redline | 15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe
Size

599KB
MD5

67076f2b9f7cc7b4892d743f2df82bde
SHA1

1fbf0fd2ca51e826e006e6ba84221f370794e8f3
SHA256

15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7
SHA512

51daf79bee987471bb8ef5cfe387f02b0c8a4f8d8b29ed265d0c303b768be3aa5aa250a13c0361ae60308a1eb9bd87f33ec75a113c934330347359751d364304
SSDEEP

12288:uMrMy90Zp34e/CksvdnHGjlzwUsTorCNl8GC5TpZNU0e+u:ey9kyBGjVsT/3jC5TXNe/

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3132-148-0x00000000079B0000-0x0000000007FC8000-memory.dmp	redline_stealer
behavioral2/memory/3132-153-0x00000000077C0000-0x0000000007826000-memory.dmp	redline_stealer
behavioral2/memory/3132-157-0x0000000008E70000-0x0000000009032000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l0643003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l0643003.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l0643003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l0643003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l0643003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l0643003.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1364	y5761640.exe
3132	k4606294.exe
1704	l0643003.exe
392	m7511088.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l0643003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l0643003.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5761640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5761640.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4820	392	WerFault.exe	96
4308	392	WerFault.exe	96
3924	392	WerFault.exe	96
2052	392	WerFault.exe	96
4216	392	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3132	k4606294.exe
3132	k4606294.exe
1704	l0643003.exe
1704	l0643003.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	k4606294.exe
Token: SeDebugPrivilege	1704	l0643003.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1364	2428	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe	86
PID 2428 wrote to memory of 1364	2428	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe	86
PID 2428 wrote to memory of 1364	2428	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe	86
PID 1364 wrote to memory of 3132	1364	y5761640.exe	87
PID 1364 wrote to memory of 3132	1364	y5761640.exe	87
PID 1364 wrote to memory of 3132	1364	y5761640.exe	87
PID 1364 wrote to memory of 1704	1364	y5761640.exe	93
PID 1364 wrote to memory of 1704	1364	y5761640.exe	93
PID 1364 wrote to memory of 1704	1364	y5761640.exe	93
PID 2428 wrote to memory of 392	2428	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe	96
PID 2428 wrote to memory of 392	2428	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe	96
PID 2428 wrote to memory of 392	2428	15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe	96

C:\Users\Admin\AppData\Local\Temp\15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe
"C:\Users\Admin\AppData\Local\Temp\15f5bf9aa1380726403d8cf31e4d06684417273e99ac6b7446251912c5dc2ca7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5761640.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5761640.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4606294.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4606294.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0643003.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0643003.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7511088.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7511088.exe
  2⤵
  - Executes dropped EXE
  PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 696
    3⤵
    - Program crash
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 780
    3⤵
    - Program crash
    PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 800
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 968
    3⤵
    - Program crash
    PID:2052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 968
    3⤵
    - Program crash
    PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 392 -ip 392
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 392 -ip 392
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 392 -ip 392
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 392 -ip 392
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 392 -ip 392
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7511088.exe

Filesize
340KB

MD5
845ea211aaf625324491a68918ed6f35

SHA1
9e3cf73ceb7bbcd02b15a95ce77a81ec20c92463

SHA256
3a48addbcdff427d25bdcaa063972e006d1a5f2c3791ef07d43ea85313799bb3

SHA512
38af14c2c97e14d9cd71b4905f4fb65e40dd6d6fcd96751d03f6f657b17ad75b005384603a06115e2b834f99efea2ce354bc1dead7ede0d1e20746fc24332d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7511088.exe

Filesize
340KB

MD5
845ea211aaf625324491a68918ed6f35

SHA1
9e3cf73ceb7bbcd02b15a95ce77a81ec20c92463

SHA256
3a48addbcdff427d25bdcaa063972e006d1a5f2c3791ef07d43ea85313799bb3

SHA512
38af14c2c97e14d9cd71b4905f4fb65e40dd6d6fcd96751d03f6f657b17ad75b005384603a06115e2b834f99efea2ce354bc1dead7ede0d1e20746fc24332d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5761640.exe

Filesize
307KB

MD5
9a5ff2d49e923d6e5f35e3657e51555b

SHA1
d313aa8c0180c66c48ae71c7ca5faab5ab04be12

SHA256
2da2656733d85a97bc16e0784bd2eeaea9e90eefa299d5fb978eb368f529f158

SHA512
faed875998cc3fcbb9f232c59d2d7ef12cb47ac1a620de66919c77c21bc02059d6109147be6e7f0ffe5dda0ff74cdc4828fcc4e6112fda07492a9ae5ed6b2992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5761640.exe

Filesize
307KB

MD5
9a5ff2d49e923d6e5f35e3657e51555b

SHA1
d313aa8c0180c66c48ae71c7ca5faab5ab04be12

SHA256
2da2656733d85a97bc16e0784bd2eeaea9e90eefa299d5fb978eb368f529f158

SHA512
faed875998cc3fcbb9f232c59d2d7ef12cb47ac1a620de66919c77c21bc02059d6109147be6e7f0ffe5dda0ff74cdc4828fcc4e6112fda07492a9ae5ed6b2992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4606294.exe

Filesize
136KB

MD5
dbcd0dc60f4823693df743994913c3f4

SHA1
0acfa0a5266445756680f5461c2390db9942c990

SHA256
a33b3a07e11cf27bd46bc6b5f50a28469e323e5e3bc5d68d6fbd298ca656780c

SHA512
0819aae5f2228a296a62ab066ba3df86760e659fb0124183d10977626eee42692aa003e6f6caaa55f7eebac953de33eb76e71ce533a7e520b075c426d6c5a1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4606294.exe

Filesize
136KB

MD5
dbcd0dc60f4823693df743994913c3f4

SHA1
0acfa0a5266445756680f5461c2390db9942c990

SHA256
a33b3a07e11cf27bd46bc6b5f50a28469e323e5e3bc5d68d6fbd298ca656780c

SHA512
0819aae5f2228a296a62ab066ba3df86760e659fb0124183d10977626eee42692aa003e6f6caaa55f7eebac953de33eb76e71ce533a7e520b075c426d6c5a1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0643003.exe

Filesize
175KB

MD5
c26459bb4088797519ec48043ba5f69f

SHA1
5cab7e3599133525af71fc895fb4ec307f55e40f

SHA256
b93d1a36f2c2d88d37d31666c5c5f2054357d445b0f793c98314c0e02357d2c1

SHA512
dee94d3797e9983326785e405608f3c2f6190a4c5d9045caa75e7b3dd31c3b16598fe48123367cfd27687b1a5711debb31ab1ef1979004398286dfcc7d3dfdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0643003.exe

Filesize
175KB

MD5
c26459bb4088797519ec48043ba5f69f

SHA1
5cab7e3599133525af71fc895fb4ec307f55e40f

SHA256
b93d1a36f2c2d88d37d31666c5c5f2054357d445b0f793c98314c0e02357d2c1

SHA512
dee94d3797e9983326785e405608f3c2f6190a4c5d9045caa75e7b3dd31c3b16598fe48123367cfd27687b1a5711debb31ab1ef1979004398286dfcc7d3dfdd0

Download Submit
memory/392-206-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/392-205-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/1704-189-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-193-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-199-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1704-198-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1704-197-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1704-196-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1704-195-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1704-194-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1704-191-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-187-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-185-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-166-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-167-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-169-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-171-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-173-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-175-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-177-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-179-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-181-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/1704-183-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/3132-159-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/3132-157-0x0000000008E70000-0x0000000009032000-memory.dmp

Filesize
1.8MB

Download
memory/3132-151-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/3132-161-0x0000000002890000-0x00000000028E0000-memory.dmp

Filesize
320KB

Download
memory/3132-154-0x0000000008270000-0x0000000008302000-memory.dmp

Filesize
584KB

Download
memory/3132-160-0x00000000085F0000-0x000000000860E000-memory.dmp

Filesize
120KB

Download
memory/3132-153-0x00000000077C0000-0x0000000007826000-memory.dmp

Filesize
408KB

Download
memory/3132-158-0x0000000009570000-0x0000000009A9C000-memory.dmp

Filesize
5.2MB

Download
memory/3132-152-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/3132-156-0x0000000008490000-0x0000000008506000-memory.dmp

Filesize
472KB

Download
memory/3132-155-0x00000000088C0000-0x0000000008E64000-memory.dmp

Filesize
5.6MB

Download
memory/3132-150-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-149-0x0000000007400000-0x0000000007412000-memory.dmp

Filesize
72KB

Download
memory/3132-148-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3132-147-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download