redline | 6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe
Size

1.2MB
MD5

8b3eaa8f14c275b452d084531f34af6d
SHA1

bdb7c22cfa3a753bf28a5b17f11f851bb124466a
SHA256

6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f
SHA512

48502bb5ff66ab287bc0f583cfb77767a9e56341c1b0b840599d09b59dccbb7a5c98575bd9c4007d66a4660e47b90992e58d6f206db29bf88d96efdabe09a075
SSDEEP

24576:eyZdtOhCiWtF36eIwAl3JNs+4q172lZeA6khRxXxZMbedItcPTx7/eCUWFq:tv+ClfDAj4VTeAPhRtfxCc7Z/ew

Score

10^/10

redline lakio evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lakio

217.196.96.56:4138

Attributes

auth_value
5a2372e90cce274157a245c74afe9d6e

Signatures

Detects Redline Stealer samples 2 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3472-205-0x000000000AA40000-0x000000000B058000-memory.dmp	redline_stealer
behavioral2/memory/3472-208-0x0000000005090000-0x00000000050A0000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n1478062.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n1478062.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n1478062.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n1478062.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n1478062.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n1478062.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1828	z5695676.exe
764	z5016329.exe
3744	z4192400.exe
4076	n1478062.exe
3472	o2295037.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n1478062.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n1478062.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5695676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5695676.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5016329.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5016329.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4192400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4192400.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1608	4076	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4076	n1478062.exe
4076	n1478062.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	n1478062.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1828	5036	6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe	84
PID 5036 wrote to memory of 1828	5036	6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe	84
PID 5036 wrote to memory of 1828	5036	6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe	84
PID 1828 wrote to memory of 764	1828	z5695676.exe	85
PID 1828 wrote to memory of 764	1828	z5695676.exe	85
PID 1828 wrote to memory of 764	1828	z5695676.exe	85
PID 764 wrote to memory of 3744	764	z5016329.exe	86
PID 764 wrote to memory of 3744	764	z5016329.exe	86
PID 764 wrote to memory of 3744	764	z5016329.exe	86
PID 3744 wrote to memory of 4076	3744	z4192400.exe	87
PID 3744 wrote to memory of 4076	3744	z4192400.exe	87
PID 3744 wrote to memory of 4076	3744	z4192400.exe	87
PID 3744 wrote to memory of 3472	3744	z4192400.exe	93
PID 3744 wrote to memory of 3472	3744	z4192400.exe	93
PID 3744 wrote to memory of 3472	3744	z4192400.exe	93

C:\Users\Admin\AppData\Local\Temp\6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe
"C:\Users\Admin\AppData\Local\Temp\6e96748d1f93f53406b975d4bbc6b8cda351204932ab2473f802c644697fa80f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5695676.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5695676.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5016329.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5016329.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4192400.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4192400.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n1478062.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n1478062.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1080
        6⤵
        Program crash
        
        PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2295037.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2295037.exe
        5⤵
        Executes dropped EXE
        
        PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4076 -ip 4076
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5695676.exe

Filesize
1.0MB

MD5
3200663462e997348e6633d13748234a

SHA1
31286a020ccf58eb73b18cfceb85a7c3e41f8ec8

SHA256
90f887da49cf4ae3a6c1163bfc0e07497ad643f37b0038fe7c6aebc4e25c1a2f

SHA512
0a1b745bde2ed4a521926c53a892b2377d7cb7919ae79116d6dad4fc835fadaa51ee2c87f2756e5fc247bc091700908705debc05dcbae2a1359a255605d089ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5695676.exe

Filesize
1.0MB

MD5
3200663462e997348e6633d13748234a

SHA1
31286a020ccf58eb73b18cfceb85a7c3e41f8ec8

SHA256
90f887da49cf4ae3a6c1163bfc0e07497ad643f37b0038fe7c6aebc4e25c1a2f

SHA512
0a1b745bde2ed4a521926c53a892b2377d7cb7919ae79116d6dad4fc835fadaa51ee2c87f2756e5fc247bc091700908705debc05dcbae2a1359a255605d089ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5016329.exe

Filesize
597KB

MD5
d7ac91a0d75bb955232365c1a31b29a0

SHA1
f283c9067aeb94215f0cb18da0e15ff9935628f2

SHA256
48db151fc353c74fc9ce35abbd373744d282db2c6d5c87c04f581393f8b43aa7

SHA512
96cb8b98f4ced160c4646dd5844c49622a3784c8486c543f8bebc831b3eb87d0be94877f72f26a9809aa896c8062a9d7b69b8d9742cb56baa1e9e367a4053700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5016329.exe

Filesize
597KB

MD5
d7ac91a0d75bb955232365c1a31b29a0

SHA1
f283c9067aeb94215f0cb18da0e15ff9935628f2

SHA256
48db151fc353c74fc9ce35abbd373744d282db2c6d5c87c04f581393f8b43aa7

SHA512
96cb8b98f4ced160c4646dd5844c49622a3784c8486c543f8bebc831b3eb87d0be94877f72f26a9809aa896c8062a9d7b69b8d9742cb56baa1e9e367a4053700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4192400.exe

Filesize
393KB

MD5
ec4da8217b74e0d0be3e036bc900480d

SHA1
c5f6b4b4085c037c4e907e2e22f025838affc5d6

SHA256
3e5bfbd1903a464e1f4a529a1c5d286d728dea26de90cff7d06dd5ef517f4784

SHA512
e11a7d4aa8d4c925d07f3c1abd064d5086feb52667a53c1c88fa96b59baf5a122f51722e2d8d65ec5abb07319a7958e3d441b49a3ab9645167c6b592edcc577e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4192400.exe

Filesize
393KB

MD5
ec4da8217b74e0d0be3e036bc900480d

SHA1
c5f6b4b4085c037c4e907e2e22f025838affc5d6

SHA256
3e5bfbd1903a464e1f4a529a1c5d286d728dea26de90cff7d06dd5ef517f4784

SHA512
e11a7d4aa8d4c925d07f3c1abd064d5086feb52667a53c1c88fa96b59baf5a122f51722e2d8d65ec5abb07319a7958e3d441b49a3ab9645167c6b592edcc577e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n1478062.exe

Filesize
315KB

MD5
93b2849d3616cae91aa194d4a444cbc5

SHA1
8d863c6fd33844674faf9107e4c7fe46b8fe28f0

SHA256
80ba299d2c9a29f1fd19eb946b8c8151d24053e32b885886583afa7aec9102ed

SHA512
1ba88b450a6238100b51de1e77130fc7c7a8fda4cc39c7153d93f13425856aeaabc2c1561e77b29dbd829c9c1bf13c3c177a687d5c42f634ecbce78793fea038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n1478062.exe

Filesize
315KB

MD5
93b2849d3616cae91aa194d4a444cbc5

SHA1
8d863c6fd33844674faf9107e4c7fe46b8fe28f0

SHA256
80ba299d2c9a29f1fd19eb946b8c8151d24053e32b885886583afa7aec9102ed

SHA512
1ba88b450a6238100b51de1e77130fc7c7a8fda4cc39c7153d93f13425856aeaabc2c1561e77b29dbd829c9c1bf13c3c177a687d5c42f634ecbce78793fea038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2295037.exe

Filesize
168KB

MD5
5b914f9078cd5be1a32b580f6e90fad5

SHA1
265c67d0268949d90406ed2d6b2083c4cf91fdba

SHA256
5839e3842f5f2dcf9f7a4b0af16a1d602c2dc43bbd5226199d0785c5be7509b8

SHA512
b9274e5f343a43bbd3563b1b8a2c9e7a537333fb5f5be8173f1d13a90b1866357dc9efdbad7f3cf127f30de2732038df8348ca5c41d4d4c5a6634533248be628

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o2295037.exe

Filesize
168KB

MD5
5b914f9078cd5be1a32b580f6e90fad5

SHA1
265c67d0268949d90406ed2d6b2083c4cf91fdba

SHA256
5839e3842f5f2dcf9f7a4b0af16a1d602c2dc43bbd5226199d0785c5be7509b8

SHA512
b9274e5f343a43bbd3563b1b8a2c9e7a537333fb5f5be8173f1d13a90b1866357dc9efdbad7f3cf127f30de2732038df8348ca5c41d4d4c5a6634533248be628

Download Submit
memory/3472-210-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3472-208-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3472-206-0x000000000A530000-0x000000000A63A000-memory.dmp

Filesize
1.0MB

Download
memory/3472-205-0x000000000AA40000-0x000000000B058000-memory.dmp

Filesize
6.1MB

Download
memory/3472-204-0x00000000006C0000-0x00000000006EE000-memory.dmp

Filesize
184KB

Download
memory/3472-207-0x000000000A440000-0x000000000A452000-memory.dmp

Filesize
72KB

Download
memory/3472-209-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

Filesize
240KB

Download
memory/4076-183-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-199-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4076-181-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-177-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-185-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-187-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-189-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-191-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-192-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4076-193-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4076-194-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4076-195-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4076-198-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4076-179-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-197-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4076-200-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4076-175-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-173-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-171-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-169-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-167-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-165-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-164-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/4076-163-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-162-0x0000000000560000-0x000000000058D000-memory.dmp

Filesize
180KB

Download