redline | 0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
Size

1.4MB
MD5

5c5c81a650f941f0556c909020d75ea7
SHA1

317c7551be7d2f76ffc0a368827a0e9a50ce47c3
SHA256

0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3
SHA512

0088abf0ed9f8b9310ce1626008552eb7f206bbabf074fb7bb534d2bb91b41ff18034036f24f41225932ed4dd91cade1e5250ff875ab968a501448f48cf6d679
SSDEEP

24576:/ymjwlunBYcCZyMcwrGHKCL1LSrAlC4TbzS/Qpi2PDZkNhupi5VM:Kmjwsxf9wKP1LSrMTbOQDaUpG

Score

10^/10

redline mask evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mask

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2124-212-0x000000000B200000-0x000000000B818000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1718313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1718313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1718313.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1718313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1718313.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1718313.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1532	v5954638.exe
580	v3854008.exe
800	v3243674.exe
1168	v1416645.exe
3508	a1718313.exe
2124	b2023792.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1718313.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1718313.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1416645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5954638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5954638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3854008.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3243674.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1416645.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3854008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3243674.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5064	3508	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	a1718313.exe
3508	a1718313.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	a1718313.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 1532	4216	0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe	83
PID 4216 wrote to memory of 1532	4216	0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe	83
PID 4216 wrote to memory of 1532	4216	0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe	83
PID 1532 wrote to memory of 580	1532	v5954638.exe	84
PID 1532 wrote to memory of 580	1532	v5954638.exe	84
PID 1532 wrote to memory of 580	1532	v5954638.exe	84
PID 580 wrote to memory of 800	580	v3854008.exe	85
PID 580 wrote to memory of 800	580	v3854008.exe	85
PID 580 wrote to memory of 800	580	v3854008.exe	85
PID 800 wrote to memory of 1168	800	v3243674.exe	86
PID 800 wrote to memory of 1168	800	v3243674.exe	86
PID 800 wrote to memory of 1168	800	v3243674.exe	86
PID 1168 wrote to memory of 3508	1168	v1416645.exe	87
PID 1168 wrote to memory of 3508	1168	v1416645.exe	87
PID 1168 wrote to memory of 3508	1168	v1416645.exe	87
PID 1168 wrote to memory of 2124	1168	v1416645.exe	90
PID 1168 wrote to memory of 2124	1168	v1416645.exe	90
PID 1168 wrote to memory of 2124	1168	v1416645.exe	90

C:\Users\Admin\AppData\Local\Temp\0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe
"C:\Users\Admin\AppData\Local\Temp\0691043dbf7247f369440bcb1a429e8df6ffd3457f30aac5e2820715f62537f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5954638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5954638.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3854008.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3854008.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3243674.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3243674.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1416645.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1416645.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1718313.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1718313.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1084
        7⤵
        Program crash
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2023792.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2023792.exe
        6⤵
        Executes dropped EXE
        
        PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3508 -ip 3508
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5954638.exe

Filesize
1.3MB

MD5
39f390424af3c834a2fb34df1285f893

SHA1
afa8cd1c6e303f61c31fd9cdbad0f41eca083a78

SHA256
c0decc379fc0ea4b3cdff24d222db7127538004f7b98e13b4bc33ee2a63f5a44

SHA512
93404b77fbe3e1e1d5baf4d6303d64557b7f41d9e86e9a8f7054fe1be8e71c37ea9ed01d9b83bb0984b8d322599c6efd87a77169e6de47e7dfc1e20ce607302b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5954638.exe

Filesize
1.3MB

MD5
39f390424af3c834a2fb34df1285f893

SHA1
afa8cd1c6e303f61c31fd9cdbad0f41eca083a78

SHA256
c0decc379fc0ea4b3cdff24d222db7127538004f7b98e13b4bc33ee2a63f5a44

SHA512
93404b77fbe3e1e1d5baf4d6303d64557b7f41d9e86e9a8f7054fe1be8e71c37ea9ed01d9b83bb0984b8d322599c6efd87a77169e6de47e7dfc1e20ce607302b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3854008.exe

Filesize
846KB

MD5
4835642a1871bdb58b15c4d634170e54

SHA1
28ae24516568c58a0c9546388d1c9754514e1c55

SHA256
5d3c12499aaeafbd6985415b6adce1955ee4bdc6a09e00cd46f6d91bde666a78

SHA512
3463fd927b596017c61c62700e7d2a889c7c1bf378b1d8eddb293755755a733e09d4d2f44273bf349576cf25f3049275d2df4159faba52f80599ad294ea15bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3854008.exe

Filesize
846KB

MD5
4835642a1871bdb58b15c4d634170e54

SHA1
28ae24516568c58a0c9546388d1c9754514e1c55

SHA256
5d3c12499aaeafbd6985415b6adce1955ee4bdc6a09e00cd46f6d91bde666a78

SHA512
3463fd927b596017c61c62700e7d2a889c7c1bf378b1d8eddb293755755a733e09d4d2f44273bf349576cf25f3049275d2df4159faba52f80599ad294ea15bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3243674.exe

Filesize
641KB

MD5
66a4b4482761e46b6e499e132724ad90

SHA1
b99a595cd4147c513c30df1e42ed167d67db3c8b

SHA256
4a4dcf4fc6bad026498c56502a7d621e013001432545cf63c88103f1a7d140d3

SHA512
3d3f7f65a19029887a85596a76721ae7fbdd5b94fa070f468b8fc4363a5c806ec7cfad56dbe761ed0134fe7a29d66105abb297c1b0be32f5fbd391e179acf1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3243674.exe

Filesize
641KB

MD5
66a4b4482761e46b6e499e132724ad90

SHA1
b99a595cd4147c513c30df1e42ed167d67db3c8b

SHA256
4a4dcf4fc6bad026498c56502a7d621e013001432545cf63c88103f1a7d140d3

SHA512
3d3f7f65a19029887a85596a76721ae7fbdd5b94fa070f468b8fc4363a5c806ec7cfad56dbe761ed0134fe7a29d66105abb297c1b0be32f5fbd391e179acf1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1416645.exe

Filesize
383KB

MD5
e9fb12c4cef4c40b376d35ee37385a1a

SHA1
178ec92941574b2f2d1e9480fd50e100c68f9e1d

SHA256
186035ac643913904f9db5b461d2b35a3ee0a5bfb271af3e84608d49daedb6d0

SHA512
f91b9c090e0214e72c6f5e9959b5b925c10c52e9e3b3db5188fb0575223e3f2faff8b024b997c111b58958f284ea81cf02926bfcded5eb9e4df50445de19d93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1416645.exe

Filesize
383KB

MD5
e9fb12c4cef4c40b376d35ee37385a1a

SHA1
178ec92941574b2f2d1e9480fd50e100c68f9e1d

SHA256
186035ac643913904f9db5b461d2b35a3ee0a5bfb271af3e84608d49daedb6d0

SHA512
f91b9c090e0214e72c6f5e9959b5b925c10c52e9e3b3db5188fb0575223e3f2faff8b024b997c111b58958f284ea81cf02926bfcded5eb9e4df50445de19d93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1718313.exe

Filesize
289KB

MD5
3a237a6b7ad93e72b009a2c44c14c215

SHA1
90901129c255f6c1a0c4391ee8d7d782c4b38734

SHA256
1ca6f447d989782f3db7c7f3fa4813ceab3f734d2989b25eb46035338dcb0f01

SHA512
f3e7a104a9229e857ad6ff565ece45adbd7c43902e64f4e82e108111bab8ea6b8a2a3f5d89dafa42abbcf7baa5bd6d2685118793a365e213108f69557b62dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1718313.exe

Filesize
289KB

MD5
3a237a6b7ad93e72b009a2c44c14c215

SHA1
90901129c255f6c1a0c4391ee8d7d782c4b38734

SHA256
1ca6f447d989782f3db7c7f3fa4813ceab3f734d2989b25eb46035338dcb0f01

SHA512
f3e7a104a9229e857ad6ff565ece45adbd7c43902e64f4e82e108111bab8ea6b8a2a3f5d89dafa42abbcf7baa5bd6d2685118793a365e213108f69557b62dd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2023792.exe

Filesize
168KB

MD5
90c79ba8c6d6512b08f4c636f77df522

SHA1
e3eb640989d37d5c6dfe554a1652f56810c1d13b

SHA256
6f443d3e6aa6ccbc6d6b2e98b0948dc448bd8ba19bdc17fcaa4621862f81bdc5

SHA512
9344a1f8ec9c0c1793babdb8564bc10699a950298091c3bb0c2e2687b70886770d90fe36aeaa273027b915a6a1928754e022706a7bd74bb36e53c8bf9719ac0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2023792.exe

Filesize
168KB

MD5
90c79ba8c6d6512b08f4c636f77df522

SHA1
e3eb640989d37d5c6dfe554a1652f56810c1d13b

SHA256
6f443d3e6aa6ccbc6d6b2e98b0948dc448bd8ba19bdc17fcaa4621862f81bdc5

SHA512
9344a1f8ec9c0c1793babdb8564bc10699a950298091c3bb0c2e2687b70886770d90fe36aeaa273027b915a6a1928754e022706a7bd74bb36e53c8bf9719ac0a

Download Submit
memory/2124-217-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2124-216-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2124-215-0x000000000AC00000-0x000000000AC3C000-memory.dmp

Filesize
240KB

Download
memory/2124-214-0x000000000ABE0000-0x000000000ABF2000-memory.dmp

Filesize
72KB

Download
memory/2124-213-0x000000000ACF0000-0x000000000ADFA000-memory.dmp

Filesize
1.0MB

Download
memory/2124-212-0x000000000B200000-0x000000000B818000-memory.dmp

Filesize
6.1MB

Download
memory/2124-211-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/3508-184-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-202-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3508-186-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-188-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-190-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-192-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-194-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-196-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-198-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-200-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-201-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3508-182-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-203-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3508-204-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3508-206-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3508-180-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-178-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-176-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-174-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-173-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3508-172-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3508-171-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3508-170-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/3508-169-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download