redline | 005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe
Size

1.4MB
MD5

36afbedc4aea6e680097c7134f721b05
SHA1

681c0686d82b3050adcb1cda99ad79a3d46e23be
SHA256

005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427
SHA512

9b9ab7a650db6dc5ea5912e1527a41b87e254b4ea5f24adf149d4a4781263a218ae40ed0a409305f48dd23d49786a6dce8cc743edc0c879676b946be2ad99323
SSDEEP

24576:byhhBvapvYX4O5uQNj8RCEC1NmBl2AQMwtuSZ6eY+0b99bTEQcgOg9VjPI855Y2:O5voO4Qd8RvC1NuwArhSZ6egb99bTPtP

Score

10^/10

redline massa evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

massa

185.161.248.73:4164

Attributes

auth_value
413bf908ab27d959c62bef532780f511

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3320-212-0x000000000AA50000-0x000000000B068000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a96940714.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a96940714.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a96940714.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a96940714.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a96940714.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a96940714.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1928	i99561726.exe
4940	i17007523.exe
2004	i42833455.exe
1516	i67360280.exe
4532	a96940714.exe
3320	b39061956.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a96940714.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a96940714.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i67360280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i99561726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i17007523.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i42833455.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i67360280.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i99561726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i17007523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i42833455.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2800	4532	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4532	a96940714.exe
4532	a96940714.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	a96940714.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1928	1716	005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe	83
PID 1716 wrote to memory of 1928	1716	005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe	83
PID 1716 wrote to memory of 1928	1716	005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe	83
PID 1928 wrote to memory of 4940	1928	i99561726.exe	84
PID 1928 wrote to memory of 4940	1928	i99561726.exe	84
PID 1928 wrote to memory of 4940	1928	i99561726.exe	84
PID 4940 wrote to memory of 2004	4940	i17007523.exe	85
PID 4940 wrote to memory of 2004	4940	i17007523.exe	85
PID 4940 wrote to memory of 2004	4940	i17007523.exe	85
PID 2004 wrote to memory of 1516	2004	i42833455.exe	86
PID 2004 wrote to memory of 1516	2004	i42833455.exe	86
PID 2004 wrote to memory of 1516	2004	i42833455.exe	86
PID 1516 wrote to memory of 4532	1516	i67360280.exe	87
PID 1516 wrote to memory of 4532	1516	i67360280.exe	87
PID 1516 wrote to memory of 4532	1516	i67360280.exe	87
PID 1516 wrote to memory of 3320	1516	i67360280.exe	95
PID 1516 wrote to memory of 3320	1516	i67360280.exe	95
PID 1516 wrote to memory of 3320	1516	i67360280.exe	95

C:\Users\Admin\AppData\Local\Temp\005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe
"C:\Users\Admin\AppData\Local\Temp\005e9df4f61f779fb2ab062a91060b825e882dfc36978649260565d1f8f66427.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99561726.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99561726.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17007523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17007523.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42833455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42833455.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67360280.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67360280.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96940714.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96940714.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1064
        7⤵
        Program crash
        
        PID:2800
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39061956.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39061956.exe
        6⤵
        Executes dropped EXE
        
        PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4532 -ip 4532
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99561726.exe

Filesize
1.2MB

MD5
50b95bca7dc289b0a5419523604706bd

SHA1
3cdd2e9f1e526664b26745b73c7d390e6d91af84

SHA256
1223dc0c25800776bc4bf16e443ceb39fa17bc46987f24720b9a44465bbb1f52

SHA512
74f7dc986961d3630ec0b6cbae7d6300a4b35b622270b7831d851bcd0cc1611e05ee2fa4014e6e8cd09c4322448146832ce84d15ba110729e8a0226929f2e7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i99561726.exe

Filesize
1.2MB

MD5
50b95bca7dc289b0a5419523604706bd

SHA1
3cdd2e9f1e526664b26745b73c7d390e6d91af84

SHA256
1223dc0c25800776bc4bf16e443ceb39fa17bc46987f24720b9a44465bbb1f52

SHA512
74f7dc986961d3630ec0b6cbae7d6300a4b35b622270b7831d851bcd0cc1611e05ee2fa4014e6e8cd09c4322448146832ce84d15ba110729e8a0226929f2e7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17007523.exe

Filesize
1.1MB

MD5
a8e9bf1e2fe9ed013e133c3142df6971

SHA1
2201985d413dba0da7652a661fe2b66fa6e6f23f

SHA256
17fd101cb7647d0b979121bd51cdc69df7e6c1791c04c1511028a59e8d7006c3

SHA512
abd1de936c870903945d71a2bb433b3c4c6fe0d6adf6a49d0749f2f14110b405ae1aa37b942a137e963211ee2cbb44e15dbb72bdc869d3481c1f2a756bbe5d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i17007523.exe

Filesize
1.1MB

MD5
a8e9bf1e2fe9ed013e133c3142df6971

SHA1
2201985d413dba0da7652a661fe2b66fa6e6f23f

SHA256
17fd101cb7647d0b979121bd51cdc69df7e6c1791c04c1511028a59e8d7006c3

SHA512
abd1de936c870903945d71a2bb433b3c4c6fe0d6adf6a49d0749f2f14110b405ae1aa37b942a137e963211ee2cbb44e15dbb72bdc869d3481c1f2a756bbe5d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42833455.exe

Filesize
643KB

MD5
db8a2d5ac8dc49a5351dd505c6a89c02

SHA1
30ed7c9b18603d995f7d066a6f72f416cc4b3a81

SHA256
9da92e9ba9ab911b53180bfd5544186400b8a6c99d8f8cf0cbdd665307951935

SHA512
e623d51e57c81d774b1b47bc36360f0aed8cf28483c8fd1ca761364f1a031f401a4646dc6b07d3200047db4e576ab1fe395ec79a4ad2ad50f32d257678ae8c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i42833455.exe

Filesize
643KB

MD5
db8a2d5ac8dc49a5351dd505c6a89c02

SHA1
30ed7c9b18603d995f7d066a6f72f416cc4b3a81

SHA256
9da92e9ba9ab911b53180bfd5544186400b8a6c99d8f8cf0cbdd665307951935

SHA512
e623d51e57c81d774b1b47bc36360f0aed8cf28483c8fd1ca761364f1a031f401a4646dc6b07d3200047db4e576ab1fe395ec79a4ad2ad50f32d257678ae8c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67360280.exe

Filesize
385KB

MD5
8aa2accf20fda21d2f7c608b9911cb9f

SHA1
dcc3e74af88c98c2c67ec2843a7d5a6383327e33

SHA256
4aeb8009ee858cf27806e4c6d83509b6481f99e906389de59d0368207d464383

SHA512
f1b5bba545e1d008516d69c3cc67ff51769f9124bae5e1b6d0401473cd506af6a415c3ad2af045fd082a539faca09544a396629aa045e7d10c348be587f1d1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67360280.exe

Filesize
385KB

MD5
8aa2accf20fda21d2f7c608b9911cb9f

SHA1
dcc3e74af88c98c2c67ec2843a7d5a6383327e33

SHA256
4aeb8009ee858cf27806e4c6d83509b6481f99e906389de59d0368207d464383

SHA512
f1b5bba545e1d008516d69c3cc67ff51769f9124bae5e1b6d0401473cd506af6a415c3ad2af045fd082a539faca09544a396629aa045e7d10c348be587f1d1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96940714.exe

Filesize
291KB

MD5
a336d9278acff5a1d96483fc5146013e

SHA1
812d0cc90c3e9078fe1ba8096e57308eb263420b

SHA256
94e8f3df5595df96183bccfa9e6a3f5621438a1126f92d05ff35042f6293a44c

SHA512
1696f24893fbe247cb1d9cb0202a17a4f95b8fe4c37f6142201ae5e5306380adf4182936daba51853fe5f5b1f5b6fc22fa28e9a74c68ca926fb1382651c26a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a96940714.exe

Filesize
291KB

MD5
a336d9278acff5a1d96483fc5146013e

SHA1
812d0cc90c3e9078fe1ba8096e57308eb263420b

SHA256
94e8f3df5595df96183bccfa9e6a3f5621438a1126f92d05ff35042f6293a44c

SHA512
1696f24893fbe247cb1d9cb0202a17a4f95b8fe4c37f6142201ae5e5306380adf4182936daba51853fe5f5b1f5b6fc22fa28e9a74c68ca926fb1382651c26a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39061956.exe

Filesize
168KB

MD5
20c6a33503daa0a10c4856b41b4c6628

SHA1
e406bbaae8c9ecddf8ee54b477394024bdc3e1c1

SHA256
915531524f885f8f0f5179d09e0a2e4d93149a6932564e4b61d48d6c17681579

SHA512
681e7df321dc41f8d5cd3449ef9c48cc8ba019cdeec2844002f020b47ec9c53e1d2798bdcad4347a1db01d1c037d59bfd2553abac88cecdf139740448d9b56b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b39061956.exe

Filesize
168KB

MD5
20c6a33503daa0a10c4856b41b4c6628

SHA1
e406bbaae8c9ecddf8ee54b477394024bdc3e1c1

SHA256
915531524f885f8f0f5179d09e0a2e4d93149a6932564e4b61d48d6c17681579

SHA512
681e7df321dc41f8d5cd3449ef9c48cc8ba019cdeec2844002f020b47ec9c53e1d2798bdcad4347a1db01d1c037d59bfd2553abac88cecdf139740448d9b56b7

Download Submit
memory/3320-217-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3320-216-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3320-215-0x000000000A540000-0x000000000A57C000-memory.dmp

Filesize
240KB

Download
memory/3320-214-0x000000000A4E0000-0x000000000A4F2000-memory.dmp

Filesize
72KB

Download
memory/3320-213-0x000000000A5B0000-0x000000000A6BA000-memory.dmp

Filesize
1.0MB

Download
memory/3320-212-0x000000000AA50000-0x000000000B068000-memory.dmp

Filesize
6.1MB

Download
memory/3320-211-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/4532-193-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-205-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4532-187-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-171-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-191-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-195-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-197-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-198-0x00000000006D0000-0x00000000006FD000-memory.dmp

Filesize
180KB

Download
memory/4532-199-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4532-200-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4532-201-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4532-202-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/4532-204-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4532-189-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-203-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4532-207-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/4532-185-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-173-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-183-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-175-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-181-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-177-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-179-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-170-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/4532-169-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download