redline | 0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d

Analysis

max time kernel
179s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
Size

1.5MB
MD5

0057d24fb397126fb1f15370ec1da35f
SHA1

97a82b5bac9d2a8c4e7960297fb11e04c724e43d
SHA256

0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d
SHA512

a69649ac5d199d71c5f9fd8d3c6378df6aa5af1249afcebaeea72a45d6d41ff217df9d786beed48788ffb9609e6d9f41e04918410a174b4f854018ebe122624a
SSDEEP

24576:tySllzVNEwZofP+D9UfTgIFYqiQUgCxJ6QiDAfq95gPRlnphg4Z:I4hXEdP+yiVgBDrTgTnphg4

Score

10^/10

redline mazda evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2420-217-0x000000000AB40000-0x000000000B158000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4053357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4053357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4053357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4053357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4053357.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4053357.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
112	v1542791.exe
348	v9374982.exe
5020	v9874677.exe
4148	v0446685.exe
3128	a4053357.exe
2420	b7141076.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4053357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4053357.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1542791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1542791.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9374982.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9874677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9374982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9874677.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0446685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0446685.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3396	3128	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3128	a4053357.exe
3128	a4053357.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	a4053357.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 112	3564	0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe	85
PID 3564 wrote to memory of 112	3564	0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe	85
PID 3564 wrote to memory of 112	3564	0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe	85
PID 112 wrote to memory of 348	112	v1542791.exe	86
PID 112 wrote to memory of 348	112	v1542791.exe	86
PID 112 wrote to memory of 348	112	v1542791.exe	86
PID 348 wrote to memory of 5020	348	v9374982.exe	87
PID 348 wrote to memory of 5020	348	v9374982.exe	87
PID 348 wrote to memory of 5020	348	v9374982.exe	87
PID 5020 wrote to memory of 4148	5020	v9874677.exe	88
PID 5020 wrote to memory of 4148	5020	v9874677.exe	88
PID 5020 wrote to memory of 4148	5020	v9874677.exe	88
PID 4148 wrote to memory of 3128	4148	v0446685.exe	89
PID 4148 wrote to memory of 3128	4148	v0446685.exe	89
PID 4148 wrote to memory of 3128	4148	v0446685.exe	89
PID 4148 wrote to memory of 2420	4148	v0446685.exe	92
PID 4148 wrote to memory of 2420	4148	v0446685.exe	92
PID 4148 wrote to memory of 2420	4148	v0446685.exe	92

C:\Users\Admin\AppData\Local\Temp\0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe
"C:\Users\Admin\AppData\Local\Temp\0ed9262d06bc389c81233543bd377c038c7aa5b3626cae439e6f3d9225f9483d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1542791.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1542791.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9374982.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9374982.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9874677.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9874677.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0446685.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0446685.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4053357.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4053357.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1036
        7⤵
        Program crash
        
        PID:3396
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7141076.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7141076.exe
        6⤵
        Executes dropped EXE
        
        PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3128 -ip 3128
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1542791.exe

Filesize
1.4MB

MD5
542c77f8f8ecfd4980aa52a415ddd678

SHA1
3e82c002a8e664775b50a2609a7b6e487ea2ba13

SHA256
abb814b8f29704a6f38686b52ee33ee7d96d4f889c3dc651988bc67830b614f3

SHA512
874cec90e7658dc573683f7d6d66feda78a0b5a18fe201081da90994a83fa0ff0772137522ea5bbd5183500630562d2f1d2e78de34398208718135f3986cc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1542791.exe

Filesize
1.4MB

MD5
542c77f8f8ecfd4980aa52a415ddd678

SHA1
3e82c002a8e664775b50a2609a7b6e487ea2ba13

SHA256
abb814b8f29704a6f38686b52ee33ee7d96d4f889c3dc651988bc67830b614f3

SHA512
874cec90e7658dc573683f7d6d66feda78a0b5a18fe201081da90994a83fa0ff0772137522ea5bbd5183500630562d2f1d2e78de34398208718135f3986cc7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9374982.exe

Filesize
915KB

MD5
d14f54e9bc8fcc9bac5935c89ad17438

SHA1
a2d42260b17a3783ebb624405200cff261622c59

SHA256
56aea291f42d33785ee44287550c90b0bc8a212539f83ab6a1c1fc1081479a5d

SHA512
a7316d6af98e71001b702f28cf5a482e9c1eb9c8c8dc24c96fb05263cf34775d6750cca2350a4843154af6a11bb0e69f99d222c11d0771535a0c7d0a9da25fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9374982.exe

Filesize
915KB

MD5
d14f54e9bc8fcc9bac5935c89ad17438

SHA1
a2d42260b17a3783ebb624405200cff261622c59

SHA256
56aea291f42d33785ee44287550c90b0bc8a212539f83ab6a1c1fc1081479a5d

SHA512
a7316d6af98e71001b702f28cf5a482e9c1eb9c8c8dc24c96fb05263cf34775d6750cca2350a4843154af6a11bb0e69f99d222c11d0771535a0c7d0a9da25fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9874677.exe

Filesize
711KB

MD5
5e912311eec5659d4ecb25b1e5f42bcc

SHA1
3d292de69e9f1c326240a83db5816dd3b8259640

SHA256
3d23af778685f4f51756291243ad3a505f20b6ddfb22f24c600a0963457d870e

SHA512
367a35272f387679ff8a2233d8d96a3f99bcdc7df547fca4b609c0d82669ce56176f41a90da3199b94cd1341d0a6add43034e0ad259fdf5727d4deea92bab0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9874677.exe

Filesize
711KB

MD5
5e912311eec5659d4ecb25b1e5f42bcc

SHA1
3d292de69e9f1c326240a83db5816dd3b8259640

SHA256
3d23af778685f4f51756291243ad3a505f20b6ddfb22f24c600a0963457d870e

SHA512
367a35272f387679ff8a2233d8d96a3f99bcdc7df547fca4b609c0d82669ce56176f41a90da3199b94cd1341d0a6add43034e0ad259fdf5727d4deea92bab0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0446685.exe

Filesize
416KB

MD5
9418965cc58c075c2ee7a9b4b6ac26f8

SHA1
53cb0348101de4dbfa3748f1e96742da3b193ad3

SHA256
09f91b48625b1b6a34a8901fd0070aa0dce6e612a491dfb05fd6f9cc3852dee0

SHA512
f770cfee1e6d2bf3d83f2b1fd5d34076b80d11f90435a3e20ed1a48dc1b315a8833999c44d84dafc467591f46c9565d68f9189272b87d0f732c05b8a973db8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0446685.exe

Filesize
416KB

MD5
9418965cc58c075c2ee7a9b4b6ac26f8

SHA1
53cb0348101de4dbfa3748f1e96742da3b193ad3

SHA256
09f91b48625b1b6a34a8901fd0070aa0dce6e612a491dfb05fd6f9cc3852dee0

SHA512
f770cfee1e6d2bf3d83f2b1fd5d34076b80d11f90435a3e20ed1a48dc1b315a8833999c44d84dafc467591f46c9565d68f9189272b87d0f732c05b8a973db8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4053357.exe

Filesize
360KB

MD5
2db3571f8f5ab6c40e2e408a132ff4ed

SHA1
98a5ab1ea901d6a563c492707adead8697723ab1

SHA256
28171f5a8e1cfe1d0be5a2ffba3f2cef95b2a47745fd451fddc8e0cfb7afcec7

SHA512
cfc2a1651beec13f8cc902334960edc647bcdbbce94ef16c89210aa056cbafb6ce1a8782afb2bae3ab5792e8ff653cd8fe500bb0bd3f53ac34df40a87250d906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4053357.exe

Filesize
360KB

MD5
2db3571f8f5ab6c40e2e408a132ff4ed

SHA1
98a5ab1ea901d6a563c492707adead8697723ab1

SHA256
28171f5a8e1cfe1d0be5a2ffba3f2cef95b2a47745fd451fddc8e0cfb7afcec7

SHA512
cfc2a1651beec13f8cc902334960edc647bcdbbce94ef16c89210aa056cbafb6ce1a8782afb2bae3ab5792e8ff653cd8fe500bb0bd3f53ac34df40a87250d906

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7141076.exe

Filesize
168KB

MD5
9b37e586288ad465590a3dd45e5fdba8

SHA1
7c79e216454214785233d4bfa9ca3f9f83daab41

SHA256
4eaf27fff15684f5502a8f3b2dd98a43dd807bff4c6e28e414401359b5c31bbf

SHA512
cdf95b62f51e9ec2ff35eda0664a6c2c158a7956ad88069eee79750ae570041cc67e1356a92890ed499fd80b3433fef3cf41e0521fa3d843b17f967a50f348f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7141076.exe

Filesize
168KB

MD5
9b37e586288ad465590a3dd45e5fdba8

SHA1
7c79e216454214785233d4bfa9ca3f9f83daab41

SHA256
4eaf27fff15684f5502a8f3b2dd98a43dd807bff4c6e28e414401359b5c31bbf

SHA512
cdf95b62f51e9ec2ff35eda0664a6c2c158a7956ad88069eee79750ae570041cc67e1356a92890ed499fd80b3433fef3cf41e0521fa3d843b17f967a50f348f6

Download Submit
memory/2420-222-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/2420-221-0x000000000A710000-0x000000000A74C000-memory.dmp

Filesize
240KB

Download
memory/2420-220-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/2420-219-0x000000000A6B0000-0x000000000A6C2000-memory.dmp

Filesize
72KB

Download
memory/2420-218-0x000000000A780000-0x000000000A88A000-memory.dmp

Filesize
1.0MB

Download
memory/2420-217-0x000000000AB40000-0x000000000B158000-memory.dmp

Filesize
6.1MB

Download
memory/2420-216-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/3128-187-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-204-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/3128-185-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-181-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-191-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-189-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-193-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-195-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-197-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-199-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-201-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3128-203-0x0000000000780000-0x00000000007AD000-memory.dmp

Filesize
180KB

Download
memory/3128-183-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-205-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/3128-206-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/3128-210-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3128-179-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-177-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-175-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-174-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3128-173-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/3128-172-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/3128-171-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/3128-170-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/3128-169-0x0000000000780000-0x00000000007AD000-memory.dmp

Filesize
180KB

Download