redline | d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5

Analysis

max time kernel
154s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe
Size

612KB
MD5

aa6ed2477a1dc1747b14831bc7ff5cf0
SHA1

a0018b80e6ec5c5e087e083e482e67ea01cce8fd
SHA256

d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5
SHA512

76bb5539798386d965b1eb517c3f0f9e6cae95ed43173e99e60bbbafb38155f65bea2acb930b96a40fbf8edafdec044a8c4e7253bef0aa2f708b0efa33373b3e
SSDEEP

12288:Uy90DPpWi/Zqw81rhMhhDNqwYKKQ/aCy3TqmQY6q510/oklQev3:UyiPpWihqwDXDNMKdVUTqmFZvkF3

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4976-950-0x0000000007A30000-0x0000000008048000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	43022133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	43022133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	43022133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	43022133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	43022133.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	43022133.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1420	st882372.exe
1936	43022133.exe
4976	kp169535.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	43022133.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st882372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st882372.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	43022133.exe
1936	43022133.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	43022133.exe
Token: SeDebugPrivilege	4976	kp169535.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1420	1300	d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe	84
PID 1300 wrote to memory of 1420	1300	d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe	84
PID 1300 wrote to memory of 1420	1300	d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe	84
PID 1420 wrote to memory of 1936	1420	st882372.exe	85
PID 1420 wrote to memory of 1936	1420	st882372.exe	85
PID 1420 wrote to memory of 4976	1420	st882372.exe	90
PID 1420 wrote to memory of 4976	1420	st882372.exe	90
PID 1420 wrote to memory of 4976	1420	st882372.exe	90

C:\Users\Admin\AppData\Local\Temp\d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe
"C:\Users\Admin\AppData\Local\Temp\d57a010abd3f6cd47dbfead94353e9df405dc025a4c49da5a31fb56cf3b7b0c5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st882372.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st882372.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43022133.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43022133.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp169535.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp169535.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st882372.exe

Filesize
458KB

MD5
b0f4910740e32d95e5cbb137f7b4b12e

SHA1
932039d0d1e1193a1a12da2062d028e162056ad0

SHA256
82b012cb82e592a9e926fbc65ff995cc6ec2e7ac40e364afafe8e967c9f4e91f

SHA512
4f62ce7147c94df61653ef8c9f0e2beef880d77a7fdeb32d2311769338fff9e1eb7d5bf7312392f662734c682e0c4084f1d87b9f3408c552c0867e47e575ebe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st882372.exe

Filesize
458KB

MD5
b0f4910740e32d95e5cbb137f7b4b12e

SHA1
932039d0d1e1193a1a12da2062d028e162056ad0

SHA256
82b012cb82e592a9e926fbc65ff995cc6ec2e7ac40e364afafe8e967c9f4e91f

SHA512
4f62ce7147c94df61653ef8c9f0e2beef880d77a7fdeb32d2311769338fff9e1eb7d5bf7312392f662734c682e0c4084f1d87b9f3408c552c0867e47e575ebe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43022133.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\43022133.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp169535.exe

Filesize
459KB

MD5
29086a62a3a97647ce8acfbf17ef9866

SHA1
9d7505e46e57606b3b94e9e7356b42a685059aa5

SHA256
ee379a85be5469c8b249e179ac827935bb61f864396eac29fa9bc275153052fb

SHA512
32dc2c66cf05b7677ab53658e9e277fa36702273afb764e65f42c8ae8ca35b027b03f4b59d930aa41a52b1c9157c3425808436845a59e7e0f5b06ee925116ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp169535.exe

Filesize
459KB

MD5
29086a62a3a97647ce8acfbf17ef9866

SHA1
9d7505e46e57606b3b94e9e7356b42a685059aa5

SHA256
ee379a85be5469c8b249e179ac827935bb61f864396eac29fa9bc275153052fb

SHA512
32dc2c66cf05b7677ab53658e9e277fa36702273afb764e65f42c8ae8ca35b027b03f4b59d930aa41a52b1c9157c3425808436845a59e7e0f5b06ee925116ca3

Download Submit
memory/1936-147-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/4976-153-0x0000000000A10000-0x0000000000A56000-memory.dmp

Filesize
280KB

Download
memory/4976-154-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-155-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-158-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-156-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-160-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-161-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4976-164-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-162-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4976-165-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4976-167-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-169-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-171-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-173-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-175-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-177-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-179-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-181-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-183-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-185-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-187-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-189-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-191-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-193-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-195-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-197-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-199-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-201-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-203-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-205-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-209-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-207-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-211-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-213-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-215-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-217-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-219-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-221-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4976-950-0x0000000007A30000-0x0000000008048000-memory.dmp

Filesize
6.1MB

Download
memory/4976-951-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4976-952-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/4976-953-0x00000000081F0000-0x000000000822C000-memory.dmp

Filesize
240KB

Download
memory/4976-954-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4976-956-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4976-957-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4976-958-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download