecfb3d186ed1e6ef18038693ceb542f459229663f41617

SHA512
df4f485ca1dddd84a18db361bd934a00138ab1ecdb61337f0dbba7a513d2ab1565686c88f6e6fd0280f0b4477752f198f69eb690db77f7ec91878efadf131a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2788943.exe

Filesize
847KB

MD5
cb30827f66c7d4e433da680a547336e2

SHA1
76ee138120bdbc5d0ceb8840f7946e21ea70ae9e

SHA256
c038075a5fbb275d7aecfb3d186ed1e6ef18038693ceb542f459229663f41617

SHA512
df4f485ca1dddd84a18db361bd934a00138ab1ecdb61337f0dbba7a513d2ab1565686c88f6e6fd0280f0b4477752f198f69eb690db77f7ec91878efadf131a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2452275.exe

Filesize
643KB

MD5
6b4283b7ef93db119bd8ae76923614a6

SHA1
1569295bb4e44388f92db42c4f6f39ab06f1f34b

SHA256
28168edd44d8102b57a47ddf270b176799398d6cd694eb9a09eadc25f14fb649

SHA512
6aa16c572c5c4829759ac1fad57c304eb746f500799357514c5d3682e40513bc0a7d9c3fba4df18bb6fc9a3801327d965e6fa3416a81fb51113d4d9d00b2aceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2452275.exe

Filesize
643KB

MD5
6b4283b7ef93db119bd8ae76923614a6

SHA1
1569295bb4e44388f92db42c4f6f39ab06f1f34b

SHA256
28168edd44d8102b57a47ddf270b176799398d6cd694eb9a09eadc25f14fb649

SHA512
6aa16c572c5c4829759ac1fad57c304eb746f500799357514c5d3682e40513bc0a7d9c3fba4df18bb6fc9a3801327d965e6fa3416a81fb51113d4d9d00b2aceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7367820.exe

Filesize
384KB

MD5
2d23f3727084c1e65dcb48891ea19e19

SHA1
8883b1822b319a2d6e6454b93a5ea594d47108ca

SHA256
49554d2e2bfb30ef09a233c18a73fb92f352d621e0a41c51fbbcb54ff5be0ace

SHA512
b590b7d71fdc65b4c521ec225a27ee7ef579c0d8fb69b5cba358ff6284b8172f4028c7b369ea1d19cd9a2adcacb4d1e07e188f42ab1dbd2d7b6eae6eff04f7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7367820.exe

Filesize
384KB

MD5
2d23f3727084c1e65dcb48891ea19e19

SHA1
8883b1822b319a2d6e6454b93a5ea594d47108ca

SHA256
49554d2e2bfb30ef09a233c18a73fb92f352d621e0a41c51fbbcb54ff5be0ace

SHA512
b590b7d71fdc65b4c521ec225a27ee7ef579c0d8fb69b5cba358ff6284b8172f4028c7b369ea1d19cd9a2adcacb4d1e07e188f42ab1dbd2d7b6eae6eff04f7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8203741.exe

Filesize
286KB

MD5
64cc94a84fa8753998f3a8a77b1d8758

SHA1
5b770db0054e3e59d87257d7709a888fab2de195

SHA256
508f443e94e198e64019a5b854adbe9e590e2b5ec76d1272db88fc030bdcb9e2

SHA512
50f2afe50f1014f5302779a9265e89a0ab457a24fd78a0995e723a8bce2a6802db2751dfcc3c7720cdfb4f7e6083201de6c90b2c25a3a948fccebc88b64c4b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8203741.exe

Filesize
286KB

MD5
64cc94a84fa8753998f3a8a77b1d8758

SHA1
5b770db0054e3e59d87257d7709a888fab2de195

SHA256
508f443e94e198e64019a5b854adbe9e590e2b5ec76d1272db88fc030bdcb9e2

SHA512
50f2afe50f1014f5302779a9265e89a0ab457a24fd78a0995e723a8bce2a6802db2751dfcc3c7720cdfb4f7e6083201de6c90b2c25a3a948fccebc88b64c4b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0042686.exe

Filesize
168KB

MD5
b1646b1fdd5a85a10b030203f9e01acc

SHA1
a4cdcc4df4d3f53b0d5a53622083c53bb3e42c4c

SHA256
5212142d787c0e682fc68ebfe44796d3c6ae4f41d03f9e90ec637e49f6c1b186

SHA512
4da914c1ba2503da220e6a6878f6b42e329b930651cffd2e17428265c75d26afa3b14f4dd177d0f726922637c95c45b67d0a3c4652915423818e86d27d9d6b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0042686.exe

Filesize
168KB

MD5
b1646b1fdd5a85a10b030203f9e01acc

SHA1
a4cdcc4df4d3f53b0d5a53622083c53bb3e42c4c

SHA256
5212142d787c0e682fc68ebfe44796d3c6ae4f41d03f9e90ec637e49f6c1b186

SHA512
4da914c1ba2503da220e6a6878f6b42e329b930651cffd2e17428265c75d26afa3b14f4dd177d0f726922637c95c45b67d0a3c4652915423818e86d27d9d6b5e

Download Submit
memory/3728-190-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-199-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3728-174-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-176-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-178-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-180-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-182-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-184-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-186-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-188-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-171-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-192-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-194-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-196-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-198-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-172-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/3728-200-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3728-201-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3728-202-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3728-203-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3728-204-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3728-205-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/3728-209-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3728-170-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/3728-169-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/4240-214-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download
memory/4240-215-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/4240-216-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/4240-217-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4240-218-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4240-219-0x00000000053E0000-0x000000000541C000-memory.dmp

Filesize
240KB

Download
memory/4240-220-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download