redline | e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
Size

690KB
MD5

7fa6cc9ae7238019b166562de282928a
SHA1

e8370fe2717ad008a952e541f22b898851129746
SHA256

e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71
SHA512

f451d959602d32cafb7f08a19202856996366d761e276f0311c8b8a9dc6b85a2bf66ea47b7686e442d198f231f3cccc55e8122ae871250f0b77cef7ae43d72bc
SSDEEP

12288:zy90ia8sCba0f8e0srtnpcXoJdRWadO8V2uBqAlYCiJ76DtD1RHiL:zyTa8sCb5ke0d4JvzOo2y3iZ6Dx1BiL

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1680-989-0x00000000076B0000-0x0000000007CC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	03093245.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	03093245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	03093245.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4052	un631066.exe
4208	03093245.exe
1680	rk364979.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	03093245.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	03093245.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un631066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un631066.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1436	4208	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4208	03093245.exe
4208	03093245.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	03093245.exe
Token: SeDebugPrivilege	1680	rk364979.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 4052	2828	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	83
PID 2828 wrote to memory of 4052	2828	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	83
PID 2828 wrote to memory of 4052	2828	e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe	83
PID 4052 wrote to memory of 4208	4052	un631066.exe	84
PID 4052 wrote to memory of 4208	4052	un631066.exe	84
PID 4052 wrote to memory of 4208	4052	un631066.exe	84
PID 4052 wrote to memory of 1680	4052	un631066.exe	89
PID 4052 wrote to memory of 1680	4052	un631066.exe	89
PID 4052 wrote to memory of 1680	4052	un631066.exe	89

C:\Users\Admin\AppData\Local\Temp\e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe
"C:\Users\Admin\AppData\Local\Temp\e881d7472b118bfbf89e98ab2b6bb201da2afdc7b0869b8d18ef019ae5c0ec71.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1080
      4⤵
      Program crash
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4208 -ip 4208
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe

Filesize
536KB

MD5
ae2e72e004eb797e4f25a43584eaf1dc

SHA1
7abd7e3de6e22c26c965730d5803a902fd77985d

SHA256
24fcda44d4dbf3ab7c82566d6c4794bf48a425485a9f819aa03358b36f1dbd60

SHA512
35220d9c6b7ea9be7a88689a13cb1ab55016befeb750533ff9e3ee8058c864d073d45ef170d8a3166b2669ad7dee3fdb5b5577a798a9ffc32a13bb6f5d715047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631066.exe

Filesize
536KB

MD5
ae2e72e004eb797e4f25a43584eaf1dc

SHA1
7abd7e3de6e22c26c965730d5803a902fd77985d

SHA256
24fcda44d4dbf3ab7c82566d6c4794bf48a425485a9f819aa03358b36f1dbd60

SHA512
35220d9c6b7ea9be7a88689a13cb1ab55016befeb750533ff9e3ee8058c864d073d45ef170d8a3166b2669ad7dee3fdb5b5577a798a9ffc32a13bb6f5d715047

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\03093245.exe

Filesize
259KB

MD5
fb5839878edbf5ec0171a2f332a68268

SHA1
3da45590b8c0f3a5bf33da3cfc4662b1d831a808

SHA256
6faeb7841b8df7911fabbe6231954a7c210abc64a7983c3b3ef30d1c211d234f

SHA512
07fe1180f4741c483671631dbd431a080bd236be1755a42e9fc09f283894b5ad6aa6a1d06b1c7c60b5077604985c10ebc3b8504eac9f6c2ea0aef09384f97fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk364979.exe

Filesize
341KB

MD5
cde559d5d45cb816f96317ee49f76af6

SHA1
f8e2b0537d718d73bf47de5bdabb811ebce26491

SHA256
7ccd1735380e511b9df5d3c9b2a8850f08c217eed3506145e11876574f503d98

SHA512
fbd2d47ac58b6d0735ab07d8e98bc88e883c2db537cad695692efe0c071b49974da97a4251e875e1731e1f8d3bafe5a945b4de97ad49afcc97efb1fcd63db94f

Download Submit
memory/1680-217-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-221-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-998-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-997-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-195-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-995-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-993-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-992-0x0000000002640000-0x000000000267C000-memory.dmp

Filesize
240KB

Download
memory/1680-991-0x0000000007CD0000-0x0000000007DDA000-memory.dmp

Filesize
1.0MB

Download
memory/1680-990-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/1680-989-0x00000000076B0000-0x0000000007CC8000-memory.dmp

Filesize
6.1MB

Download
memory/1680-687-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-227-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-225-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-223-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-219-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-215-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-196-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-211-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-209-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-207-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-205-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-194-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-203-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-201-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-193-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/1680-199-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-996-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1680-213-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/1680-197-0x00000000024A0000-0x00000000024D5000-memory.dmp

Filesize
212KB

Download
memory/4208-149-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-183-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4208-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-184-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4208-150-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-182-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4208-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4208-176-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-179-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4208-148-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/4208-180-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4208-154-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-174-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-177-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/4208-178-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4208-172-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-170-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-168-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-166-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-164-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-162-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-160-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-158-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-156-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/4208-152-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download