redline | d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Size

747KB
MD5

441f88bcf41639caed3a648d098442cf
SHA1

a589bdbb510d62a7083f84df582499274735d2cb
SHA256

d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e
SHA512

752b3ff61f2a8bd4af18c4f60b6f84f8c5be66f993d1dfcda9a24888c1a96d63f8f80810902a39b85ca32e5656454098210749fadf3de153513669fc24eeeeac
SSDEEP

12288:3y90LHeU5MUvfTisw5KEIjD6/BM92tmoB+8bIgWWv5RY5vGcILMbp:3y8h7isoPs6/OaZdbIgpMnILmp

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1088-988-0x0000000007920000-0x0000000007F38000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	62372485.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	62372485.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4252	un940277.exe
716	62372485.exe
1088	rk649223.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	62372485.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	62372485.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un940277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un940277.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1816	716	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
716	62372485.exe
716	62372485.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	62372485.exe
Token: SeDebugPrivilege	1088	rk649223.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4252	3080	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	83
PID 3080 wrote to memory of 4252	3080	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	83
PID 3080 wrote to memory of 4252	3080	d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe	83
PID 4252 wrote to memory of 716	4252	un940277.exe	84
PID 4252 wrote to memory of 716	4252	un940277.exe	84
PID 4252 wrote to memory of 716	4252	un940277.exe	84
PID 4252 wrote to memory of 1088	4252	un940277.exe	93
PID 4252 wrote to memory of 1088	4252	un940277.exe	93
PID 4252 wrote to memory of 1088	4252	un940277.exe	93

C:\Users\Admin\AppData\Local\Temp\d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe
"C:\Users\Admin\AppData\Local\Temp\d50677e6418159426793545371c130602376bda85546596838df3772cf03c93e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1008
      4⤵
      Program crash
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 716 -ip 716
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe

Filesize
593KB

MD5
4c7a2a0b89157829e1e7718117963697

SHA1
d339aac1286cb16e099829a3614ae5bacb0590fa

SHA256
f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c

SHA512
2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un940277.exe

Filesize
593KB

MD5
4c7a2a0b89157829e1e7718117963697

SHA1
d339aac1286cb16e099829a3614ae5bacb0590fa

SHA256
f68f229f32dccdf5a0bf40f4a3690c566f7af0b97cfea652f3356c76fe72e46c

SHA512
2fb9c77702d0daacf6fef9cb7003d0c0ed37f6dc92fb7aa0f775d90aecec2856ebb3d2cc1c5e322136d8a5d109438f0311cb3c259f71e2bab54ce42996a013c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62372485.exe

Filesize
377KB

MD5
15b74b3251aaf9ea9f9c978c0ec29958

SHA1
0cf18286e9df7e851eb5ee85b983a7cd5440ab7a

SHA256
16a148829a6a2abb7669d41480b8158576c64c49b8ba2faa8580b28cfeef9bc0

SHA512
0bd4d49babf267f96342924fc5466f9858bfcdbb7f21772cfc96be03ca811c119b06abe0c2ae472f9927fb368d1ff1f0ea69967a72b2ea0ad17a6a36ef73de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk649223.exe

Filesize
460KB

MD5
2a024d07dfcdfc911a8fa88fb299da8c

SHA1
519b886a02163e6490239909e7a1b7039865a8f9

SHA256
034637c4f21cbc749088af6db27715698d5f7bb241a5504982d17ab0c3356bd9

SHA512
d69a2477a30b4251371dc6a32ef16d71a88df3f11b1ea214724f35a92b1a0ec673da2919ace085f097cf828cb9dd316fe041abbc3d184905c68bbb20af1c39ef

Download Submit
memory/716-184-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/716-150-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/716-153-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/716-152-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/716-154-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-156-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-158-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-160-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-162-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-164-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-166-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-168-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-170-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-172-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-174-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-176-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-178-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-180-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/716-182-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/716-183-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/716-151-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/716-187-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/716-149-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/716-148-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/1088-478-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1088-990-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/1088-989-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/1088-193-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-221-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-201-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-203-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-205-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-207-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-211-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-209-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-213-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-199-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-215-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-197-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-217-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-223-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-474-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/1088-219-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-475-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1088-479-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1088-988-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/1088-195-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-192-0x0000000004E40000-0x0000000004E75000-memory.dmp

Filesize
212KB

Download
memory/1088-991-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1088-992-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1088-994-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1088-995-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download