redline | 1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe
Size

1.5MB
MD5

a9a3d36f1944fd0338a084030f126b1c
SHA1

aa2127dcd116cea561395beccac1679cff97b762
SHA256

1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0
SHA512

00545d15999c6c5dab1616a1279ff5ce7d2481dfecc9a1884d008ee2299ac342ac5cac8a5d7e56d96ee18ddea366f9b96ca3db1d97931c7ada3b88520b87aa76
SSDEEP

24576:eyM7bvKR3YqrusDsCJzFKHKv4DWWMMXnuUzgrVyD2NSw4Et/5tSgI8s4ZGKOL7R:tCbiR3fFzRgWWhuCgCYSot//SgHGKOL

Score

10^/10

redline mazda evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4104-209-0x000000000A9A0000-0x000000000AFB8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2191162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2191162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2191162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2191162.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a2191162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2191162.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2688	v1296116.exe
2176	v1707671.exe
2144	v0279443.exe
1844	v4217318.exe
1768	a2191162.exe
4104	b6088643.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2191162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2191162.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0279443.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4217318.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1296116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1707671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1296116.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1707671.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0279443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4217318.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3992	1768	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	a2191162.exe
1768	a2191162.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	a2191162.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2688	3128	1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe	84
PID 3128 wrote to memory of 2688	3128	1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe	84
PID 3128 wrote to memory of 2688	3128	1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe	84
PID 2688 wrote to memory of 2176	2688	v1296116.exe	85
PID 2688 wrote to memory of 2176	2688	v1296116.exe	85
PID 2688 wrote to memory of 2176	2688	v1296116.exe	85
PID 2176 wrote to memory of 2144	2176	v1707671.exe	86
PID 2176 wrote to memory of 2144	2176	v1707671.exe	86
PID 2176 wrote to memory of 2144	2176	v1707671.exe	86
PID 2144 wrote to memory of 1844	2144	v0279443.exe	87
PID 2144 wrote to memory of 1844	2144	v0279443.exe	87
PID 2144 wrote to memory of 1844	2144	v0279443.exe	87
PID 1844 wrote to memory of 1768	1844	v4217318.exe	88
PID 1844 wrote to memory of 1768	1844	v4217318.exe	88
PID 1844 wrote to memory of 1768	1844	v4217318.exe	88
PID 1844 wrote to memory of 4104	1844	v4217318.exe	94
PID 1844 wrote to memory of 4104	1844	v4217318.exe	94
PID 1844 wrote to memory of 4104	1844	v4217318.exe	94

C:\Users\Admin\AppData\Local\Temp\1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe
"C:\Users\Admin\AppData\Local\Temp\1537100c0399e845e2b2b2c42272a7b80e876c6d280918ae8ee1fb3bd7e7dcf0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1296116.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1296116.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1707671.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1707671.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0279443.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0279443.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217318.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217318.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2191162.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2191162.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1080
        7⤵
        Program crash
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6088643.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6088643.exe
        6⤵
        Executes dropped EXE
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1768 -ip 1768
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1296116.exe

Filesize
1.4MB

MD5
1c4c3e8549b893bcd059bb831ed37382

SHA1
f8a7e31fd186bdaa2097a770247927085ddadff4

SHA256
ca77d178b1d292156ff0c451dbc84525f29f53d301af1b72cc93d8a01cd5d38f

SHA512
8ebbc9ecbc2074ae7a508b988795fe3ede93bf9bee29429986ffc0ca5a019e082bb5801aa9a1af26e70284712c8d17b783cfec6784e3b0a69926a4485522240f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1296116.exe

Filesize
1.4MB

MD5
1c4c3e8549b893bcd059bb831ed37382

SHA1
f8a7e31fd186bdaa2097a770247927085ddadff4

SHA256
ca77d178b1d292156ff0c451dbc84525f29f53d301af1b72cc93d8a01cd5d38f

SHA512
8ebbc9ecbc2074ae7a508b988795fe3ede93bf9bee29429986ffc0ca5a019e082bb5801aa9a1af26e70284712c8d17b783cfec6784e3b0a69926a4485522240f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1707671.exe

Filesize
916KB

MD5
e30b32224037f41ad359719bdc98fdc9

SHA1
448661a8dace69a901beb50c8945c5a20f208170

SHA256
dcf0e0002ef0d68de08ceb56c09f575434482909da4ca33d48fb69faff19f13d

SHA512
4b75e9738550006cde08fd5ea2dfb5f4f29e6311c4e96f6a0a4c979c5893393c0cbc465b162b384d554cf63e53d40ed2b895cb1b4616062aff94f588416f7322

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1707671.exe

Filesize
916KB

MD5
e30b32224037f41ad359719bdc98fdc9

SHA1
448661a8dace69a901beb50c8945c5a20f208170

SHA256
dcf0e0002ef0d68de08ceb56c09f575434482909da4ca33d48fb69faff19f13d

SHA512
4b75e9738550006cde08fd5ea2dfb5f4f29e6311c4e96f6a0a4c979c5893393c0cbc465b162b384d554cf63e53d40ed2b895cb1b4616062aff94f588416f7322

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0279443.exe

Filesize
711KB

MD5
b47acdf37a719c3ffca5b15a02fd1c1a

SHA1
b0badef32052eaf2acd580bd31cb6d154c68d1b5

SHA256
7577e4e48d1938fdde13afb488f03a36b9b01b95d9cb648b094da2d4653b2bfd

SHA512
2a090bb1ab1720f8d44228410d57112ac304da46ace591b330bf266f73e6e4c638582ca62cc8050425c113d4980eb2a83c58c58bfb9c1c21da89a14748aa19d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0279443.exe

Filesize
711KB

MD5
b47acdf37a719c3ffca5b15a02fd1c1a

SHA1
b0badef32052eaf2acd580bd31cb6d154c68d1b5

SHA256
7577e4e48d1938fdde13afb488f03a36b9b01b95d9cb648b094da2d4653b2bfd

SHA512
2a090bb1ab1720f8d44228410d57112ac304da46ace591b330bf266f73e6e4c638582ca62cc8050425c113d4980eb2a83c58c58bfb9c1c21da89a14748aa19d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217318.exe

Filesize
416KB

MD5
b4eb9c4489ea41fe844a42a0c17f857c

SHA1
ade15e1fea0c0d001fefb7fa523e6b26a70b02ba

SHA256
263965637013da5de444eede206022c8ab353cb0e0cae98bacac6e2d96386853

SHA512
ffe104be4c6a203de29987bc169e7c1ee02d6370f780be8e80ef4baa8fe54f8320614f9c72264b6518e9ada580c41a0bd18449fa282ccd699725863420a6ff5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4217318.exe

Filesize
416KB

MD5
b4eb9c4489ea41fe844a42a0c17f857c

SHA1
ade15e1fea0c0d001fefb7fa523e6b26a70b02ba

SHA256
263965637013da5de444eede206022c8ab353cb0e0cae98bacac6e2d96386853

SHA512
ffe104be4c6a203de29987bc169e7c1ee02d6370f780be8e80ef4baa8fe54f8320614f9c72264b6518e9ada580c41a0bd18449fa282ccd699725863420a6ff5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2191162.exe

Filesize
360KB

MD5
003e7969e35bd587d02591ea55e8f552

SHA1
06f0d129506feb02366717b231202b26028f291c

SHA256
9d188a4f10160bfc611cc9495a4627a655ea87acebd322279cc5d1008ce08397

SHA512
55a67605e97e85a2336d62017094d4b0ae1a184844922129f00ae883e4a1c2862bd89ca479a3a126c98855ffea91a733105527a1f34d1875613382a4bc4c391c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2191162.exe

Filesize
360KB

MD5
003e7969e35bd587d02591ea55e8f552

SHA1
06f0d129506feb02366717b231202b26028f291c

SHA256
9d188a4f10160bfc611cc9495a4627a655ea87acebd322279cc5d1008ce08397

SHA512
55a67605e97e85a2336d62017094d4b0ae1a184844922129f00ae883e4a1c2862bd89ca479a3a126c98855ffea91a733105527a1f34d1875613382a4bc4c391c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6088643.exe

Filesize
168KB

MD5
ff0f79bac5a1b3d02dd224c5da59ee47

SHA1
768bcf57bb724c8c6e1cd6d4f1c83f5738312e69

SHA256
1ec1375b9e17535df1e1334d62490c9d4c141e75ff2c4a0a2697c46c35fd5c1e

SHA512
8bf3ce2ca3b42989281c946bb01926f60103aee3aa17fc708e706342994e97feb1b21f74e176516b1e6c41b5dd44f6ec69ce0278dc25172632b1449e3c7d8c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6088643.exe

Filesize
168KB

MD5
ff0f79bac5a1b3d02dd224c5da59ee47

SHA1
768bcf57bb724c8c6e1cd6d4f1c83f5738312e69

SHA256
1ec1375b9e17535df1e1334d62490c9d4c141e75ff2c4a0a2697c46c35fd5c1e

SHA512
8bf3ce2ca3b42989281c946bb01926f60103aee3aa17fc708e706342994e97feb1b21f74e176516b1e6c41b5dd44f6ec69ce0278dc25172632b1449e3c7d8c1f

Download Submit
memory/1768-184-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-198-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-173-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-174-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-176-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-178-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-180-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-182-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-171-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1768-186-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-188-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-190-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-192-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-194-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-196-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-172-0x0000000004D50000-0x00000000052F4000-memory.dmp

Filesize
5.6MB

Download
memory/1768-200-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/1768-201-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1768-202-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1768-204-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1768-170-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1768-169-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/4104-208-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/4104-209-0x000000000A9A0000-0x000000000AFB8000-memory.dmp

Filesize
6.1MB

Download
memory/4104-210-0x000000000A4F0000-0x000000000A5FA000-memory.dmp

Filesize
1.0MB

Download
memory/4104-211-0x000000000A420000-0x000000000A432000-memory.dmp

Filesize
72KB

Download
memory/4104-212-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/4104-213-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4104-214-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download