redline | 1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Size

1.2MB
MD5

df7766644429147defcfbf52e0d66820
SHA1

99590600560d874b868d0dc4cc058a5731eb21a6
SHA256

1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200
SHA512

3051e4382ced519729f16121f67881f0f1c9ed8ed1d623e2aac65639c4ae14dc69b02db11826ca9999d8546df6292e12bc53491ffc214936f4996fac46972c36
SSDEEP

24576:xy82+uEH5krSnSs2hKnH//FnK+PTJ4KFwvoanSZk9Zb7:k1SSs24H/xJooanSZk9

Score

10^/10

redline lisa evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lisa

185.161.248.73:4164

Attributes

auth_value
c2dc311db9820012377b054447d37949

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3940-204-0x000000000B0B0000-0x000000000B6C8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s88696686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s88696686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s88696686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s88696686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s88696686.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s88696686.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2276	z47808691.exe
1572	z86481943.exe
3044	z70605767.exe
2704	s88696686.exe
3940	t25872183.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s88696686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s88696686.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z86481943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z86481943.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z70605767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z70605767.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z47808691.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z47808691.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	s88696686.exe
2704	s88696686.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	s88696686.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2276	4464	1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe	82
PID 4464 wrote to memory of 2276	4464	1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe	82
PID 4464 wrote to memory of 2276	4464	1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe	82
PID 2276 wrote to memory of 1572	2276	z47808691.exe	83
PID 2276 wrote to memory of 1572	2276	z47808691.exe	83
PID 2276 wrote to memory of 1572	2276	z47808691.exe	83
PID 1572 wrote to memory of 3044	1572	z86481943.exe	84
PID 1572 wrote to memory of 3044	1572	z86481943.exe	84
PID 1572 wrote to memory of 3044	1572	z86481943.exe	84
PID 3044 wrote to memory of 2704	3044	z70605767.exe	85
PID 3044 wrote to memory of 2704	3044	z70605767.exe	85
PID 3044 wrote to memory of 2704	3044	z70605767.exe	85
PID 3044 wrote to memory of 3940	3044	z70605767.exe	86
PID 3044 wrote to memory of 3940	3044	z70605767.exe	86
PID 3044 wrote to memory of 3940	3044	z70605767.exe	86

C:\Users\Admin\AppData\Local\Temp\1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe
"C:\Users\Admin\AppData\Local\Temp\1d4681213d51464c75f7a52cf66d72bfc40314f22284d1b1e679062d69f41200.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z47808691.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z47808691.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86481943.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86481943.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70605767.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70605767.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s88696686.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s88696686.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t25872183.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t25872183.exe
        5⤵
        Executes dropped EXE
        
        PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z47808691.exe

Filesize
979KB

MD5
f6103e0b00a2bdd96699acbfe3ad2661

SHA1
da92ee7657a4a6c8331dd985ea9cd98a26048eab

SHA256
33a7d7ba45a05b90b68453572f5b258ef60af216893d8ee311c065a0900d5fbb

SHA512
5a982c8992866d449826cdcc703476a746f7da0b52ac6ffb5524981471862b9217479b2023ccbbfc378415570c388996e53b84d4b1c0b7639a32b38d776d144c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z47808691.exe

Filesize
979KB

MD5
f6103e0b00a2bdd96699acbfe3ad2661

SHA1
da92ee7657a4a6c8331dd985ea9cd98a26048eab

SHA256
33a7d7ba45a05b90b68453572f5b258ef60af216893d8ee311c065a0900d5fbb

SHA512
5a982c8992866d449826cdcc703476a746f7da0b52ac6ffb5524981471862b9217479b2023ccbbfc378415570c388996e53b84d4b1c0b7639a32b38d776d144c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86481943.exe

Filesize
796KB

MD5
62dde79d46cf2a27f4414287b2cae269

SHA1
f9d1a45cc622500129d4b870e0ce2688839c50b0

SHA256
ee1445f6872e01ec7f880b4c1a2f99136d5ee85ea0deaaaa925dfacae6789d99

SHA512
6e5e1e19d1b053283225e8f1cd11ae09d86f0e1e9a0797f5b2f9e2143594026a33a402744169d41edbed1162aac7b47f4e06dda54cbd8d100f3611e57828ecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z86481943.exe

Filesize
796KB

MD5
62dde79d46cf2a27f4414287b2cae269

SHA1
f9d1a45cc622500129d4b870e0ce2688839c50b0

SHA256
ee1445f6872e01ec7f880b4c1a2f99136d5ee85ea0deaaaa925dfacae6789d99

SHA512
6e5e1e19d1b053283225e8f1cd11ae09d86f0e1e9a0797f5b2f9e2143594026a33a402744169d41edbed1162aac7b47f4e06dda54cbd8d100f3611e57828ecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70605767.exe

Filesize
310KB

MD5
ac6d9e942afb345cfd34c31e3c1090c4

SHA1
c3f1537197e9df73fc0dd3c5c7a35c13be255d53

SHA256
73ca18df1ac0851b1178b90baabf6c4bbc7d9804de10033ef1ea2ce740eb48f6

SHA512
ef502068f666466291ef2ae0b11526649873e8d8d61832ba1dac0eec50859b9a8f8d347e8c2f1c5410430137489930a3cf0003ffd86daa6522851251125ec486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z70605767.exe

Filesize
310KB

MD5
ac6d9e942afb345cfd34c31e3c1090c4

SHA1
c3f1537197e9df73fc0dd3c5c7a35c13be255d53

SHA256
73ca18df1ac0851b1178b90baabf6c4bbc7d9804de10033ef1ea2ce740eb48f6

SHA512
ef502068f666466291ef2ae0b11526649873e8d8d61832ba1dac0eec50859b9a8f8d347e8c2f1c5410430137489930a3cf0003ffd86daa6522851251125ec486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s88696686.exe

Filesize
177KB

MD5
315004f0bf0ad63ef13d8e7b7bce9cf4

SHA1
711bb77789ef1dcbe6fc5ad97f8aafc717715676

SHA256
9b71e96b163fd2bb59185fcdc65189a52190aaa7ca919f23c661119e4a918ad1

SHA512
7d999724d7d4e6c247017faea84ac1fb170ee9f02368fda144abe1bd365db75e2d20ee37059b81c4badf67d358344bfd7fc892ab5cddd4272f163cd6360dbfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s88696686.exe

Filesize
177KB

MD5
315004f0bf0ad63ef13d8e7b7bce9cf4

SHA1
711bb77789ef1dcbe6fc5ad97f8aafc717715676

SHA256
9b71e96b163fd2bb59185fcdc65189a52190aaa7ca919f23c661119e4a918ad1

SHA512
7d999724d7d4e6c247017faea84ac1fb170ee9f02368fda144abe1bd365db75e2d20ee37059b81c4badf67d358344bfd7fc892ab5cddd4272f163cd6360dbfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t25872183.exe

Filesize
168KB

MD5
630dbb29491ee1e66ecce3f2627eae78

SHA1
4896ed4e19096b70a247013589239e16b0c865de

SHA256
6373f077eead9fb9e8a34fbca2fea9dc2446dab7d0f2994d9f36134f289e6270

SHA512
63dabfac22949550ecb237802a2cc99774f8e6c61008e867683389e43f23dba7ca80bdfb4cfe8a6c4d0d621f1a4c5fbdee606ec005afdc1f41023ca5ace66444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t25872183.exe

Filesize
168KB

MD5
630dbb29491ee1e66ecce3f2627eae78

SHA1
4896ed4e19096b70a247013589239e16b0c865de

SHA256
6373f077eead9fb9e8a34fbca2fea9dc2446dab7d0f2994d9f36134f289e6270

SHA512
63dabfac22949550ecb237802a2cc99774f8e6c61008e867683389e43f23dba7ca80bdfb4cfe8a6c4d0d621f1a4c5fbdee606ec005afdc1f41023ca5ace66444

Download Submit
memory/2704-179-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-193-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-168-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-169-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-171-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-173-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-175-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-177-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-166-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2704-181-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-183-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-185-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-187-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-189-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-191-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-167-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2704-195-0x0000000002410000-0x0000000002423000-memory.dmp

Filesize
76KB

Download
memory/2704-196-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2704-197-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2704-198-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2704-165-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/2704-164-0x0000000004980000-0x0000000004F24000-memory.dmp

Filesize
5.6MB

Download
memory/3940-203-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

Filesize
192KB

Download
memory/3940-204-0x000000000B0B0000-0x000000000B6C8000-memory.dmp

Filesize
6.1MB

Download
memory/3940-205-0x000000000ABA0000-0x000000000ACAA000-memory.dmp

Filesize
1.0MB

Download
memory/3940-206-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/3940-207-0x000000000AAD0000-0x000000000AB0C000-memory.dmp

Filesize
240KB

Download
memory/3940-208-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3940-209-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download