redline | 1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461

Analysis

max time kernel
203s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe
Size

1.3MB
MD5

3c318275db9c2d6b9a1d4ecadf4980ea
SHA1

fc389a27551dd706db6f7cb0faa2cfda00c3b25c
SHA256

1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461
SHA512

807ac32911ddfb37f2cca4ef14b03b9e2181a3c15288f3e91cbdd083cc0e9559401cc6e7aa4cc55688842d3588614b9d8d4613825dae28917a6eb607f07faa4a
SSDEEP

24576:6y1+hPWiIYSFzXvrLvQh5Ygb2JHm+eRt534o9klyJw:BS1IY2zjTQHYtG+eRtFH

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4484-208-0x00000000075E0000-0x0000000007BF8000-memory.dmp	redline_stealer
behavioral2/memory/4484-214-0x0000000007520000-0x0000000007586000-memory.dmp	redline_stealer
behavioral2/memory/4484-219-0x00000000082C0000-0x0000000008482000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	n0436510.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	n0436510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	n0436510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	n0436510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	n0436510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	n0436510.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3208	z9146087.exe
3664	z0864955.exe
180	z7094504.exe
3852	n0436510.exe
4484	o9654310.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	n0436510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	n0436510.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0864955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0864955.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7094504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7094504.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9146087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9146087.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	3852	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3852	n0436510.exe
3852	n0436510.exe
4484	o9654310.exe
4484	o9654310.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	n0436510.exe
Token: SeDebugPrivilege	4484	o9654310.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 3208	1244	1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe	84
PID 1244 wrote to memory of 3208	1244	1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe	84
PID 1244 wrote to memory of 3208	1244	1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe	84
PID 3208 wrote to memory of 3664	3208	z9146087.exe	85
PID 3208 wrote to memory of 3664	3208	z9146087.exe	85
PID 3208 wrote to memory of 3664	3208	z9146087.exe	85
PID 3664 wrote to memory of 180	3664	z0864955.exe	86
PID 3664 wrote to memory of 180	3664	z0864955.exe	86
PID 3664 wrote to memory of 180	3664	z0864955.exe	86
PID 180 wrote to memory of 3852	180	z7094504.exe	87
PID 180 wrote to memory of 3852	180	z7094504.exe	87
PID 180 wrote to memory of 3852	180	z7094504.exe	87
PID 180 wrote to memory of 4484	180	z7094504.exe	91
PID 180 wrote to memory of 4484	180	z7094504.exe	91
PID 180 wrote to memory of 4484	180	z7094504.exe	91

C:\Users\Admin\AppData\Local\Temp\1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe
"C:\Users\Admin\AppData\Local\Temp\1b6194a6aa3aff77aaccf9fb3483a73312817ed021c48a29346c3274d8c05461.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9146087.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9146087.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0864955.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0864955.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7094504.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7094504.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0436510.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0436510.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1088
        6⤵
        Program crash
        
        PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9654310.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9654310.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3852 -ip 3852
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9146087.exe

Filesize
1.1MB

MD5
24e526668763231eddd9c748cb86260b

SHA1
63414d77e13643836e0d9c3ddd6ded82143a9f5a

SHA256
3ab8e7e3296b5c195e46b18d286c9f78d6cc57c6598556d26728ce049eacf70a

SHA512
6891af517c9ab97580f570520f002db89bb0ad3cacf7bb8cf24e655acec3a1dd038247830aa72062a2c4d5f4311d7934a22384c872140e44ad3ebc2b1491e64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9146087.exe

Filesize
1.1MB

MD5
24e526668763231eddd9c748cb86260b

SHA1
63414d77e13643836e0d9c3ddd6ded82143a9f5a

SHA256
3ab8e7e3296b5c195e46b18d286c9f78d6cc57c6598556d26728ce049eacf70a

SHA512
6891af517c9ab97580f570520f002db89bb0ad3cacf7bb8cf24e655acec3a1dd038247830aa72062a2c4d5f4311d7934a22384c872140e44ad3ebc2b1491e64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0864955.exe

Filesize
621KB

MD5
467c7d4d4923a0966e5012b6efad1856

SHA1
f3a6c6a56e7e17263e6d79b43346580254cb3f7e

SHA256
ae1ff25d16e0a436001a714e504ac505da831ef575208797b00cc280b4b6a7ba

SHA512
c7afb6260672db4aaa26eb2c1a8fa54d2c669656132ac4f84f736b569e899c762da368230dee2f4223c6de636c1bc9febfcc61ba956c16d1029dc67aee136fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0864955.exe

Filesize
621KB

MD5
467c7d4d4923a0966e5012b6efad1856

SHA1
f3a6c6a56e7e17263e6d79b43346580254cb3f7e

SHA256
ae1ff25d16e0a436001a714e504ac505da831ef575208797b00cc280b4b6a7ba

SHA512
c7afb6260672db4aaa26eb2c1a8fa54d2c669656132ac4f84f736b569e899c762da368230dee2f4223c6de636c1bc9febfcc61ba956c16d1029dc67aee136fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7094504.exe

Filesize
416KB

MD5
89174c3a12e4d7ae244641da51f34008

SHA1
f8779b010afa9b859c83841640376b2661dcb769

SHA256
ccb15d02bcd64c57dfc934024c1c3a8bc3901c8ed6d22a4a8894c66fe70aecd5

SHA512
9ac08eb0f4c5af6ba7a2bbabe85be7a2dc0ea1a4d278b1a724a19df40e8875442406c57c99412dffde53783d0a0edf66ba749c63b19d9a59e3a5b8efc998cb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7094504.exe

Filesize
416KB

MD5
89174c3a12e4d7ae244641da51f34008

SHA1
f8779b010afa9b859c83841640376b2661dcb769

SHA256
ccb15d02bcd64c57dfc934024c1c3a8bc3901c8ed6d22a4a8894c66fe70aecd5

SHA512
9ac08eb0f4c5af6ba7a2bbabe85be7a2dc0ea1a4d278b1a724a19df40e8875442406c57c99412dffde53783d0a0edf66ba749c63b19d9a59e3a5b8efc998cb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0436510.exe

Filesize
360KB

MD5
c18fb2271c8a94862cf50189e03c4012

SHA1
2c553d054065b71108bdd224911b75debedd8117

SHA256
fa2d56bf72be69205ceea69b6bff3ad9fc22455f254c4151f4a734ab81a773c5

SHA512
40f9310fa719ba2cf4c715fc227b626969c850b1357da936dcce18a13cdcb1c70de408e0ba50d2037d4e837c50a122231bc0ac62c36478da6abe3e260f62334a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n0436510.exe

Filesize
360KB

MD5
c18fb2271c8a94862cf50189e03c4012

SHA1
2c553d054065b71108bdd224911b75debedd8117

SHA256
fa2d56bf72be69205ceea69b6bff3ad9fc22455f254c4151f4a734ab81a773c5

SHA512
40f9310fa719ba2cf4c715fc227b626969c850b1357da936dcce18a13cdcb1c70de408e0ba50d2037d4e837c50a122231bc0ac62c36478da6abe3e260f62334a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9654310.exe

Filesize
136KB

MD5
74ed9e3a828310a4e2976dfcece12145

SHA1
4cdec48e74a62563fb6abc60e62d56beb43e10d2

SHA256
8922a0ea2d930783be6544f7c9dc015e94b79e49a04a783408bbc58628b52a76

SHA512
247727ec2dd21baebf303013248833afc411e83752eaec0a254ba0f73229c88c8bd43a918664415657a8430b4dcf63b1da25a0bab7ccd37aa88b35a973631532

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\o9654310.exe

Filesize
136KB

MD5
74ed9e3a828310a4e2976dfcece12145

SHA1
4cdec48e74a62563fb6abc60e62d56beb43e10d2

SHA256
8922a0ea2d930783be6544f7c9dc015e94b79e49a04a783408bbc58628b52a76

SHA512
247727ec2dd21baebf303013248833afc411e83752eaec0a254ba0f73229c88c8bd43a918664415657a8430b4dcf63b1da25a0bab7ccd37aa88b35a973631532

Download Submit
memory/3852-186-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-196-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-166-0x0000000004DA0000-0x0000000005344000-memory.dmp

Filesize
5.6MB

Download
memory/3852-167-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3852-168-0x00000000007D0000-0x00000000007FD000-memory.dmp

Filesize
180KB

Download
memory/3852-169-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-170-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-172-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-174-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-176-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-178-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-180-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-182-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-184-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-164-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-188-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-190-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-192-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-194-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/3852-165-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-197-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-198-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3852-163-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3852-162-0x00000000007D0000-0x00000000007FD000-memory.dmp

Filesize
180KB

Download
memory/4484-213-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4484-219-0x00000000082C0000-0x0000000008482000-memory.dmp

Filesize
1.8MB

Download
memory/4484-209-0x0000000007030000-0x0000000007042000-memory.dmp

Filesize
72KB

Download
memory/4484-210-0x0000000007160000-0x000000000726A000-memory.dmp

Filesize
1.0MB

Download
memory/4484-211-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4484-212-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/4484-215-0x0000000007EA0000-0x0000000007F32000-memory.dmp

Filesize
584KB

Download
memory/4484-207-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/4484-208-0x00000000075E0000-0x0000000007BF8000-memory.dmp

Filesize
6.1MB

Download
memory/4484-216-0x0000000008070000-0x00000000080E6000-memory.dmp

Filesize
472KB

Download
memory/4484-217-0x0000000002450000-0x000000000246E000-memory.dmp

Filesize
120KB

Download
memory/4484-218-0x0000000007E50000-0x0000000007EA0000-memory.dmp

Filesize
320KB

Download
memory/4484-214-0x0000000007520000-0x0000000007586000-memory.dmp

Filesize
408KB

Download
memory/4484-220-0x0000000008FD0000-0x00000000094FC000-memory.dmp

Filesize
5.2MB

Download