redline | 13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe
Size

1.3MB
MD5

73fc90a2dfb883d62242fe23897cdd68
SHA1

e2840e54a9b35f534c6b7b2c297e963e56ab623c
SHA256

13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c
SHA512

56b8c8770f60a083a552a145302cf1bcfd38561c44cdd33cce7ec86e0f8ea593c17f4285ac3a5cb8aaa2d4c377becb4bb42378f4789196edc6927da112f20041
SSDEEP

24576:9ysiCpkuI0O8ORDj5msKjiVJMEqw/TWGZmkrHE3lj/j1XWy0vfdK:Ysi6kT0OVX5Y1EZ/T/mkI3lj71avf

Score

10^/10

redline lakio evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lakio

217.196.96.56:4138

Attributes

auth_value
5a2372e90cce274157a245c74afe9d6e

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4832-204-0x000000000AB10000-0x000000000B128000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n7448528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n7448528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n7448528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n7448528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n7448528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n7448528.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4896	z7215700.exe
4608	z6373462.exe
488	z8035758.exe
4052	n7448528.exe
4832	o3856791.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n7448528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n7448528.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7215700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7215700.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6373462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6373462.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8035758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8035758.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
560	4052	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4052	n7448528.exe
4052	n7448528.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	n7448528.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4896	2704	13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe	86
PID 2704 wrote to memory of 4896	2704	13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe	86
PID 2704 wrote to memory of 4896	2704	13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe	86
PID 4896 wrote to memory of 4608	4896	z7215700.exe	87
PID 4896 wrote to memory of 4608	4896	z7215700.exe	87
PID 4896 wrote to memory of 4608	4896	z7215700.exe	87
PID 4608 wrote to memory of 488	4608	z6373462.exe	88
PID 4608 wrote to memory of 488	4608	z6373462.exe	88
PID 4608 wrote to memory of 488	4608	z6373462.exe	88
PID 488 wrote to memory of 4052	488	z8035758.exe	89
PID 488 wrote to memory of 4052	488	z8035758.exe	89
PID 488 wrote to memory of 4052	488	z8035758.exe	89
PID 488 wrote to memory of 4832	488	z8035758.exe	95
PID 488 wrote to memory of 4832	488	z8035758.exe	95
PID 488 wrote to memory of 4832	488	z8035758.exe	95

C:\Users\Admin\AppData\Local\Temp\13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe
"C:\Users\Admin\AppData\Local\Temp\13aafc1f639702c9045d72104fc5d05f7ae721f4552951eb0e3288f4db11df1c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7215700.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7215700.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6373462.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6373462.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8035758.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8035758.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7448528.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7448528.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1080
        6⤵
        Program crash
        
        PID:560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o3856791.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o3856791.exe
        5⤵
        Executes dropped EXE
        
        PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4052 -ip 4052
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7215700.exe

Filesize
1.1MB

MD5
ad2729ae74dfcdfe2a68e75a8381571a

SHA1
34ecbea8e97520c1c12c1f2d95188789affe7717

SHA256
fc62c697c47c9f2c317665afb51e174e15543eb224becd5c98a6bccd188167a5

SHA512
f8585c58119730ad77b8fdbc2108b7b29d207343f0c4339a7371f01efc97e34a9bde859a2a03074e825e9bb8bde1ff8304aa3cc26f13e0d80e207f1e43889731

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7215700.exe

Filesize
1.1MB

MD5
ad2729ae74dfcdfe2a68e75a8381571a

SHA1
34ecbea8e97520c1c12c1f2d95188789affe7717

SHA256
fc62c697c47c9f2c317665afb51e174e15543eb224becd5c98a6bccd188167a5

SHA512
f8585c58119730ad77b8fdbc2108b7b29d207343f0c4339a7371f01efc97e34a9bde859a2a03074e825e9bb8bde1ff8304aa3cc26f13e0d80e207f1e43889731

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6373462.exe

Filesize
620KB

MD5
c922045dfe2fe20acfe0751bd155a55d

SHA1
c994fa03a1ecf25d72f1f82d485d7763cf25390e

SHA256
0015ee3895b5713212ed254dc839c0047afa11446361c76c234ae423b3c763f1

SHA512
c1029c3006f1729bc4ec60679b7f6e8bcbbd7aad0e5eefcf8c0822df6a6777201711dd8ca5c3bb8911bf808f0e152f3b3e06b9731b25e4f4e51b98fce071cd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6373462.exe

Filesize
620KB

MD5
c922045dfe2fe20acfe0751bd155a55d

SHA1
c994fa03a1ecf25d72f1f82d485d7763cf25390e

SHA256
0015ee3895b5713212ed254dc839c0047afa11446361c76c234ae423b3c763f1

SHA512
c1029c3006f1729bc4ec60679b7f6e8bcbbd7aad0e5eefcf8c0822df6a6777201711dd8ca5c3bb8911bf808f0e152f3b3e06b9731b25e4f4e51b98fce071cd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8035758.exe

Filesize
416KB

MD5
e2795bc01b50b2c4d90ab0c776e1a269

SHA1
0507289a7fdcfefd23fbe23dd46b2247b5d68fa1

SHA256
b218a77597ccb2cc3b42b0b53fd17575870e697433f656187ff4c59bfe6d515a

SHA512
dafb6af435ab3b84f0ccb77dbe6866cac5b6c3e2cc92072db83bb5c9449c545fbbc17862b2d62eac9fabe93b8cd89613235d0228d78f4daf986f9523dce75bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8035758.exe

Filesize
416KB

MD5
e2795bc01b50b2c4d90ab0c776e1a269

SHA1
0507289a7fdcfefd23fbe23dd46b2247b5d68fa1

SHA256
b218a77597ccb2cc3b42b0b53fd17575870e697433f656187ff4c59bfe6d515a

SHA512
dafb6af435ab3b84f0ccb77dbe6866cac5b6c3e2cc92072db83bb5c9449c545fbbc17862b2d62eac9fabe93b8cd89613235d0228d78f4daf986f9523dce75bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7448528.exe

Filesize
360KB

MD5
de3c4809fdd333def21bfcba55da1a1f

SHA1
a7fa58339f83dabf837c83dc8dc31e5fc65fd1c5

SHA256
afe7078c488a5e884f9ace725da1711a6268dc54d79a4766855643e3eb183660

SHA512
8ea7b67738d061c261d5e26f74b6e80fc1ecbed4cfbce101b710195f4eafa041f4ff8a3e1c8b9263253f6bf38bdfcb1301e01d3b1a688329103ecf3145d6c3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n7448528.exe

Filesize
360KB

MD5
de3c4809fdd333def21bfcba55da1a1f

SHA1
a7fa58339f83dabf837c83dc8dc31e5fc65fd1c5

SHA256
afe7078c488a5e884f9ace725da1711a6268dc54d79a4766855643e3eb183660

SHA512
8ea7b67738d061c261d5e26f74b6e80fc1ecbed4cfbce101b710195f4eafa041f4ff8a3e1c8b9263253f6bf38bdfcb1301e01d3b1a688329103ecf3145d6c3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o3856791.exe

Filesize
168KB

MD5
05f1bf56723c6af23c89d2bd93e23ee2

SHA1
635c5756c28d8a008f46e0cfb5eed5a1e1441b6a

SHA256
aa412a0a098d63da8cde641a630cf7c35ab7e67db75fe2f0ceb84f6a4cf09919

SHA512
cf0f351c602b4b92f1976e9cb50670852949dca5229c50678d01b6dc301b7b1974e18076bb638a436053542858f119e82007a2131d316c002ca4a0719aafefb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o3856791.exe

Filesize
168KB

MD5
05f1bf56723c6af23c89d2bd93e23ee2

SHA1
635c5756c28d8a008f46e0cfb5eed5a1e1441b6a

SHA256
aa412a0a098d63da8cde641a630cf7c35ab7e67db75fe2f0ceb84f6a4cf09919

SHA512
cf0f351c602b4b92f1976e9cb50670852949dca5229c50678d01b6dc301b7b1974e18076bb638a436053542858f119e82007a2131d316c002ca4a0719aafefb4

Download Submit
memory/4052-183-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-191-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-167-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-165-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4052-169-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-171-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-173-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-175-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-177-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-179-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-164-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4052-181-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-185-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-187-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-189-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-166-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-193-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4052-194-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4052-195-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4052-196-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4052-197-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4052-199-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4052-163-0x0000000000870000-0x000000000089D000-memory.dmp

Filesize
180KB

Download
memory/4052-162-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/4832-203-0x0000000000710000-0x000000000073E000-memory.dmp

Filesize
184KB

Download
memory/4832-204-0x000000000AB10000-0x000000000B128000-memory.dmp

Filesize
6.1MB

Download
memory/4832-205-0x000000000A690000-0x000000000A79A000-memory.dmp

Filesize
1.0MB

Download
memory/4832-206-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

Filesize
72KB

Download
memory/4832-207-0x000000000A620000-0x000000000A65C000-memory.dmp

Filesize
240KB

Download
memory/4832-208-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4832-209-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download