redline | 075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82 | Triage

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:45 UTC

Sharing

Report Analysis Logs

General

Target

075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
Size

479KB
MD5

5577147c5b1aa1dd66b5b84982cf3ac8
SHA1

e4ab9506f13992d220905a63757b9e2c8b620cff
SHA256

075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82
SHA512

b1b9d057d9ea4a45fb7f27a6ac0a6450f9f4ddfbcfbeb47e4b46a8b4e81add0236b10f128af19d7b15094834eb959691dfc71a53e01f007c4ca4b85cd0a588ab
SSDEEP

12288:GMrfy90tmBpUQZuTzDMoDYmO6aW81OGDXGmRvJURd0uO+i:ByxpZZuIIWTh1OUWrdli

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

resource	yara_rule
behavioral2/memory/1608-187-0x00000000076B0000-0x0000000007CC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8735883.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4592	v3950559.exe
2664	a8735883.exe
1608	b2762133.exe

Windows security modification 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8735883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8735883.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3950559.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3950559.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2664	a8735883.exe
2664	a8735883.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	a8735883.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4592	2132	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	83
PID 2132 wrote to memory of 4592	2132	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	83
PID 2132 wrote to memory of 4592	2132	075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe	83
PID 4592 wrote to memory of 2664	4592	v3950559.exe	84
PID 4592 wrote to memory of 2664	4592	v3950559.exe	84
PID 4592 wrote to memory of 2664	4592	v3950559.exe	84
PID 4592 wrote to memory of 1608	4592	v3950559.exe	89
PID 4592 wrote to memory of 1608	4592	v3950559.exe	89
PID 4592 wrote to memory of 1608	4592	v3950559.exe	89

C:\Users\Admin\AppData\Local\Temp\075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe
"C:\Users\Admin\AppData\Local\Temp\075447ce64e305c8bb32c41a2cf5102f55803f76a2e6b52df991c489b01f9e82.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe
    3⤵
    - Executes dropped EXE
    PID:1608

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

123.108.74.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.108.74.40.in-addr.arpa

IN PTR

Response
DNS

73.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.31.126.40.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

86.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.8.109.52.in-addr.arpa

IN PTR

Response

77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
52.242.101.226:443

260 B
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
20.189.173.3:443

322 B
7
93.184.220.29:80

322 B
7
93.184.221.240:80

322 B
7
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
52.242.101.226:443

260 B
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
93.184.221.240:80

322 B
7
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
173.223.113.164:443

322 B
7
173.223.113.131:80

322 B
7
204.79.197.203:80

322 B
7
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
52.242.101.226:443

260 B
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
52.242.101.226:443

260 B
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
160 B
5
4
52.242.101.226:443

260 B
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
52.242.101.226:443

260 B
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

260 B
200 B
5
5
77.91.124.251:19069

b2762133.exe

156 B
120 B
3
3

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

123.108.74.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

123.108.74.40.in-addr.arpa
8.8.8.8:53

73.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

73.31.126.40.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

86.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.8.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe

Filesize
307KB

MD5
d16fa6e85dfb4ae46405453c71b75694

SHA1
20b06617901676d15ff5a3bed81ee196ff82e166

SHA256
c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

SHA512
9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3950559.exe

Filesize
307KB

MD5
d16fa6e85dfb4ae46405453c71b75694

SHA1
20b06617901676d15ff5a3bed81ee196ff82e166

SHA256
c4196069172bf3a494ca7130ae3ad560745fe714cbdfbee56d4807bb7cd7d642

SHA512
9f519ec0fd9433c1d27938c5fc8d20a67e1b505b7f72cdc8ec9d0211ef12874bdc6cee24d1b77d37b9c40d52a211d828f4cfea26db4312163595b4ccd84aea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe

Filesize
175KB

MD5
53103813f9b185c5775d4351c5c97e25

SHA1
9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

SHA256
2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

SHA512
d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8735883.exe

Filesize
175KB

MD5
53103813f9b185c5775d4351c5c97e25

SHA1
9c286346ffee3b83e81ac8f6c5ef3143a35b3f9d

SHA256
2f824ce1b62be8a3c8df47fc37f345911f63117e56d6548586f987e345f54485

SHA512
d9d302370143d104000f9efe83b538524e1117e76aa0c6944f2fe231c139ddb8cefc66dc296f1d4dbe11c82eabf56cbc4e5cba78a605f2496dd226dd6bd68509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe

Filesize
136KB

MD5
b1d06b88514d2e393201805baee9f188

SHA1
38147f086ba49868921d3f506cc3bae4e7b388f0

SHA256
c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

SHA512
b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2762133.exe

Filesize
136KB

MD5
b1d06b88514d2e393201805baee9f188

SHA1
38147f086ba49868921d3f506cc3bae4e7b388f0

SHA256
c741f079ca08e2d1856bbd84f9501e27c1bce76b4dd0bb88e8e6e2d8fbc75ebf

SHA512
b8332bb813373dd4f167b5e1f5694073b1d39f93c5d26d64f21f55975f30b24f064ac474916cf643033b083cbbe45ed91436d8f705eb651b8ad89c5ef242d5bd

Download Submit
memory/1608-190-0x0000000007180000-0x00000000071BC000-memory.dmp

Filesize
240KB

Download
memory/1608-187-0x00000000076B0000-0x0000000007CC8000-memory.dmp

Filesize
6.1MB

Download
memory/1608-189-0x0000000007250000-0x000000000735A000-memory.dmp

Filesize
1.0MB

Download
memory/1608-188-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/1608-191-0x0000000007530000-0x0000000007540000-memory.dmp

Filesize
64KB

Download
memory/1608-186-0x00000000003F0000-0x0000000000418000-memory.dmp

Filesize
160KB

Download
memory/1608-192-0x0000000007530000-0x0000000007540000-memory.dmp

Filesize
64KB

Download
memory/2664-165-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-180-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2664-169-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-157-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-173-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-171-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-175-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-176-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2664-177-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2664-178-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2664-181-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2664-167-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-179-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2664-163-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-159-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-161-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-155-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-153-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-151-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-148-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-149-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/2664-147-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download