redline | d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Size

707KB
MD5

416bdb8e05ee78385956ed39aaace2b5
SHA1

17547f35983565f00cd149006563cd6a78179d53
SHA256

d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb
SHA512

3a2e8078b13733fa8e40a11e2468052b65b04e28376a24e6e1b3e3bd81790815114e42929e215360d73c12af97558aeae721f701763d69a3a2f7ca3c4b2b9d96
SSDEEP

12288:Oy90Iz9hP9yGNwto6t/CvF2wjxxcb4wG+ulJWkDGsTdn7Um1pduAeJvGjipl:OyN7P9nA22ojcbCX3i479/qVGwl

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3972-989-0x0000000009D60000-0x000000000A378000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	77211406.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	77211406.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4436	un304808.exe
2504	77211406.exe
3972	rk687410.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	77211406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77211406.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un304808.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un304808.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	2504	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	77211406.exe
2504	77211406.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	77211406.exe
Token: SeDebugPrivilege	3972	rk687410.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4436	1472	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	82
PID 1472 wrote to memory of 4436	1472	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	82
PID 1472 wrote to memory of 4436	1472	d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe	82
PID 4436 wrote to memory of 2504	4436	un304808.exe	83
PID 4436 wrote to memory of 2504	4436	un304808.exe	83
PID 4436 wrote to memory of 2504	4436	un304808.exe	83
PID 4436 wrote to memory of 3972	4436	un304808.exe	93
PID 4436 wrote to memory of 3972	4436	un304808.exe	93
PID 4436 wrote to memory of 3972	4436	un304808.exe	93

C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe
"C:\Users\Admin\AppData\Local\Temp\d9b8e92d6077c83fe446904937dbd37e34a183d1af1fa1d95278179655713efb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1076
      4⤵
      Program crash
      PID:1504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2504 -ip 2504
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

Filesize
553KB

MD5
b5715a8a7dfde31a802387b19321f31b

SHA1
39f0756bbc2cc322fff969028603b8572981e923

SHA256
70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339

SHA512
92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un304808.exe

Filesize
553KB

MD5
b5715a8a7dfde31a802387b19321f31b

SHA1
39f0756bbc2cc322fff969028603b8572981e923

SHA256
70d1f037b11e26c7bbcf797fbf86b4e2616d40994f7b7967cc5b4168b662b339

SHA512
92ab6cc19724e4008de54a42ddf997ec537eccdf2a16936ce6c6de8862a9a86a11fed8aebcdd12c74d7e1e5736a0ccd3c21cc2a124809d794863e84548c117dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77211406.exe

Filesize
258KB

MD5
24f85c699a19ee5e19fdd82c6e224735

SHA1
ec4fcba5f997ff3cc61d1a6cc36b35efc8427ab8

SHA256
f34886dfa880aa85c0b53f7562db4510487150009654382d225fcdbf8add0a58

SHA512
9cd0f861035d455f30a702eb70b88f549ec96f83467819867b63d584cccad33d6c138e601585099d12d12f1a0cf60f9bb6219aa8001d67b6e97217c0521b884b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk687410.exe

Filesize
353KB

MD5
8811341d1ea7a75289287e97b6ae3d65

SHA1
bc41b1b0187a35dcdfa016c5a1657aff7133c331

SHA256
fbe65c4fc429a0274e4003e6d31616abc0ef05ddcea1f2a6948275c9eefcf4ea

SHA512
4112905de2e05c53766373ae5ea85e7faf1fa4cbba5a32ee224f6d36e8f4bb8e73b65e588d06dbe0f49898aed73d28e5ea827a295dfa2edb6470971e5d2f40a1

Download Submit
memory/2504-168-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-164-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-154-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-158-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-160-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-156-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-162-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-152-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-166-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-150-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-170-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-173-0x0000000002CA0000-0x0000000002CCD000-memory.dmp

Filesize
180KB

Download
memory/2504-172-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-175-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2504-176-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2504-179-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2504-177-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-180-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2504-182-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2504-183-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2504-184-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/2504-187-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2504-149-0x0000000004D70000-0x0000000004D83000-memory.dmp

Filesize
76KB

Download
memory/2504-148-0x0000000007490000-0x0000000007A34000-memory.dmp

Filesize
5.6MB

Download
memory/3972-222-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-246-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-989-0x0000000009D60000-0x000000000A378000-memory.dmp

Filesize
6.1MB

Download
memory/3972-194-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-200-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-202-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-204-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-206-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-208-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-210-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-212-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-214-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-216-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-193-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-198-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-218-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-990-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/3972-220-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-242-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-244-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-240-0x0000000002C90000-0x0000000002CD6000-memory.dmp

Filesize
280KB

Download
memory/3972-196-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-224-0x00000000071B0000-0x00000000071E5000-memory.dmp

Filesize
212KB

Download
memory/3972-991-0x000000000A380000-0x000000000A48A000-memory.dmp

Filesize
1.0MB

Download
memory/3972-992-0x00000000072E0000-0x000000000731C000-memory.dmp

Filesize
240KB

Download
memory/3972-993-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-995-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-996-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-997-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download
memory/3972-998-0x0000000007320000-0x0000000007330000-memory.dmp

Filesize
64KB

Download