redline | 25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7

Analysis

max time kernel
152s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe
Size

1.5MB
MD5

c84a65f6dcda600ca1e77067b761b776
SHA1

921332b8cfa4646b1ccafac38a4b29c4adff8e29
SHA256

25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7
SHA512

12c81d0bbc1e3806aafe73da792a04e737836dabbfda580155fc8b87b2b700fadaf2562c6496ee7c504dec18471ed159fb6db82b983d5723c14a3f95d7157fb1
SSDEEP

24576:Hy6G7IH3JMEliK2D8SBVMn13yBVSMItPW6gVNhzcEZk1D46b36iPWRgeyIB:SrIT7IJBVsyBVSMEWjVAEWv61RI

Score

10^/10

redline max evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

max

185.161.248.73:4164

Attributes

auth_value
efb1499709a5d08ed1ddf71cff71211f

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1588-208-0x000000000A440000-0x000000000AA58000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a24988039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a24988039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a24988039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a24988039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a24988039.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a24988039.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4832	i38843643.exe
5044	i90639570.exe
2960	i02286822.exe
4300	i93454479.exe
1296	a24988039.exe
1588	b42125006.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a24988039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a24988039.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i93454479.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i38843643.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i90639570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i90639570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i02286822.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i38843643.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i02286822.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i93454479.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1296	a24988039.exe
1296	a24988039.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	a24988039.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 4832	3204	25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe	84
PID 3204 wrote to memory of 4832	3204	25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe	84
PID 3204 wrote to memory of 4832	3204	25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe	84
PID 4832 wrote to memory of 5044	4832	i38843643.exe	86
PID 4832 wrote to memory of 5044	4832	i38843643.exe	86
PID 4832 wrote to memory of 5044	4832	i38843643.exe	86
PID 5044 wrote to memory of 2960	5044	i90639570.exe	87
PID 5044 wrote to memory of 2960	5044	i90639570.exe	87
PID 5044 wrote to memory of 2960	5044	i90639570.exe	87
PID 2960 wrote to memory of 4300	2960	i02286822.exe	88
PID 2960 wrote to memory of 4300	2960	i02286822.exe	88
PID 2960 wrote to memory of 4300	2960	i02286822.exe	88
PID 4300 wrote to memory of 1296	4300	i93454479.exe	89
PID 4300 wrote to memory of 1296	4300	i93454479.exe	89
PID 4300 wrote to memory of 1296	4300	i93454479.exe	89
PID 4300 wrote to memory of 1588	4300	i93454479.exe	90
PID 4300 wrote to memory of 1588	4300	i93454479.exe	90
PID 4300 wrote to memory of 1588	4300	i93454479.exe	90

C:\Users\Admin\AppData\Local\Temp\25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe
"C:\Users\Admin\AppData\Local\Temp\25054c2132e3e082fbdf5130258bd542ddd996379b8f66fb66afa4b5d49290f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i38843643.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i38843643.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90639570.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90639570.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02286822.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02286822.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93454479.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93454479.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a24988039.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a24988039.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b42125006.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b42125006.exe
        6⤵
        Executes dropped EXE
        
        PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i38843643.exe

Filesize
1.2MB

MD5
3341977ea3ac555735b97f6f1243e290

SHA1
539bdd69bbb4203105ee1d19eceab82a3df1308e

SHA256
3bbfe400b6c8cf6cef826cc70ec04965e725bdf62705030b4ef72a357dad0c20

SHA512
96ed9238bff9246160605b6059479dd2d6507997a9a15bf6969a1ac0d951be8fb889f4e9af03399e7217f14f47cca99fa42e49e23e1879e9b6e0fd40ef7e63f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i38843643.exe

Filesize
1.2MB

MD5
3341977ea3ac555735b97f6f1243e290

SHA1
539bdd69bbb4203105ee1d19eceab82a3df1308e

SHA256
3bbfe400b6c8cf6cef826cc70ec04965e725bdf62705030b4ef72a357dad0c20

SHA512
96ed9238bff9246160605b6059479dd2d6507997a9a15bf6969a1ac0d951be8fb889f4e9af03399e7217f14f47cca99fa42e49e23e1879e9b6e0fd40ef7e63f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90639570.exe

Filesize
1.0MB

MD5
dfb447791c17ea1c92c70c636f452af2

SHA1
0b7a4efc52a3e7158706c9bc0f62d8d8c8502c8d

SHA256
3ca8ca1c5e6d5a2d460ed45d7da686ae625f5e25e3e14e1f8a3335633c889023

SHA512
c8cde71f83d035df9cedb524c7119107918b57bd35569649288c2afcea9d82b96f42f6d9dc9cc1cb55b2171c0ff20e5f6caef151fdb51d29a3d2855a138f0b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i90639570.exe

Filesize
1.0MB

MD5
dfb447791c17ea1c92c70c636f452af2

SHA1
0b7a4efc52a3e7158706c9bc0f62d8d8c8502c8d

SHA256
3ca8ca1c5e6d5a2d460ed45d7da686ae625f5e25e3e14e1f8a3335633c889023

SHA512
c8cde71f83d035df9cedb524c7119107918b57bd35569649288c2afcea9d82b96f42f6d9dc9cc1cb55b2171c0ff20e5f6caef151fdb51d29a3d2855a138f0b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02286822.exe

Filesize
569KB

MD5
33c292b917b554f7b1d4379f38c32392

SHA1
312608520d59b0cdb2d48dd6ce46c242afa4d8bd

SHA256
e005b9648481c6bf55773a2042941e7cb02d5ce1a8ca9a9aee6e52debea2daec

SHA512
b5534e84768c2019040641d7b9a4d0616cb383676fd27d8c9ccad4e4a2a6f926b178037d799cf54d4077a17625301ae2b9592f2e3e86143446ed9892e077b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i02286822.exe

Filesize
569KB

MD5
33c292b917b554f7b1d4379f38c32392

SHA1
312608520d59b0cdb2d48dd6ce46c242afa4d8bd

SHA256
e005b9648481c6bf55773a2042941e7cb02d5ce1a8ca9a9aee6e52debea2daec

SHA512
b5534e84768c2019040641d7b9a4d0616cb383676fd27d8c9ccad4e4a2a6f926b178037d799cf54d4077a17625301ae2b9592f2e3e86143446ed9892e077b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93454479.exe

Filesize
310KB

MD5
83d8ffec68bf1b5ed5765915efe169b0

SHA1
8cdbf4b956da8fa44114bc2fb042537b1deb1fbd

SHA256
e33f9ae97c26660175a2dd199cf2ae712517dd41af1e9fdeacd7cc2f49196640

SHA512
745d9881ac2f873293d5dedbbe9168825107f94958036a6804cf97a6b934d7a19388be5a3d1f189633fe0e4c4b58954c5787df34d60bb78a051a4b37c40c1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i93454479.exe

Filesize
310KB

MD5
83d8ffec68bf1b5ed5765915efe169b0

SHA1
8cdbf4b956da8fa44114bc2fb042537b1deb1fbd

SHA256
e33f9ae97c26660175a2dd199cf2ae712517dd41af1e9fdeacd7cc2f49196640

SHA512
745d9881ac2f873293d5dedbbe9168825107f94958036a6804cf97a6b934d7a19388be5a3d1f189633fe0e4c4b58954c5787df34d60bb78a051a4b37c40c1c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a24988039.exe

Filesize
176KB

MD5
1726d699c3d98f51b8592b872a16a85c

SHA1
3d9677ead1f5ef3d774eefeea1397f96959a90c4

SHA256
2801db8611836e8bcd1579f79bb83c058cf192b41e47bdf860a0613f2366299f

SHA512
60e43b9400922c7c85b75e5787b462b564129586b6e377575e17f2cef4162fb7a479327400abdc513f83670a00b9f75e06b6f16ecb66119d0ac45d173760ba85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a24988039.exe

Filesize
176KB

MD5
1726d699c3d98f51b8592b872a16a85c

SHA1
3d9677ead1f5ef3d774eefeea1397f96959a90c4

SHA256
2801db8611836e8bcd1579f79bb83c058cf192b41e47bdf860a0613f2366299f

SHA512
60e43b9400922c7c85b75e5787b462b564129586b6e377575e17f2cef4162fb7a479327400abdc513f83670a00b9f75e06b6f16ecb66119d0ac45d173760ba85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b42125006.exe

Filesize
168KB

MD5
8e4dd9a4b5a60ce1e5a96589d72e0adf

SHA1
56ad7a40371ee80efcf57aa6ac00da69e892dd1e

SHA256
b84273518e105ffbc3859a21cb4844c95e9b3f56cb53590cbc1450b9a6a7ab6f

SHA512
b0c1640d193e490e3aa220905a59e997153ee79516d34c68843ff4ed96f688009f3b4afbe3d8d06e22c1c149153ff705c6d61e6798cf50cee07786697e17ca54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b42125006.exe

Filesize
168KB

MD5
8e4dd9a4b5a60ce1e5a96589d72e0adf

SHA1
56ad7a40371ee80efcf57aa6ac00da69e892dd1e

SHA256
b84273518e105ffbc3859a21cb4844c95e9b3f56cb53590cbc1450b9a6a7ab6f

SHA512
b0c1640d193e490e3aa220905a59e997153ee79516d34c68843ff4ed96f688009f3b4afbe3d8d06e22c1c149153ff705c6d61e6798cf50cee07786697e17ca54

Download Submit
memory/1296-183-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-197-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-172-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-173-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-175-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-177-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-179-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-181-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-170-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1296-185-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-187-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-193-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-191-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-189-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-195-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-171-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1296-199-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1296-200-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1296-201-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1296-202-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1296-169-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/1296-168-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1588-207-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/1588-208-0x000000000A440000-0x000000000AA58000-memory.dmp

Filesize
6.1MB

Download
memory/1588-209-0x0000000009F80000-0x000000000A08A000-memory.dmp

Filesize
1.0MB

Download
memory/1588-210-0x0000000009EB0000-0x0000000009EC2000-memory.dmp

Filesize
72KB

Download
memory/1588-211-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1588-212-0x0000000004930000-0x000000000496C000-memory.dmp

Filesize
240KB

Download
memory/1588-213-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download