redline | cac17db0b0be3621497804e89adfd53a4ef81e486a3e2e9beb8ef5ef7fc0096f

Analysis

max time kernel
135s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe
Size

1.5MB
MD5

3765e5a027328866312a6f27f6d02875
SHA1

88a999cfb8317430a887fc87ee4e243218583a30
SHA256

9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715
SHA512

1b54958032e7ae9553118a2b264d0990871cda2c483871a69007299d345258b7bcba2f96142b433bbf621c5756ebbbdd12634e5276e048a8e961012864b3b309
SSDEEP

24576:eyBiX7WB+CjluuY6ckhEUHvEqCyzTGeACrbjUJMb9wPpyJm46fo3qLvZ:tBiXSBkuZl9cqC8TGPCrXUJOSM+/Lv

Score

10^/10

redline maza evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maza

185.161.248.73:4164

Attributes

auth_value
474d54c1c2f5291290c53f8378acd684

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2300-213-0x000000000AEF0000-0x000000000B508000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a78290018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a78290018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a78290018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a78290018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a78290018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a78290018.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1180	i56702579.exe
3332	i25280411.exe
1068	i30717911.exe
3832	i93229882.exe
924	a78290018.exe
2300	b61977632.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a78290018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a78290018.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93229882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i93229882.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i56702579.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i25280411.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i30717911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i30717911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i56702579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i25280411.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	924	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
924	a78290018.exe
924	a78290018.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	a78290018.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1180	2004	9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe	85
PID 2004 wrote to memory of 1180	2004	9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe	85
PID 2004 wrote to memory of 1180	2004	9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe	85
PID 1180 wrote to memory of 3332	1180	i56702579.exe	86
PID 1180 wrote to memory of 3332	1180	i56702579.exe	86
PID 1180 wrote to memory of 3332	1180	i56702579.exe	86
PID 3332 wrote to memory of 1068	3332	i25280411.exe	87
PID 3332 wrote to memory of 1068	3332	i25280411.exe	87
PID 3332 wrote to memory of 1068	3332	i25280411.exe	87
PID 1068 wrote to memory of 3832	1068	i30717911.exe	88
PID 1068 wrote to memory of 3832	1068	i30717911.exe	88
PID 1068 wrote to memory of 3832	1068	i30717911.exe	88
PID 3832 wrote to memory of 924	3832	i93229882.exe	89
PID 3832 wrote to memory of 924	3832	i93229882.exe	89
PID 3832 wrote to memory of 924	3832	i93229882.exe	89
PID 3832 wrote to memory of 2300	3832	i93229882.exe	92
PID 3832 wrote to memory of 2300	3832	i93229882.exe	92
PID 3832 wrote to memory of 2300	3832	i93229882.exe	92

C:\Users\Admin\AppData\Local\Temp\9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe
"C:\Users\Admin\AppData\Local\Temp\9a23b608d40c2409be16f02653f782b9bce18fc6e204efea3072c3bd60915715.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i56702579.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i56702579.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i25280411.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i25280411.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30717911.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30717911.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93229882.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93229882.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3832
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78290018.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78290018.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1012
        7⤵
        Program crash
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61977632.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61977632.exe
        6⤵
        Executes dropped EXE
        
        PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 924 -ip 924
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i56702579.exe

Filesize
1.3MB

MD5
30298022fce160f9aa3bde2158a3e14f

SHA1
d250cc51a27b7d245a385e8e626e0ce683421189

SHA256
d09f8cd1a6fe7401ebf21ff2b05dc96b22da338064676a90cf30120dc856e6f8

SHA512
afbf22b47dba6a2808946cc199638dd29ddb8dc7c61f583d6a97895148d9578dd3f8cb8210dcc1af75a74826062cce523da7ade2304201b016f756f87ac3f0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i56702579.exe

Filesize
1.3MB

MD5
30298022fce160f9aa3bde2158a3e14f

SHA1
d250cc51a27b7d245a385e8e626e0ce683421189

SHA256
d09f8cd1a6fe7401ebf21ff2b05dc96b22da338064676a90cf30120dc856e6f8

SHA512
afbf22b47dba6a2808946cc199638dd29ddb8dc7c61f583d6a97895148d9578dd3f8cb8210dcc1af75a74826062cce523da7ade2304201b016f756f87ac3f0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i25280411.exe

Filesize
1.1MB

MD5
23051fa1442198fc1439c01c2996268b

SHA1
6f5a4964abc467de857b038c547f21eb4abd72c4

SHA256
156620d0e3d8855e7e46fe73cf4de9a2745bdb1e5580c622097476419fcbdbee

SHA512
308e0439e64bb1bb403dff46083b865c9b09b2ab84bf6e1f7864661b6508ddbefa7c7e6f7bc47a3c90c0f9fe6e53e1133627a86f0b1954cc73ed401826f3d055

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i25280411.exe

Filesize
1.1MB

MD5
23051fa1442198fc1439c01c2996268b

SHA1
6f5a4964abc467de857b038c547f21eb4abd72c4

SHA256
156620d0e3d8855e7e46fe73cf4de9a2745bdb1e5580c622097476419fcbdbee

SHA512
308e0439e64bb1bb403dff46083b865c9b09b2ab84bf6e1f7864661b6508ddbefa7c7e6f7bc47a3c90c0f9fe6e53e1133627a86f0b1954cc73ed401826f3d055

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30717911.exe

Filesize
687KB

MD5
ef610db83309b6856b6fa13c93f025d5

SHA1
e50d683d04995e285adb39ab15a624079ce28519

SHA256
83955076601ab552eb35947426c54f07525fdade6b8fffdcf445d62f806d9aa0

SHA512
bba8cd3b9a25dd036c5a7779d8cee24e4fe7ff1018e828c20630c1dc308ec82dd109621231a370fd72ef1f210fd3d7bd4a4ed69cf5fd95a82460fecf46df36f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30717911.exe

Filesize
687KB

MD5
ef610db83309b6856b6fa13c93f025d5

SHA1
e50d683d04995e285adb39ab15a624079ce28519

SHA256
83955076601ab552eb35947426c54f07525fdade6b8fffdcf445d62f806d9aa0

SHA512
bba8cd3b9a25dd036c5a7779d8cee24e4fe7ff1018e828c20630c1dc308ec82dd109621231a370fd72ef1f210fd3d7bd4a4ed69cf5fd95a82460fecf46df36f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93229882.exe

Filesize
403KB

MD5
ba4a109c9ca0c90cc02c37365c9b50e7

SHA1
8054a1e96b263dc143fffa7e3c1d4a248570562a

SHA256
cdf3d91f15538616f555f1e819b2d510cd1f1441873ef8e4209e2f9fc6cf0fbd

SHA512
f0318055879bf7bdc4f2ce34ce8945dbc651151a08d109c86e7c54c346bf55146535e07e193949aacc635d014625a56a033dfc3cfc1ab52e4bcdf2984563ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93229882.exe

Filesize
403KB

MD5
ba4a109c9ca0c90cc02c37365c9b50e7

SHA1
8054a1e96b263dc143fffa7e3c1d4a248570562a

SHA256
cdf3d91f15538616f555f1e819b2d510cd1f1441873ef8e4209e2f9fc6cf0fbd

SHA512
f0318055879bf7bdc4f2ce34ce8945dbc651151a08d109c86e7c54c346bf55146535e07e193949aacc635d014625a56a033dfc3cfc1ab52e4bcdf2984563ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78290018.exe

Filesize
344KB

MD5
c6ecdc777352e773b4a38cd14640a45e

SHA1
597fe0d9bff57fe4e5cef42dd719dbda875c8c8b

SHA256
06b6488995d9076755841d1fa7f3d29aaa81224bce2658dc8d969719b24c351d

SHA512
43a9ee085f66115fd068f6363ee97961d0cf50dd672e17086053071e09e02abb4911c287f7da5f1b14a69264404c46add11e95aa1e1ba709a6a55803c8aa582d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78290018.exe

Filesize
344KB

MD5
c6ecdc777352e773b4a38cd14640a45e

SHA1
597fe0d9bff57fe4e5cef42dd719dbda875c8c8b

SHA256
06b6488995d9076755841d1fa7f3d29aaa81224bce2658dc8d969719b24c351d

SHA512
43a9ee085f66115fd068f6363ee97961d0cf50dd672e17086053071e09e02abb4911c287f7da5f1b14a69264404c46add11e95aa1e1ba709a6a55803c8aa582d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61977632.exe

Filesize
168KB

MD5
ce515251a3f19ff94fe20b0ef710911f

SHA1
20012695f964b9b8c63b5a264946fc99f52bed1a

SHA256
021f3d7f05c11b77f30e1704cdb4cfa8e521e165e6e31bee524028e5703d4c8d

SHA512
2f48ca036e3fdc3830a37eab9831e1d2626dd435999f91aeea8a78400fefcf1bfa660de5d8b083ef47060b4c43b883947463addf742bdc20ea5634d5c0957cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61977632.exe

Filesize
168KB

MD5
ce515251a3f19ff94fe20b0ef710911f

SHA1
20012695f964b9b8c63b5a264946fc99f52bed1a

SHA256
021f3d7f05c11b77f30e1704cdb4cfa8e521e165e6e31bee524028e5703d4c8d

SHA512
2f48ca036e3fdc3830a37eab9831e1d2626dd435999f91aeea8a78400fefcf1bfa660de5d8b083ef47060b4c43b883947463addf742bdc20ea5634d5c0957cbc

Download Submit
memory/924-191-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-201-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/924-175-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-177-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-179-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-181-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-183-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-185-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-187-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-189-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-171-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-193-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-195-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-197-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-198-0x0000000000C20000-0x0000000000C4D000-memory.dmp

Filesize
180KB

Download
memory/924-173-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-200-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/924-199-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/924-202-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/924-203-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/924-204-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/924-205-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/924-208-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/924-170-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/924-169-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/2300-212-0x0000000000C20000-0x0000000000C4E000-memory.dmp

Filesize
184KB

Download
memory/2300-213-0x000000000AEF0000-0x000000000B508000-memory.dmp

Filesize
6.1MB

Download
memory/2300-214-0x000000000AA60000-0x000000000AB6A000-memory.dmp

Filesize
1.0MB

Download
memory/2300-215-0x000000000A990000-0x000000000A9A2000-memory.dmp

Filesize
72KB

Download
memory/2300-216-0x000000000A9F0000-0x000000000AA2C000-memory.dmp

Filesize
240KB

Download
memory/2300-217-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/2300-218-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download