redline | c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe
Size

691KB
MD5

14323b95a1c2c784f36f833c811ceea1
SHA1

7e8e378645bb44620ee875c5214bdfd0267c74cd
SHA256

c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b
SHA512

35fd892795fb1674a66191d0f9d1728bb0766587921bfd77c8413b187a130cebe9a92690f75d7631daa2f10862cf86ebb3b372aa66c885acd57424d65a3c01a1
SSDEEP

12288:sy90HNE/SkBw74Ps8VuwdAPZRHrrQ0vPQ2+m1Of/46twd22u:syyNu24Ps8V1+L5I2+gOH4Iwd/u

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1376-989-0x0000000007650000-0x0000000007C68000-memory.dmp	redline_stealer

Detects any file with a triage score of 10 1 IoCs

This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

resource	yara_rule
behavioral2/memory/1376-161-0x0000000000400000-0x000000000046A000-memory.dmp	triage_score_10

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	96715942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	96715942.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	96715942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	96715942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	96715942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	96715942.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4520	un731868.exe
2592	96715942.exe
3160	96715942.exe
1376	rk028513.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	96715942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	96715942.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un731868.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un731868.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 3160	2592	96715942.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3160	96715942.exe
3160	96715942.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	rk028513.exe
Token: SeDebugPrivilege	3160	96715942.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 4520	4212	c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe	83
PID 4212 wrote to memory of 4520	4212	c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe	83
PID 4212 wrote to memory of 4520	4212	c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe	83
PID 4520 wrote to memory of 2592	4520	un731868.exe	84
PID 4520 wrote to memory of 2592	4520	un731868.exe	84
PID 4520 wrote to memory of 2592	4520	un731868.exe	84
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 2592 wrote to memory of 3160	2592	96715942.exe	85
PID 4520 wrote to memory of 1376	4520	un731868.exe	86
PID 4520 wrote to memory of 1376	4520	un731868.exe	86
PID 4520 wrote to memory of 1376	4520	un731868.exe	86

C:\Users\Admin\AppData\Local\Temp\c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe
"C:\Users\Admin\AppData\Local\Temp\c19a69cf76117d64b6a17d16fe5be6f59e19154bf577aec3037fd6ddf0ccd78b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731868.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731868.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk028513.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk028513.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731868.exe

Filesize
536KB

MD5
8d7151b7987e84c4ff650608c2331179

SHA1
bf5e510285f7f374fab00d96b5ace05119fab1bc

SHA256
7c351767f3ac837f9b6349826604450e59f5ccac3bf841a0137572a5cc8198d5

SHA512
f390d41bd4e70e3ad344daf58d5e3687fa2eb1ab0959c9511798d7d2c34d3d0b9bf18bb50b8d6677ece7335439641f61850f36448027440909e39a30241f24fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731868.exe

Filesize
536KB

MD5
8d7151b7987e84c4ff650608c2331179

SHA1
bf5e510285f7f374fab00d96b5ace05119fab1bc

SHA256
7c351767f3ac837f9b6349826604450e59f5ccac3bf841a0137572a5cc8198d5

SHA512
f390d41bd4e70e3ad344daf58d5e3687fa2eb1ab0959c9511798d7d2c34d3d0b9bf18bb50b8d6677ece7335439641f61850f36448027440909e39a30241f24fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe

Filesize
259KB

MD5
a874c986f4befc7997c0be41e738ee4e

SHA1
736dbf14102b3955cec6b0df6d58e9f051ddfea4

SHA256
03b88f25d34568f1cb49a1ddc4a2fe2a062b7ea34e13f0e598ff0b31fa5e106a

SHA512
e8510424a4ff7bf9065b761f444dabb191896134024808ef4949c9bb42e2957ce2ef7a251e7421f48db159eb95c065a32ac14339580f52344452c9f7a8d6b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe

Filesize
259KB

MD5
a874c986f4befc7997c0be41e738ee4e

SHA1
736dbf14102b3955cec6b0df6d58e9f051ddfea4

SHA256
03b88f25d34568f1cb49a1ddc4a2fe2a062b7ea34e13f0e598ff0b31fa5e106a

SHA512
e8510424a4ff7bf9065b761f444dabb191896134024808ef4949c9bb42e2957ce2ef7a251e7421f48db159eb95c065a32ac14339580f52344452c9f7a8d6b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\96715942.exe

Filesize
259KB

MD5
a874c986f4befc7997c0be41e738ee4e

SHA1
736dbf14102b3955cec6b0df6d58e9f051ddfea4

SHA256
03b88f25d34568f1cb49a1ddc4a2fe2a062b7ea34e13f0e598ff0b31fa5e106a

SHA512
e8510424a4ff7bf9065b761f444dabb191896134024808ef4949c9bb42e2957ce2ef7a251e7421f48db159eb95c065a32ac14339580f52344452c9f7a8d6b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk028513.exe

Filesize
341KB

MD5
886cb657b55fed44cd34c8b5b6e7b74c

SHA1
36d4c23c84ec0cfe699cb331e44895aa6343af00

SHA256
a4a6c7c331d54ea0d8ead1512207af70dce3f115826782397d9b703d9b9eceab

SHA512
88e23fbcf3d8cdadd053451f08e32e87a86ab9424388c320601358740736fc9cfd652c0ab53927d0c9d58d2ec8dad0c279adff3ec47581923cc9c77f25a06b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk028513.exe

Filesize
341KB

MD5
886cb657b55fed44cd34c8b5b6e7b74c

SHA1
36d4c23c84ec0cfe699cb331e44895aa6343af00

SHA256
a4a6c7c331d54ea0d8ead1512207af70dce3f115826782397d9b703d9b9eceab

SHA512
88e23fbcf3d8cdadd053451f08e32e87a86ab9424388c320601358740736fc9cfd652c0ab53927d0c9d58d2ec8dad0c279adff3ec47581923cc9c77f25a06b91

Download Submit
memory/1376-991-0x0000000007D20000-0x0000000007E2A000-memory.dmp

Filesize
1.0MB

Download
memory/1376-174-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-205-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-994-0x0000000000840000-0x0000000000886000-memory.dmp

Filesize
280KB

Download
memory/1376-999-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1376-159-0x0000000000840000-0x0000000000886000-memory.dmp

Filesize
280KB

Download
memory/1376-993-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1376-161-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1376-163-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/1376-992-0x0000000007E40000-0x0000000007E7C000-memory.dmp

Filesize
240KB

Download
memory/1376-166-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-201-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-170-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-990-0x0000000007D00000-0x0000000007D12000-memory.dmp

Filesize
72KB

Download
memory/1376-165-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-996-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1376-989-0x0000000007650000-0x0000000007C68000-memory.dmp

Filesize
6.1MB

Download
memory/1376-178-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-181-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1376-222-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-218-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-182-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-1006-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1376-213-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-189-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1376-188-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-194-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-209-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/1376-198-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/2592-151-0x00000000008F0000-0x000000000091E000-memory.dmp

Filesize
184KB

Download
memory/3160-186-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3160-200-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-196-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-204-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-208-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-192-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-187-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-212-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-216-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-183-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3160-219-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-180-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-223-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-175-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-171-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-167-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-164-0x0000000002440000-0x0000000002453000-memory.dmp

Filesize
76KB

Download
memory/3160-160-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-156-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-997-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3160-150-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-998-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3160-1000-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3160-1004-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3160-148-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download