redline | e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca

Analysis

max time kernel
191s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe
Size

1.0MB
MD5

0f1d4c615c36eebed9485539aa0af9e0
SHA1

3e4d4ba9dde997b937b0012467cbce7e7544eb12
SHA256

e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca
SHA512

5983ef729b290ee9e873ae701ed57efdf4b4534cd6230a4d14edd056cefdb557c6f7344cb3e97298467c7289aa1380b6d548d7a8db804e89461bb665356705c9
SSDEEP

24576:vyj1wbkcIchzHir7sear8AIKfpPMsetTgrvQaHQcEU:6Zwbkc3hW3sekpPRvHN

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4692-998-0x0000000007910000-0x0000000007F28000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	23618535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	23618535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	23618535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	23618535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	23618535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	23618535.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1516	za223838.exe
220	za006943.exe
2096	23618535.exe
4692	w31Tw36.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	23618535.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	23618535.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za006943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za006943.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za223838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za223838.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	23618535.exe
2096	23618535.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	23618535.exe
Token: SeDebugPrivilege	4692	w31Tw36.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1516	1468	e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe	84
PID 1468 wrote to memory of 1516	1468	e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe	84
PID 1468 wrote to memory of 1516	1468	e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe	84
PID 1516 wrote to memory of 220	1516	za223838.exe	85
PID 1516 wrote to memory of 220	1516	za223838.exe	85
PID 1516 wrote to memory of 220	1516	za223838.exe	85
PID 220 wrote to memory of 2096	220	za006943.exe	86
PID 220 wrote to memory of 2096	220	za006943.exe	86
PID 220 wrote to memory of 2096	220	za006943.exe	86
PID 220 wrote to memory of 4692	220	za006943.exe	88
PID 220 wrote to memory of 4692	220	za006943.exe	88
PID 220 wrote to memory of 4692	220	za006943.exe	88

C:\Users\Admin\AppData\Local\Temp\e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe
"C:\Users\Admin\AppData\Local\Temp\e896c2ba310f250c9af7fa0fc3b762f9d3bdf352da3aab23e8c95577c2f7f5ca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za223838.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za223838.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za006943.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za006943.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\23618535.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\23618535.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31Tw36.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31Tw36.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za223838.exe

Filesize
775KB

MD5
f7bc433cfae146a7301e6b5aaa57fc98

SHA1
ad03dd10a7fff5fd43d9392494015d1b268d84cd

SHA256
7fb0bf3e4510b36c04b937d83ad599b5843d751e44606268342730a38f3f2d01

SHA512
015816f14791b9f5f50b7fa28fccff1378ef53740b472b4440ae06bdd56be5e1011ca14f34cb00596781b1b12916b69611f0d5fb11312e4184bcb9998f3f9ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za223838.exe

Filesize
775KB

MD5
f7bc433cfae146a7301e6b5aaa57fc98

SHA1
ad03dd10a7fff5fd43d9392494015d1b268d84cd

SHA256
7fb0bf3e4510b36c04b937d83ad599b5843d751e44606268342730a38f3f2d01

SHA512
015816f14791b9f5f50b7fa28fccff1378ef53740b472b4440ae06bdd56be5e1011ca14f34cb00596781b1b12916b69611f0d5fb11312e4184bcb9998f3f9ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za006943.exe

Filesize
592KB

MD5
b2a17d25df6c6f9f087a1a2c30d73b47

SHA1
9062c9a34b4b2896bdb431ad628aa207bfb4e526

SHA256
03131ae997063b1522072a2bc6c07e40948d94ac97bad683a017daf8bf5ba4c5

SHA512
a0fddf908e9576361ce2d07bffd14baa7c6a86078faaa22c3e0227c530b09843ab037ea8390c1380dd924dfed67c1ad1bdb3dc005a7bea89cdbce3ea751c1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za006943.exe

Filesize
592KB

MD5
b2a17d25df6c6f9f087a1a2c30d73b47

SHA1
9062c9a34b4b2896bdb431ad628aa207bfb4e526

SHA256
03131ae997063b1522072a2bc6c07e40948d94ac97bad683a017daf8bf5ba4c5

SHA512
a0fddf908e9576361ce2d07bffd14baa7c6a86078faaa22c3e0227c530b09843ab037ea8390c1380dd924dfed67c1ad1bdb3dc005a7bea89cdbce3ea751c1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\23618535.exe

Filesize
377KB

MD5
e6fef72cc41ec0f12373382601a8c0a6

SHA1
bd3d62d966f42520aaf8c919286d1c618401bf0b

SHA256
d8715555f2bb26ede8831bb2f82b09d63eab356dc502fc8641cf182f990f4b36

SHA512
d779ea410092aa31d1af10a1d32a1d84e29b2120ee6bf73ba2c343755a16f427215c5c61644bc8238d52d21ca2670b3cf5488637575579e49ec3fb346e8de0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\23618535.exe

Filesize
377KB

MD5
e6fef72cc41ec0f12373382601a8c0a6

SHA1
bd3d62d966f42520aaf8c919286d1c618401bf0b

SHA256
d8715555f2bb26ede8831bb2f82b09d63eab356dc502fc8641cf182f990f4b36

SHA512
d779ea410092aa31d1af10a1d32a1d84e29b2120ee6bf73ba2c343755a16f427215c5c61644bc8238d52d21ca2670b3cf5488637575579e49ec3fb346e8de0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31Tw36.exe

Filesize
459KB

MD5
f26f082d3165716a437277b14fb96449

SHA1
963b47dcae45314f6f2dfbd44df6ed06a7cb1b09

SHA256
92fa2e78d0e6c251b4012b71bc547cb61f494414defab1934a77870cf871ed2c

SHA512
48ac93c30e0c24f7ed04145e94fce08ac984e9471b900e81c760694bd6a7c2334702ad017a7af007c010e2c1161563472bc8e39f36225e50cadc25f048dac195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w31Tw36.exe

Filesize
459KB

MD5
f26f082d3165716a437277b14fb96449

SHA1
963b47dcae45314f6f2dfbd44df6ed06a7cb1b09

SHA256
92fa2e78d0e6c251b4012b71bc547cb61f494414defab1934a77870cf871ed2c

SHA512
48ac93c30e0c24f7ed04145e94fce08ac984e9471b900e81c760694bd6a7c2334702ad017a7af007c010e2c1161563472bc8e39f36225e50cadc25f048dac195

Download Submit
memory/2096-193-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2096-159-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-161-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-163-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-169-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-167-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-173-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-171-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-175-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-177-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-165-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-179-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-181-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-183-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-185-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-186-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2096-187-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2096-188-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2096-189-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2096-191-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2096-192-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2096-158-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2096-197-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2096-157-0x0000000004D30000-0x00000000052D4000-memory.dmp

Filesize
5.6MB

Download
memory/2096-156-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4692-205-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-231-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-202-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-207-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-209-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-211-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-213-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-217-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-215-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-219-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-223-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-225-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-221-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-227-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-229-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-203-0x0000000005410000-0x0000000005445000-memory.dmp

Filesize
212KB

Download
memory/4692-352-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/4692-354-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-356-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-358-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-998-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/4692-999-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4692-1000-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4692-1001-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4692-1002-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-1004-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-1005-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-1006-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/4692-1008-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download