redline | f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946

Analysis

max time kernel
160s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe
Size

696KB
MD5

984336ab7ba353232599dbc9d55867af
SHA1

561d59f0bdeae3b62b02a4b17e2a44392d64903b
SHA256

f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946
SHA512

14a55e866600da6100ba8655e75cf791bc0368c41db25e84a65c22d5ce06f879c66bce14e5967943a4f70d330446581f506e13425067a94591ba7e05bd03e031
SSDEEP

12288:Uy90EV+NfmvfWjlYzB/wV+RfdHg11II2fUm7ISPV8v1F0Urix:Uyh5CSzBCEyH45paNuUrY

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/452-990-0x0000000009C50000-0x000000000A268000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	32039383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	32039383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	32039383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	32039383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	32039383.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	32039383.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3468	un028373.exe
2084	32039383.exe
452	rk205281.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	32039383.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	32039383.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un028373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un028373.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
740	2084	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	32039383.exe
2084	32039383.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	32039383.exe
Token: SeDebugPrivilege	452	rk205281.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3468	4764	f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe	83
PID 4764 wrote to memory of 3468	4764	f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe	83
PID 4764 wrote to memory of 3468	4764	f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe	83
PID 3468 wrote to memory of 2084	3468	un028373.exe	84
PID 3468 wrote to memory of 2084	3468	un028373.exe	84
PID 3468 wrote to memory of 2084	3468	un028373.exe	84
PID 3468 wrote to memory of 452	3468	un028373.exe	88
PID 3468 wrote to memory of 452	3468	un028373.exe	88
PID 3468 wrote to memory of 452	3468	un028373.exe	88

C:\Users\Admin\AppData\Local\Temp\f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe
"C:\Users\Admin\AppData\Local\Temp\f83c1cf0031800da5282ea2328e6bc91b05edfcc43218abb6e36f4bfb7f5a946.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028373.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028373.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32039383.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32039383.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1080
      4⤵
      Program crash
      PID:740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk205281.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk205281.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2084 -ip 2084
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028373.exe

Filesize
542KB

MD5
415da03fb8943963a03d39b6521d8ece

SHA1
a64aa7cee05e1fd46016dc1823f41f5d8b9d7ca0

SHA256
248c3560ee6a5b2dbcdafb029b6c34b67f20c8282671558dfcc036c833b4c92b

SHA512
9712048841cd454654320bebeedab791346d66a9107c80e1b13d95d672ae663ed337961ccdb8947abd6ad715fe2e28354412f732c997c591715813cc91d21845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un028373.exe

Filesize
542KB

MD5
415da03fb8943963a03d39b6521d8ece

SHA1
a64aa7cee05e1fd46016dc1823f41f5d8b9d7ca0

SHA256
248c3560ee6a5b2dbcdafb029b6c34b67f20c8282671558dfcc036c833b4c92b

SHA512
9712048841cd454654320bebeedab791346d66a9107c80e1b13d95d672ae663ed337961ccdb8947abd6ad715fe2e28354412f732c997c591715813cc91d21845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32039383.exe

Filesize
263KB

MD5
d95b06f12a70a3d1b8b2c091c9a79092

SHA1
86e4e3f3fc4d32c91607d9772d9f47f393c56cfb

SHA256
7b6edf18238ebc272b48003f68bb1269abe510f36067d8f5168c68804fd675ff

SHA512
cd33c5860024264af8698cfea9ee0e31318e9ed9a9e5dd629bf86cd973bff738c9051cc31d56ba81c217428111feea9fd0b4081c86060b439dec6a52d57f3dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32039383.exe

Filesize
263KB

MD5
d95b06f12a70a3d1b8b2c091c9a79092

SHA1
86e4e3f3fc4d32c91607d9772d9f47f393c56cfb

SHA256
7b6edf18238ebc272b48003f68bb1269abe510f36067d8f5168c68804fd675ff

SHA512
cd33c5860024264af8698cfea9ee0e31318e9ed9a9e5dd629bf86cd973bff738c9051cc31d56ba81c217428111feea9fd0b4081c86060b439dec6a52d57f3dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk205281.exe

Filesize
328KB

MD5
664b98d907551d721e6ce274594edf76

SHA1
4919097d43a27d7cb57e5277e9e3a4a5f6e24378

SHA256
40ce43f5a2b7ab8295aafe5284e53fe7d3002178eae9901f4ea648fed34739f6

SHA512
2842274fec8072d7adbee0f0d693776ffea622f0db04bfdfef51adad9698a7ee811b52aa0449bd710c415351295e6703984cba219de5fbef7a6d0e17ff27b520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk205281.exe

Filesize
328KB

MD5
664b98d907551d721e6ce274594edf76

SHA1
4919097d43a27d7cb57e5277e9e3a4a5f6e24378

SHA256
40ce43f5a2b7ab8295aafe5284e53fe7d3002178eae9901f4ea648fed34739f6

SHA512
2842274fec8072d7adbee0f0d693776ffea622f0db04bfdfef51adad9698a7ee811b52aa0449bd710c415351295e6703984cba219de5fbef7a6d0e17ff27b520

Download Submit
memory/452-217-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-221-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-998-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/452-995-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/452-996-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/452-994-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/452-992-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/452-991-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/452-195-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-330-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/452-327-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/452-328-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/452-324-0x0000000004800000-0x0000000004846000-memory.dmp

Filesize
280KB

Download
memory/452-223-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-194-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-219-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-197-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-213-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-211-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-209-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-207-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-205-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-203-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-201-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-199-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/452-990-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/452-215-0x0000000004E30000-0x0000000004E65000-memory.dmp

Filesize
212KB

Download
memory/2084-155-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-182-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-150-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2084-187-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2084-184-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2084-183-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2084-151-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2084-180-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-178-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-148-0x0000000002D20000-0x0000000002D4D000-memory.dmp

Filesize
180KB

Download
memory/2084-149-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2084-176-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-164-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-174-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-168-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-166-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-170-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-162-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-160-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-158-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-172-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-156-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2084-153-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/2084-152-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download