redline | f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
Size

746KB
MD5

250affbad89fd991d9f9ce3014d4ff18
SHA1

c88cef73509b2981e5a81fdad8c6cced388a89e7
SHA256

f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e
SHA512

a32164d8c1d9361a4987737ff761cd37518317585ac0a2a2c775155ffc2ec4525008fa507fb6df195a50b588919ac071e2b5f2bc73d09e31fe78ba69b351cbb6
SSDEEP

12288:Hy908hLIYMvyInncjo0QgvoZGyOcdeuid2ORi9N8BtjXOxjIfkAPASab+:HyfhLIvyInnN18ylddhxEjXa4YRy

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3576-983-0x0000000007B50000-0x0000000008168000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	47540033.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1356	un527206.exe
3244	47540033.exe
3576	rk938990.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	47540033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	47540033.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un527206.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un527206.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	3244	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3244	47540033.exe
3244	47540033.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	47540033.exe
Token: SeDebugPrivilege	3576	rk938990.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1356	1792	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	87
PID 1792 wrote to memory of 1356	1792	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	87
PID 1792 wrote to memory of 1356	1792	f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe	87
PID 1356 wrote to memory of 3244	1356	un527206.exe	88
PID 1356 wrote to memory of 3244	1356	un527206.exe	88
PID 1356 wrote to memory of 3244	1356	un527206.exe	88
PID 1356 wrote to memory of 3576	1356	un527206.exe	91
PID 1356 wrote to memory of 3576	1356	un527206.exe	91
PID 1356 wrote to memory of 3576	1356	un527206.exe	91

C:\Users\Admin\AppData\Local\Temp\f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe
"C:\Users\Admin\AppData\Local\Temp\f9b2e799ebbaeabccb5dff72fbd4003cbaf3e50d23d7b742e950bd8a4d67254e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1084
      4⤵
      Program crash
      PID:2860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3244 -ip 3244
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe

Filesize
592KB

MD5
ba1f2ae963d9e50c277eb66757e8042f

SHA1
833881b4900b89e99a52850bfd63e750bcc48e2f

SHA256
2099cfe93f127463bd7665c40548e0141c9fbd488896c81712cbd139ee2c57c3

SHA512
6e346521cc39bb70fd3c9fef61d06cb19648a6460501d99fdbb12ff57f8df4b05932f95d7e745e2ec16180d06a7f3114f09ae46096ae0780e135954c4a62282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un527206.exe

Filesize
592KB

MD5
ba1f2ae963d9e50c277eb66757e8042f

SHA1
833881b4900b89e99a52850bfd63e750bcc48e2f

SHA256
2099cfe93f127463bd7665c40548e0141c9fbd488896c81712cbd139ee2c57c3

SHA512
6e346521cc39bb70fd3c9fef61d06cb19648a6460501d99fdbb12ff57f8df4b05932f95d7e745e2ec16180d06a7f3114f09ae46096ae0780e135954c4a62282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47540033.exe

Filesize
376KB

MD5
62c00b2291f6aceac7e8b25146708d91

SHA1
3b16ebd1cf7898a241f1409a66d1deda251853f6

SHA256
2f98f6730d8e702242bdb0eb8554af21a07602c3a17aaa88cd559a3b5406e87e

SHA512
a7f75ee8308ae6e3d8effb8aa25e48f85fb4e9b6783ea8d3cc966b77693c33a46973c630d581703117a9820df5c75e82425f6f4f7c462254248372481483086f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk938990.exe

Filesize
459KB

MD5
d1d968be5239306a79e4a5afdda5148a

SHA1
484d19b67d3a26ef1438d14cf2feb4f862761d87

SHA256
3aadcffdb1bfd8716817b46b727abbfd89b7ccf58bea2f71325e0e1c0fc99257

SHA512
ec4ab160aec274c61e32a6a59a5cd66ed1a98c0121ad006a8dc1daa97eef47b1fb2de98445253a11ea9099a10868ee99e8de22bf19212b682f33194b7b3bf5f3

Download Submit
memory/3244-148-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3244-149-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/3244-150-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-151-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-153-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-154-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3244-157-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-160-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-158-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3244-156-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3244-164-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-172-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-176-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-174-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-178-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-180-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-170-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-168-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-166-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-162-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3244-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3244-183-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3576-188-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-189-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-191-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-193-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-195-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-197-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-199-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-201-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-203-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-205-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-207-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-209-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-211-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-213-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-215-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-217-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-221-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-219-0x0000000002550000-0x0000000002585000-memory.dmp

Filesize
212KB

Download
memory/3576-343-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/3576-347-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3576-344-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3576-983-0x0000000007B50000-0x0000000008168000-memory.dmp

Filesize
6.1MB

Download
memory/3576-984-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/3576-985-0x0000000008170000-0x000000000827A000-memory.dmp

Filesize
1.0MB

Download
memory/3576-986-0x00000000029F0000-0x0000000002A2C000-memory.dmp

Filesize
240KB

Download
memory/3576-987-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3576-989-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3576-990-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3576-991-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3576-992-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download