redline | 283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe
Size

1.5MB
MD5

bdaeda7f19453c9ebb5a7ff728ddae67
SHA1

86c35572befff2cffd5b2720be8e37aae51e2f03
SHA256

283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688
SHA512

202dc888d875814ed2cf95c71f696130314b44a929e1627a224e42bad907e6e28eb1a1f8617763833692178aebec00ac59a3eeaff7edbcd1482e818fa5295f34
SSDEEP

49152:BW73ZQLLK9qnuqeZwMIKlvsMcJBmiJF4B3CHLCwjV/:g7mLHnurOJAAJBmiP4B3MGw

Score

10^/10

redline mazda evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/900-216-0x000000000A560000-0x000000000AB78000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0295049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0295049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0295049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0295049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0295049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0295049.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4628	v0042442.exe
2004	v1783389.exe
616	v0894815.exe
3792	v4168449.exe
4456	a0295049.exe
900	b5712370.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0295049.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0295049.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0894815.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0894815.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4168449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4168449.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0042442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0042442.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1783389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1783389.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	4456	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	a0295049.exe
4456	a0295049.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	a0295049.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4628	5060	283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe	83
PID 5060 wrote to memory of 4628	5060	283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe	83
PID 5060 wrote to memory of 4628	5060	283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe	83
PID 4628 wrote to memory of 2004	4628	v0042442.exe	84
PID 4628 wrote to memory of 2004	4628	v0042442.exe	84
PID 4628 wrote to memory of 2004	4628	v0042442.exe	84
PID 2004 wrote to memory of 616	2004	v1783389.exe	85
PID 2004 wrote to memory of 616	2004	v1783389.exe	85
PID 2004 wrote to memory of 616	2004	v1783389.exe	85
PID 616 wrote to memory of 3792	616	v0894815.exe	86
PID 616 wrote to memory of 3792	616	v0894815.exe	86
PID 616 wrote to memory of 3792	616	v0894815.exe	86
PID 3792 wrote to memory of 4456	3792	v4168449.exe	87
PID 3792 wrote to memory of 4456	3792	v4168449.exe	87
PID 3792 wrote to memory of 4456	3792	v4168449.exe	87
PID 3792 wrote to memory of 900	3792	v4168449.exe	93
PID 3792 wrote to memory of 900	3792	v4168449.exe	93
PID 3792 wrote to memory of 900	3792	v4168449.exe	93

C:\Users\Admin\AppData\Local\Temp\283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe
"C:\Users\Admin\AppData\Local\Temp\283241b32bba173ce32274491a2c9515ccc901961726254f881f7df757314688.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0042442.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0042442.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1783389.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1783389.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0894815.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0894815.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4168449.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4168449.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0295049.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0295049.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1096
        7⤵
        Program crash
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5712370.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5712370.exe
        6⤵
        Executes dropped EXE
        
        PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4456 -ip 4456
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0042442.exe

Filesize
1.4MB

MD5
9d0540922fcc27e973134ab6ee60b64f

SHA1
248ba70ef07a9f33c489e9ecb33aaf190afcc082

SHA256
13625adc1ca3c0ec54ae66800232509ca6256242c496df4c9f33f1099efc1a5d

SHA512
0ff6d01c95f7bf4385fe53fb967f6c85035409e54a5f55e0b4a820fcd17baf4935eaee28e1afb06e6e795831b61c5e99c96072aad2b9729ea8c543c0e7c515c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0042442.exe

Filesize
1.4MB

MD5
9d0540922fcc27e973134ab6ee60b64f

SHA1
248ba70ef07a9f33c489e9ecb33aaf190afcc082

SHA256
13625adc1ca3c0ec54ae66800232509ca6256242c496df4c9f33f1099efc1a5d

SHA512
0ff6d01c95f7bf4385fe53fb967f6c85035409e54a5f55e0b4a820fcd17baf4935eaee28e1afb06e6e795831b61c5e99c96072aad2b9729ea8c543c0e7c515c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1783389.exe

Filesize
912KB

MD5
fa6d9635c2840ab230c59f69033222af

SHA1
779461a817c7fc936760be61b849f688b1032886

SHA256
ea82748e3b3a4e44cb34f01feb2ccd125689e83b50efed250821f97c1769f1c0

SHA512
147a377e8dc3cc59602319f421ec552d0bffc291489b8b6ba35c9871a388b6cc7280797481b58a7e449356f40c6ea4c1981e2c1fd6350bc006f22b0cf381758d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1783389.exe

Filesize
912KB

MD5
fa6d9635c2840ab230c59f69033222af

SHA1
779461a817c7fc936760be61b849f688b1032886

SHA256
ea82748e3b3a4e44cb34f01feb2ccd125689e83b50efed250821f97c1769f1c0

SHA512
147a377e8dc3cc59602319f421ec552d0bffc291489b8b6ba35c9871a388b6cc7280797481b58a7e449356f40c6ea4c1981e2c1fd6350bc006f22b0cf381758d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0894815.exe

Filesize
708KB

MD5
ccbaf089d073eb83defb8a4668c9f7d9

SHA1
8b8fc07cef38b432096d5f7d423065cbf05f7c60

SHA256
5883e3366e2a344a78789486464b6baf1016b582c062c2d957438cf954f3ade4

SHA512
abdfbbaedef2857accff8ab0ad6ff4f7206739c613fc00912ac3bf7a63eaf145b308b121d70995100c237d8c7a69a740e374b124d221b0a27e5038d27d7c6426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0894815.exe

Filesize
708KB

MD5
ccbaf089d073eb83defb8a4668c9f7d9

SHA1
8b8fc07cef38b432096d5f7d423065cbf05f7c60

SHA256
5883e3366e2a344a78789486464b6baf1016b582c062c2d957438cf954f3ade4

SHA512
abdfbbaedef2857accff8ab0ad6ff4f7206739c613fc00912ac3bf7a63eaf145b308b121d70995100c237d8c7a69a740e374b124d221b0a27e5038d27d7c6426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4168449.exe

Filesize
417KB

MD5
aebae380783fcf1e3359c8960f0b0d3d

SHA1
107a0893cf7bed9ee3ba22fa23040bc1eea29b91

SHA256
56ccc756513e88931d239951f347373edb9998d8d158039ecbd2271668409740

SHA512
dce60caef51c35f97edf0f8748360a9310ef12e364d55d397e0d26399e4ef964fc49d0dfb0d5db80a7f0bf362132f4d77c6e59e0a2b92c6e69833240da12b308

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4168449.exe

Filesize
417KB

MD5
aebae380783fcf1e3359c8960f0b0d3d

SHA1
107a0893cf7bed9ee3ba22fa23040bc1eea29b91

SHA256
56ccc756513e88931d239951f347373edb9998d8d158039ecbd2271668409740

SHA512
dce60caef51c35f97edf0f8748360a9310ef12e364d55d397e0d26399e4ef964fc49d0dfb0d5db80a7f0bf362132f4d77c6e59e0a2b92c6e69833240da12b308

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0295049.exe

Filesize
361KB

MD5
ec0311b7c8cae07a9e60a7be53a09f17

SHA1
73377e448d62239922f731dc082e3ccb1e669ea7

SHA256
19dfb778bfbf991e48c4fbe51c9dbacf326cff0bb0dc24599115bba6b350100c

SHA512
8635fe29418b3e46048491ce64e4e9050d40d2d5dad034b44a7e7bf7220c8f43a913a2ed7df73cdd3c1eee41169452c08772c4f92d7428a0f2ac81d7bd329b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0295049.exe

Filesize
361KB

MD5
ec0311b7c8cae07a9e60a7be53a09f17

SHA1
73377e448d62239922f731dc082e3ccb1e669ea7

SHA256
19dfb778bfbf991e48c4fbe51c9dbacf326cff0bb0dc24599115bba6b350100c

SHA512
8635fe29418b3e46048491ce64e4e9050d40d2d5dad034b44a7e7bf7220c8f43a913a2ed7df73cdd3c1eee41169452c08772c4f92d7428a0f2ac81d7bd329b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5712370.exe

Filesize
168KB

MD5
9873ab310b99a3bd371f889bbeff33f7

SHA1
2c91119d339bdc512c3967e8100a75d716c25ab3

SHA256
6f30cd04a73b3149b937418263d5bec1f05d7100c7a5ddc1b92fa7875bba14c9

SHA512
86b6e596a2bcd10f40dfd228d124d58e3dfd7537a7d1ff3e8b1c9cdcadf4d031dd47f06fa0347dc0063eaa022f4cc0afa6c838ef8b1012974cff37ebe64f9481

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5712370.exe

Filesize
168KB

MD5
9873ab310b99a3bd371f889bbeff33f7

SHA1
2c91119d339bdc512c3967e8100a75d716c25ab3

SHA256
6f30cd04a73b3149b937418263d5bec1f05d7100c7a5ddc1b92fa7875bba14c9

SHA512
86b6e596a2bcd10f40dfd228d124d58e3dfd7537a7d1ff3e8b1c9cdcadf4d031dd47f06fa0347dc0063eaa022f4cc0afa6c838ef8b1012974cff37ebe64f9481

Download Submit
memory/900-221-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/900-220-0x000000000A040000-0x000000000A07C000-memory.dmp

Filesize
240KB

Download
memory/900-219-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/900-218-0x0000000009FE0000-0x0000000009FF2000-memory.dmp

Filesize
72KB

Download
memory/900-217-0x000000000A0B0000-0x000000000A1BA000-memory.dmp

Filesize
1.0MB

Download
memory/900-216-0x000000000A560000-0x000000000AB78000-memory.dmp

Filesize
6.1MB

Download
memory/900-215-0x0000000000130000-0x0000000000160000-memory.dmp

Filesize
192KB

Download
memory/4456-187-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-204-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4456-185-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-181-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-189-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-191-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-193-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-195-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-197-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-199-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-201-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4456-203-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4456-183-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-205-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4456-210-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4456-179-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-177-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-175-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-174-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4456-173-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4456-172-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4456-171-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4456-170-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/4456-169-0x0000000004E00000-0x00000000053A4000-memory.dmp

Filesize
5.6MB

Download