redline | 9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db

Analysis

max time kernel
146s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
Size

690KB
MD5

f8f94d9fc049a9ccc9be5e9fbdd3f1a9
SHA1

dc60384e67de7035339832e31d5139c41479ca26
SHA256

9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db
SHA512

67329f11acbf62bcde00353c26c2c593e982721184b2cea749bfa3289ecbb39804c4241b9f87568db0cf3505b9361062de5525de8081a70587a5933350510861
SSDEEP

12288:4y90L0U8VB5KOE0F6cSDKYyWIziAYom00qX2KmB194k17/Y:4yhU8VTKT0Ik2AY9g2KYDTjY

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3460-989-0x0000000007660000-0x0000000007C78000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58392694.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	58392694.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
220	un720969.exe
1452	58392694.exe
3460	rk103705.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	58392694.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	58392694.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un720969.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un720969.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4652	1452	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1452	58392694.exe
1452	58392694.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	58392694.exe
Token: SeDebugPrivilege	3460	rk103705.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 220	1636	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	87
PID 1636 wrote to memory of 220	1636	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	87
PID 1636 wrote to memory of 220	1636	9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe	87
PID 220 wrote to memory of 1452	220	un720969.exe	88
PID 220 wrote to memory of 1452	220	un720969.exe	88
PID 220 wrote to memory of 1452	220	un720969.exe	88
PID 220 wrote to memory of 3460	220	un720969.exe	95
PID 220 wrote to memory of 3460	220	un720969.exe	95
PID 220 wrote to memory of 3460	220	un720969.exe	95

C:\Users\Admin\AppData\Local\Temp\9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe
"C:\Users\Admin\AppData\Local\Temp\9d5ccc8b4ddbec34e19d13aa8391f4f3d2c89e90036212cb6f862fb7d954d9db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1080
      4⤵
      Program crash
      PID:4652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1452 -ip 1452
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe

Filesize
536KB

MD5
b17a5eb94041f4dde9825f8f2d378711

SHA1
7c05b63f81de92fd917e9b5a4eacdfd5dd7847ca

SHA256
a5c8e5ac3f8bd5c9dc758ce436fc62e497c2ce941a8d02e2d5c44758e1295eb5

SHA512
bd2240d5a476d588521cc8ff72fa8967c0f2a1852d7ab19eb30162e28bf55e99eb6949321be1e22b19685c7d92c8b9ff3295cf12a313aa95ca3d1182289ebcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un720969.exe

Filesize
536KB

MD5
b17a5eb94041f4dde9825f8f2d378711

SHA1
7c05b63f81de92fd917e9b5a4eacdfd5dd7847ca

SHA256
a5c8e5ac3f8bd5c9dc758ce436fc62e497c2ce941a8d02e2d5c44758e1295eb5

SHA512
bd2240d5a476d588521cc8ff72fa8967c0f2a1852d7ab19eb30162e28bf55e99eb6949321be1e22b19685c7d92c8b9ff3295cf12a313aa95ca3d1182289ebcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58392694.exe

Filesize
259KB

MD5
0ffe894137924ea28e396ca5523d5f2f

SHA1
97569cea2cf7314150c6b499671ec93317e382a0

SHA256
e04e03ddd14141abe3b7249f8885d1a9243c3981cae3b657e4196b15412f705a

SHA512
893fad59d0f32eb8bd485ae1415c9a96e26953821314fc584cdafbd5cf09d40dcf89271a333d511f911ecad34465e8234da3474bb2b02863ed4f79b5dd3e44c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk103705.exe

Filesize
341KB

MD5
03bd2aa6d7e42cbefe47d2255205f155

SHA1
53ca51eedb3c598b620d8f1aa479d928e0bb59b3

SHA256
32a3acfacdb23aad64ce33a8ffc660b6a0285d0b3b1f8ebf147dcc5d35fa77b2

SHA512
81afaacd9b76f41af5fb59bb3743fac53ecd75d88ad9a5e29eab58df396b457c88d1e5c322d183d58e9661b22b5be0621e8161f71fdfc049734d0ed8e7dcd00f

Download Submit
memory/1452-150-0x00000000005E0000-0x000000000060D000-memory.dmp

Filesize
180KB

Download
memory/1452-151-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1452-152-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1452-153-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1452-154-0x0000000004A30000-0x0000000004FD4000-memory.dmp

Filesize
5.6MB

Download
memory/1452-156-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-158-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-155-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-162-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-160-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-164-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-166-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-168-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-170-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-172-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-174-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-176-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-178-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-180-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-182-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download
memory/1452-183-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1452-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3460-193-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-194-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-196-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-198-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-200-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-202-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-204-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-206-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-208-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-210-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-212-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-214-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-218-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-216-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-220-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-222-0x00000000023A0000-0x00000000023D5000-memory.dmp

Filesize
212KB

Download
memory/3460-361-0x0000000000710000-0x0000000000756000-memory.dmp

Filesize
280KB

Download
memory/3460-363-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-365-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-368-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-989-0x0000000007660000-0x0000000007C78000-memory.dmp

Filesize
6.1MB

Download
memory/3460-990-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/3460-991-0x0000000007C80000-0x0000000007D8A000-memory.dmp

Filesize
1.0MB

Download
memory/3460-992-0x0000000004C90000-0x0000000004CCC000-memory.dmp

Filesize
240KB

Download
memory/3460-993-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-995-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-996-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-997-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3460-998-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download