redline | 056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe
Size

1.3MB
MD5

88e4e12ced4e3ac7f75f81c38509e73a
SHA1

e7b9dd0f84f6faa890d009609460362d02d7fa9f
SHA256

056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083
SHA512

d48bf88a32db0514054138037247012f0d9a90b25b1a4e5d4f034b3154c03fa5a6d9f4922dc7b8602346b3a4c9a32833b0696003f0d8223f026e1b4282ff99c6
SSDEEP

24576:0y51nIaThQaBV/fTgwsOzHcSNeFHynLExsYmSN/Os3IWpyuCQO+XbF:DX/XXTgv4NcHso3rcNhK

Score

10^/10

redline luser evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luser

185.161.248.73:4164

Attributes

auth_value
cf14a84de9a3b6b7b8981202f3b616fb

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4732-205-0x000000000B170000-0x000000000B788000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s73455445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s73455445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s73455445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s73455445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s73455445.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s73455445.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1180	z50259362.exe
3332	z13300071.exe
1068	z76832183.exe
3904	s73455445.exe
4732	t11926209.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s73455445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s73455445.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z13300071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z13300071.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z76832183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z76832183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z50259362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z50259362.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3412	3904	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3904	s73455445.exe
3904	s73455445.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	s73455445.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1180	3888	056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe	85
PID 3888 wrote to memory of 1180	3888	056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe	85
PID 3888 wrote to memory of 1180	3888	056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe	85
PID 1180 wrote to memory of 3332	1180	z50259362.exe	86
PID 1180 wrote to memory of 3332	1180	z50259362.exe	86
PID 1180 wrote to memory of 3332	1180	z50259362.exe	86
PID 3332 wrote to memory of 1068	3332	z13300071.exe	87
PID 3332 wrote to memory of 1068	3332	z13300071.exe	87
PID 3332 wrote to memory of 1068	3332	z13300071.exe	87
PID 1068 wrote to memory of 3904	1068	z76832183.exe	88
PID 1068 wrote to memory of 3904	1068	z76832183.exe	88
PID 1068 wrote to memory of 3904	1068	z76832183.exe	88
PID 1068 wrote to memory of 4732	1068	z76832183.exe	91
PID 1068 wrote to memory of 4732	1068	z76832183.exe	91
PID 1068 wrote to memory of 4732	1068	z76832183.exe	91

C:\Users\Admin\AppData\Local\Temp\056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe
"C:\Users\Admin\AppData\Local\Temp\056799ed67dfa2013350c87d4cb30e186e52dad07e69b3abeb79500f14da4083.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z50259362.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z50259362.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13300071.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13300071.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z76832183.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z76832183.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s73455445.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s73455445.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1084
        6⤵
        Program crash
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t11926209.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t11926209.exe
        5⤵
        Executes dropped EXE
        
        PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 3904
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z50259362.exe

Filesize
1.1MB

MD5
7eca7d4b26a3138e75c2237bef3d2fc7

SHA1
ac1cb37d64ab1c247466707d35f7a765fccb3f2c

SHA256
24469294f28d41c8068acd1fcb1c4f8f3716f41d4a1f58c7621c6c98a9f51884

SHA512
a62cb34a163401f7b0b6d1c09d58cff261d41f9569b5ba744f26989e62aec9473efe505b54332bb8ac671b1afdb3e0e442601f46c5c34e26877c575e5a1ca1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z50259362.exe

Filesize
1.1MB

MD5
7eca7d4b26a3138e75c2237bef3d2fc7

SHA1
ac1cb37d64ab1c247466707d35f7a765fccb3f2c

SHA256
24469294f28d41c8068acd1fcb1c4f8f3716f41d4a1f58c7621c6c98a9f51884

SHA512
a62cb34a163401f7b0b6d1c09d58cff261d41f9569b5ba744f26989e62aec9473efe505b54332bb8ac671b1afdb3e0e442601f46c5c34e26877c575e5a1ca1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13300071.exe

Filesize
894KB

MD5
2ecbca8090faf82fea79f2594b1e8f83

SHA1
64e8519d6f20cb742a740bc8952ff9dc00961442

SHA256
894d69659ba0499d21d976665ba44dd5a15691e84ac777984115683255689a2a

SHA512
608152d46ad8d3dc17bde187395d3da29acbb74040f23cf9b6ce9cd43f31a634b12639cd9b1dac2b094939fe2fa7d74a83feb3726fe6195a4629bc0ca9529a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z13300071.exe

Filesize
894KB

MD5
2ecbca8090faf82fea79f2594b1e8f83

SHA1
64e8519d6f20cb742a740bc8952ff9dc00961442

SHA256
894d69659ba0499d21d976665ba44dd5a15691e84ac777984115683255689a2a

SHA512
608152d46ad8d3dc17bde187395d3da29acbb74040f23cf9b6ce9cd43f31a634b12639cd9b1dac2b094939fe2fa7d74a83feb3726fe6195a4629bc0ca9529a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z76832183.exe

Filesize
409KB

MD5
48188ddc17eea674d879777245de7ac3

SHA1
49d359c5ee4d138b732bcb8e68f7b2f62abfd79f

SHA256
e2f0bbf1f9eff353f305ef6961cd433fc6e7a17d25d916e8047530b5fa2a4a0e

SHA512
f94b7bdf6df99cd223578ce10cb8b0672469fed1a702bc6883abcd8df17f50c1ee831ed605b7382351d8cb9aa7da8d2bbf46b7046480ad837aaecf3671fda970

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z76832183.exe

Filesize
409KB

MD5
48188ddc17eea674d879777245de7ac3

SHA1
49d359c5ee4d138b732bcb8e68f7b2f62abfd79f

SHA256
e2f0bbf1f9eff353f305ef6961cd433fc6e7a17d25d916e8047530b5fa2a4a0e

SHA512
f94b7bdf6df99cd223578ce10cb8b0672469fed1a702bc6883abcd8df17f50c1ee831ed605b7382351d8cb9aa7da8d2bbf46b7046480ad837aaecf3671fda970

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s73455445.exe

Filesize
347KB

MD5
4fd0d8d0189df8043596a97c309d8b99

SHA1
04bf0804a94ecd1e97bb9f113f5220cd2e3952c1

SHA256
fc57bff8eab9d823636a1d7c70d3af00ff9d04a6836a8b27cccafdf5f57efe98

SHA512
dad7a514aec75bd91c9c16c9ee0278ca6ca1740935d4c3d7538f08f69148a77eca3cc4b3e74ee9d5983283237e15d634a586a087c450007587a2875101775529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s73455445.exe

Filesize
347KB

MD5
4fd0d8d0189df8043596a97c309d8b99

SHA1
04bf0804a94ecd1e97bb9f113f5220cd2e3952c1

SHA256
fc57bff8eab9d823636a1d7c70d3af00ff9d04a6836a8b27cccafdf5f57efe98

SHA512
dad7a514aec75bd91c9c16c9ee0278ca6ca1740935d4c3d7538f08f69148a77eca3cc4b3e74ee9d5983283237e15d634a586a087c450007587a2875101775529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t11926209.exe

Filesize
168KB

MD5
6498ad083a2291d2e50c573ca1a67d32

SHA1
4b4761a966fe343598d1a04d654e7d33098ff3d2

SHA256
820b012f47585789e56c34d08b78cdc183a1d53004cc65b180800aa5b1aa0f09

SHA512
dfa838736e2fed8e1b09bed82c2bb6c93557b63bfbdb357dfeac8a1a93d7dbc1a8399ef5e6453a29ad19e379bf765900ad0592468e2b5ffec0a041636d80d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t11926209.exe

Filesize
168KB

MD5
6498ad083a2291d2e50c573ca1a67d32

SHA1
4b4761a966fe343598d1a04d654e7d33098ff3d2

SHA256
820b012f47585789e56c34d08b78cdc183a1d53004cc65b180800aa5b1aa0f09

SHA512
dfa838736e2fed8e1b09bed82c2bb6c93557b63bfbdb357dfeac8a1a93d7dbc1a8399ef5e6453a29ad19e379bf765900ad0592468e2b5ffec0a041636d80d9b8

Download Submit
memory/3904-176-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-186-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-166-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3904-168-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-170-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-167-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-172-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-174-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-178-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-180-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-164-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3904-182-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-184-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-190-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-188-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-165-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3904-192-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-194-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/3904-195-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3904-196-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3904-197-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3904-198-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/3904-200-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3904-163-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download
memory/3904-162-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/4732-204-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/4732-205-0x000000000B170000-0x000000000B788000-memory.dmp

Filesize
6.1MB

Download
memory/4732-206-0x000000000ACD0000-0x000000000ADDA000-memory.dmp

Filesize
1.0MB

Download
memory/4732-207-0x000000000AC00000-0x000000000AC12000-memory.dmp

Filesize
72KB

Download
memory/4732-208-0x000000000AC60000-0x000000000AC9C000-memory.dmp

Filesize
240KB

Download
memory/4732-209-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4732-210-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download