redline | 6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311

Analysis

max time kernel
151s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe
Size

1.2MB
MD5

b94d24de15f1cf31b109174df8e371da
SHA1

3f12cb41f677dca63e7ce3159054972ee593e8f4
SHA256

6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311
SHA512

cbcbb04fd28079686729b40c571f45bf93e98ffc2b0b39eec8d6ad31397c11853f3004bdf531d9ca7f968b8f2d2d10a0070375ef998020d2249a4f394dc9e17f
SSDEEP

24576:Lyk0MQzaPp60qBb2V4FIBqW5bdVCwyiqOkGc+SLtfhP1knMnjt8:+kPyaV4uqAbDyWkt3hh6nSt

Score

10^/10

redline lofa evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lofa

185.161.248.73:4164

Attributes

auth_value
3442ba767c6a30cde747101942f34a3a

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1180-201-0x000000000A7F0000-0x000000000AE08000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s67606871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s67606871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s67606871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s67606871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s67606871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s67606871.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1560	z05894032.exe
3464	z86207961.exe
228	z28328276.exe
4436	s67606871.exe
1180	t37746663.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s67606871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s67606871.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z05894032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z05894032.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z86207961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z86207961.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z28328276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z28328276.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4436	s67606871.exe
4436	s67606871.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	s67606871.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1560	1944	6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe	83
PID 1944 wrote to memory of 1560	1944	6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe	83
PID 1944 wrote to memory of 1560	1944	6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe	83
PID 1560 wrote to memory of 3464	1560	z05894032.exe	84
PID 1560 wrote to memory of 3464	1560	z05894032.exe	84
PID 1560 wrote to memory of 3464	1560	z05894032.exe	84
PID 3464 wrote to memory of 228	3464	z86207961.exe	85
PID 3464 wrote to memory of 228	3464	z86207961.exe	85
PID 3464 wrote to memory of 228	3464	z86207961.exe	85
PID 228 wrote to memory of 4436	228	z28328276.exe	86
PID 228 wrote to memory of 4436	228	z28328276.exe	86
PID 228 wrote to memory of 4436	228	z28328276.exe	86
PID 228 wrote to memory of 1180	228	z28328276.exe	87
PID 228 wrote to memory of 1180	228	z28328276.exe	87
PID 228 wrote to memory of 1180	228	z28328276.exe	87

C:\Users\Admin\AppData\Local\Temp\6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe
"C:\Users\Admin\AppData\Local\Temp\6ca05235a5946b540c8e7b8339d938a176dce2f7ec5a1b0ba44519a160333311.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z05894032.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z05894032.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86207961.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86207961.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z28328276.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z28328276.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s67606871.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s67606871.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37746663.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37746663.exe
        5⤵
        Executes dropped EXE
        
        PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z05894032.exe

Filesize
977KB

MD5
04de40623dd0ce381ed27575884834cb

SHA1
5eebc868e63da036aeac1779be24d1beef285b7c

SHA256
94232f9f6e4fa6683282417a4793bef39a6417e96603eda55036723fa070ede6

SHA512
fbb8c1d95f71bd1c26d98332776e4a8e3ae612bbe74ac9752e5d99721dc6e2fc8356703503d2b9d81d4321b3e53ff13701891c2dc3613f69593d4df712b1a82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z05894032.exe

Filesize
977KB

MD5
04de40623dd0ce381ed27575884834cb

SHA1
5eebc868e63da036aeac1779be24d1beef285b7c

SHA256
94232f9f6e4fa6683282417a4793bef39a6417e96603eda55036723fa070ede6

SHA512
fbb8c1d95f71bd1c26d98332776e4a8e3ae612bbe74ac9752e5d99721dc6e2fc8356703503d2b9d81d4321b3e53ff13701891c2dc3613f69593d4df712b1a82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86207961.exe

Filesize
794KB

MD5
7694cbbb02e29dd6f3945a5d4c035d18

SHA1
530e6fbb8e89736f0ede289fad4b28b030d7bc72

SHA256
f7a938d64ba2b0e0f16f48751c60e27ea35c303c63d75e5b409ec12d44fb9150

SHA512
d0ce8a9cb6f8fb09a1c07d513b27704328608ca5e3a1ccb97d19de20c9b918ff00bec838ca3ae4c8c92c905fa97f0f4b588fa7b029024bdd23d068476e42cb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86207961.exe

Filesize
794KB

MD5
7694cbbb02e29dd6f3945a5d4c035d18

SHA1
530e6fbb8e89736f0ede289fad4b28b030d7bc72

SHA256
f7a938d64ba2b0e0f16f48751c60e27ea35c303c63d75e5b409ec12d44fb9150

SHA512
d0ce8a9cb6f8fb09a1c07d513b27704328608ca5e3a1ccb97d19de20c9b918ff00bec838ca3ae4c8c92c905fa97f0f4b588fa7b029024bdd23d068476e42cb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z28328276.exe

Filesize
310KB

MD5
81def50961ebdec65b76d932ad50600d

SHA1
6afd8ed856379c515e56422e2ac5fd9536034c88

SHA256
2ea9817dafcbf917ed5abcee3f9e75db9628b8225633cbf7bc8e372964a5d228

SHA512
7de0bffe1c94a5edeeed3b63bdae85f8e56ba6a703527cb43cce1ce9ec9c023b2d2f1b2488faa6d91bff1c596c6b3f3fc130b970e1e663ab6ed8de08bdbb2ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z28328276.exe

Filesize
310KB

MD5
81def50961ebdec65b76d932ad50600d

SHA1
6afd8ed856379c515e56422e2ac5fd9536034c88

SHA256
2ea9817dafcbf917ed5abcee3f9e75db9628b8225633cbf7bc8e372964a5d228

SHA512
7de0bffe1c94a5edeeed3b63bdae85f8e56ba6a703527cb43cce1ce9ec9c023b2d2f1b2488faa6d91bff1c596c6b3f3fc130b970e1e663ab6ed8de08bdbb2ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s67606871.exe

Filesize
175KB

MD5
799abaf220aeac856052b7e370c01fd9

SHA1
c938b4abd36adc778bb8eb6832f383645dcac1c7

SHA256
ccfd4a99fed9713ff690462cd7b66c0db838167af50c24888ae08259152e8165

SHA512
19f93623d5b50f027d883b8f8cddd8b70327a374f40728ef75084378de5198c3ace70772cbd68a2f092832ab79b876aff947e797b1c40c4256e479df11bf7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s67606871.exe

Filesize
175KB

MD5
799abaf220aeac856052b7e370c01fd9

SHA1
c938b4abd36adc778bb8eb6832f383645dcac1c7

SHA256
ccfd4a99fed9713ff690462cd7b66c0db838167af50c24888ae08259152e8165

SHA512
19f93623d5b50f027d883b8f8cddd8b70327a374f40728ef75084378de5198c3ace70772cbd68a2f092832ab79b876aff947e797b1c40c4256e479df11bf7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37746663.exe

Filesize
168KB

MD5
75491ec66930fe16dd62ffc67f8dc1db

SHA1
17826b39c6fb40e47a2ae32130b260e86c40fb9f

SHA256
55e6980eb39e875b0b31021232a01ff132f8294a96143aa717374fa30c6000c1

SHA512
44596978db46bcb3ddc52ab441738fa5f27498da44db9a9c1ed630fadd99cbd76673e48acd54990149eaa8fbdf59662992289f8b63049055eef12110c36d378e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t37746663.exe

Filesize
168KB

MD5
75491ec66930fe16dd62ffc67f8dc1db

SHA1
17826b39c6fb40e47a2ae32130b260e86c40fb9f

SHA256
55e6980eb39e875b0b31021232a01ff132f8294a96143aa717374fa30c6000c1

SHA512
44596978db46bcb3ddc52ab441738fa5f27498da44db9a9c1ed630fadd99cbd76673e48acd54990149eaa8fbdf59662992289f8b63049055eef12110c36d378e

Download Submit
memory/1180-206-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1180-203-0x000000000A270000-0x000000000A282000-memory.dmp

Filesize
72KB

Download
memory/1180-202-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/1180-201-0x000000000A7F0000-0x000000000AE08000-memory.dmp

Filesize
6.1MB

Download
memory/1180-200-0x0000000000500000-0x000000000052E000-memory.dmp

Filesize
184KB

Download
memory/1180-204-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1180-205-0x000000000A2D0000-0x000000000A30C000-memory.dmp

Filesize
240KB

Download
memory/4436-179-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-194-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/4436-181-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-183-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-185-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-187-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-189-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-190-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/4436-191-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/4436-192-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/4436-193-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/4436-177-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-195-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/4436-175-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-173-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-171-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-169-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-167-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-165-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-163-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-162-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/4436-161-0x0000000004A60000-0x0000000005004000-memory.dmp

Filesize
5.6MB

Download