redline | f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a

Analysis

max time kernel
154s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
Size

694KB
MD5

3f92a310c625725ac14eede0651791ce
SHA1

1a1ae6715f2bce5a2dd6236bd80b4614ff6645d7
SHA256

f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a
SHA512

f9a75a89c8e7182ef07392fcb8cc677317754a9456e080927bb7b24b7d2af64fa9f579e6f30c84fca618261138e52abad807dc8a650ce63bb5109c52a82754c6
SSDEEP

12288:Qy90pEPoPLLYhdxCmRM6eHwpFTK0gF8Lbc7Sd+1WK6FL18bZK6A+M9p9:QysFLYkKM1oFXgFH4y6FL18bZ5i9X

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4296-988-0x0000000009D70000-0x000000000A388000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	23561019.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	23561019.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2656	un111140.exe
1648	23561019.exe
4296	rk745928.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	23561019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	23561019.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un111140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un111140.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4864	1648	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	23561019.exe
1648	23561019.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	23561019.exe
Token: SeDebugPrivilege	4296	rk745928.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2656	2204	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	82
PID 2204 wrote to memory of 2656	2204	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	82
PID 2204 wrote to memory of 2656	2204	f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe	82
PID 2656 wrote to memory of 1648	2656	un111140.exe	83
PID 2656 wrote to memory of 1648	2656	un111140.exe	83
PID 2656 wrote to memory of 1648	2656	un111140.exe	83
PID 2656 wrote to memory of 4296	2656	un111140.exe	88
PID 2656 wrote to memory of 4296	2656	un111140.exe	88
PID 2656 wrote to memory of 4296	2656	un111140.exe	88

C:\Users\Admin\AppData\Local\Temp\f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe
"C:\Users\Admin\AppData\Local\Temp\f8b710fd89739236ff2b961d47b738df7ac02f9f47e2b20247656acbda2fae1a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1080
      4⤵
      Program crash
      PID:4864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1648 -ip 1648
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe

Filesize
540KB

MD5
763c0cf6e9bdadedd86ddc78e9cd7612

SHA1
c6fe2d0dfd91f8f6e9adb96f3ec3e4a847c26cd9

SHA256
41023780cd24f27a497f27f2f136433e2dad3b30317e3cef1f17d065abb34393

SHA512
8612076ca8f475092f855b445775cf5c9a10df6703a68c622d2de1eb5a40471c3a044739d96fa2807529579ee977883981c843a91e3cbf39587719b7f40c86a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un111140.exe

Filesize
540KB

MD5
763c0cf6e9bdadedd86ddc78e9cd7612

SHA1
c6fe2d0dfd91f8f6e9adb96f3ec3e4a847c26cd9

SHA256
41023780cd24f27a497f27f2f136433e2dad3b30317e3cef1f17d065abb34393

SHA512
8612076ca8f475092f855b445775cf5c9a10df6703a68c622d2de1eb5a40471c3a044739d96fa2807529579ee977883981c843a91e3cbf39587719b7f40c86a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23561019.exe

Filesize
258KB

MD5
31439707cd9747de3c3ad168ebcb569e

SHA1
85eb92b27fbe0742718edae49526d1bb58f8b401

SHA256
c86ed48735060e60338996e5649af34fb821649f1a1a32952e060d18d36e7f47

SHA512
cb9a39dabfea77d7e9a9c62ca7bd9c9cf824285880587982134fac54780bbb960af07350f2cb98cc915f44720e8fba6e291c29a77c214ec731de64a2fffa0089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk745928.exe

Filesize
340KB

MD5
e19a5a4d663ce2893b10b3c896eb6c01

SHA1
388b010b7c9bd73f8359ce10dea990dd7dc901ac

SHA256
84f663b65c5dd96bdd2634115bc8dd36482dd2cb9329a62fe9e624669e1f52ab

SHA512
54ef96e634dabbc55162ac214e7066bd46744ae823a9825bcd7dbdf691de027a2a25f3f74182a26f6bf79f6295425ade3ab467cc9dc6c10720e13f63fcc7de62

Download Submit
memory/1648-164-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-187-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1648-154-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-152-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-151-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1648-156-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-160-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-158-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-162-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-150-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1648-166-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-168-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-170-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-172-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-174-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-176-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-178-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-180-0x00000000048B0000-0x00000000048C3000-memory.dmp

Filesize
76KB

Download
memory/1648-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1648-182-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1648-183-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1648-184-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1648-153-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1648-149-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/1648-148-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/4296-995-0x000000000A540000-0x000000000A57C000-memory.dmp

Filesize
240KB

Download
memory/4296-221-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-192-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-215-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-199-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-201-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-203-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-205-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-207-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-209-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-211-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-213-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-197-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-217-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-219-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-193-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-223-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-355-0x0000000002BF0000-0x0000000002C36000-memory.dmp

Filesize
280KB

Download
memory/4296-358-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-356-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-359-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-988-0x0000000009D70000-0x000000000A388000-memory.dmp

Filesize
6.1MB

Download
memory/4296-990-0x000000000A400000-0x000000000A412000-memory.dmp

Filesize
72KB

Download
memory/4296-991-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/4296-992-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-993-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-994-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-195-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/4296-997-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4296-999-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download