redline | e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
Size

694KB
MD5

350833d78e9db8d00bdfa6761a37b3fc
SHA1

6028a30702af762ba2eac5a09e082b6b4769dbdd
SHA256

e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192
SHA512

fb17351992022e8f50ab15185591c78d4d3b3942adb776a6f087aaff55dcea1322895fba7d7456db94cc15215c85f71cd68ebcd9520cd83d91b0000de7ca0667
SSDEEP

12288:ly90z+lRbd1CkIzfNnTiRqlniqVdUN0cR/bP5zBjPJBWWrh:lyqwWkMfNWRqlRdUeYbRBTh

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4380-987-0x0000000009CA0000-0x000000000A2B8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	18709478.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	18709478.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	18709478.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	18709478.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	18709478.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	18709478.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1260	un181759.exe
4168	18709478.exe
4380	rk263891.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	18709478.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	18709478.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un181759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un181759.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1376	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4012	4168	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	18709478.exe
4168	18709478.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	18709478.exe
Token: SeDebugPrivilege	4380	rk263891.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1260	3004	e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe	89
PID 3004 wrote to memory of 1260	3004	e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe	89
PID 3004 wrote to memory of 1260	3004	e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe	89
PID 1260 wrote to memory of 4168	1260	un181759.exe	90
PID 1260 wrote to memory of 4168	1260	un181759.exe	90
PID 1260 wrote to memory of 4168	1260	un181759.exe	90
PID 1260 wrote to memory of 4380	1260	un181759.exe	96
PID 1260 wrote to memory of 4380	1260	un181759.exe	96
PID 1260 wrote to memory of 4380	1260	un181759.exe	96

C:\Users\Admin\AppData\Local\Temp\e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe
"C:\Users\Admin\AppData\Local\Temp\e9a9f5900e3db922068e24197e4fe4462c1df8ff184bc662bc4eedc846383192.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un181759.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un181759.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18709478.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18709478.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1080
      4⤵
      Program crash
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263891.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263891.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4168 -ip 4168
1⤵
PID:4872

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un181759.exe

Filesize
540KB

MD5
e22d9cca9707e68c58e0249fc5ca1730

SHA1
68749f886565be36c6d5964b35707b6f1626d21d

SHA256
f9d67f943a4731803176e24167ddeb18a27be9b6fefb58eadf59c04e7d2cfc75

SHA512
803e5cba7cc0c3b8f4e4403b4b37b00ef88ccd26d5f69006cb1ce76d1a44442678c6f59a4de9b768108609d13f7d98094d7d08bd36dc787764647940d1104736

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un181759.exe

Filesize
540KB

MD5
e22d9cca9707e68c58e0249fc5ca1730

SHA1
68749f886565be36c6d5964b35707b6f1626d21d

SHA256
f9d67f943a4731803176e24167ddeb18a27be9b6fefb58eadf59c04e7d2cfc75

SHA512
803e5cba7cc0c3b8f4e4403b4b37b00ef88ccd26d5f69006cb1ce76d1a44442678c6f59a4de9b768108609d13f7d98094d7d08bd36dc787764647940d1104736

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18709478.exe

Filesize
258KB

MD5
511ebe091c92581b0be0d6166af6be51

SHA1
f8a143ec994fb42e5fce49bdc92a8258f25b20d0

SHA256
dbdeda317f1238a7ce1086898076f93ecc418159b70f5f1e9fc5697fe51f73af

SHA512
119e9d99173b2547d1b12e6ab8391c25ca9c7572fa3e80fcbdf74d47c26f755dd69cafa29486343d591598c18e7d859eb2ceebd1b2ac6e2c1a4cac52667e3a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18709478.exe

Filesize
258KB

MD5
511ebe091c92581b0be0d6166af6be51

SHA1
f8a143ec994fb42e5fce49bdc92a8258f25b20d0

SHA256
dbdeda317f1238a7ce1086898076f93ecc418159b70f5f1e9fc5697fe51f73af

SHA512
119e9d99173b2547d1b12e6ab8391c25ca9c7572fa3e80fcbdf74d47c26f755dd69cafa29486343d591598c18e7d859eb2ceebd1b2ac6e2c1a4cac52667e3a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263891.exe

Filesize
341KB

MD5
8ecd2d96f80a98d6e7bb2cca69f72604

SHA1
cba3cfc3f264e9bc9a35129118366f7a2525ad2f

SHA256
88c35f3970b0a8be24d6f8698d01bf60444051ea65fd6f0296eb4b47667cdc19

SHA512
7952c58391530da86679732a79984e926c1e79ceab3ce54f0caf60eff92af489a86c71ff51f66e859bf8f96898944e845b286a6a2c7a8b47f719ce5ddfd00b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk263891.exe

Filesize
341KB

MD5
8ecd2d96f80a98d6e7bb2cca69f72604

SHA1
cba3cfc3f264e9bc9a35129118366f7a2525ad2f

SHA256
88c35f3970b0a8be24d6f8698d01bf60444051ea65fd6f0296eb4b47667cdc19

SHA512
7952c58391530da86679732a79984e926c1e79ceab3ce54f0caf60eff92af489a86c71ff51f66e859bf8f96898944e845b286a6a2c7a8b47f719ce5ddfd00b0d

Download Submit
memory/4168-164-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-160-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-152-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/4168-153-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-156-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-158-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-154-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-150-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/4168-162-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-151-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/4168-166-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-170-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-168-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-172-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-174-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-176-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-180-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-178-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/4168-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4168-182-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/4168-183-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/4168-184-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/4168-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4168-149-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/4168-148-0x0000000007130000-0x00000000076D4000-memory.dmp

Filesize
5.6MB

Download
memory/4380-214-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-241-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4380-238-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4380-192-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-198-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-200-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-202-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-204-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-206-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-208-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-210-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-212-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-218-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-191-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-196-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-216-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-987-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

Filesize
6.1MB

Download
memory/4380-220-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-235-0x0000000002C80000-0x0000000002CC6000-memory.dmp

Filesize
280KB

Download
memory/4380-236-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4380-224-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-194-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-222-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4380-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/4380-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/4380-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/4380-991-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4380-993-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4380-994-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4380-995-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download