redline | f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe
Size

693KB
MD5

4b9e25f182a3ec7a379c101134ce7320
SHA1

5eb756750abe820c9565b489e8ac90b20c06f233
SHA256

f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b
SHA512

24090aed61e9b7c319b400366c4876ddaa25587eed14ab04a66603cc16b6b5d637f638f22b1c77d3648690118c773afae40b94e0c94ef6c7be62facab506f240
SSDEEP

12288:Yy90D9PUZ3I0XPZAhrOyQJwSkcEJ2tvtwreXYUKCoWz6FW18bzK9A+LAFnC:YyQY7BAhCxccNtvtyeoU/J6FW18bzSxz

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2772-987-0x0000000009C40000-0x000000000A258000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	65745420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	65745420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	65745420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	65745420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	65745420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	65745420.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4424	un767156.exe
3660	65745420.exe
2772	rk469979.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	65745420.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	65745420.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un767156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un767156.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	3660	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	65745420.exe
3660	65745420.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	65745420.exe
Token: SeDebugPrivilege	2772	rk469979.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4424	1372	f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe	83
PID 1372 wrote to memory of 4424	1372	f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe	83
PID 1372 wrote to memory of 4424	1372	f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe	83
PID 4424 wrote to memory of 3660	4424	un767156.exe	84
PID 4424 wrote to memory of 3660	4424	un767156.exe	84
PID 4424 wrote to memory of 3660	4424	un767156.exe	84
PID 4424 wrote to memory of 2772	4424	un767156.exe	93
PID 4424 wrote to memory of 2772	4424	un767156.exe	93
PID 4424 wrote to memory of 2772	4424	un767156.exe	93

C:\Users\Admin\AppData\Local\Temp\f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe
"C:\Users\Admin\AppData\Local\Temp\f3878e3193c9cf4f56105966f1bba82ab5ffa81cb0117b3b9102e4ae405c037b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un767156.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un767156.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65745420.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65745420.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1096
      4⤵
      Program crash
      PID:2060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469979.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3660 -ip 3660
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un767156.exe

Filesize
540KB

MD5
e7013ba8775cc855b3e16226989c0e96

SHA1
e0a77ced0e2d33194346bb83f1755c1c3d7a8e7f

SHA256
7356ea11a956704246ec5cb9f852e9bed8123f1e68ba6d80e6c064b4183aebec

SHA512
be664dd23061e7cdafb3b169cfda5250b1f180dfbfc82e7c409ec542494379c5430156e011c5fc65866d5ca8649d4b663d36608c06f0f5f350417f1b60991e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un767156.exe

Filesize
540KB

MD5
e7013ba8775cc855b3e16226989c0e96

SHA1
e0a77ced0e2d33194346bb83f1755c1c3d7a8e7f

SHA256
7356ea11a956704246ec5cb9f852e9bed8123f1e68ba6d80e6c064b4183aebec

SHA512
be664dd23061e7cdafb3b169cfda5250b1f180dfbfc82e7c409ec542494379c5430156e011c5fc65866d5ca8649d4b663d36608c06f0f5f350417f1b60991e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65745420.exe

Filesize
258KB

MD5
63fad0828043cd7e27373613053c89be

SHA1
4c5bb83fde449f75dff5dc3996f67c96f0eeb655

SHA256
9d8d3b9a06e0e3970220b454d58a30c75cba2913f2f7385d766b19d985235922

SHA512
2984c26096ada19b72dffc66aebdefed1723f09f1c806914e6930c10ecae01f565339b29b888899d4e1e5de0a9791e767ac959029daaf10ca77c2ef3d848df5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65745420.exe

Filesize
258KB

MD5
63fad0828043cd7e27373613053c89be

SHA1
4c5bb83fde449f75dff5dc3996f67c96f0eeb655

SHA256
9d8d3b9a06e0e3970220b454d58a30c75cba2913f2f7385d766b19d985235922

SHA512
2984c26096ada19b72dffc66aebdefed1723f09f1c806914e6930c10ecae01f565339b29b888899d4e1e5de0a9791e767ac959029daaf10ca77c2ef3d848df5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469979.exe

Filesize
340KB

MD5
7d89039aa8848f728d64988feb89abc9

SHA1
6344a11b85b889f69b9cceadedb8921909654fc6

SHA256
b620eb337f466925899eec924e2381f77381cf95c1f4727b8a16126f17e6dc97

SHA512
c1c9983802b93ff4b8323cff71719cfeff00f8728c36223bf81b1364ae0d6ffb11397bf97c2e875bfd2cab550cf1fa64959b653c12665b94dbdf640f067752eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk469979.exe

Filesize
340KB

MD5
7d89039aa8848f728d64988feb89abc9

SHA1
6344a11b85b889f69b9cceadedb8921909654fc6

SHA256
b620eb337f466925899eec924e2381f77381cf95c1f4727b8a16126f17e6dc97

SHA512
c1c9983802b93ff4b8323cff71719cfeff00f8728c36223bf81b1364ae0d6ffb11397bf97c2e875bfd2cab550cf1fa64959b653c12665b94dbdf640f067752eb

Download Submit
memory/2772-218-0x0000000002BF0000-0x0000000002C36000-memory.dmp

Filesize
280KB

Download
memory/2772-222-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-194-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-996-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-994-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-995-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-993-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-196-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/2772-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2772-987-0x0000000009C40000-0x000000000A258000-memory.dmp

Filesize
6.1MB

Download
memory/2772-198-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-223-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-224-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-220-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-219-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-216-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-212-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-214-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-210-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-208-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-206-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-204-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-192-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-191-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-202-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-991-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2772-226-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/2772-200-0x0000000007720000-0x0000000007755000-memory.dmp

Filesize
212KB

Download
memory/3660-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3660-156-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-150-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3660-176-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-183-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3660-182-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3660-172-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-180-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-178-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-148-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/3660-153-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-151-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3660-174-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3660-152-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/3660-168-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-166-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-164-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-162-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-160-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-158-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-149-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3660-154-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/3660-170-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download