redline | 2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67

Analysis

max time kernel
137s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe
Size

1.2MB
MD5

bce9070fb44c7900e69a9f6fcedfcf0c
SHA1

73bbb68fdaf457ee47ea58cff8da939a4e7f50dd
SHA256

2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67
SHA512

7869c5d84bfb88956e55d53c42f1180faed6f8f98f36b0bee2a17122c61c4cb6606147e0a832b9897e2cc9abfeb98d3c94397320f52a2b69a4131c61f3f442f6
SSDEEP

24576:dy8+yG0chEaYcRMvGOnuGsvcSLeui3iPffUWTbXJ9Ct19IWkE3pV:48ghWCCTsjdEcbi9NkIp

Score

10^/10

redline luser evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luser

185.161.248.73:4164

Attributes

auth_value
cf14a84de9a3b6b7b8981202f3b616fb

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1144-207-0x000000000A4C0000-0x000000000AAD8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s78074264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s78074264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s78074264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s78074264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s78074264.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s78074264.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1520	z66582782.exe
3980	z81798106.exe
1448	z34856069.exe
3800	s78074264.exe
1144	t32697815.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s78074264.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s78074264.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z66582782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z66582782.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z81798106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z81798106.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z34856069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z34856069.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2072	3800	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3800	s78074264.exe
3800	s78074264.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	s78074264.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1520	1432	2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe	82
PID 1432 wrote to memory of 1520	1432	2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe	82
PID 1432 wrote to memory of 1520	1432	2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe	82
PID 1520 wrote to memory of 3980	1520	z66582782.exe	83
PID 1520 wrote to memory of 3980	1520	z66582782.exe	83
PID 1520 wrote to memory of 3980	1520	z66582782.exe	83
PID 3980 wrote to memory of 1448	3980	z81798106.exe	84
PID 3980 wrote to memory of 1448	3980	z81798106.exe	84
PID 3980 wrote to memory of 1448	3980	z81798106.exe	84
PID 1448 wrote to memory of 3800	1448	z34856069.exe	85
PID 1448 wrote to memory of 3800	1448	z34856069.exe	85
PID 1448 wrote to memory of 3800	1448	z34856069.exe	85
PID 1448 wrote to memory of 1144	1448	z34856069.exe	89
PID 1448 wrote to memory of 1144	1448	z34856069.exe	89
PID 1448 wrote to memory of 1144	1448	z34856069.exe	89

C:\Users\Admin\AppData\Local\Temp\2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe
"C:\Users\Admin\AppData\Local\Temp\2aac5886264489958ec9d7ab130039e6bfdbb3eabd87c8cbdb38d1d50b18ab67.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z66582782.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z66582782.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z81798106.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z81798106.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z34856069.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z34856069.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s78074264.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s78074264.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1080
        6⤵
        Program crash
        
        PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t32697815.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t32697815.exe
        5⤵
        Executes dropped EXE
        
        PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3800 -ip 3800
1⤵
PID:3264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z66582782.exe

Filesize
1.0MB

MD5
be1beae42a178396ba81a8fc257df775

SHA1
a2cf2e985a1ecfd6c1e1fbe35d5647c20bc5f383

SHA256
c9e3becc0071f8061a34ce341bf26071674bdd9657fac75f208d67871ff77912

SHA512
08ce14efaaa8f6cc4adc17139cb53a7489bff4f5513a603287f18e83f1fbd29f200306b59b7e6e01039f3a3c9179e21746e897971f5b15e9dcf03f87b4e1cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z66582782.exe

Filesize
1.0MB

MD5
be1beae42a178396ba81a8fc257df775

SHA1
a2cf2e985a1ecfd6c1e1fbe35d5647c20bc5f383

SHA256
c9e3becc0071f8061a34ce341bf26071674bdd9657fac75f208d67871ff77912

SHA512
08ce14efaaa8f6cc4adc17139cb53a7489bff4f5513a603287f18e83f1fbd29f200306b59b7e6e01039f3a3c9179e21746e897971f5b15e9dcf03f87b4e1cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z81798106.exe

Filesize
850KB

MD5
6773def544564eb1afcc2e66d982d501

SHA1
59b096e3aa980447e461a0eff2188d5660bb68c7

SHA256
5bc84cc2fc945f96bf4802435661e42d13542dc029ce5022028173debb13d546

SHA512
18f2ed0103d0f7ef7572023b3991d4a511ab9e6f28c4e8a85ab4b505611168329c1cf84670f1396b6bb1e94dde3ab31c61957115ebbffe50f41bb70ec845df9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z81798106.exe

Filesize
850KB

MD5
6773def544564eb1afcc2e66d982d501

SHA1
59b096e3aa980447e461a0eff2188d5660bb68c7

SHA256
5bc84cc2fc945f96bf4802435661e42d13542dc029ce5022028173debb13d546

SHA512
18f2ed0103d0f7ef7572023b3991d4a511ab9e6f28c4e8a85ab4b505611168329c1cf84670f1396b6bb1e94dde3ab31c61957115ebbffe50f41bb70ec845df9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z34856069.exe

Filesize
385KB

MD5
e0f62d1199bfcfc2634a0d68ea47b2ef

SHA1
724cc1a1567b763c6b4b8c6eccb86277e8bdf269

SHA256
549db5ed5557a1389f5043ffa54b5dee191582b71a50102623f843966fcf1beb

SHA512
e26a2f875c9ea67e2bc86d69ab6137adc5f35111489e88d3e343741199cb133117fd1c36b12531b67d15d457394966373bc26843a16a45215be59f34a4b3b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z34856069.exe

Filesize
385KB

MD5
e0f62d1199bfcfc2634a0d68ea47b2ef

SHA1
724cc1a1567b763c6b4b8c6eccb86277e8bdf269

SHA256
549db5ed5557a1389f5043ffa54b5dee191582b71a50102623f843966fcf1beb

SHA512
e26a2f875c9ea67e2bc86d69ab6137adc5f35111489e88d3e343741199cb133117fd1c36b12531b67d15d457394966373bc26843a16a45215be59f34a4b3b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s78074264.exe

Filesize
294KB

MD5
499e94fc5686e5f79abbd112ff93ebca

SHA1
2399b2a909bb96e4962403333d0a241e6bfb1c36

SHA256
3907ee2c3ec179271fb28741277ea347dda1b51c6bfeab8eedb6f79196f7ab9c

SHA512
f5dce1b0fdf767a85b8fa3eef8112c34657b6aaf1e0ed1a48ab2fe0b5ad7938cd9af3141ed35e7c211872579483d382e4a3cf87976ce0178991579358d7b53ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s78074264.exe

Filesize
294KB

MD5
499e94fc5686e5f79abbd112ff93ebca

SHA1
2399b2a909bb96e4962403333d0a241e6bfb1c36

SHA256
3907ee2c3ec179271fb28741277ea347dda1b51c6bfeab8eedb6f79196f7ab9c

SHA512
f5dce1b0fdf767a85b8fa3eef8112c34657b6aaf1e0ed1a48ab2fe0b5ad7938cd9af3141ed35e7c211872579483d382e4a3cf87976ce0178991579358d7b53ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t32697815.exe

Filesize
168KB

MD5
8a5654c4bd466d48ccd8d6c191271c85

SHA1
fa1ec0c9c2f3ba232e030128f19aab8b6155eb30

SHA256
76c7416f4fb2a061d280d3dfd60578a5f76b88e25d355d9c7aa56d0482a5d9a3

SHA512
9edd613c051786f3c7aed97ebe4742cc32caba3d75f9a5917842523f230ef2375c425f8dce77f5ea25b66fde4355ad328d580b8ba3de63bcb61a3fc5baf97f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t32697815.exe

Filesize
168KB

MD5
8a5654c4bd466d48ccd8d6c191271c85

SHA1
fa1ec0c9c2f3ba232e030128f19aab8b6155eb30

SHA256
76c7416f4fb2a061d280d3dfd60578a5f76b88e25d355d9c7aa56d0482a5d9a3

SHA512
9edd613c051786f3c7aed97ebe4742cc32caba3d75f9a5917842523f230ef2375c425f8dce77f5ea25b66fde4355ad328d580b8ba3de63bcb61a3fc5baf97f17

Download Submit
memory/1144-212-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/1144-209-0x0000000009F70000-0x0000000009F82000-memory.dmp

Filesize
72KB

Download
memory/1144-208-0x000000000A040000-0x000000000A14A000-memory.dmp

Filesize
1.0MB

Download
memory/1144-207-0x000000000A4C0000-0x000000000AAD8000-memory.dmp

Filesize
6.1MB

Download
memory/1144-206-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1144-210-0x0000000009FD0000-0x000000000A00C000-memory.dmp

Filesize
240KB

Download
memory/1144-211-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/3800-184-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-197-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/3800-182-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-178-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-186-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-188-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-190-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-191-0x00000000007A0000-0x00000000007CD000-memory.dmp

Filesize
180KB

Download
memory/3800-193-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/3800-192-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/3800-194-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/3800-195-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/3800-196-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/3800-180-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-198-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/3800-200-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/3800-176-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-174-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-172-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-170-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-168-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-166-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-163-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-164-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3800-162-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download