redline | 31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796

Analysis

max time kernel
169s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe
Size

1.5MB
MD5

6108d836010313d77b93aa0de9b89894
SHA1

8a231e1ea5ef2109fe13a179e524589ad3d29dcb
SHA256

31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796
SHA512

02a1f21b5a3e19e1c8514f77121589a84c9aa10c39d150d539f283ffdefd285bbf1dd84b869e102888538ce37b350e4f0706744393986031390e9d514374e889
SSDEEP

24576:Lyr4bwrkH9EeO8QvaaIAb/S7/obGt4fgmHbf5UIyvIha/MVbbDtckmidUkuHup4:+Gtsv2AujAGQ37/OIh8aVcXrkv

Score

10^/10

redline mazda evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2024-215-0x00000000059F0000-0x0000000006008000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6927465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6927465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6927465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6927465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6927465.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6927465.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2120	v3052329.exe
488	v3354145.exe
2588	v7273182.exe
2572	v2989093.exe
2720	a6927465.exe
2024	b1618104.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6927465.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6927465.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3052329.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3354145.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2989093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3052329.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3354145.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7273182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7273182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2989093.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3852	2720	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	a6927465.exe
2720	a6927465.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	a6927465.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2120	1740	31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe	81
PID 1740 wrote to memory of 2120	1740	31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe	81
PID 1740 wrote to memory of 2120	1740	31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe	81
PID 2120 wrote to memory of 488	2120	v3052329.exe	82
PID 2120 wrote to memory of 488	2120	v3052329.exe	82
PID 2120 wrote to memory of 488	2120	v3052329.exe	82
PID 488 wrote to memory of 2588	488	v3354145.exe	83
PID 488 wrote to memory of 2588	488	v3354145.exe	83
PID 488 wrote to memory of 2588	488	v3354145.exe	83
PID 2588 wrote to memory of 2572	2588	v7273182.exe	84
PID 2588 wrote to memory of 2572	2588	v7273182.exe	84
PID 2588 wrote to memory of 2572	2588	v7273182.exe	84
PID 2572 wrote to memory of 2720	2572	v2989093.exe	85
PID 2572 wrote to memory of 2720	2572	v2989093.exe	85
PID 2572 wrote to memory of 2720	2572	v2989093.exe	85
PID 2572 wrote to memory of 2024	2572	v2989093.exe	89
PID 2572 wrote to memory of 2024	2572	v2989093.exe	89
PID 2572 wrote to memory of 2024	2572	v2989093.exe	89

C:\Users\Admin\AppData\Local\Temp\31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe
"C:\Users\Admin\AppData\Local\Temp\31ab3655887de6720f1b0cff9166245b1c5c154b613e01e11a186e04ea24f796.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3052329.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3052329.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3354145.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3354145.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7273182.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7273182.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2989093.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2989093.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6927465.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6927465.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 1096
        7⤵
        Program crash
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1618104.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1618104.exe
        6⤵
        Executes dropped EXE
        
        PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2720 -ip 2720
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3052329.exe

Filesize
1.3MB

MD5
d66a14d9fe340832143e13adfe40dfd4

SHA1
7b0854d33b916a8f884fbaf8ca7e24299d3a3efd

SHA256
88355c120c9908d7cb3cd485c8cea447c1fb1e06edd533902dac9c818c43db23

SHA512
accdbf181c77fb9aca93815882cd60ad322d845d0e517a05e680a7880281051ead1eb8d563fd2ae693afa1bba4875f7fe7d444414039f76050e172cbcb0fc0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3052329.exe

Filesize
1.3MB

MD5
d66a14d9fe340832143e13adfe40dfd4

SHA1
7b0854d33b916a8f884fbaf8ca7e24299d3a3efd

SHA256
88355c120c9908d7cb3cd485c8cea447c1fb1e06edd533902dac9c818c43db23

SHA512
accdbf181c77fb9aca93815882cd60ad322d845d0e517a05e680a7880281051ead1eb8d563fd2ae693afa1bba4875f7fe7d444414039f76050e172cbcb0fc0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3354145.exe

Filesize
866KB

MD5
36705cac86a74e4e90350c7f2ed45994

SHA1
fe534a4a2977496b7d3845698dc5ae606c882786

SHA256
3d6885b8280a559655d177d133950fe28a9ac6f058a2dabd372711dec48c45c1

SHA512
e0e84c8b0aada07c7694621ea1d6c3f3de9090256a268ba41b72da55c43b2261c6c9be51698e038471417f6114b3ecf037d99651783ef5bb29cbb65c30d2d12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3354145.exe

Filesize
866KB

MD5
36705cac86a74e4e90350c7f2ed45994

SHA1
fe534a4a2977496b7d3845698dc5ae606c882786

SHA256
3d6885b8280a559655d177d133950fe28a9ac6f058a2dabd372711dec48c45c1

SHA512
e0e84c8b0aada07c7694621ea1d6c3f3de9090256a268ba41b72da55c43b2261c6c9be51698e038471417f6114b3ecf037d99651783ef5bb29cbb65c30d2d12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7273182.exe

Filesize
662KB

MD5
f73d73fd367c0d3f3be7face46f9c58f

SHA1
e7dcebd390f8e83e9bc88c356f29c1053a865711

SHA256
099f56affa6f84acfdf93fe963c1b8afd48b90d492d8338ba5946e641c3bf6ea

SHA512
b595aa5dd5b6957ff42750b5d2c9fb5b675c99f226b32c9ba9873740dc09079481642243721c04ef1eae5e9b0c0b073f37b33b395de3effc26c924f17ab9b3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7273182.exe

Filesize
662KB

MD5
f73d73fd367c0d3f3be7face46f9c58f

SHA1
e7dcebd390f8e83e9bc88c356f29c1053a865711

SHA256
099f56affa6f84acfdf93fe963c1b8afd48b90d492d8338ba5946e641c3bf6ea

SHA512
b595aa5dd5b6957ff42750b5d2c9fb5b675c99f226b32c9ba9873740dc09079481642243721c04ef1eae5e9b0c0b073f37b33b395de3effc26c924f17ab9b3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2989093.exe

Filesize
393KB

MD5
1e45788c3e05942a934c29e7f2c00cad

SHA1
7b899c5248c9ff0f35e223bd2f03b0c87fd3fbd5

SHA256
90930c82c4af36f1036709f20ec45391bd888e8f996eed7d90998d57eef4ee1f

SHA512
f3b1936419c9c36a37f2c6088b94a31c7bd0fb39ffde1b3a8ba5e3c7317eede45b6680ae3fecea05bd3e78a1e4bab105b62004234b0a1a977a949d485b6257d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2989093.exe

Filesize
393KB

MD5
1e45788c3e05942a934c29e7f2c00cad

SHA1
7b899c5248c9ff0f35e223bd2f03b0c87fd3fbd5

SHA256
90930c82c4af36f1036709f20ec45391bd888e8f996eed7d90998d57eef4ee1f

SHA512
f3b1936419c9c36a37f2c6088b94a31c7bd0fb39ffde1b3a8ba5e3c7317eede45b6680ae3fecea05bd3e78a1e4bab105b62004234b0a1a977a949d485b6257d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6927465.exe

Filesize
315KB

MD5
40a9f0f75a8bb4591dc57f10e26456be

SHA1
b0840d51ef8cf349e60a0ece5300d8ef5951a6c8

SHA256
21a9cfca5ad0606db96b931cb7b3b57a0da826f0b9028cb6ab5dbf1fb2790a19

SHA512
aceb18e90ced3a425fba29da777b1b926b94268c34f11be0ca76b26b33bb5a3dab61c9d70119eb6a46122a18df55fcca0e25a8e853d825a74616e4eec84d0751

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6927465.exe

Filesize
315KB

MD5
40a9f0f75a8bb4591dc57f10e26456be

SHA1
b0840d51ef8cf349e60a0ece5300d8ef5951a6c8

SHA256
21a9cfca5ad0606db96b931cb7b3b57a0da826f0b9028cb6ab5dbf1fb2790a19

SHA512
aceb18e90ced3a425fba29da777b1b926b94268c34f11be0ca76b26b33bb5a3dab61c9d70119eb6a46122a18df55fcca0e25a8e853d825a74616e4eec84d0751

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1618104.exe

Filesize
168KB

MD5
9a720a0ec9b1511071468427546e75cf

SHA1
5061123501cf321837eb73225bcbfec89c87e952

SHA256
9633a81383ff1d4de3b564eef7c3bdef3ec2b7ed4d720de9820d98e419215ede

SHA512
09b083bda12bfea9f7df30a2ca41b460eea3e497005387fcc525c4aa1d5a60a6ef0ec5bcd354f9de1f2032e8cee17212f19ff4c64b6084120205c1d5820fe7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1618104.exe

Filesize
168KB

MD5
9a720a0ec9b1511071468427546e75cf

SHA1
5061123501cf321837eb73225bcbfec89c87e952

SHA256
9633a81383ff1d4de3b564eef7c3bdef3ec2b7ed4d720de9820d98e419215ede

SHA512
09b083bda12bfea9f7df30a2ca41b460eea3e497005387fcc525c4aa1d5a60a6ef0ec5bcd354f9de1f2032e8cee17212f19ff4c64b6084120205c1d5820fe7b5

Download Submit
memory/2024-220-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/2024-219-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/2024-218-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/2024-217-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/2024-216-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/2024-215-0x00000000059F0000-0x0000000006008000-memory.dmp

Filesize
6.1MB

Download
memory/2024-214-0x0000000000960000-0x0000000000990000-memory.dmp

Filesize
192KB

Download
memory/2720-187-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-204-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2720-185-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-181-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-189-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-191-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-193-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-195-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-197-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-199-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-201-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-202-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2720-203-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2720-183-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-205-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2720-209-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2720-179-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-177-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-175-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-174-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2720-172-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2720-173-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2720-171-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2720-170-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2720-169-0x0000000000560000-0x000000000058D000-memory.dmp

Filesize
180KB

Download