redline | 39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe
Size

1.3MB
MD5

8990f412b5dab379ac33edf54c6a407a
SHA1

c34f1f95eeb165fea9760219e54008c17a0267d8
SHA256

39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e
SHA512

e850186e07c7807bc06f54278e7f3dfbd754cfc55d4d9245bf3451e926862f598382a9fc7d0c5d51a6efe6366530efc7b588786f8407914fa75451d790278bbb
SSDEEP

24576:oyG9/SvM/vhJL/7FA+/u934mDEJIikfF2lUobykO0aXETKZrdXXs:vBavlG93YGFQUIykhaBZrB

Score

10^/10

redline lakio evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lakio

217.196.96.56:4138

Attributes

auth_value
5a2372e90cce274157a245c74afe9d6e

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2020-210-0x000000000B400000-0x000000000BA18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n7579973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n7579973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n7579973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n7579973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n7579973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n7579973.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4116	z6217695.exe
2088	z5631122.exe
3004	z7390475.exe
1544	n7579973.exe
2020	o9232842.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n7579973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n7579973.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5631122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5631122.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7390475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7390475.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6217695.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6217695.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4672	1544	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	n7579973.exe
1544	n7579973.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	n7579973.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 4116	1716	39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe	83
PID 1716 wrote to memory of 4116	1716	39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe	83
PID 1716 wrote to memory of 4116	1716	39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe	83
PID 4116 wrote to memory of 2088	4116	z6217695.exe	84
PID 4116 wrote to memory of 2088	4116	z6217695.exe	84
PID 4116 wrote to memory of 2088	4116	z6217695.exe	84
PID 2088 wrote to memory of 3004	2088	z5631122.exe	85
PID 2088 wrote to memory of 3004	2088	z5631122.exe	85
PID 2088 wrote to memory of 3004	2088	z5631122.exe	85
PID 3004 wrote to memory of 1544	3004	z7390475.exe	86
PID 3004 wrote to memory of 1544	3004	z7390475.exe	86
PID 3004 wrote to memory of 1544	3004	z7390475.exe	86
PID 3004 wrote to memory of 2020	3004	z7390475.exe	90
PID 3004 wrote to memory of 2020	3004	z7390475.exe	90
PID 3004 wrote to memory of 2020	3004	z7390475.exe	90

C:\Users\Admin\AppData\Local\Temp\39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe
"C:\Users\Admin\AppData\Local\Temp\39554c80d8362dd259d61f5947a4b006dc1cea86d7d3a63752495c8b2168473e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6217695.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6217695.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5631122.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5631122.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7390475.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7390475.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7579973.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7579973.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1084
        6⤵
        Program crash
        
        PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9232842.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9232842.exe
        5⤵
        Executes dropped EXE
        
        PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1544 -ip 1544
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6217695.exe

Filesize
1.1MB

MD5
0270dbcd7c52645040f636705556c482

SHA1
984748c8569d03fba63f9438eb4232d0b245e610

SHA256
cdc4a93807b258185b4332ce74ffcba70b7714f59ca27ef9661ef558ddf394cf

SHA512
f2bfdb68531e43a1aef55c6c883c1ea4a67dacfb4863ea50bd54ff5becb27b5b4eb5e95862d80ef33edf0d60576fd8662b7a769ee955bab44334bcb8cbf7ab9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6217695.exe

Filesize
1.1MB

MD5
0270dbcd7c52645040f636705556c482

SHA1
984748c8569d03fba63f9438eb4232d0b245e610

SHA256
cdc4a93807b258185b4332ce74ffcba70b7714f59ca27ef9661ef558ddf394cf

SHA512
f2bfdb68531e43a1aef55c6c883c1ea4a67dacfb4863ea50bd54ff5becb27b5b4eb5e95862d80ef33edf0d60576fd8662b7a769ee955bab44334bcb8cbf7ab9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5631122.exe

Filesize
619KB

MD5
512e35ad4998b1ec1713f8ef41bf8180

SHA1
0e0548991649494d979fcade75fd1c3714944e26

SHA256
f21056e0a36b943e5e828c6b3dfbf51bbb5ba0f71a405396c6a81063ab1d7520

SHA512
1903fcbdeb36ed693a6a0b4d98c4daa0da5d865fada4e2aa2000bb83d17839ddfffafea506d7c4b9bec18096e7873985ec716a6edae06c434db20d9190ad7c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5631122.exe

Filesize
619KB

MD5
512e35ad4998b1ec1713f8ef41bf8180

SHA1
0e0548991649494d979fcade75fd1c3714944e26

SHA256
f21056e0a36b943e5e828c6b3dfbf51bbb5ba0f71a405396c6a81063ab1d7520

SHA512
1903fcbdeb36ed693a6a0b4d98c4daa0da5d865fada4e2aa2000bb83d17839ddfffafea506d7c4b9bec18096e7873985ec716a6edae06c434db20d9190ad7c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7390475.exe

Filesize
415KB

MD5
9fbc231a854c14c5e71cce59f04185ca

SHA1
5ff6cc8a5d3024af0e442d9c97be14c89747f5ee

SHA256
896f8ff18a36a7f43ea98a0ac96515991324b0017bdb777516b5b5451bbf68bc

SHA512
6b2baad80ebdac6164718a490da5e41db576c89f6e95bdac20194fd346be72d45be2e8a5d945ef74b8320d04eb4787e9a175b2641e1c755f38d20bc28209b5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7390475.exe

Filesize
415KB

MD5
9fbc231a854c14c5e71cce59f04185ca

SHA1
5ff6cc8a5d3024af0e442d9c97be14c89747f5ee

SHA256
896f8ff18a36a7f43ea98a0ac96515991324b0017bdb777516b5b5451bbf68bc

SHA512
6b2baad80ebdac6164718a490da5e41db576c89f6e95bdac20194fd346be72d45be2e8a5d945ef74b8320d04eb4787e9a175b2641e1c755f38d20bc28209b5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7579973.exe

Filesize
360KB

MD5
01c0163979814658be50fe70bea00924

SHA1
c6a3bca1d6e9f244ea1d1950822a74554f739059

SHA256
3cd6e192841ac80086b33a3912db1a65d98bd956b6f403de5c4131f51df9f987

SHA512
462899794da480bcf12001f8a98cffcfcd0801e43a7fcb7cefc8b134a71a1ba6fec42ffb566a60f425e951ac045b7669e1218cce0f93b6422e61bcbb8031ca2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7579973.exe

Filesize
360KB

MD5
01c0163979814658be50fe70bea00924

SHA1
c6a3bca1d6e9f244ea1d1950822a74554f739059

SHA256
3cd6e192841ac80086b33a3912db1a65d98bd956b6f403de5c4131f51df9f987

SHA512
462899794da480bcf12001f8a98cffcfcd0801e43a7fcb7cefc8b134a71a1ba6fec42ffb566a60f425e951ac045b7669e1218cce0f93b6422e61bcbb8031ca2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9232842.exe

Filesize
168KB

MD5
fd635af7478363693a24bfde5dbb2a16

SHA1
ec7f13077c209f1b25c4d5cf5566566c16c47b25

SHA256
6de621b74c6b94889ec08a88cbbde63f4445c4bbd354ed5e0e7ec3ae83bcba3c

SHA512
923a3643bc11e4e37dfc58611663b1dbe358da239db2b4431bc2e233139577a15872a1b3ef6cb0eb0bf1f241c66015cc035988ca55179d928647dd72d7eac202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9232842.exe

Filesize
168KB

MD5
fd635af7478363693a24bfde5dbb2a16

SHA1
ec7f13077c209f1b25c4d5cf5566566c16c47b25

SHA256
6de621b74c6b94889ec08a88cbbde63f4445c4bbd354ed5e0e7ec3ae83bcba3c

SHA512
923a3643bc11e4e37dfc58611663b1dbe358da239db2b4431bc2e233139577a15872a1b3ef6cb0eb0bf1f241c66015cc035988ca55179d928647dd72d7eac202

Download Submit
memory/1544-177-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-187-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-166-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1544-167-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1544-169-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1544-170-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1544-171-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1544-172-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-173-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-175-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-163-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/1544-179-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-181-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-183-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-185-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-164-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1544-189-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-191-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-193-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-195-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-197-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-199-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/1544-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1544-165-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1544-162-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/2020-209-0x0000000000FA0000-0x0000000000FCE000-memory.dmp

Filesize
184KB

Download
memory/2020-210-0x000000000B400000-0x000000000BA18000-memory.dmp

Filesize
6.1MB

Download
memory/2020-211-0x000000000AF20000-0x000000000B02A000-memory.dmp

Filesize
1.0MB

Download
memory/2020-212-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2020-213-0x000000000AE50000-0x000000000AE62000-memory.dmp

Filesize
72KB

Download
memory/2020-214-0x000000000AEB0000-0x000000000AEEC000-memory.dmp

Filesize
240KB

Download
memory/2020-215-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download