redline | f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d

Analysis

max time kernel
79s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
Size

746KB
MD5

4b53634946708eb662a8a377edac685d
SHA1

c97e4612369703bd8b807628582c3451601e05cf
SHA256

f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d
SHA512

9ae1551fe7162c26b2dddc36e04ba69f8246ea011d7c328a2dbd292a194f9a978d4090cf66c2edcead525c59a195ac333bcdcacc085a01ef59c66bdbdb90d61d
SSDEEP

12288:Ny90HFiljGXWvJFKxRUHo9kQ68pGEvrr9axBtAosAr0wp+xcxxtqd:NyKdmGxKI9k1BQrkJAoGxcXkd

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4452-986-0x00000000079B0000-0x0000000007FC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	19686149.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	19686149.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4364	un939618.exe
3832	19686149.exe
4452	rk594735.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	19686149.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	19686149.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un939618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un939618.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3584	3832	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	19686149.exe
3832	19686149.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	19686149.exe
Token: SeDebugPrivilege	4452	rk594735.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4364	5004	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	79
PID 5004 wrote to memory of 4364	5004	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	79
PID 5004 wrote to memory of 4364	5004	f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe	79
PID 4364 wrote to memory of 3832	4364	un939618.exe	80
PID 4364 wrote to memory of 3832	4364	un939618.exe	80
PID 4364 wrote to memory of 3832	4364	un939618.exe	80
PID 4364 wrote to memory of 4452	4364	un939618.exe	89
PID 4364 wrote to memory of 4452	4364	un939618.exe	89
PID 4364 wrote to memory of 4452	4364	un939618.exe	89

C:\Users\Admin\AppData\Local\Temp\f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe
"C:\Users\Admin\AppData\Local\Temp\f10a09568a87e6c91c1c07cf7eb5b87aaf469aa7d0d3ddefe5a3a01b12308f2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1036
      4⤵
      Program crash
      PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3832 -ip 3832
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe

Filesize
592KB

MD5
78dce45a13b995d3396c59fcae5f8d92

SHA1
dbd6d450c367c5af9de2a0f5342543934a36a48f

SHA256
9b5316a729befe990929e5f3f99888d1f4da18ad1b0e838f4d98fd1fc8bb128d

SHA512
a4fabab12d874698d0682cadd678aaae9c81fad33961b5b96909c5feb8877a10a47053c99f287497a813b49bc9a076ac0d0bad9b6277853f6c50576f2979ef58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939618.exe

Filesize
592KB

MD5
78dce45a13b995d3396c59fcae5f8d92

SHA1
dbd6d450c367c5af9de2a0f5342543934a36a48f

SHA256
9b5316a729befe990929e5f3f99888d1f4da18ad1b0e838f4d98fd1fc8bb128d

SHA512
a4fabab12d874698d0682cadd678aaae9c81fad33961b5b96909c5feb8877a10a47053c99f287497a813b49bc9a076ac0d0bad9b6277853f6c50576f2979ef58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19686149.exe

Filesize
376KB

MD5
88cc799dde137f8a38384a7f16986cb3

SHA1
fd40003a2332d5bdb7fff153f460588d1d9510a3

SHA256
5a0f5eff9ef6498c770de66d503d94242679327547e43cb425fba161dac0b24e

SHA512
95e0c1f2543f9d6074dd90ceae0af88fe05f1ae5ccb3a6838e785cdf387bc0a1d4711b63dd7dcad34b8518860d9ad5b7fc6b2bfa84b567ed3eba9ded3715b5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594735.exe

Filesize
459KB

MD5
409ebf79e8d48ecbbd4ab87c02041674

SHA1
2b8d5d7983962686b61a9156e25f981025184822

SHA256
14f5093881bee4fb4db02f9cd592197bb3da68b1349c65e2b5296acedb3c0533

SHA512
5b2207a240a78c9bf77cc9dc80a7d69d0c46bf68304da904ef7ebf120d67d263951c3394ddd080d4dda5f7047b20abf44ea1112814afdea9aeadd96eaa455d29

Download Submit
memory/3832-148-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/3832-149-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3832-150-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3832-151-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/3832-153-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-152-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-155-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-157-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-159-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-161-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-163-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-165-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-167-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-169-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-171-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-173-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-175-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-177-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-179-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/3832-180-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3832-181-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3832-182-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3832-183-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3832-185-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4452-190-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/4452-191-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-192-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-193-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-194-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-196-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-198-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-200-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-202-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-204-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-206-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-208-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-210-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-212-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-214-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-216-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-218-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-220-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-222-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-224-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-226-0x0000000002760000-0x0000000002795000-memory.dmp

Filesize
212KB

Download
memory/4452-517-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-986-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/4452-987-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/4452-988-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/4452-989-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4452-990-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-992-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-993-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-994-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4452-995-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download