redline | 54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe
Size

1.5MB
MD5

56a940f65410c9b385bf084652feabbb
SHA1

145d3750e37060f6d75495c31c3b62a1a92d75ff
SHA256

54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21
SHA512

b1f35e95402e270570297f8a45b0b810c006153f702599ec4bb6513164d6523514c50dccc21c08921102772b7d21898f539afb38ffd9c737b29f4bec6900f1bf
SSDEEP

49152:FWex3AvAjg1A7cDyM/n6JnPXMRJnz6QnmybWfny:3RAvKiA4NPjzz1Ay

Score

10^/10

redline maza evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maza

185.161.248.73:4164

Attributes

auth_value
474d54c1c2f5291290c53f8378acd684

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4400-208-0x00000000056D0000-0x0000000005CE8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a80973751.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a80973751.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a80973751.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a80973751.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a80973751.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a80973751.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
732	i97964920.exe
2172	i44767899.exe
1164	i28787017.exe
2572	i89694794.exe
1596	a80973751.exe
4400	b70465955.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a80973751.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a80973751.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i97964920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i44767899.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i28787017.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i89694794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i89694794.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i97964920.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i44767899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i28787017.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1596	a80973751.exe
1596	a80973751.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	a80973751.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 732	2344	54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe	83
PID 2344 wrote to memory of 732	2344	54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe	83
PID 2344 wrote to memory of 732	2344	54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe	83
PID 732 wrote to memory of 2172	732	i97964920.exe	84
PID 732 wrote to memory of 2172	732	i97964920.exe	84
PID 732 wrote to memory of 2172	732	i97964920.exe	84
PID 2172 wrote to memory of 1164	2172	i44767899.exe	85
PID 2172 wrote to memory of 1164	2172	i44767899.exe	85
PID 2172 wrote to memory of 1164	2172	i44767899.exe	85
PID 1164 wrote to memory of 2572	1164	i28787017.exe	86
PID 1164 wrote to memory of 2572	1164	i28787017.exe	86
PID 1164 wrote to memory of 2572	1164	i28787017.exe	86
PID 2572 wrote to memory of 1596	2572	i89694794.exe	87
PID 2572 wrote to memory of 1596	2572	i89694794.exe	87
PID 2572 wrote to memory of 1596	2572	i89694794.exe	87
PID 2572 wrote to memory of 4400	2572	i89694794.exe	94
PID 2572 wrote to memory of 4400	2572	i89694794.exe	94
PID 2572 wrote to memory of 4400	2572	i89694794.exe	94

C:\Users\Admin\AppData\Local\Temp\54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe
"C:\Users\Admin\AppData\Local\Temp\54bda633f7806608e383aca26f5c0679637392b44878cfb106d3ffad50f70b21.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97964920.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97964920.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44767899.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44767899.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28787017.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28787017.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89694794.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89694794.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80973751.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80973751.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b70465955.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b70465955.exe
        6⤵
        Executes dropped EXE
        
        PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97964920.exe

Filesize
1.2MB

MD5
78a04ab09ddfcc3b678e21b3702e72e7

SHA1
880212079bed648524142c44fa2bbd1ad8143751

SHA256
66e4465e768b8a42e413c4747bbf61387f90ab9c9f0230f9ea854321c9634232

SHA512
9d983fd0ae6599d25196e6d546625e8920f8627141040fb0576549c23959affe8e58ce493565285b9b742bac242e892dcc803ce8857fcb5c3d311f1aa98056a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i97964920.exe

Filesize
1.2MB

MD5
78a04ab09ddfcc3b678e21b3702e72e7

SHA1
880212079bed648524142c44fa2bbd1ad8143751

SHA256
66e4465e768b8a42e413c4747bbf61387f90ab9c9f0230f9ea854321c9634232

SHA512
9d983fd0ae6599d25196e6d546625e8920f8627141040fb0576549c23959affe8e58ce493565285b9b742bac242e892dcc803ce8857fcb5c3d311f1aa98056a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44767899.exe

Filesize
1.1MB

MD5
acf00710f6e9e83abc916e39badefdfd

SHA1
ad2ca411346143f7b4468954114d2aaffe1e05d9

SHA256
781245471671bf239e1fc1586f5ba8fe3c4aaa713f4b83176a9e804bde21fdf8

SHA512
41e63b8497aa0427cce01cde1a1960bea8e52cabcf1ed79967063522a855c7652c687cf17a37c3c34a3faa35d2334b4f1ff193e8033e761d48bd371c0cf49679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44767899.exe

Filesize
1.1MB

MD5
acf00710f6e9e83abc916e39badefdfd

SHA1
ad2ca411346143f7b4468954114d2aaffe1e05d9

SHA256
781245471671bf239e1fc1586f5ba8fe3c4aaa713f4b83176a9e804bde21fdf8

SHA512
41e63b8497aa0427cce01cde1a1960bea8e52cabcf1ed79967063522a855c7652c687cf17a37c3c34a3faa35d2334b4f1ff193e8033e761d48bd371c0cf49679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28787017.exe

Filesize
594KB

MD5
b8cdfbccd2b13259116e14652dbbee21

SHA1
d1ff83ac572a45900cdf8bef482cd035c70c8598

SHA256
26d005871c33e7d81051a36ef8557466a197591fbcacd22775206a3c8a2c8813

SHA512
3c30014bc961ecc7d3f6a8f943921a87f48eab5be0419afdf35563760faa2419007cb485b6b6dbb76df00b8c20f7c51862ba17525fa0d64560e848b7a2435bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28787017.exe

Filesize
594KB

MD5
b8cdfbccd2b13259116e14652dbbee21

SHA1
d1ff83ac572a45900cdf8bef482cd035c70c8598

SHA256
26d005871c33e7d81051a36ef8557466a197591fbcacd22775206a3c8a2c8813

SHA512
3c30014bc961ecc7d3f6a8f943921a87f48eab5be0419afdf35563760faa2419007cb485b6b6dbb76df00b8c20f7c51862ba17525fa0d64560e848b7a2435bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89694794.exe

Filesize
310KB

MD5
319fdbace0c350a51eff748bed70e28e

SHA1
a49ad7bd6a7bc72730eaff095214f88d919d958c

SHA256
34cac2e19ae7d1814e2e06d8e71e888ead2e9e7d156e57e05e7c9161b4d15308

SHA512
e8e6939eea46b2c87b48a438ceafcdf8bcac3c06db927fb3dacb4e0ceb4b801c7c79797cdc721ab8536c19cf967cb37449f623141aaa875bfed177146c8d46bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i89694794.exe

Filesize
310KB

MD5
319fdbace0c350a51eff748bed70e28e

SHA1
a49ad7bd6a7bc72730eaff095214f88d919d958c

SHA256
34cac2e19ae7d1814e2e06d8e71e888ead2e9e7d156e57e05e7c9161b4d15308

SHA512
e8e6939eea46b2c87b48a438ceafcdf8bcac3c06db927fb3dacb4e0ceb4b801c7c79797cdc721ab8536c19cf967cb37449f623141aaa875bfed177146c8d46bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80973751.exe

Filesize
175KB

MD5
3f2a1937d270cab8f72f0f80d082c49f

SHA1
467d2b0bd40ab4c805254c766a4b2e4210e4fda5

SHA256
c83d0bddcc5a137e0d710a11da52f2e6a7dac943668c9091d6852098f8315fe3

SHA512
b062a1c05f3c7d33453cfcf21036ebf15b22ab9e2de87efdc729e1b60edd6fa8b931d29eb58e7e525c4199f043030c713b71b000667e6d5f1c58bb2e347356f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80973751.exe

Filesize
175KB

MD5
3f2a1937d270cab8f72f0f80d082c49f

SHA1
467d2b0bd40ab4c805254c766a4b2e4210e4fda5

SHA256
c83d0bddcc5a137e0d710a11da52f2e6a7dac943668c9091d6852098f8315fe3

SHA512
b062a1c05f3c7d33453cfcf21036ebf15b22ab9e2de87efdc729e1b60edd6fa8b931d29eb58e7e525c4199f043030c713b71b000667e6d5f1c58bb2e347356f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b70465955.exe

Filesize
168KB

MD5
0f33c07d3f689c177f3fb01814526d89

SHA1
8014922a1d85ec47121de9aea81e4eed9a192cd7

SHA256
33e32a3480829320465e646af7de8e02e7a766cf999ddfa13b8e2c4671fca679

SHA512
ec85f561d6c6646908f9580a55b3c39c4d6c816ad46d882a56ae358d41cdc3e1d3faaa818bd5a7df2ce55445d3476ed2360017bef814ad99f823ce27723ee9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b70465955.exe

Filesize
168KB

MD5
0f33c07d3f689c177f3fb01814526d89

SHA1
8014922a1d85ec47121de9aea81e4eed9a192cd7

SHA256
33e32a3480829320465e646af7de8e02e7a766cf999ddfa13b8e2c4671fca679

SHA512
ec85f561d6c6646908f9580a55b3c39c4d6c816ad46d882a56ae358d41cdc3e1d3faaa818bd5a7df2ce55445d3476ed2360017bef814ad99f823ce27723ee9fc

Download Submit
memory/1596-180-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-194-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-172-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1596-173-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1596-174-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1596-175-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-176-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-178-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-171-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1596-182-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-184-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-186-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-188-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-190-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-192-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-170-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1596-196-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-198-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-200-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-202-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1596-169-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/1596-168-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download
memory/4400-207-0x0000000000630000-0x000000000065E000-memory.dmp

Filesize
184KB

Download
memory/4400-208-0x00000000056D0000-0x0000000005CE8000-memory.dmp

Filesize
6.1MB

Download
memory/4400-209-0x00000000051C0000-0x00000000052CA000-memory.dmp

Filesize
1.0MB

Download
memory/4400-210-0x00000000050D0000-0x00000000050E2000-memory.dmp

Filesize
72KB

Download
memory/4400-211-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4400-212-0x0000000005130000-0x000000000516C000-memory.dmp

Filesize
240KB

Download
memory/4400-213-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download