redline | 060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277

Analysis

max time kernel
157s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe
Size

1.2MB
MD5

65801f4ca5f825e3535c9b15eebfc061
SHA1

fb02567098428daae54edaa035ffe8c2814e4c17
SHA256

060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277
SHA512

4579cfdc4d81677690a9356fb3af8cd5d0f9dc2d5dea31680ab72117526d74713b8d3f196ce9c47bbb63aabd20b878620e04df289f2510f8a1d543dcb85c300d
SSDEEP

24576:2ynnoqpSzGXvuxaWwGkLLDwip+mEBv7K/LKATeT3Ys/Nv0oQpT62hx+MYlgo+6:FnoWAUaaWDkLLB34v7K/LKr3Xxp2hx+1

Score

10^/10

redline luser evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luser

185.161.248.73:4164

Attributes

auth_value
cf14a84de9a3b6b7b8981202f3b616fb

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3048-208-0x000000000A390000-0x000000000A9A8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s21247620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s21247620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s21247620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s21247620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s21247620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s21247620.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1352	z20699477.exe
4756	z85031656.exe
316	z68875718.exe
4460	s21247620.exe
3048	t67257630.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s21247620.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s21247620.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z20699477.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z20699477.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z85031656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z85031656.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z68875718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z68875718.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
796	4460	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	s21247620.exe
4460	s21247620.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	s21247620.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1352	2008	060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe	79
PID 2008 wrote to memory of 1352	2008	060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe	79
PID 2008 wrote to memory of 1352	2008	060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe	79
PID 1352 wrote to memory of 4756	1352	z20699477.exe	80
PID 1352 wrote to memory of 4756	1352	z20699477.exe	80
PID 1352 wrote to memory of 4756	1352	z20699477.exe	80
PID 4756 wrote to memory of 316	4756	z85031656.exe	81
PID 4756 wrote to memory of 316	4756	z85031656.exe	81
PID 4756 wrote to memory of 316	4756	z85031656.exe	81
PID 316 wrote to memory of 4460	316	z68875718.exe	82
PID 316 wrote to memory of 4460	316	z68875718.exe	82
PID 316 wrote to memory of 4460	316	z68875718.exe	82
PID 316 wrote to memory of 3048	316	z68875718.exe	89
PID 316 wrote to memory of 3048	316	z68875718.exe	89
PID 316 wrote to memory of 3048	316	z68875718.exe	89

C:\Users\Admin\AppData\Local\Temp\060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe
"C:\Users\Admin\AppData\Local\Temp\060ab8886c368c3f36070b042eaa2a625f8d3206ad931b7922bb2d919a83c277.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z20699477.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z20699477.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z85031656.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z85031656.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68875718.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68875718.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s21247620.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s21247620.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1016
        6⤵
        Program crash
        
        PID:796
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t67257630.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t67257630.exe
        5⤵
        Executes dropped EXE
        
        PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4460 -ip 4460
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z20699477.exe

Filesize
1.0MB

MD5
4b9208f0b84d3de928881709b9e336fc

SHA1
7023ee6dfc6f4bbc63bbd52b8856edf01e1a1e11

SHA256
c3d0daab63c272d669b2351bae97199fa785062e64756a1b60236a804310add7

SHA512
9d3d47c6cce3f3c3270e708ac17e87e178cfab4f021740ea1b0a7a57d55bb6a8caa7bfe388e789c28f22450ea2e0a224a112be0ed75abc46e7c456ff42d4c856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z20699477.exe

Filesize
1.0MB

MD5
4b9208f0b84d3de928881709b9e336fc

SHA1
7023ee6dfc6f4bbc63bbd52b8856edf01e1a1e11

SHA256
c3d0daab63c272d669b2351bae97199fa785062e64756a1b60236a804310add7

SHA512
9d3d47c6cce3f3c3270e708ac17e87e178cfab4f021740ea1b0a7a57d55bb6a8caa7bfe388e789c28f22450ea2e0a224a112be0ed75abc46e7c456ff42d4c856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z85031656.exe

Filesize
890KB

MD5
4de377cfeba517cbcf0588dfc209f9da

SHA1
12274aea5a548c5f4ba36dd8a705fd370460dc13

SHA256
9e7934a27c655ad6d4b27f3ef19ee59ede73c662942fdf2733c17dc4f6ac889f

SHA512
f9d094b344009513e7613b7759377ffb2e3cd1d0a140fafb39b613ec6ae13317e0d1167c885138421589f28c41b8e376c6bc062b8537e80be4749aa3e72d4087

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z85031656.exe

Filesize
890KB

MD5
4de377cfeba517cbcf0588dfc209f9da

SHA1
12274aea5a548c5f4ba36dd8a705fd370460dc13

SHA256
9e7934a27c655ad6d4b27f3ef19ee59ede73c662942fdf2733c17dc4f6ac889f

SHA512
f9d094b344009513e7613b7759377ffb2e3cd1d0a140fafb39b613ec6ae13317e0d1167c885138421589f28c41b8e376c6bc062b8537e80be4749aa3e72d4087

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68875718.exe

Filesize
405KB

MD5
26e2ffd027ccf7347941d4615a29681d

SHA1
2cf7d03be8cecd6723d6b417ee8a36502c58d59d

SHA256
f81c4fc186ead2d3e70f97468b40e232a37aceb02d8083a8a2894f334dd7ff8b

SHA512
b86ce561a3988bae9d9aaaa7acdaf82ef6d3158bdca53c0480e0d7e691f63960e983e475efce2b0e0c8f1ced17a2970ac9201ffe32c033e9d526ec5a452175ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z68875718.exe

Filesize
405KB

MD5
26e2ffd027ccf7347941d4615a29681d

SHA1
2cf7d03be8cecd6723d6b417ee8a36502c58d59d

SHA256
f81c4fc186ead2d3e70f97468b40e232a37aceb02d8083a8a2894f334dd7ff8b

SHA512
b86ce561a3988bae9d9aaaa7acdaf82ef6d3158bdca53c0480e0d7e691f63960e983e475efce2b0e0c8f1ced17a2970ac9201ffe32c033e9d526ec5a452175ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s21247620.exe

Filesize
345KB

MD5
9c0cd4c0f978ad7ee3ec664064908df0

SHA1
e19cf0835d7adad40c5da4421ad018a7d6850681

SHA256
5ddba1ad7c22a300fbe7cdc2876a3d3ddb71c8d42d6f2140463f64ae355043b8

SHA512
d7474fdc174cf928e1ea12af44782f780ca8500405b15fb7b88c2e1aa798589df7bc385782ec3e075f62da3184e6871a1284c2cb992f94d756342a8206465562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s21247620.exe

Filesize
345KB

MD5
9c0cd4c0f978ad7ee3ec664064908df0

SHA1
e19cf0835d7adad40c5da4421ad018a7d6850681

SHA256
5ddba1ad7c22a300fbe7cdc2876a3d3ddb71c8d42d6f2140463f64ae355043b8

SHA512
d7474fdc174cf928e1ea12af44782f780ca8500405b15fb7b88c2e1aa798589df7bc385782ec3e075f62da3184e6871a1284c2cb992f94d756342a8206465562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t67257630.exe

Filesize
168KB

MD5
85e192104aab95515178075adb2f6f35

SHA1
9d51b91cdee6204bc9fdc766ae80174629586167

SHA256
47507931855261b6b875eb15a40ab81e7108e287143bf07398336cc2947a820b

SHA512
e068a9c49603409eb632f54c7b8a1fd84c541943a40cbdeed392043a9fd87ff14927f91b6b729512fdea5c5f7a0b798adfec7bb631481e5444593a3263c0417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t67257630.exe

Filesize
168KB

MD5
85e192104aab95515178075adb2f6f35

SHA1
9d51b91cdee6204bc9fdc766ae80174629586167

SHA256
47507931855261b6b875eb15a40ab81e7108e287143bf07398336cc2947a820b

SHA512
e068a9c49603409eb632f54c7b8a1fd84c541943a40cbdeed392043a9fd87ff14927f91b6b729512fdea5c5f7a0b798adfec7bb631481e5444593a3263c0417a

Download Submit
memory/3048-213-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3048-210-0x0000000009E40000-0x0000000009E52000-memory.dmp

Filesize
72KB

Download
memory/3048-209-0x0000000009F10000-0x000000000A01A000-memory.dmp

Filesize
1.0MB

Download
memory/3048-208-0x000000000A390000-0x000000000A9A8000-memory.dmp

Filesize
6.1MB

Download
memory/3048-207-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/3048-211-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3048-212-0x0000000009EA0000-0x0000000009EDC000-memory.dmp

Filesize
240KB

Download
memory/4460-180-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-198-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4460-178-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-174-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-182-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-184-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-186-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-188-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-190-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-192-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-194-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-195-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4460-197-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4460-176-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-199-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4460-202-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4460-172-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-170-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-167-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-168-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/4460-166-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/4460-165-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4460-164-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4460-163-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4460-162-0x00000000026B0000-0x00000000026DD000-memory.dmp

Filesize
180KB

Download