redline | e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe
Size

747KB
MD5

30e510cf8927bd6359adff1cf5745d8f
SHA1

1fef501bb23e0b88a375b0ef064c7d60acab0066
SHA256

e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a
SHA512

f92a6bd90c28edea7cf5916be6f47779b80f4609e13332ddf97d23862170f660c0657fda52cd2b0ccc3e998ada5f2b0176cbacd167f2cb4e1e3b237ef68220a0
SSDEEP

12288:oy90YU612b+HDoEr+UvxJzm5E4paUgzcaXClat7I5bE4w52vok+:oy+612bE8ErhINpMzcaXCsR2bEZn5

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4968-991-0x0000000007930000-0x0000000007F48000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	14404042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	14404042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	14404042.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	14404042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	14404042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	14404042.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4476	un904449.exe
4744	14404042.exe
4968	rk738920.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	14404042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	14404042.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un904449.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un904449.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4744	14404042.exe
4744	14404042.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	14404042.exe
Token: SeDebugPrivilege	4968	rk738920.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 4476	1304	e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe	84
PID 1304 wrote to memory of 4476	1304	e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe	84
PID 1304 wrote to memory of 4476	1304	e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe	84
PID 4476 wrote to memory of 4744	4476	un904449.exe	86
PID 4476 wrote to memory of 4744	4476	un904449.exe	86
PID 4476 wrote to memory of 4744	4476	un904449.exe	86
PID 4476 wrote to memory of 4968	4476	un904449.exe	87
PID 4476 wrote to memory of 4968	4476	un904449.exe	87
PID 4476 wrote to memory of 4968	4476	un904449.exe	87

C:\Users\Admin\AppData\Local\Temp\e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe
"C:\Users\Admin\AppData\Local\Temp\e6a4e7f0d85c167f28c00084c100d394769cd40aba6ebb30a05cff5b19eea25a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904449.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904449.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14404042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14404042.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk738920.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk738920.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904449.exe

Filesize
593KB

MD5
5e65eb208a869264ff6c450331946dd9

SHA1
c25c4fc2c5eb3eeafa9522d255b74a11324f817f

SHA256
b32c081be707c35df1bca880e938e789b22f96ea893c5e9917fe09be44cfcffb

SHA512
8cb87b3eb8c46412cfa35ee36543804e95c69e7f52e98b1c246d3aa12861721c1eb08d8a5d7f4011c84aeb8fce02f84e6073dec54f5d6605dcf8e9c019698cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904449.exe

Filesize
593KB

MD5
5e65eb208a869264ff6c450331946dd9

SHA1
c25c4fc2c5eb3eeafa9522d255b74a11324f817f

SHA256
b32c081be707c35df1bca880e938e789b22f96ea893c5e9917fe09be44cfcffb

SHA512
8cb87b3eb8c46412cfa35ee36543804e95c69e7f52e98b1c246d3aa12861721c1eb08d8a5d7f4011c84aeb8fce02f84e6073dec54f5d6605dcf8e9c019698cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14404042.exe

Filesize
377KB

MD5
bf9d9d5ab84e0367272b452cde92a639

SHA1
b0fdca54ad78ec4c0046a32e55f66be41f07e681

SHA256
9e65d1274577e4aaa99fd17b1510a3482b6a77d90d4f7934343c948a4172d46f

SHA512
4b0c40f8f61ef077a39a53deefbf3afd9752c4e7a8536a5665ef3f7370b9801bb36106bbbe51c3ca5e61c9e0f0e4d329d6e130651de5b1cc0f158d07da9df399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14404042.exe

Filesize
377KB

MD5
bf9d9d5ab84e0367272b452cde92a639

SHA1
b0fdca54ad78ec4c0046a32e55f66be41f07e681

SHA256
9e65d1274577e4aaa99fd17b1510a3482b6a77d90d4f7934343c948a4172d46f

SHA512
4b0c40f8f61ef077a39a53deefbf3afd9752c4e7a8536a5665ef3f7370b9801bb36106bbbe51c3ca5e61c9e0f0e4d329d6e130651de5b1cc0f158d07da9df399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk738920.exe

Filesize
459KB

MD5
c0301cc062dac5f03f5aff4e542ee00d

SHA1
af73de1bae14d9b41748eef302cab5aad749438b

SHA256
76b237154e1a3bab0f42aef13539d3e94e41a2c8fa04ee8d11e3a5fbaeef4118

SHA512
f2baecb1a094d2269b48b78540b07b0ca336f3247c59d0b9853e2956ad79f1b193f6922f67228da8614fa3235885b4b74b1cd08fc2d4993e9ab89a5f997599d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk738920.exe

Filesize
459KB

MD5
c0301cc062dac5f03f5aff4e542ee00d

SHA1
af73de1bae14d9b41748eef302cab5aad749438b

SHA256
76b237154e1a3bab0f42aef13539d3e94e41a2c8fa04ee8d11e3a5fbaeef4118

SHA512
f2baecb1a094d2269b48b78540b07b0ca336f3247c59d0b9853e2956ad79f1b193f6922f67228da8614fa3235885b4b74b1cd08fc2d4993e9ab89a5f997599d3

Download Submit
memory/4744-164-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-151-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4744-152-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/4744-153-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-154-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-156-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-158-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-160-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-162-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-150-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4744-166-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-168-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-170-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-178-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-176-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-180-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-174-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-172-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4744-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4744-182-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4744-184-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4744-183-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4744-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4744-149-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4744-148-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4968-226-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-216-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-191-0x0000000000A50000-0x0000000000A96000-memory.dmp

Filesize
280KB

Download
memory/4968-989-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-196-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-198-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-197-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-200-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-202-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-204-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-206-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-208-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-210-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-212-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-214-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-192-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-218-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-220-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-222-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-224-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-193-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-228-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-988-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-194-0x0000000002AC0000-0x0000000002AF5000-memory.dmp

Filesize
212KB

Download
memory/4968-990-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-991-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/4968-992-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4968-993-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-994-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4968-996-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/4968-998-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download