redline | 6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe
Size

1.2MB
MD5

68c9e889e04f750801a49045a1d1cfba
SHA1

3a54b6f9b88809637bddcbd324bbe056b3c49f0b
SHA256

6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7
SHA512

cfd45ae5f53a108fda6aad6408fd71b1017b62dbb429806e6df9c9581f76b8380bb8433cd5f308cdcad5ee91dc013e798f4dc40ded8d14aaf598885f5a73420f
SSDEEP

24576:gytET5kWlnO3qKpq7EIwTI4rMd6DmtevIMsriftcjTdrTdv9E+D:nt+5nQ9zIwE4rDmteQVscv1dv9E

Score

10^/10

redline lakio evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lakio

217.196.96.56:4138

Attributes

auth_value
5a2372e90cce274157a245c74afe9d6e

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3148-205-0x000000000AFD0000-0x000000000B5E8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n3015531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n3015531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n3015531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n3015531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n3015531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n3015531.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2428	z7832724.exe
4848	z9516070.exe
3356	z3106440.exe
2608	n3015531.exe
3148	o1275407.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n3015531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n3015531.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7832724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7832724.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9516070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9516070.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3106440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3106440.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3956	2608	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	n3015531.exe
2608	n3015531.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	n3015531.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 2428	3408	6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe	85
PID 3408 wrote to memory of 2428	3408	6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe	85
PID 3408 wrote to memory of 2428	3408	6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe	85
PID 2428 wrote to memory of 4848	2428	z7832724.exe	86
PID 2428 wrote to memory of 4848	2428	z7832724.exe	86
PID 2428 wrote to memory of 4848	2428	z7832724.exe	86
PID 4848 wrote to memory of 3356	4848	z9516070.exe	87
PID 4848 wrote to memory of 3356	4848	z9516070.exe	87
PID 4848 wrote to memory of 3356	4848	z9516070.exe	87
PID 3356 wrote to memory of 2608	3356	z3106440.exe	88
PID 3356 wrote to memory of 2608	3356	z3106440.exe	88
PID 3356 wrote to memory of 2608	3356	z3106440.exe	88
PID 3356 wrote to memory of 3148	3356	z3106440.exe	92
PID 3356 wrote to memory of 3148	3356	z3106440.exe	92
PID 3356 wrote to memory of 3148	3356	z3106440.exe	92

C:\Users\Admin\AppData\Local\Temp\6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe
"C:\Users\Admin\AppData\Local\Temp\6fc4ec98c405c5acb2d380a80c81a4e36519c22f8c563cea0c49da37f795baf7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7832724.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7832724.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9516070.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9516070.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3106440.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3106440.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n3015531.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n3015531.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1084
        6⤵
        Program crash
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o1275407.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o1275407.exe
        5⤵
        Executes dropped EXE
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2608 -ip 2608
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7832724.exe

Filesize
1.0MB

MD5
b4293764e718da0e2b4027bef9e63c24

SHA1
2863a25c9d2711daf7feff7418655c76bb22caa6

SHA256
9c10ce00a437210ccb3fb50bbab8928d83153cfca3b722c8851cc146d61bfead

SHA512
52ce83768b26227e254fa2c246b7f36d6431d9d6f3f59b63dfb232f82664541c3ee242a5fb04881299f9b7cd664f39327b8b9c27fbee8b893dcf5cc3c8e8db7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7832724.exe

Filesize
1.0MB

MD5
b4293764e718da0e2b4027bef9e63c24

SHA1
2863a25c9d2711daf7feff7418655c76bb22caa6

SHA256
9c10ce00a437210ccb3fb50bbab8928d83153cfca3b722c8851cc146d61bfead

SHA512
52ce83768b26227e254fa2c246b7f36d6431d9d6f3f59b63dfb232f82664541c3ee242a5fb04881299f9b7cd664f39327b8b9c27fbee8b893dcf5cc3c8e8db7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9516070.exe

Filesize
597KB

MD5
a019d98b7b20e07d29070556c2bad9a3

SHA1
6f8da36b17377db91a70a8634a75b2dd4043ea3f

SHA256
140c0f254ae138dfbaf1e17be541093394ea43e40d1dba68e4d49c07a596470f

SHA512
c22412bc20e5f9cac8912d3989a1fda146ea2c85b4a58fc554222a826e1365872ee7af915fb5f3eec35b0222695eb8e72b874656c03e0437823c6605a8749a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9516070.exe

Filesize
597KB

MD5
a019d98b7b20e07d29070556c2bad9a3

SHA1
6f8da36b17377db91a70a8634a75b2dd4043ea3f

SHA256
140c0f254ae138dfbaf1e17be541093394ea43e40d1dba68e4d49c07a596470f

SHA512
c22412bc20e5f9cac8912d3989a1fda146ea2c85b4a58fc554222a826e1365872ee7af915fb5f3eec35b0222695eb8e72b874656c03e0437823c6605a8749a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3106440.exe

Filesize
394KB

MD5
18481eeca2a96739a1d2de0d8270c093

SHA1
6388a1355da7c747878ea68d9a61d97795c7d249

SHA256
cc6d3cc41bbdd60154b5e3f8d280071760c9bb2090db824260e73511c87f8128

SHA512
52ad2b09956b7cd8ee260e9a25dd6bad7ff9e8df36db300bc35397418f490cf0f9d453fd0b8b34e7de70318cf5ba17d0b7183c61f2b0e6458a0c853ac790ae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3106440.exe

Filesize
394KB

MD5
18481eeca2a96739a1d2de0d8270c093

SHA1
6388a1355da7c747878ea68d9a61d97795c7d249

SHA256
cc6d3cc41bbdd60154b5e3f8d280071760c9bb2090db824260e73511c87f8128

SHA512
52ad2b09956b7cd8ee260e9a25dd6bad7ff9e8df36db300bc35397418f490cf0f9d453fd0b8b34e7de70318cf5ba17d0b7183c61f2b0e6458a0c853ac790ae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n3015531.exe

Filesize
315KB

MD5
f844986faf33571e1d1eb37463d6bddd

SHA1
644cb506d99bfcee4c8aa0c7e6f5c155f5b6be38

SHA256
d51f7fbaeb3a36b065cdc0b0e351bcd8658498165c333a0dbf0ffccdbd18a358

SHA512
f4a25cfc7487a0fed1f03e5e961752e78002883ed0552b046ab12cffa67bdbdf8a43f36002a5408a978065f89bce756b35850fe7bec3168965f47500337d688e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n3015531.exe

Filesize
315KB

MD5
f844986faf33571e1d1eb37463d6bddd

SHA1
644cb506d99bfcee4c8aa0c7e6f5c155f5b6be38

SHA256
d51f7fbaeb3a36b065cdc0b0e351bcd8658498165c333a0dbf0ffccdbd18a358

SHA512
f4a25cfc7487a0fed1f03e5e961752e78002883ed0552b046ab12cffa67bdbdf8a43f36002a5408a978065f89bce756b35850fe7bec3168965f47500337d688e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o1275407.exe

Filesize
168KB

MD5
d748ebf8cbf7907afb70480697490091

SHA1
d2ca1857ea1639460ddff2f3260f5795f1ced7ce

SHA256
6f2a64b8448fce28cdcf19a0c5201364bdaec7b055e2dca923b77aee90d92049

SHA512
17a1945026f7ce40b3a12bea31b29caf00ba8b0372e412b50b761f5993248ab88363381bc683af17fef5d0c6785d1fcf1fa2e6a016abf780bc3b8fbfc064f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o1275407.exe

Filesize
168KB

MD5
d748ebf8cbf7907afb70480697490091

SHA1
d2ca1857ea1639460ddff2f3260f5795f1ced7ce

SHA256
6f2a64b8448fce28cdcf19a0c5201364bdaec7b055e2dca923b77aee90d92049

SHA512
17a1945026f7ce40b3a12bea31b29caf00ba8b0372e412b50b761f5993248ab88363381bc683af17fef5d0c6785d1fcf1fa2e6a016abf780bc3b8fbfc064f853

Download Submit
memory/2608-180-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-190-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-166-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/2608-168-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-167-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-170-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-172-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-174-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-176-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-178-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-164-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2608-182-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-184-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-186-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-188-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-165-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2608-192-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-194-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/2608-195-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2608-196-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2608-197-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2608-198-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2608-200-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2608-163-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2608-162-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/3148-204-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

Filesize
184KB

Download
memory/3148-205-0x000000000AFD0000-0x000000000B5E8000-memory.dmp

Filesize
6.1MB

Download
memory/3148-206-0x000000000AB50000-0x000000000AC5A000-memory.dmp

Filesize
1.0MB

Download
memory/3148-207-0x000000000AA80000-0x000000000AA92000-memory.dmp

Filesize
72KB

Download
memory/3148-208-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3148-209-0x000000000AAE0000-0x000000000AB1C000-memory.dmp

Filesize
240KB

Download
memory/3148-210-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download