redline | fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1

Analysis

max time kernel
231s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
Size

691KB
MD5

29b40358b0c7266e8c11d8487e972eea
SHA1

0a2fcffdb0aa792a45ef05004f810940fef292dc
SHA256

fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1
SHA512

449f09645a2566010f4d005adf34b0be041fd05a32beca3915d157c313e031f5aa62a646b1f555248a6ad1cf3f07580e869731c7af0987e7bef7b339a40cfcf0
SSDEEP

12288:ay900bUUcekt7K07hmDkX/SETqQgeiCYMvQz7trDe207ShcANBg+lePIG7SZKAND:ayzbtCKyYoXKETbghCYMqtrq2UANu8KO

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2624-211-0x0000000007A30000-0x0000000008048000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	51593139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	51593139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	51593139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	51593139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	51593139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	51593139.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3960	un255172.exe
1480	51593139.exe
1960	rk575995.exe
4824	rk575995.exe
2624	si157445.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	51593139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	51593139.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un255172.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un255172.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 4824	1960	rk575995.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
724	1480	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1480	51593139.exe
1480	51593139.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	51593139.exe
Token: SeDebugPrivilege	4824	rk575995.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 3960	732	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe	79
PID 732 wrote to memory of 3960	732	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe	79
PID 732 wrote to memory of 3960	732	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe	79
PID 3960 wrote to memory of 1480	3960	un255172.exe	80
PID 3960 wrote to memory of 1480	3960	un255172.exe	80
PID 3960 wrote to memory of 1480	3960	un255172.exe	80
PID 3960 wrote to memory of 1960	3960	un255172.exe	84
PID 3960 wrote to memory of 1960	3960	un255172.exe	84
PID 3960 wrote to memory of 1960	3960	un255172.exe	84
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 1960 wrote to memory of 4824	1960	rk575995.exe	85
PID 732 wrote to memory of 2624	732	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe	86
PID 732 wrote to memory of 2624	732	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe	86
PID 732 wrote to memory of 2624	732	fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe	86

C:\Users\Admin\AppData\Local\Temp\fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe
"C:\Users\Admin\AppData\Local\Temp\fb2fea52147f2fae6ab0be4b0a48887ba924826547858f65fa870fe490e442c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255172.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255172.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51593139.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51593139.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1080
      4⤵
      Program crash
      PID:724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si157445.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si157445.exe
  2⤵
  - Executes dropped EXE
  PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1480 -ip 1480
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si157445.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si157445.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255172.exe

Filesize
537KB

MD5
8703ae699b6b7025467d0c2a8a223102

SHA1
6f5544d6e718de33257be2f4b3c45afe187742d2

SHA256
2b1f87a53d65c18cee0f4682f3078e2ba092d651932c0a34d780e5ab9d6395df

SHA512
584191cca4cba1cb0b35ead701a363723d039c1340517e5a5f1c9ceecfad7097f837d120426baa1422280a600fc8357457f7d1e0cf3f2ee27b401532bbe69e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un255172.exe

Filesize
537KB

MD5
8703ae699b6b7025467d0c2a8a223102

SHA1
6f5544d6e718de33257be2f4b3c45afe187742d2

SHA256
2b1f87a53d65c18cee0f4682f3078e2ba092d651932c0a34d780e5ab9d6395df

SHA512
584191cca4cba1cb0b35ead701a363723d039c1340517e5a5f1c9ceecfad7097f837d120426baa1422280a600fc8357457f7d1e0cf3f2ee27b401532bbe69e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51593139.exe

Filesize
259KB

MD5
8094a3586d9c45eca9f38499312b2d38

SHA1
919032480ff35763613e87cb4619d7d72c4d996d

SHA256
45e5a15b23f6c09721e5efc2d651ca922af5cde864e99e65edcf4dbae1f5dc3b

SHA512
ceea89a25afb59562e77a55554ecce66fe3a536302f3ecb40a779f98039a7c2fc39cb2aaee5cc9aa1772fe6548d6e2417bd69c23c7fab4f23c7304f109b217ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51593139.exe

Filesize
259KB

MD5
8094a3586d9c45eca9f38499312b2d38

SHA1
919032480ff35763613e87cb4619d7d72c4d996d

SHA256
45e5a15b23f6c09721e5efc2d651ca922af5cde864e99e65edcf4dbae1f5dc3b

SHA512
ceea89a25afb59562e77a55554ecce66fe3a536302f3ecb40a779f98039a7c2fc39cb2aaee5cc9aa1772fe6548d6e2417bd69c23c7fab4f23c7304f109b217ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe

Filesize
342KB

MD5
4917f0ea51212be79d676877a568eced

SHA1
0f71e179d494dfb71d0a5aeb7c6c0fab9cfa76fb

SHA256
5d0ce5748792cb7c1b56cb3a9b899aed9c513dc31a6eff8c1a76999c0de15cce

SHA512
c81cc1ca501290130d2dbe78981feae0ca896b51f774722940b47e7c2d3455f05236f85d197593feea502973aee267caa509e0dc9173e1ff834d275bb84975c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe

Filesize
342KB

MD5
4917f0ea51212be79d676877a568eced

SHA1
0f71e179d494dfb71d0a5aeb7c6c0fab9cfa76fb

SHA256
5d0ce5748792cb7c1b56cb3a9b899aed9c513dc31a6eff8c1a76999c0de15cce

SHA512
c81cc1ca501290130d2dbe78981feae0ca896b51f774722940b47e7c2d3455f05236f85d197593feea502973aee267caa509e0dc9173e1ff834d275bb84975c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk575995.exe

Filesize
342KB

MD5
4917f0ea51212be79d676877a568eced

SHA1
0f71e179d494dfb71d0a5aeb7c6c0fab9cfa76fb

SHA256
5d0ce5748792cb7c1b56cb3a9b899aed9c513dc31a6eff8c1a76999c0de15cce

SHA512
c81cc1ca501290130d2dbe78981feae0ca896b51f774722940b47e7c2d3455f05236f85d197593feea502973aee267caa509e0dc9173e1ff834d275bb84975c5

Download Submit
memory/1480-166-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-180-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-156-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-158-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-160-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-162-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-164-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-153-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-170-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-168-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-172-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-174-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-176-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-154-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-178-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1480-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1480-182-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1480-183-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1480-184-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1480-188-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1480-152-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1480-150-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1480-151-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1480-149-0x00000000006C0000-0x00000000006ED000-memory.dmp

Filesize
180KB

Download
memory/1480-148-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/1960-201-0x00000000020A0000-0x00000000020E7000-memory.dmp

Filesize
284KB

Download
memory/2624-214-0x0000000002AF0000-0x0000000002B02000-memory.dmp

Filesize
72KB

Download
memory/2624-1013-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2624-241-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2624-208-0x0000000000690000-0x00000000006B8000-memory.dmp

Filesize
160KB

Download
memory/2624-226-0x0000000007450000-0x000000000748C000-memory.dmp

Filesize
240KB

Download
memory/2624-211-0x0000000007A30000-0x0000000008048000-memory.dmp

Filesize
6.1MB

Download
memory/2624-217-0x0000000007520000-0x000000000762A000-memory.dmp

Filesize
1.0MB

Download
memory/4824-225-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-233-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-210-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-216-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-219-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-221-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-223-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-202-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4824-228-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-209-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-230-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-213-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-232-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4824-234-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4824-237-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4824-236-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4824-239-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4824-199-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4824-1012-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4824-1011-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4824-1014-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4824-203-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4824-1016-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download