redline | 390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe
Size

924KB
MD5

a08f2ffc86f7670670ea8ce061979071
SHA1

2a880260e0164a2e3c5ff3e8761dae3c660810da
SHA256

390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f
SHA512

cb21af0ea4e9d61329d3a2014c8e9b8b93e1a81e7f751ce6e0a11f85f3926f4d5165f95dfaaa1129cfe2c555d10bb4208b0ae30e06ab133e4585bf4479e4f1c6
SSDEEP

24576:0y+q6hxpBqjNKXbxFcZOVSG4S/THHzb2e3KweRX:D+X/XqJUf4G4ITHH+UKbR

Score

10^/10

redline lupa evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

217.196.96.56:4138

Attributes

auth_value
fcb02fce9bc10c56a9841d56974bd7b8

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2056-206-0x000000000A7B0000-0x000000000ADC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	N00106~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	N00106~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	N00106~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	N00106~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	N00106~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	N00106~1.EXE

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4960	Z46483~1.EXE
5064	Z76077~1.EXE
1472	Z70744~1.EXE
4780	N00106~1.EXE
2056	O96686~1.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	N00106~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	N00106~1.EXE

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Z76077~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Z70744~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Z70744~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Z46483~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Z46483~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Z76077~1.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	4780	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4780	N00106~1.EXE
4780	N00106~1.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	N00106~1.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4960	2820	390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe	82
PID 2820 wrote to memory of 4960	2820	390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe	82
PID 2820 wrote to memory of 4960	2820	390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe	82
PID 4960 wrote to memory of 5064	4960	Z46483~1.EXE	83
PID 4960 wrote to memory of 5064	4960	Z46483~1.EXE	83
PID 4960 wrote to memory of 5064	4960	Z46483~1.EXE	83
PID 5064 wrote to memory of 1472	5064	Z76077~1.EXE	84
PID 5064 wrote to memory of 1472	5064	Z76077~1.EXE	84
PID 5064 wrote to memory of 1472	5064	Z76077~1.EXE	84
PID 1472 wrote to memory of 4780	1472	Z70744~1.EXE	85
PID 1472 wrote to memory of 4780	1472	Z70744~1.EXE	85
PID 1472 wrote to memory of 4780	1472	Z70744~1.EXE	85
PID 1472 wrote to memory of 2056	1472	Z70744~1.EXE	89
PID 1472 wrote to memory of 2056	1472	Z70744~1.EXE	89
PID 1472 wrote to memory of 2056	1472	Z70744~1.EXE	89

C:\Users\Admin\AppData\Local\Temp\390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe
"C:\Users\Admin\AppData\Local\Temp\390f9b7bd6f5035522f64194b9fd686112b281d880e9a529e969fe743893422f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z46483~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z46483~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z76077~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z76077~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Z70744~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Z70744~1.EXE
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\N00106~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\N00106~1.EXE
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1088
        6⤵
        Program crash
        
        PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\O96686~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\O96686~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4780 -ip 4780
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z46483~1.EXE

Filesize
770KB

MD5
124b9362ebb36eb8490872424f27f70d

SHA1
099fe6cd4b4fcccf2c4dde868f28d465350d5c19

SHA256
37b81cbcd0b2f211b58148139786dc7e063013eda0644f16345ac23d5d5b3354

SHA512
60bc61f166513239b482c7ee3875baa6403da299df151ec8601dec77a8ead62897a24a296374d38533b8c0cf7a6f3b83835de7950db2c555b797d3db761d69da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z46483~1.EXE

Filesize
770KB

MD5
124b9362ebb36eb8490872424f27f70d

SHA1
099fe6cd4b4fcccf2c4dde868f28d465350d5c19

SHA256
37b81cbcd0b2f211b58148139786dc7e063013eda0644f16345ac23d5d5b3354

SHA512
60bc61f166513239b482c7ee3875baa6403da299df151ec8601dec77a8ead62897a24a296374d38533b8c0cf7a6f3b83835de7950db2c555b797d3db761d69da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z76077~1.EXE

Filesize
586KB

MD5
a4af42261726ef73993ca90cdce7a1c0

SHA1
8387ae412657e616fb8310c9349168c37d38c268

SHA256
9d0fc56758a2d65c6efbf54120b37c2d13fe265a955a3c15dddb37d7369c5ce2

SHA512
7c2210e68f6366eade452aa8cd81581d490f09f6e33802c639dc6c0688a807e80b4f44203bcd9d4c2e0e189b5f2026432fb82546f87662984f876dd87451e30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z76077~1.EXE

Filesize
586KB

MD5
a4af42261726ef73993ca90cdce7a1c0

SHA1
8387ae412657e616fb8310c9349168c37d38c268

SHA256
9d0fc56758a2d65c6efbf54120b37c2d13fe265a955a3c15dddb37d7369c5ce2

SHA512
7c2210e68f6366eade452aa8cd81581d490f09f6e33802c639dc6c0688a807e80b4f44203bcd9d4c2e0e189b5f2026432fb82546f87662984f876dd87451e30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Z70744~1.EXE

Filesize
383KB

MD5
7a273e1d18d9be30778426c68a83e827

SHA1
d9fe1a95a7763d98d20568a2feecc0aa06172580

SHA256
34be13d8ff1db891e244c80860bbeab17ff911aeb30ecba83cd0674f8d578a9e

SHA512
b374bc05a0f52925621d767e7963b3057f6e8e8d144e7bbbba414b6133444eff4864b4082261a24ddfd9f1c88ed9438f5e3c5464d9ee5faa930d61d13fc45aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Z70744~1.EXE

Filesize
383KB

MD5
7a273e1d18d9be30778426c68a83e827

SHA1
d9fe1a95a7763d98d20568a2feecc0aa06172580

SHA256
34be13d8ff1db891e244c80860bbeab17ff911aeb30ecba83cd0674f8d578a9e

SHA512
b374bc05a0f52925621d767e7963b3057f6e8e8d144e7bbbba414b6133444eff4864b4082261a24ddfd9f1c88ed9438f5e3c5464d9ee5faa930d61d13fc45aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\N00106~1.EXE

Filesize
283KB

MD5
7ca8ef8c5820a938ca4aae8a057c1bc9

SHA1
351718a888f1a2df4f49b7f923b0490b9c8b2a37

SHA256
146f269525131f6339d995af715bbe1f248eda7c3cd1d31ace4fcd8c70ec7a5c

SHA512
25f6c80f8357b1cec2973a414d7c934429026f7dbc4287bcf7e9650ef7932723d801a88de6a19ac8d9592e9097597ac528f1f9752edb4ce5fd46bfd756a184df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\N00106~1.EXE

Filesize
283KB

MD5
7ca8ef8c5820a938ca4aae8a057c1bc9

SHA1
351718a888f1a2df4f49b7f923b0490b9c8b2a37

SHA256
146f269525131f6339d995af715bbe1f248eda7c3cd1d31ace4fcd8c70ec7a5c

SHA512
25f6c80f8357b1cec2973a414d7c934429026f7dbc4287bcf7e9650ef7932723d801a88de6a19ac8d9592e9097597ac528f1f9752edb4ce5fd46bfd756a184df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\O96686~1.EXE

Filesize
168KB

MD5
76b5ac1a6d46691e9e3285ee375256a3

SHA1
ad896f69fc1a6e78acabe430a3214a5c3cff7ee6

SHA256
74cd8495b9e48ea9a60ff2a4bcb018c66ff5993edb8fbd238ffa825a8964f408

SHA512
cd2e63f4f184a55855ae862053c6f813e11826bb38d3b4e2a13bba1679a4154f39670449e528da7c505f2bae79020e9eaa4287ba0d536a0b64ca1b0ba3c79841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\O96686~1.EXE

Filesize
168KB

MD5
76b5ac1a6d46691e9e3285ee375256a3

SHA1
ad896f69fc1a6e78acabe430a3214a5c3cff7ee6

SHA256
74cd8495b9e48ea9a60ff2a4bcb018c66ff5993edb8fbd238ffa825a8964f408

SHA512
cd2e63f4f184a55855ae862053c6f813e11826bb38d3b4e2a13bba1679a4154f39670449e528da7c505f2bae79020e9eaa4287ba0d536a0b64ca1b0ba3c79841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\O96686~1.EXE

Filesize
168KB

MD5
76b5ac1a6d46691e9e3285ee375256a3

SHA1
ad896f69fc1a6e78acabe430a3214a5c3cff7ee6

SHA256
74cd8495b9e48ea9a60ff2a4bcb018c66ff5993edb8fbd238ffa825a8964f408

SHA512
cd2e63f4f184a55855ae862053c6f813e11826bb38d3b4e2a13bba1679a4154f39670449e528da7c505f2bae79020e9eaa4287ba0d536a0b64ca1b0ba3c79841

Download Submit
memory/2056-211-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2056-207-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/2056-206-0x000000000A7B0000-0x000000000ADC8000-memory.dmp

Filesize
6.1MB

Download
memory/2056-205-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/2056-208-0x000000000A250000-0x000000000A262000-memory.dmp

Filesize
72KB

Download
memory/2056-209-0x000000000A2B0000-0x000000000A2EC000-memory.dmp

Filesize
240KB

Download
memory/2056-210-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4780-181-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-198-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4780-177-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-183-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-185-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-187-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-189-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-191-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-193-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-194-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4780-195-0x00000000007B0000-0x00000000007DD000-memory.dmp

Filesize
180KB

Download
memory/4780-196-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4780-197-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4780-179-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-200-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/4780-175-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-173-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-171-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-169-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-167-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4780-165-0x0000000004CE0000-0x0000000005284000-memory.dmp

Filesize
5.6MB

Download
memory/4780-164-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4780-163-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4780-162-0x00000000007B0000-0x00000000007DD000-memory.dmp

Filesize
180KB

Download