redline | c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe
Size

1.0MB
MD5

4b8954429fdb8843337c946a660432e6
SHA1

b93803510b17b83cc00ef3d3496c15d7cda3c895
SHA256

c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608
SHA512

257855b5daa3a2967148806af2b3da5af3ef22ef910a5fa22b56edb728aada06030361ad59f4ec4c092521447df2465f95a1e53c4a3d577a4d673161ba2478d0
SSDEEP

24576:3yEgnCwt4Qbcz4dbTa6q4uYX1JivXWMjZzUEv:CbnHt4Qbcz4dbTPqNYFJifWs1P

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1584-994-0x00000000078F0000-0x0000000007F08000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	16739026.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	16739026.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	16739026.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	16739026.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	16739026.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	16739026.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
480	za228758.exe
388	za663619.exe
4380	16739026.exe
1584	w05JX94.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	16739026.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	16739026.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za228758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za228758.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za663619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za663619.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3236	4380	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4380	16739026.exe
4380	16739026.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	16739026.exe
Token: SeDebugPrivilege	1584	w05JX94.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 480	5084	c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe	82
PID 5084 wrote to memory of 480	5084	c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe	82
PID 5084 wrote to memory of 480	5084	c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe	82
PID 480 wrote to memory of 388	480	za228758.exe	83
PID 480 wrote to memory of 388	480	za228758.exe	83
PID 480 wrote to memory of 388	480	za228758.exe	83
PID 388 wrote to memory of 4380	388	za663619.exe	84
PID 388 wrote to memory of 4380	388	za663619.exe	84
PID 388 wrote to memory of 4380	388	za663619.exe	84
PID 388 wrote to memory of 1584	388	za663619.exe	88
PID 388 wrote to memory of 1584	388	za663619.exe	88
PID 388 wrote to memory of 1584	388	za663619.exe	88

C:\Users\Admin\AppData\Local\Temp\c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe
"C:\Users\Admin\AppData\Local\Temp\c16b0984fdd75ee56ffc3dfabd40e046b25f4cddfb4ea75441d17c0d2376c608.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za228758.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za228758.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663619.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663619.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\16739026.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\16739026.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1080
        5⤵
        Program crash
        
        PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05JX94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05JX94.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4380 -ip 4380
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za228758.exe

Filesize
774KB

MD5
b34431addc40dd79f7127a0891d0d98b

SHA1
5557c81e44ee4acf63dd59fff3e6e6e5927b526f

SHA256
f3a8076ca7c9b720c4a317ec3ebb8e5b39fe0086032ef830cf0125408e028d21

SHA512
9cef890f78c6de68ac4011f10814ecb35302b28fe9ab64c0ba1c4b42e5dcadd82759d8fbdd7a8f72f0cfe8893976539ed55131ce6c2d573c37e035e0093dba09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za228758.exe

Filesize
774KB

MD5
b34431addc40dd79f7127a0891d0d98b

SHA1
5557c81e44ee4acf63dd59fff3e6e6e5927b526f

SHA256
f3a8076ca7c9b720c4a317ec3ebb8e5b39fe0086032ef830cf0125408e028d21

SHA512
9cef890f78c6de68ac4011f10814ecb35302b28fe9ab64c0ba1c4b42e5dcadd82759d8fbdd7a8f72f0cfe8893976539ed55131ce6c2d573c37e035e0093dba09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663619.exe

Filesize
591KB

MD5
dc3a2223813cd2fbf8f1cda34b9aafed

SHA1
d2e682a3d8dfa6606ab194eefefe40ba50670c8a

SHA256
0f781423531ec67c50e6e48b7966a89f1b95be2b7355fece4810a8355fc5dbd0

SHA512
e6f2ffd8c33a44f898dead02ea9a174cec2910aa718066d14a50e98e71905ab0e62a3ca719d47d3054f5bbc301c3db09305e78fe3bbfaeed7e10144a2c73abf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za663619.exe

Filesize
591KB

MD5
dc3a2223813cd2fbf8f1cda34b9aafed

SHA1
d2e682a3d8dfa6606ab194eefefe40ba50670c8a

SHA256
0f781423531ec67c50e6e48b7966a89f1b95be2b7355fece4810a8355fc5dbd0

SHA512
e6f2ffd8c33a44f898dead02ea9a174cec2910aa718066d14a50e98e71905ab0e62a3ca719d47d3054f5bbc301c3db09305e78fe3bbfaeed7e10144a2c73abf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\16739026.exe

Filesize
376KB

MD5
3c24d262651f3c1a2e8961f0e6cc1d49

SHA1
470e6a599edb85f49c4d00404732a8998061a152

SHA256
fb0e5fabf8e2db20c225ed7815862a5b3aeb74d4b9ba64bf6409740c4c50ce42

SHA512
8f0866d2497704987b2ae8331643aa3dc8238ab6d7eb6047c5b5314edfbb11631c172e2d23fe3ed3e90e1ec671b9e714bf9f3a96a3f103f265c8fe46332caae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\16739026.exe

Filesize
376KB

MD5
3c24d262651f3c1a2e8961f0e6cc1d49

SHA1
470e6a599edb85f49c4d00404732a8998061a152

SHA256
fb0e5fabf8e2db20c225ed7815862a5b3aeb74d4b9ba64bf6409740c4c50ce42

SHA512
8f0866d2497704987b2ae8331643aa3dc8238ab6d7eb6047c5b5314edfbb11631c172e2d23fe3ed3e90e1ec671b9e714bf9f3a96a3f103f265c8fe46332caae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05JX94.exe

Filesize
459KB

MD5
331e710986fd2351e5b96c34261081aa

SHA1
315ddd309f5902802daee6e6116cccfc47ebc1e7

SHA256
11c27c3be083f156e47a3a1866b7846d8f28338c1999972580fcbd255cc2edad

SHA512
32dedd5456121e78e6e88859a0bb3735f4f5df0fb1668ef33693bfdb688e0f4158e3c04f57c9bc6523ad8909d2e345b2bd2be11f07dc8cefc6145dc7732aa393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w05JX94.exe

Filesize
459KB

MD5
331e710986fd2351e5b96c34261081aa

SHA1
315ddd309f5902802daee6e6116cccfc47ebc1e7

SHA256
11c27c3be083f156e47a3a1866b7846d8f28338c1999972580fcbd255cc2edad

SHA512
32dedd5456121e78e6e88859a0bb3735f4f5df0fb1668ef33693bfdb688e0f4158e3c04f57c9bc6523ad8909d2e345b2bd2be11f07dc8cefc6145dc7732aa393

Download Submit
memory/1584-227-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-229-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-1003-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-1002-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-1001-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-1000-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-998-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-997-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1584-996-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1584-995-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1584-994-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/1584-577-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-573-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-574-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1584-571-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/1584-231-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-225-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-223-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-221-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-219-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-217-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-215-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-213-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-211-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-209-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-198-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-199-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-201-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-203-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-205-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1584-207-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/4380-184-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-166-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-193-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4380-192-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4380-191-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4380-190-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4380-188-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4380-187-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4380-186-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4380-155-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4380-158-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-185-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4380-157-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-180-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-156-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/4380-178-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-176-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-174-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-172-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-170-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-168-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-182-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-164-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-162-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-160-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download