redline | 0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe
Size

1.5MB
MD5

f0f8e192041e9304f8b7a300a46768d7
SHA1

88610849c0bdfcde44927c359b59f87f902b99ab
SHA256

0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333
SHA512

2da331ff7311da0c88b4dd49c91baf542c7969ae969fe761b7a4102e34c1fdeabb02d9dd4b665938490766f1a54e120331b943d9ce4fa7534ffafe832c5e7648
SSDEEP

49152:nr9Rq9sYvi2kMj8gw21AeoVWi4hUxqWqgQQ8Hlx5jP:5RqWh+IvO5KxZq3Q8H

Score

10^/10

redline maza evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maza

185.161.248.73:4164

Attributes

auth_value
474d54c1c2f5291290c53f8378acd684

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2772-212-0x000000000A810000-0x000000000AE28000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a92879505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a92879505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a92879505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a92879505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a92879505.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a92879505.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3612	i83829663.exe
3252	i08601835.exe
3392	i52312525.exe
3672	i01804528.exe
1700	a92879505.exe
2772	b19312658.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a92879505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a92879505.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i52312525.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i01804528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08601835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i08601835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i52312525.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i01804528.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i83829663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i83829663.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5008	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4216	1700	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	a92879505.exe
1700	a92879505.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	a92879505.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 3612	4548	0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe	85
PID 4548 wrote to memory of 3612	4548	0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe	85
PID 4548 wrote to memory of 3612	4548	0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe	85
PID 3612 wrote to memory of 3252	3612	i83829663.exe	86
PID 3612 wrote to memory of 3252	3612	i83829663.exe	86
PID 3612 wrote to memory of 3252	3612	i83829663.exe	86
PID 3252 wrote to memory of 3392	3252	i08601835.exe	87
PID 3252 wrote to memory of 3392	3252	i08601835.exe	87
PID 3252 wrote to memory of 3392	3252	i08601835.exe	87
PID 3392 wrote to memory of 3672	3392	i52312525.exe	88
PID 3392 wrote to memory of 3672	3392	i52312525.exe	88
PID 3392 wrote to memory of 3672	3392	i52312525.exe	88
PID 3672 wrote to memory of 1700	3672	i01804528.exe	89
PID 3672 wrote to memory of 1700	3672	i01804528.exe	89
PID 3672 wrote to memory of 1700	3672	i01804528.exe	89
PID 3672 wrote to memory of 2772	3672	i01804528.exe	95
PID 3672 wrote to memory of 2772	3672	i01804528.exe	95
PID 3672 wrote to memory of 2772	3672	i01804528.exe	95

C:\Users\Admin\AppData\Local\Temp\0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe
"C:\Users\Admin\AppData\Local\Temp\0a4baca16b2b78a380b0b8d2ffdef1d8bade7dc97234291fdf9375d13a456333.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83829663.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83829663.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08601835.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08601835.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52312525.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52312525.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01804528.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01804528.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92879505.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92879505.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1100
        7⤵
        Program crash
        
        PID:4216
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19312658.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19312658.exe
        6⤵
        Executes dropped EXE
        
        PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1700 -ip 1700
1⤵
PID:3988

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83829663.exe

Filesize
1.3MB

MD5
3d62127dbade7a6d741c493e18469360

SHA1
1c088c1cdf237da70e471d176e700679a331023b

SHA256
68c4cb7237feff4027c95e7484f6a3f7e55e0500820dd386ba43f3aaffa3b140

SHA512
9390a1ac314e12e0f046b92446734d910503005d9c8283ea3d17e7609926f1f5071f0b75a05b4c2ea8ac9da4e169c14be65f0c7b815e465c81b7c6284eb5eead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i83829663.exe

Filesize
1.3MB

MD5
3d62127dbade7a6d741c493e18469360

SHA1
1c088c1cdf237da70e471d176e700679a331023b

SHA256
68c4cb7237feff4027c95e7484f6a3f7e55e0500820dd386ba43f3aaffa3b140

SHA512
9390a1ac314e12e0f046b92446734d910503005d9c8283ea3d17e7609926f1f5071f0b75a05b4c2ea8ac9da4e169c14be65f0c7b815e465c81b7c6284eb5eead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08601835.exe

Filesize
1.1MB

MD5
a015e8076fab2ef27d35dff6ffb4cbe6

SHA1
3cc18d3f268b9d947f7148f33da756dc82fd36ab

SHA256
5df1b8e480d03fff7e07ccddec8538c4343188a33561947ded8e5b5dfaa550dc

SHA512
19159d2ab8961fce76f4c749db5ec628e8ed00d76ff71789a166c2573ba39abb975382d11ac575e19f4740ef2ba0c611625e687b3725a63e96c0e1655ff95b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i08601835.exe

Filesize
1.1MB

MD5
a015e8076fab2ef27d35dff6ffb4cbe6

SHA1
3cc18d3f268b9d947f7148f33da756dc82fd36ab

SHA256
5df1b8e480d03fff7e07ccddec8538c4343188a33561947ded8e5b5dfaa550dc

SHA512
19159d2ab8961fce76f4c749db5ec628e8ed00d76ff71789a166c2573ba39abb975382d11ac575e19f4740ef2ba0c611625e687b3725a63e96c0e1655ff95b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52312525.exe

Filesize
687KB

MD5
d8c204d3a63f08066c2d5fd72ba716cc

SHA1
49855a4fac7812299f1b767d94707ebcc4059a8a

SHA256
33515a062b6cf0a28eb90f3f801ba40e0bd06f8b3afd7c0adc0b7faa83a320f8

SHA512
bc28c84681d286f99d55222501d10a0acbd8a66f039f0a52da543da7d66a259e7ad9f725d3df116d4360884271cbd5a1e6b0344ca0052a492d9187888a3e0d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i52312525.exe

Filesize
687KB

MD5
d8c204d3a63f08066c2d5fd72ba716cc

SHA1
49855a4fac7812299f1b767d94707ebcc4059a8a

SHA256
33515a062b6cf0a28eb90f3f801ba40e0bd06f8b3afd7c0adc0b7faa83a320f8

SHA512
bc28c84681d286f99d55222501d10a0acbd8a66f039f0a52da543da7d66a259e7ad9f725d3df116d4360884271cbd5a1e6b0344ca0052a492d9187888a3e0d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01804528.exe

Filesize
404KB

MD5
8b181a9411679f76cb2000c79f8aa528

SHA1
98c524494d6c37b22c0bbd2b40adf07c76280ad2

SHA256
7549bdde54cf99f6cae2c1b901a31f66844d6a6b0036a1be0f3cc2f7df13a427

SHA512
d87aa4fef9a256793513744c3b41c2b3e76dfa0524e6fd032eaadc684b152afbe112140c7feeacbb535f2f0f82416da215a9b024057168520d926acdac7d28d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i01804528.exe

Filesize
404KB

MD5
8b181a9411679f76cb2000c79f8aa528

SHA1
98c524494d6c37b22c0bbd2b40adf07c76280ad2

SHA256
7549bdde54cf99f6cae2c1b901a31f66844d6a6b0036a1be0f3cc2f7df13a427

SHA512
d87aa4fef9a256793513744c3b41c2b3e76dfa0524e6fd032eaadc684b152afbe112140c7feeacbb535f2f0f82416da215a9b024057168520d926acdac7d28d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92879505.exe

Filesize
344KB

MD5
8398d00fe15a1dbdc12e3930c692b54f

SHA1
a04b64e48340d157d241342e21d6ab1b397c1fbf

SHA256
fd2cc17947ecf7ff17fa99c36c3ee9c134445075d93474552eebb97fd00b3c56

SHA512
dd4b27244095dba4a49c3139088fba92ab634c5afabc08bfd4515924edcef79efb56b1b6bd0b4742f6ae13fb4dbd0c20ec2edb63e7bb4af08688abcdca3ddddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92879505.exe

Filesize
344KB

MD5
8398d00fe15a1dbdc12e3930c692b54f

SHA1
a04b64e48340d157d241342e21d6ab1b397c1fbf

SHA256
fd2cc17947ecf7ff17fa99c36c3ee9c134445075d93474552eebb97fd00b3c56

SHA512
dd4b27244095dba4a49c3139088fba92ab634c5afabc08bfd4515924edcef79efb56b1b6bd0b4742f6ae13fb4dbd0c20ec2edb63e7bb4af08688abcdca3ddddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19312658.exe

Filesize
168KB

MD5
8aa3a25649110ad9d0bc324f194d04ae

SHA1
38b957d8b3fbfea35cbd90b59bfcf6d16e2f1b0a

SHA256
57cee6de2be17c6590f8ef62bf78503ad9ec27986d1921551cc5165bd4613d7c

SHA512
b33732598ca20e4e9b597f11d2bf855be7ff2113d2801980db3b7c348969b811959dc4de5329e26900558b8311c7f89226494293d99159187a3d7bf84981d935

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b19312658.exe

Filesize
168KB

MD5
8aa3a25649110ad9d0bc324f194d04ae

SHA1
38b957d8b3fbfea35cbd90b59bfcf6d16e2f1b0a

SHA256
57cee6de2be17c6590f8ef62bf78503ad9ec27986d1921551cc5165bd4613d7c

SHA512
b33732598ca20e4e9b597f11d2bf855be7ff2113d2801980db3b7c348969b811959dc4de5329e26900558b8311c7f89226494293d99159187a3d7bf84981d935

Download Submit
memory/1700-187-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-201-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-173-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1700-174-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-175-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-177-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-179-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-181-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-183-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-185-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-171-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1700-189-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-191-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-193-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-195-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-172-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1700-199-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-197-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1700-202-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1700-203-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1700-204-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1700-205-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1700-207-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1700-170-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/1700-169-0x0000000000BB0000-0x0000000000BDD000-memory.dmp

Filesize
180KB

Download
memory/2772-211-0x0000000000550000-0x000000000057E000-memory.dmp

Filesize
184KB

Download
memory/2772-212-0x000000000A810000-0x000000000AE28000-memory.dmp

Filesize
6.1MB

Download
memory/2772-213-0x000000000A390000-0x000000000A49A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-214-0x000000000A2C0000-0x000000000A2D2000-memory.dmp

Filesize
72KB

Download
memory/2772-215-0x000000000A320000-0x000000000A35C000-memory.dmp

Filesize
240KB

Download
memory/2772-216-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2772-217-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download