redline | c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513

Analysis

max time kernel
146s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe
Size

746KB
MD5

7d915bebb5bdcf752fbe9e7ed2c31bca
SHA1

983823832a72314c48ccebfa2ffe39fddf886bff
SHA256

c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513
SHA512

c7f0a89fe7916d120b6ea5e4175886be284b9bf83c03cd4318fed12bc2c06013176c26f66028bd43005f555ef099ef3823c829578093ed033edd015cbb5e22c4
SSDEEP

12288:6y90/Uw0r175e+zU6dSXsJpNf/3q2ha6YY9saBtXXdAfeBjNUIdQFVHU:6yiyt8R6dEsXR/Fhar6XXz3Jd2V0

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1788-995-0x0000000007950000-0x0000000007F68000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	63395101.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	63395101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	63395101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	63395101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	63395101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	63395101.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4040	un041791.exe
2684	63395101.exe
1788	rk411091.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	63395101.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	63395101.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un041791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un041791.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3568	2684	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	63395101.exe
2684	63395101.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	63395101.exe
Token: SeDebugPrivilege	1788	rk411091.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4040	4972	c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe	83
PID 4972 wrote to memory of 4040	4972	c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe	83
PID 4972 wrote to memory of 4040	4972	c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe	83
PID 4040 wrote to memory of 2684	4040	un041791.exe	84
PID 4040 wrote to memory of 2684	4040	un041791.exe	84
PID 4040 wrote to memory of 2684	4040	un041791.exe	84
PID 4040 wrote to memory of 1788	4040	un041791.exe	88
PID 4040 wrote to memory of 1788	4040	un041791.exe	88
PID 4040 wrote to memory of 1788	4040	un041791.exe	88

C:\Users\Admin\AppData\Local\Temp\c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe
"C:\Users\Admin\AppData\Local\Temp\c8cec3f5132b64facf2c62d4d8eaef0d907133d3f3e7b9920162acb6569ad513.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un041791.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un041791.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63395101.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63395101.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1080
      4⤵
      Program crash
      PID:3568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk411091.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk411091.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2684 -ip 2684
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un041791.exe

Filesize
591KB

MD5
9b8ef05f0514b5ed91d56c2690556202

SHA1
d7615845c53486253a0eb55f22838958119be034

SHA256
fe9d75307228a8315250e843ed5726eaaa9804f8eeb06f82211c6010c6fe7a5c

SHA512
67bf366edc8a8b7cef45cf6321ee4cd32e341de39497b9372f7a5644d26072830e41cbb554956340001b25a0dc78e365146e33896181dad8966ecde1bb13bcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un041791.exe

Filesize
591KB

MD5
9b8ef05f0514b5ed91d56c2690556202

SHA1
d7615845c53486253a0eb55f22838958119be034

SHA256
fe9d75307228a8315250e843ed5726eaaa9804f8eeb06f82211c6010c6fe7a5c

SHA512
67bf366edc8a8b7cef45cf6321ee4cd32e341de39497b9372f7a5644d26072830e41cbb554956340001b25a0dc78e365146e33896181dad8966ecde1bb13bcd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63395101.exe

Filesize
376KB

MD5
0b8107a6b4f7aa6da0d543638cbfa500

SHA1
c3d3f6f428d6923145fe4954566c553de8b3d4df

SHA256
428215387ee8682854d7d3a1c6e4d3bf932265323f96e785d79b62a7bf855256

SHA512
2958e1461591a7fbf43eb36ca2a21f0bbc4856ddd1efcfe116c95d3ea9000a92b2d25d4072304c1d7444670a02a86718e96034d5bb6e49523a95b10330baf77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63395101.exe

Filesize
376KB

MD5
0b8107a6b4f7aa6da0d543638cbfa500

SHA1
c3d3f6f428d6923145fe4954566c553de8b3d4df

SHA256
428215387ee8682854d7d3a1c6e4d3bf932265323f96e785d79b62a7bf855256

SHA512
2958e1461591a7fbf43eb36ca2a21f0bbc4856ddd1efcfe116c95d3ea9000a92b2d25d4072304c1d7444670a02a86718e96034d5bb6e49523a95b10330baf77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk411091.exe

Filesize
459KB

MD5
5f554997b25e2980631888985dc85bc0

SHA1
f984e4ffad30065b9791057912b0668aee420469

SHA256
0d7416191649431acf4d84269e049227e214a7ddd985e864973484aba1f5f708

SHA512
ce1a6921b0f16f2686e86793c9e6f6648be688a743da2389f0ff4860102f8e397a67ab3bd79d4adf22a033f04cd9d962177ce4fbe90b9b2ce9aa24c88ebb3a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk411091.exe

Filesize
459KB

MD5
5f554997b25e2980631888985dc85bc0

SHA1
f984e4ffad30065b9791057912b0668aee420469

SHA256
0d7416191649431acf4d84269e049227e214a7ddd985e864973484aba1f5f708

SHA512
ce1a6921b0f16f2686e86793c9e6f6648be688a743da2389f0ff4860102f8e397a67ab3bd79d4adf22a033f04cd9d962177ce4fbe90b9b2ce9aa24c88ebb3a63

Download Submit
memory/1788-316-0x0000000000910000-0x0000000000956000-memory.dmp

Filesize
280KB

Download
memory/1788-220-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-998-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1788-997-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1788-996-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1788-995-0x0000000007950000-0x0000000007F68000-memory.dmp

Filesize
6.1MB

Download
memory/1788-320-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1788-322-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1788-1001-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1788-317-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1788-1002-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1788-224-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-222-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-999-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1788-218-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-216-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-214-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-212-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-210-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-208-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-206-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-204-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-202-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-200-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-199-0x00000000027D0000-0x0000000002805000-memory.dmp

Filesize
212KB

Download
memory/1788-1003-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/2684-162-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-194-0x00000000008F0000-0x000000000091D000-memory.dmp

Filesize
180KB

Download
memory/2684-189-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2684-185-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2684-186-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2684-184-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2684-183-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2684-182-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-180-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-178-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-176-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-174-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-172-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-170-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-168-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-166-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-164-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-160-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-158-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-156-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-155-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/2684-154-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2684-153-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2684-152-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2684-151-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/2684-149-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2684-148-0x00000000008F0000-0x000000000091D000-memory.dmp

Filesize
180KB

Download