redline | da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78

Analysis

max time kernel
176s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe
Size

939KB
MD5

8d52bd9554828ebda2d146da3bdf15dd
SHA1

90e5a53f4d0fa15b60f00f1e7974519e1b37a54c
SHA256

da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78
SHA512

053ab82bd5acc64164b1bf07cd537055c14f405aa706c0aae838c39a5fe514704c1928d3af27a6f7f9cd68c6b3b3f7521971667a0283c9b27a980e2d298a53fa
SSDEEP

24576:gy+QwbLXPYNNNrL9jRRuPcUEWKOIOYpOS:nluiLzRuPcUSOnYA

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3864-1000-0x0000000009C60000-0x000000000A278000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	30207487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	30207487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	30207487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	30207487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	30207487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	30207487.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3324	za369770.exe
2704	za024015.exe
3240	30207487.exe
3864	w75Fe25.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	30207487.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	30207487.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za369770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za369770.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za024015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za024015.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3412	3240	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3240	30207487.exe
3240	30207487.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	30207487.exe
Token: SeDebugPrivilege	3864	w75Fe25.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3324	2256	da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe	80
PID 2256 wrote to memory of 3324	2256	da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe	80
PID 2256 wrote to memory of 3324	2256	da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe	80
PID 3324 wrote to memory of 2704	3324	za369770.exe	81
PID 3324 wrote to memory of 2704	3324	za369770.exe	81
PID 3324 wrote to memory of 2704	3324	za369770.exe	81
PID 2704 wrote to memory of 3240	2704	za024015.exe	82
PID 2704 wrote to memory of 3240	2704	za024015.exe	82
PID 2704 wrote to memory of 3240	2704	za024015.exe	82
PID 2704 wrote to memory of 3864	2704	za024015.exe	89
PID 2704 wrote to memory of 3864	2704	za024015.exe	89
PID 2704 wrote to memory of 3864	2704	za024015.exe	89

C:\Users\Admin\AppData\Local\Temp\da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe
"C:\Users\Admin\AppData\Local\Temp\da7fad334a87ea8bbac628d2d0eea50038993e077d4c93e5ee45f9c899e67d78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za369770.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za369770.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za024015.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za024015.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\30207487.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\30207487.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1088
        5⤵
        Program crash
        
        PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w75Fe25.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w75Fe25.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3240 -ip 3240
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za369770.exe

Filesize
723KB

MD5
2f0f83b8a08721640f69a27cb8423f48

SHA1
99c152d0b15afebc1327934ce3192c992288d71f

SHA256
2c4bbbe21bfd2741a549a6cf576711c4ebf3a1fd641babec22a4dfcf45f956f2

SHA512
65c759ed19f4de7c8c4e11e00185a0cbe4b7fb2ed78972b9adc99caececf959a343001f57407d47dc971c6ce3921b5af66641f17c296e8f8e27c54c84d9b0e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za369770.exe

Filesize
723KB

MD5
2f0f83b8a08721640f69a27cb8423f48

SHA1
99c152d0b15afebc1327934ce3192c992288d71f

SHA256
2c4bbbe21bfd2741a549a6cf576711c4ebf3a1fd641babec22a4dfcf45f956f2

SHA512
65c759ed19f4de7c8c4e11e00185a0cbe4b7fb2ed78972b9adc99caececf959a343001f57407d47dc971c6ce3921b5af66641f17c296e8f8e27c54c84d9b0e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za024015.exe

Filesize
541KB

MD5
76f07765f2f24e1b59f6e98e7f4b6c54

SHA1
121c18087aa725970eb5697f5022d828e425c436

SHA256
74bfd46c9df22a967dc8c9c504b0694ee02e2b3d4277d729cdb8667bbd2c68a0

SHA512
71365728f4ac6c349b50034fbb213a2506b644ca7b73c180ffb9da61f6682bfa72b8f5b5d16c5dfdecae9ca9529cc74122095faf52aa59562392e81bc2e42e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za024015.exe

Filesize
541KB

MD5
76f07765f2f24e1b59f6e98e7f4b6c54

SHA1
121c18087aa725970eb5697f5022d828e425c436

SHA256
74bfd46c9df22a967dc8c9c504b0694ee02e2b3d4277d729cdb8667bbd2c68a0

SHA512
71365728f4ac6c349b50034fbb213a2506b644ca7b73c180ffb9da61f6682bfa72b8f5b5d16c5dfdecae9ca9529cc74122095faf52aa59562392e81bc2e42e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\30207487.exe

Filesize
257KB

MD5
183e2a5982e0bdee9fd8dc8c69d10899

SHA1
7748cb5203afcaae09310452d4776a24d41e8a4b

SHA256
fbce00949dcabe9643071523849aa79c4eae943c31b25a5b1d91b184161cf63f

SHA512
fe76a8d81e82c62bc77bfab6d443b287746b87d9b49ab20020762c72bcecd1354e58a0ff3466ec3ac8c85ce5f44eb69f3f55647ce43523dc5f63ead86b52e514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\30207487.exe

Filesize
257KB

MD5
183e2a5982e0bdee9fd8dc8c69d10899

SHA1
7748cb5203afcaae09310452d4776a24d41e8a4b

SHA256
fbce00949dcabe9643071523849aa79c4eae943c31b25a5b1d91b184161cf63f

SHA512
fe76a8d81e82c62bc77bfab6d443b287746b87d9b49ab20020762c72bcecd1354e58a0ff3466ec3ac8c85ce5f44eb69f3f55647ce43523dc5f63ead86b52e514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w75Fe25.exe

Filesize
340KB

MD5
12fff22f6e59bb9f53c09c48d9d85832

SHA1
8fc41d0ef8e976a3ca3c176c7b3da32de8a12188

SHA256
9e005ecc5e92e011d21de1071b448a869a70412a48040db2c00983a993378a73

SHA512
b3835b859b74ff1acc28f90773a0ff6182256a90c6fa9709c3e999b99543cbf2aa4bafe989d0db424a8cd007569e5e3fb3ee20cf64c5b82cde87fd7269eebf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w75Fe25.exe

Filesize
340KB

MD5
12fff22f6e59bb9f53c09c48d9d85832

SHA1
8fc41d0ef8e976a3ca3c176c7b3da32de8a12188

SHA256
9e005ecc5e92e011d21de1071b448a869a70412a48040db2c00983a993378a73

SHA512
b3835b859b74ff1acc28f90773a0ff6182256a90c6fa9709c3e999b99543cbf2aa4bafe989d0db424a8cd007569e5e3fb3ee20cf64c5b82cde87fd7269eebf64

Download Submit
memory/3240-191-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/3240-158-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/3240-159-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/3240-160-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-161-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-163-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-165-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-167-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-169-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-171-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-173-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-175-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-177-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-179-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-181-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-183-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-185-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-187-0x0000000004B20000-0x0000000004B33000-memory.dmp

Filesize
76KB

Download
memory/3240-188-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3240-189-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/3240-190-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/3240-157-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/3240-195-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3240-156-0x0000000007130000-0x00000000076D4000-memory.dmp

Filesize
5.6MB

Download
memory/3240-155-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/3864-207-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-229-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-204-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-209-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-211-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-213-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-215-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-217-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-219-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-221-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-223-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-225-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-227-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-205-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-231-0x0000000004D00000-0x0000000004D35000-memory.dmp

Filesize
212KB

Download
memory/3864-562-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-560-0x0000000002BB0000-0x0000000002BF6000-memory.dmp

Filesize
280KB

Download
memory/3864-564-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-565-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-1000-0x0000000009C60000-0x000000000A278000-memory.dmp

Filesize
6.1MB

Download
memory/3864-1001-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/3864-1002-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/3864-1004-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/3864-1005-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-1006-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-1007-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-1008-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3864-1010-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download