redline | 189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6

Analysis

max time kernel
161s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe
Size

1.4MB
MD5

9d8e0505246513493a86f38902bc8031
SHA1

1377b577ade57c286b91a997eda060619292f955
SHA256

189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6
SHA512

2c762ccc36ea84633d1fda5402005e44c94731f50d4ba1e667b3a3abc8811ce597de2d7571733bed36802b7c87451b7da3190406d74435fa6f7be8b81a04bd0d
SSDEEP

24576:oyIQPzlb1rycJtqz3EKaij5/gjn1Sn3wDcDEvJNAtMDBshzICNtz047i1vnBMrIy:vlPfrEpRN/gjMo02NrCvW5BFIrd

Score

10^/10

redline max evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

max

185.161.248.73:4164

Attributes

auth_value
efb1499709a5d08ed1ddf71cff71211f

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1796-208-0x000000000AA80000-0x000000000B098000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a26024373.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a26024373.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a26024373.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a26024373.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a26024373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a26024373.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1496	i08317511.exe
3248	i86905583.exe
2108	i45390495.exe
4184	i82079015.exe
1752	a26024373.exe
1796	b30585462.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a26024373.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a26024373.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i86905583.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i45390495.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i45390495.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i82079015.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08317511.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i08317511.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i86905583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i82079015.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1752	a26024373.exe
1752	a26024373.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	a26024373.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1496	4972	189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe	83
PID 4972 wrote to memory of 1496	4972	189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe	83
PID 4972 wrote to memory of 1496	4972	189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe	83
PID 1496 wrote to memory of 3248	1496	i08317511.exe	84
PID 1496 wrote to memory of 3248	1496	i08317511.exe	84
PID 1496 wrote to memory of 3248	1496	i08317511.exe	84
PID 3248 wrote to memory of 2108	3248	i86905583.exe	85
PID 3248 wrote to memory of 2108	3248	i86905583.exe	85
PID 3248 wrote to memory of 2108	3248	i86905583.exe	85
PID 2108 wrote to memory of 4184	2108	i45390495.exe	86
PID 2108 wrote to memory of 4184	2108	i45390495.exe	86
PID 2108 wrote to memory of 4184	2108	i45390495.exe	86
PID 4184 wrote to memory of 1752	4184	i82079015.exe	87
PID 4184 wrote to memory of 1752	4184	i82079015.exe	87
PID 4184 wrote to memory of 1752	4184	i82079015.exe	87
PID 4184 wrote to memory of 1796	4184	i82079015.exe	88
PID 4184 wrote to memory of 1796	4184	i82079015.exe	88
PID 4184 wrote to memory of 1796	4184	i82079015.exe	88

C:\Users\Admin\AppData\Local\Temp\189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe
"C:\Users\Admin\AppData\Local\Temp\189ebb2509fb98fb6552421719c446efdf2daad510ed60c177fcc84112321ff6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08317511.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08317511.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86905583.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86905583.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45390495.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45390495.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82079015.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82079015.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4184
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26024373.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26024373.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b30585462.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b30585462.exe
        6⤵
        Executes dropped EXE
        
        PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08317511.exe

Filesize
1.2MB

MD5
aa8dd256360d16edd0da217d03dd24ba

SHA1
a0d784250966c91bad33928d32489d75196d37dc

SHA256
cf4cc89b0c6a7aa7647c7089723635948e8c54de7b141be6925fac9afc921349

SHA512
b9e51063f0ae7f9845406b0141679f0849dc69810a45df4930a5ba8a0f40b5f14299e378a404527eed1770f6ce814b14481ca2f3821af27f6c4041de88008608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08317511.exe

Filesize
1.2MB

MD5
aa8dd256360d16edd0da217d03dd24ba

SHA1
a0d784250966c91bad33928d32489d75196d37dc

SHA256
cf4cc89b0c6a7aa7647c7089723635948e8c54de7b141be6925fac9afc921349

SHA512
b9e51063f0ae7f9845406b0141679f0849dc69810a45df4930a5ba8a0f40b5f14299e378a404527eed1770f6ce814b14481ca2f3821af27f6c4041de88008608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86905583.exe

Filesize
1.0MB

MD5
6cca0371ceced7cc19ff5da9dc08196b

SHA1
ac4854cf2df3fa1f6609791fb59bab7001a774db

SHA256
8ade889bab255dc1e9ae32701335d12a9f3cb6d4e2704704fa8cd357d46040b1

SHA512
a4352a7f102e4727a724b38404e2e3d2210272a3c141916a23737dc7c23e607ed46399ecb5d9b3d562b483c18b05df2bdf8d0f8b3e64c6a811bf239d49a61c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86905583.exe

Filesize
1.0MB

MD5
6cca0371ceced7cc19ff5da9dc08196b

SHA1
ac4854cf2df3fa1f6609791fb59bab7001a774db

SHA256
8ade889bab255dc1e9ae32701335d12a9f3cb6d4e2704704fa8cd357d46040b1

SHA512
a4352a7f102e4727a724b38404e2e3d2210272a3c141916a23737dc7c23e607ed46399ecb5d9b3d562b483c18b05df2bdf8d0f8b3e64c6a811bf239d49a61c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45390495.exe

Filesize
569KB

MD5
59a1c1637c4e90ad48260acb1bfa494e

SHA1
6d60ed60b36446243592bba8eb25a5db1a679ce9

SHA256
3a7e7a98ce29227ae6b6921478b86692eff1e271ec78e940de389dc7c6f3e0cd

SHA512
1a38dc2f722b9a042693a1f5e71a4b01a5da27ab7b4f188baf290e7797f337dfb9711804f11da2adc981cd6b20d1d35027bb0256a87ab5c9dfe2297ee74c09a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i45390495.exe

Filesize
569KB

MD5
59a1c1637c4e90ad48260acb1bfa494e

SHA1
6d60ed60b36446243592bba8eb25a5db1a679ce9

SHA256
3a7e7a98ce29227ae6b6921478b86692eff1e271ec78e940de389dc7c6f3e0cd

SHA512
1a38dc2f722b9a042693a1f5e71a4b01a5da27ab7b4f188baf290e7797f337dfb9711804f11da2adc981cd6b20d1d35027bb0256a87ab5c9dfe2297ee74c09a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82079015.exe

Filesize
310KB

MD5
b9253542f48edaf9dca1fa8b5a61040d

SHA1
0a4910e471925daf4427e09a3e0e0a5027f7dcce

SHA256
9994bc55089590916e561400ab46a821ab3ce5e7fbc20b723633ec2961a0f7d1

SHA512
96ca4b9636f15438089148da11c5013207355cebe04e991d43af7fb87941065ece920513d5512571472556889a43c987a15ad948d195b0ced032e5f38c3e656a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i82079015.exe

Filesize
310KB

MD5
b9253542f48edaf9dca1fa8b5a61040d

SHA1
0a4910e471925daf4427e09a3e0e0a5027f7dcce

SHA256
9994bc55089590916e561400ab46a821ab3ce5e7fbc20b723633ec2961a0f7d1

SHA512
96ca4b9636f15438089148da11c5013207355cebe04e991d43af7fb87941065ece920513d5512571472556889a43c987a15ad948d195b0ced032e5f38c3e656a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26024373.exe

Filesize
176KB

MD5
9e6cbdae60a6ce3e6259183014829886

SHA1
c4715a2468b1555c9a5178dc73dca7e8cc7f98de

SHA256
603eeb76ee5d684353defc5cffab3c53f211108861be952f5817310969d89c7a

SHA512
3a5ec75a2b290d7f40e116bdb0f878135b1e601d27fed2a923be2754f505854b287cf827a0af5474b71a46f309edfe0fc2c0263ba512185e8154417129e4dd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a26024373.exe

Filesize
176KB

MD5
9e6cbdae60a6ce3e6259183014829886

SHA1
c4715a2468b1555c9a5178dc73dca7e8cc7f98de

SHA256
603eeb76ee5d684353defc5cffab3c53f211108861be952f5817310969d89c7a

SHA512
3a5ec75a2b290d7f40e116bdb0f878135b1e601d27fed2a923be2754f505854b287cf827a0af5474b71a46f309edfe0fc2c0263ba512185e8154417129e4dd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b30585462.exe

Filesize
168KB

MD5
a2470420e1c82cd3ac3edfaa3255f6f1

SHA1
7a99c012d1faa9ff255e605a4a829a169282eeec

SHA256
5d50c574a6072423746bb8591f3637261d7d1fbbc915e07af80f3ade2f83e2fe

SHA512
1ba67aa70af077cedd9249ca126c4df05b6c270617a984f58d623135f3403c85519f7f1f1896ebc653dac0e06cf60d6cde79413e5810ba8e11d58da2017040f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b30585462.exe

Filesize
168KB

MD5
a2470420e1c82cd3ac3edfaa3255f6f1

SHA1
7a99c012d1faa9ff255e605a4a829a169282eeec

SHA256
5d50c574a6072423746bb8591f3637261d7d1fbbc915e07af80f3ade2f83e2fe

SHA512
1ba67aa70af077cedd9249ca126c4df05b6c270617a984f58d623135f3403c85519f7f1f1896ebc653dac0e06cf60d6cde79413e5810ba8e11d58da2017040f0

Download Submit
memory/1752-183-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-197-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-172-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-173-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-175-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-177-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-179-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-181-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-170-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1752-185-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-187-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-189-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-191-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-193-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-195-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-171-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1752-199-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1752-200-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1752-201-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1752-202-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1752-169-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1752-168-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download
memory/1796-207-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/1796-208-0x000000000AA80000-0x000000000B098000-memory.dmp

Filesize
6.1MB

Download
memory/1796-209-0x000000000A600000-0x000000000A70A000-memory.dmp

Filesize
1.0MB

Download
memory/1796-210-0x000000000A530000-0x000000000A542000-memory.dmp

Filesize
72KB

Download
memory/1796-211-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1796-212-0x000000000A590000-0x000000000A5CC000-memory.dmp

Filesize
240KB

Download
memory/1796-213-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download