redline | c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe
Size

642KB
MD5

88040981837527a7f29adc05c8e6a69a
SHA1

ad13a009dd0ba88e46f074b5416a4479021b9a3d
SHA256

c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2
SHA512

91ab171c695adfd2a2d51e51fc1fb800759096bb89b31222c441d223c033499af9f01014c75cd16590041caaba5ad3ba2e45935aca8df4e895131056e3f20ec7
SSDEEP

12288:zy90fBeV4r4p4YNPH4WMXtj17Y92LSyzHcXIwZZa94UWW873:zygW49kAWMN17cWcYwZzP73

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1928-980-0x0000000009C50000-0x000000000A268000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	09697423.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	09697423.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	09697423.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	09697423.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	09697423.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	09697423.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4460	st839475.exe
1036	09697423.exe
1928	kp597773.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	09697423.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	09697423.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st839475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st839475.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1036	09697423.exe
1036	09697423.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	09697423.exe
Token: SeDebugPrivilege	1928	kp597773.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4460	1072	c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe	83
PID 1072 wrote to memory of 4460	1072	c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe	83
PID 1072 wrote to memory of 4460	1072	c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe	83
PID 4460 wrote to memory of 1036	4460	st839475.exe	84
PID 4460 wrote to memory of 1036	4460	st839475.exe	84
PID 4460 wrote to memory of 1036	4460	st839475.exe	84
PID 4460 wrote to memory of 1928	4460	st839475.exe	85
PID 4460 wrote to memory of 1928	4460	st839475.exe	85
PID 4460 wrote to memory of 1928	4460	st839475.exe	85

C:\Users\Admin\AppData\Local\Temp\c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe
"C:\Users\Admin\AppData\Local\Temp\c611eb80a876b934b7baffd23e8a7e59f30bb852aa5dfe4881a47520ded23ff2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st839475.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st839475.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09697423.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09697423.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp597773.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp597773.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st839475.exe

Filesize
488KB

MD5
0a20ed3960b6ea68230e1b1ef4ca7609

SHA1
1c01946a35831e374a41d54cb2e38de373a88b02

SHA256
c30e70f2866a788ec6ba5147ec45aec8d414e02d82d1ac28712d244ffa4bf797

SHA512
21ad13f2eacd220f1dacb492ab15feb412bc20b17c59c2df115828b1b89e4da34b07e34b41859db9b567422bd6d10e6441ce4923a98c8444d946d3db20091704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st839475.exe

Filesize
488KB

MD5
0a20ed3960b6ea68230e1b1ef4ca7609

SHA1
1c01946a35831e374a41d54cb2e38de373a88b02

SHA256
c30e70f2866a788ec6ba5147ec45aec8d414e02d82d1ac28712d244ffa4bf797

SHA512
21ad13f2eacd220f1dacb492ab15feb412bc20b17c59c2df115828b1b89e4da34b07e34b41859db9b567422bd6d10e6441ce4923a98c8444d946d3db20091704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09697423.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09697423.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp597773.exe

Filesize
340KB

MD5
46eaf2c3f351bdab7e45b454cc11de26

SHA1
b12e19e479bb782775378dac735d391150b01b74

SHA256
a74f03bb2aafc600a2193cd41907739e75aa3786bc130416b7c29e0dc5ed1b13

SHA512
e926bf0ca247c3f9ad58b028daddf5d255e1d54d919deb264cd3f146c0cdaf8fe97e02011991adc39d728ddad82fb2ee2f2416a42f2892a027277e53ca8940af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp597773.exe

Filesize
340KB

MD5
46eaf2c3f351bdab7e45b454cc11de26

SHA1
b12e19e479bb782775378dac735d391150b01b74

SHA256
a74f03bb2aafc600a2193cd41907739e75aa3786bc130416b7c29e0dc5ed1b13

SHA512
e926bf0ca247c3f9ad58b028daddf5d255e1d54d919deb264cd3f146c0cdaf8fe97e02011991adc39d728ddad82fb2ee2f2416a42f2892a027277e53ca8940af

Download Submit
memory/1036-147-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1036-148-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-149-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-151-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-153-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-155-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-157-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-161-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-159-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-163-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-165-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-167-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-169-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-171-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-173-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-175-0x0000000004950000-0x0000000004963000-memory.dmp

Filesize
76KB

Download
memory/1036-176-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1036-177-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1036-178-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/1928-185-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-187-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-184-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-189-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-191-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-193-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-195-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-197-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-199-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-201-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-203-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-205-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-208-0x0000000002F90000-0x0000000002FD6000-memory.dmp

Filesize
280KB

Download
memory/1928-207-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-211-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-213-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-212-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-210-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-215-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-217-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-219-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-221-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-223-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/1928-980-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/1928-981-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/1928-982-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/1928-983-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-984-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/1928-986-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-987-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-988-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1928-989-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download