redline | 0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe
Size

1.5MB
MD5

9b776b053559abac6e55df060e72d8fc
SHA1

8672d2d8b754e2fdfa11094864c09bdec59538a1
SHA256

0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1
SHA512

e7555716429524573b15a6e8aa322da6c84e08b912f9674b7197bca271d6a09b706d5e96a8fa1ea1025d71010ec0d79c40e4950cb82ea491713415178e45b1f0
SSDEEP

24576:my/zgTVa/Is053sXwGrky/gPmORIpxl5ymjd7voB8GF+k1LdriVdQzzbaHjB0:1/zg0/I1j07KmORIvl5yk9voBJF+khB+

Score

10^/10

redline mask evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mask

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4192-212-0x000000000B1D0000-0x000000000B7E8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3122097.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3122097.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3122097.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3122097.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3122097.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3122097.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1692	v1379387.exe
3032	v9255864.exe
1876	v4317121.exe
2252	v3791748.exe
368	a3122097.exe
4192	b8126466.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3122097.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3122097.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1379387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9255864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4317121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4317121.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3791748.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1379387.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9255864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3791748.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3892	368	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
368	a3122097.exe
368	a3122097.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	a3122097.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1692	1500	0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe	83
PID 1500 wrote to memory of 1692	1500	0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe	83
PID 1500 wrote to memory of 1692	1500	0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe	83
PID 1692 wrote to memory of 3032	1692	v1379387.exe	84
PID 1692 wrote to memory of 3032	1692	v1379387.exe	84
PID 1692 wrote to memory of 3032	1692	v1379387.exe	84
PID 3032 wrote to memory of 1876	3032	v9255864.exe	85
PID 3032 wrote to memory of 1876	3032	v9255864.exe	85
PID 3032 wrote to memory of 1876	3032	v9255864.exe	85
PID 1876 wrote to memory of 2252	1876	v4317121.exe	86
PID 1876 wrote to memory of 2252	1876	v4317121.exe	86
PID 1876 wrote to memory of 2252	1876	v4317121.exe	86
PID 2252 wrote to memory of 368	2252	v3791748.exe	88
PID 2252 wrote to memory of 368	2252	v3791748.exe	88
PID 2252 wrote to memory of 368	2252	v3791748.exe	88
PID 2252 wrote to memory of 4192	2252	v3791748.exe	99
PID 2252 wrote to memory of 4192	2252	v3791748.exe	99
PID 2252 wrote to memory of 4192	2252	v3791748.exe	99

C:\Users\Admin\AppData\Local\Temp\0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe
"C:\Users\Admin\AppData\Local\Temp\0b47b14e356616bf30f9e0f7205f98fa1a8b5a115c9fcc1d968b4b86e0b08dd1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1379387.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1379387.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9255864.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9255864.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4317121.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4317121.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3791748.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3791748.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3122097.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3122097.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1064
        7⤵
        Program crash
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8126466.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8126466.exe
        6⤵
        Executes dropped EXE
        
        PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 368 -ip 368
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1379387.exe

Filesize
1.3MB

MD5
1ef7ed4ffd08f325fc900e53210c8c22

SHA1
4a424afb5a8d60d9e628e911111d695fcd2213fe

SHA256
312a7beb6f079a6d94d15ea4c695b12dd1dbf4eb2611c435381146570436b31e

SHA512
1a76b094d28bac41bc2f04bc504034bf167963f5d51a6362e9a91b7426a833e46bbd3acf8015a3f4b170d4bb7f330e79b2e8cfa69e9bbb8ba1df9dceb1a06325

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1379387.exe

Filesize
1.3MB

MD5
1ef7ed4ffd08f325fc900e53210c8c22

SHA1
4a424afb5a8d60d9e628e911111d695fcd2213fe

SHA256
312a7beb6f079a6d94d15ea4c695b12dd1dbf4eb2611c435381146570436b31e

SHA512
1a76b094d28bac41bc2f04bc504034bf167963f5d51a6362e9a91b7426a833e46bbd3acf8015a3f4b170d4bb7f330e79b2e8cfa69e9bbb8ba1df9dceb1a06325

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9255864.exe

Filesize
848KB

MD5
2f4f95a381b459d9eadac5efee532a98

SHA1
8912a4efcc10e54bb769ffc272a1c53be67c52a5

SHA256
8cc8b0aa8e0f3267e0be398c9821d84f639c1235d92496ec4320f403747d3d82

SHA512
c87325cec9e12850e71beea1f0c3eac91bd78d98859f209981d8a77aa982e7df97fd7b6477e383aa86d96fbfcea97e65021692c76040611803d2b64d2ccd6a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9255864.exe

Filesize
848KB

MD5
2f4f95a381b459d9eadac5efee532a98

SHA1
8912a4efcc10e54bb769ffc272a1c53be67c52a5

SHA256
8cc8b0aa8e0f3267e0be398c9821d84f639c1235d92496ec4320f403747d3d82

SHA512
c87325cec9e12850e71beea1f0c3eac91bd78d98859f209981d8a77aa982e7df97fd7b6477e383aa86d96fbfcea97e65021692c76040611803d2b64d2ccd6a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4317121.exe

Filesize
644KB

MD5
dfdc92a219932d0ef3498837c909f86e

SHA1
ef13483533697b8c6519cf31449a446108ff0185

SHA256
00503f0d96f0fd13f2209bcf6849a09b71d23e9b2b82ee6f77e0bacc15f03a6d

SHA512
1b9f717e0e1c8bfa46e368b50609d485c81fefc7ca306cb7d6e660d55185d1a00665cadd5b948fe6e41b16ffeaa12f4b8b9972bfb115ecb2be82eaf99701c5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4317121.exe

Filesize
644KB

MD5
dfdc92a219932d0ef3498837c909f86e

SHA1
ef13483533697b8c6519cf31449a446108ff0185

SHA256
00503f0d96f0fd13f2209bcf6849a09b71d23e9b2b82ee6f77e0bacc15f03a6d

SHA512
1b9f717e0e1c8bfa46e368b50609d485c81fefc7ca306cb7d6e660d55185d1a00665cadd5b948fe6e41b16ffeaa12f4b8b9972bfb115ecb2be82eaf99701c5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3791748.exe

Filesize
384KB

MD5
662dc5a861b6de23cad1076ae2511501

SHA1
e36558f2c7c13243519e3c224b537f11800b2aec

SHA256
634a9b45b9d0f66924f88cb8ccfe81420d5f4fa299f4766d6188e23297469678

SHA512
68cafe4b096ff053065d6b5f54a43a46c3966118853daf99ce35833dd0ee1beccfb2523ca8d0d062f3c49b1f10cf29056a278e9dbf9f3e2b1e497b5fdbd52d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3791748.exe

Filesize
384KB

MD5
662dc5a861b6de23cad1076ae2511501

SHA1
e36558f2c7c13243519e3c224b537f11800b2aec

SHA256
634a9b45b9d0f66924f88cb8ccfe81420d5f4fa299f4766d6188e23297469678

SHA512
68cafe4b096ff053065d6b5f54a43a46c3966118853daf99ce35833dd0ee1beccfb2523ca8d0d062f3c49b1f10cf29056a278e9dbf9f3e2b1e497b5fdbd52d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3122097.exe

Filesize
291KB

MD5
31672155f15c1004d634d94cfb5601ed

SHA1
2db73caf0fce8789ca30e7b887ad76692d7ef105

SHA256
85dc0b981ce04bc8c41cba3a7e22be154012beb2813a028c8145ea0bc72481e4

SHA512
764f7fbe66412f6acf364942e339161678d6b2fcfd566ad474903c3571990452277e6c60334922aadd9e19e3b43219391847f19d4c409d7aafb73f9011ae036b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3122097.exe

Filesize
291KB

MD5
31672155f15c1004d634d94cfb5601ed

SHA1
2db73caf0fce8789ca30e7b887ad76692d7ef105

SHA256
85dc0b981ce04bc8c41cba3a7e22be154012beb2813a028c8145ea0bc72481e4

SHA512
764f7fbe66412f6acf364942e339161678d6b2fcfd566ad474903c3571990452277e6c60334922aadd9e19e3b43219391847f19d4c409d7aafb73f9011ae036b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8126466.exe

Filesize
168KB

MD5
3bdba85b5933ce2da6a25f2cbd142cd6

SHA1
da2bf3da25ba86978be0e8b3d5b89f201c7cfb56

SHA256
8e5e3e182a0bcc2f109be800e07465d51482f678442e8d419eb57e24dbbe5135

SHA512
0c663f1f451420eb24f28cf17beeeda487f7ee7fa4de9614d1845175a5e06e36e23386e5a27a74d08ce2ca976e787b4e9b87c72910f529b783dacaadec64431b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8126466.exe

Filesize
168KB

MD5
3bdba85b5933ce2da6a25f2cbd142cd6

SHA1
da2bf3da25ba86978be0e8b3d5b89f201c7cfb56

SHA256
8e5e3e182a0bcc2f109be800e07465d51482f678442e8d419eb57e24dbbe5135

SHA512
0c663f1f451420eb24f28cf17beeeda487f7ee7fa4de9614d1845175a5e06e36e23386e5a27a74d08ce2ca976e787b4e9b87c72910f529b783dacaadec64431b

Download Submit
memory/368-184-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-198-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-174-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-173-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-176-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-178-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-180-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-182-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-171-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/368-186-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-188-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-190-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-192-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-194-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-196-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-172-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/368-200-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/368-201-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/368-202-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/368-203-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/368-204-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/368-206-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/368-170-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/368-169-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/4192-211-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/4192-212-0x000000000B1D0000-0x000000000B7E8000-memory.dmp

Filesize
6.1MB

Download
memory/4192-213-0x000000000AD50000-0x000000000AE5A000-memory.dmp

Filesize
1.0MB

Download
memory/4192-214-0x000000000AC80000-0x000000000AC92000-memory.dmp

Filesize
72KB

Download
memory/4192-215-0x000000000ACE0000-0x000000000AD1C000-memory.dmp

Filesize
240KB

Download
memory/4192-216-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/4192-217-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download