redline | ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Size

697KB
MD5

6efc55934592cb8a85fa3a83f993e28b
SHA1

6cee545cc11d14da88aefae0cde0ad44eaee2940
SHA256

ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355
SHA512

d21b01eb3020aae0fed567e1845ab88c521b54c8ed6df7823cb32198710f076605a7cf95958191e0c003f89e07a08e1249c560cf29490fe20f033410f4764a9f
SSDEEP

12288:ty90fnQ4MUmOE9EQxywvAj9ujjNNCaW3EwXldSVhhYWj57vlzO:ty/4xc9EQxyLYjBmZXlQnnfzO

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1696-986-0x0000000009D20000-0x000000000A338000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	69072912.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	69072912.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2580	un039840.exe
2224	69072912.exe
1696	rk859349.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	69072912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	69072912.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un039840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un039840.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3660	2224	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	69072912.exe
2224	69072912.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	69072912.exe
Token: SeDebugPrivilege	1696	rk859349.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2580	2256	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	87
PID 2256 wrote to memory of 2580	2256	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	87
PID 2256 wrote to memory of 2580	2256	ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe	87
PID 2580 wrote to memory of 2224	2580	un039840.exe	88
PID 2580 wrote to memory of 2224	2580	un039840.exe	88
PID 2580 wrote to memory of 2224	2580	un039840.exe	88
PID 2580 wrote to memory of 1696	2580	un039840.exe	91
PID 2580 wrote to memory of 1696	2580	un039840.exe	91
PID 2580 wrote to memory of 1696	2580	un039840.exe	91

C:\Users\Admin\AppData\Local\Temp\ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe
"C:\Users\Admin\AppData\Local\Temp\ec8e63103dbd25e27239eafb0c5e218c5da2d8e464792bb5100309a2812de355.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1080
      4⤵
      Program crash
      PID:3660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2224 -ip 2224
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe

Filesize
542KB

MD5
95de9bc57944caa7d11e546c1ca89d6b

SHA1
3f5de289e52313a924836e77a80b5f877d583b84

SHA256
02fa75eb5e34fc192926f82b85cc0b829fa58751cc5ea800df61285420d7178d

SHA512
63a25a1eca8b77a65ef789d0f5132798967d3be5d689b9094167036b7b0a7f0fa5326f46dbb28c1183aaba4a0b8d4c75fa44be9fa578ff415c9b78f1eb447246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un039840.exe

Filesize
542KB

MD5
95de9bc57944caa7d11e546c1ca89d6b

SHA1
3f5de289e52313a924836e77a80b5f877d583b84

SHA256
02fa75eb5e34fc192926f82b85cc0b829fa58751cc5ea800df61285420d7178d

SHA512
63a25a1eca8b77a65ef789d0f5132798967d3be5d689b9094167036b7b0a7f0fa5326f46dbb28c1183aaba4a0b8d4c75fa44be9fa578ff415c9b78f1eb447246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe

Filesize
263KB

MD5
872e0454fee70310ccfe1b94b13cfa7b

SHA1
7a5ecac3fd09c5953ab3c00565eb44b88c52860f

SHA256
48db4f6ecbac38e315f4159056f5addf427f4769bc3f539f48721566ce56a4c8

SHA512
f84597d292e14a0ad8d968606096b23b12090c5af6dcdde451fe7962edc3a1dd791b64603f9a5206386919e548e4a984ae407512ca17144d3a501ba07f1ec208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\69072912.exe

Filesize
263KB

MD5
872e0454fee70310ccfe1b94b13cfa7b

SHA1
7a5ecac3fd09c5953ab3c00565eb44b88c52860f

SHA256
48db4f6ecbac38e315f4159056f5addf427f4769bc3f539f48721566ce56a4c8

SHA512
f84597d292e14a0ad8d968606096b23b12090c5af6dcdde451fe7962edc3a1dd791b64603f9a5206386919e548e4a984ae407512ca17144d3a501ba07f1ec208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe

Filesize
328KB

MD5
49413204f477a7b87e6ee8781d5bc523

SHA1
2aa8c3acc2bde76e60c55e44efe4acc3781ec519

SHA256
aa1c0631059ce7c8c6cdb17fd27fe38aae1c0f8aedffb4a9f9fc76c58bf7ac73

SHA512
249150fd49c26c124235c73b0b2e5eba9ecefd3a221b2bb91ad3fcc5e3472660434c64681fbd2484964d312fcfd0c67852b6c6f7994a92305e2697051420dbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk859349.exe

Filesize
328KB

MD5
49413204f477a7b87e6ee8781d5bc523

SHA1
2aa8c3acc2bde76e60c55e44efe4acc3781ec519

SHA256
aa1c0631059ce7c8c6cdb17fd27fe38aae1c0f8aedffb4a9f9fc76c58bf7ac73

SHA512
249150fd49c26c124235c73b0b2e5eba9ecefd3a221b2bb91ad3fcc5e3472660434c64681fbd2484964d312fcfd0c67852b6c6f7994a92305e2697051420dbc3

Download Submit
memory/1696-218-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-354-0x00000000046F0000-0x0000000004736000-memory.dmp

Filesize
280KB

Download
memory/1696-995-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-994-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-993-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-992-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-990-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-196-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-989-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/1696-988-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-987-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/1696-194-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-357-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-355-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/1696-192-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-200-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-224-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-222-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-220-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-216-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-214-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-212-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-210-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-208-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-206-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-191-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-204-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-986-0x0000000009D20000-0x000000000A338000-memory.dmp

Filesize
6.1MB

Download
memory/1696-202-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/1696-198-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/2224-176-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-160-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-151-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2224-149-0x0000000007260000-0x0000000007804000-memory.dmp

Filesize
5.6MB

Download
memory/2224-150-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2224-186-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2224-183-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2224-184-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2224-182-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2224-148-0x0000000002D00000-0x0000000002D2D000-memory.dmp

Filesize
180KB

Download
memory/2224-181-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2224-180-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-178-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-174-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-172-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-170-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-168-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-166-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-164-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-162-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-158-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-156-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-154-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-153-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/2224-152-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download