redline | e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac

Analysis

max time kernel
160s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe
Size

690KB
MD5

c0110754e9aafc6ae98f972853407079
SHA1

c9d6862c8305363d2af2598d912b5a16124c1541
SHA256

e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac
SHA512

a08032805f44d766195c730142b237272c5ee295bdb77428533794b1003ae8dc9afc01c561a548096eb006c2de0dba03238405cbd15d25b34e40652da38bad06
SSDEEP

12288:My90WT+R7GVUhjHS9ShUeXdK4Dd719W+bx2j0krB2umG8KQm1:Mym7GVQH2ShMKdJ0+bxu92uflQM

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2308-990-0x0000000007550000-0x0000000007B68000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	41879203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	41879203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	41879203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	41879203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	41879203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	41879203.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2988	un536776.exe
2012	41879203.exe
2308	rk326726.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	41879203.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	41879203.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un536776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un536776.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	41879203.exe
2012	41879203.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	41879203.exe
Token: SeDebugPrivilege	2308	rk326726.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2988	212	e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe	83
PID 212 wrote to memory of 2988	212	e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe	83
PID 212 wrote to memory of 2988	212	e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe	83
PID 2988 wrote to memory of 2012	2988	un536776.exe	85
PID 2988 wrote to memory of 2012	2988	un536776.exe	85
PID 2988 wrote to memory of 2012	2988	un536776.exe	85
PID 2988 wrote to memory of 2308	2988	un536776.exe	88
PID 2988 wrote to memory of 2308	2988	un536776.exe	88
PID 2988 wrote to memory of 2308	2988	un536776.exe	88

C:\Users\Admin\AppData\Local\Temp\e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe
"C:\Users\Admin\AppData\Local\Temp\e43dadcb1d5c1515f9fc3f0fe8a2975f080fda25c4a5a39a450a962650efefac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un536776.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un536776.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41879203.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41879203.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk326726.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk326726.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un536776.exe

Filesize
536KB

MD5
9a7ae84b207237867bd2b5a6dc05b51f

SHA1
0bf3ddf48298075c6094ba24fc5ea2fbfb2b2fbb

SHA256
9abff570d6f0bffcdd3e7d41334eb5929642bd9198f7f8ab3d860393c9aeb95d

SHA512
8b380c8e2e172fe106a41650c28ba3c7b3aa1cb6d713abde49318e1c7cec4606f27ed0b51d17290145240a4f2c613386af1ead9cbafc7798caec33df7da98294

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un536776.exe

Filesize
536KB

MD5
9a7ae84b207237867bd2b5a6dc05b51f

SHA1
0bf3ddf48298075c6094ba24fc5ea2fbfb2b2fbb

SHA256
9abff570d6f0bffcdd3e7d41334eb5929642bd9198f7f8ab3d860393c9aeb95d

SHA512
8b380c8e2e172fe106a41650c28ba3c7b3aa1cb6d713abde49318e1c7cec4606f27ed0b51d17290145240a4f2c613386af1ead9cbafc7798caec33df7da98294

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41879203.exe

Filesize
259KB

MD5
3de15d1cd4147086d41a5b64462d35ea

SHA1
76c2d6035d404532bec11b3b4d79167f5e5b37e7

SHA256
e5ddbb0a05147bbf8c3aafb15c789dbab4f0751d34d1ce426344702c57591a69

SHA512
99df663f4bb1cd058667f4e7d17f849f6cb80ff8ba3685069719a7c020d2e269ef343becd33e054b6ae5ea3271b90c5d5c94fee631433bc22d4d65c496575f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41879203.exe

Filesize
259KB

MD5
3de15d1cd4147086d41a5b64462d35ea

SHA1
76c2d6035d404532bec11b3b4d79167f5e5b37e7

SHA256
e5ddbb0a05147bbf8c3aafb15c789dbab4f0751d34d1ce426344702c57591a69

SHA512
99df663f4bb1cd058667f4e7d17f849f6cb80ff8ba3685069719a7c020d2e269ef343becd33e054b6ae5ea3271b90c5d5c94fee631433bc22d4d65c496575f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk326726.exe

Filesize
341KB

MD5
cb4475f758872a7a925aed5636da293a

SHA1
e9d8fe0204ccb80cefc9c21c6e6bd4fc33048621

SHA256
23a8f2b81539d2e33c4f0b3d1de70d47438f8de8176f98a684dc622525d5ae39

SHA512
0346a87b6e1f200484f5f8ff0fb13d0129278d5bb83438f62b9ff817bc576e38840b6fda12cffa295ebbf6cf58cb0ce8fefe34f8260d2612d719c3ffeb5dedc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk326726.exe

Filesize
341KB

MD5
cb4475f758872a7a925aed5636da293a

SHA1
e9d8fe0204ccb80cefc9c21c6e6bd4fc33048621

SHA256
23a8f2b81539d2e33c4f0b3d1de70d47438f8de8176f98a684dc622525d5ae39

SHA512
0346a87b6e1f200484f5f8ff0fb13d0129278d5bb83438f62b9ff817bc576e38840b6fda12cffa295ebbf6cf58cb0ce8fefe34f8260d2612d719c3ffeb5dedc7

Download Submit
memory/2012-164-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-160-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-153-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2012-154-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/2012-156-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2012-157-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-158-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-152-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2012-162-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-151-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2012-166-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-168-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-170-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-172-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-174-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-176-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-178-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-180-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-182-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-184-0x0000000002570000-0x0000000002583000-memory.dmp

Filesize
76KB

Download
memory/2012-185-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2012-186-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/2012-189-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2012-150-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2012-149-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/2308-223-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-384-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-990-0x0000000007550000-0x0000000007B68000-memory.dmp

Filesize
6.1MB

Download
memory/2308-195-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-201-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-203-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-205-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-207-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-209-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-211-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-213-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-215-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-217-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-194-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-199-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-221-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-991-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/2308-219-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-382-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-380-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-378-0x00000000020B0000-0x00000000020F6000-memory.dmp

Filesize
280KB

Download
memory/2308-197-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-225-0x0000000005050000-0x0000000005085000-memory.dmp

Filesize
212KB

Download
memory/2308-992-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/2308-993-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-994-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/2308-997-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-996-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-998-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2308-999-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download