redline | 9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe
Size

693KB
MD5

a88b7668feabe5693c36f50e174514bb
SHA1

57694cdea9b5c57949c52547976035166fb87cce
SHA256

9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32
SHA512

774a6a86147adadacaf565b67539d2fd8e4ee435a8f56075ac705f66f6e71980d703fb9ffdfda460b45284f0944a1cf1120a194b51f0a77f561a278a917bb32a
SSDEEP

12288:Py90Isk/9Kdf0n0yUi4lo9WX1cIqlcwKKrzP6IhgZ8VNV7m/Nyeg:Pyvsd0nHr4Oy/yzzyANV7mljg

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3160-989-0x0000000009D40000-0x000000000A358000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	37996797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	37996797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	37996797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	37996797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	37996797.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	37996797.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2272	un733981.exe
2220	37996797.exe
3160	rk675113.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	37996797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	37996797.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un733981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un733981.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1996	2220	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	37996797.exe
2220	37996797.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	37996797.exe
Token: SeDebugPrivilege	3160	rk675113.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2272	4648	9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe	84
PID 4648 wrote to memory of 2272	4648	9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe	84
PID 4648 wrote to memory of 2272	4648	9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe	84
PID 2272 wrote to memory of 2220	2272	un733981.exe	86
PID 2272 wrote to memory of 2220	2272	un733981.exe	86
PID 2272 wrote to memory of 2220	2272	un733981.exe	86
PID 2272 wrote to memory of 3160	2272	un733981.exe	89
PID 2272 wrote to memory of 3160	2272	un733981.exe	89
PID 2272 wrote to memory of 3160	2272	un733981.exe	89

C:\Users\Admin\AppData\Local\Temp\9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe
"C:\Users\Admin\AppData\Local\Temp\9d6d356cf995c731752fc56e5ed866550c0010c522f119b706d60e72cb469d32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un733981.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un733981.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\37996797.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\37996797.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1084
      4⤵
      Program crash
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk675113.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk675113.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2220 -ip 2220
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un733981.exe

Filesize
540KB

MD5
91a8787981de63db06eedc716dafc4eb

SHA1
066bfaae3711318bf9d7800fb18771957449fee5

SHA256
a05c3b24ad789d70f778518d0b734751184a0eaf575fb16b37f4dcea926490b5

SHA512
a29825dd68459d05233ededc667090ad7c136918b479bebe701e0ad56fb57068c3610899d8b82f9d2466b28bf2d799d2385d41faf2d84b794997ceb571175f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un733981.exe

Filesize
540KB

MD5
91a8787981de63db06eedc716dafc4eb

SHA1
066bfaae3711318bf9d7800fb18771957449fee5

SHA256
a05c3b24ad789d70f778518d0b734751184a0eaf575fb16b37f4dcea926490b5

SHA512
a29825dd68459d05233ededc667090ad7c136918b479bebe701e0ad56fb57068c3610899d8b82f9d2466b28bf2d799d2385d41faf2d84b794997ceb571175f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\37996797.exe

Filesize
258KB

MD5
2833562e7aa9e6e66d9ad74bacbef8ef

SHA1
a57630bcdaed38793c339f96da73aa56d385ac0c

SHA256
7272cf513a5939b1b1442454d7e307bd89d8197137a2f636fc691126c2f1fdfa

SHA512
7763cb4b4b264e985e0fe1cd4276706e65cea4b36a6b3da7724e0579fb079ded93395ca97732a637f262ab53d73bfceb5dd31e67941bb0fdb930fc92e212de1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\37996797.exe

Filesize
258KB

MD5
2833562e7aa9e6e66d9ad74bacbef8ef

SHA1
a57630bcdaed38793c339f96da73aa56d385ac0c

SHA256
7272cf513a5939b1b1442454d7e307bd89d8197137a2f636fc691126c2f1fdfa

SHA512
7763cb4b4b264e985e0fe1cd4276706e65cea4b36a6b3da7724e0579fb079ded93395ca97732a637f262ab53d73bfceb5dd31e67941bb0fdb930fc92e212de1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk675113.exe

Filesize
341KB

MD5
46695c44f10bfa53df436caf2c691b8e

SHA1
79b4057c2ab423e078cfd85634496427ae967d8f

SHA256
f62d4d56dd0c7b03fbfe5a256601b73038a7ad4689c459dd9da61f54ac5658e9

SHA512
201851d13cab0bcd1f8befacabd19e9b0c209e223a3e2c55acf9a869b19fc2972a952fbf2e7e7316ceb815927479f5e1d99c547d4fdd89f65d622909b0e47566

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk675113.exe

Filesize
341KB

MD5
46695c44f10bfa53df436caf2c691b8e

SHA1
79b4057c2ab423e078cfd85634496427ae967d8f

SHA256
f62d4d56dd0c7b03fbfe5a256601b73038a7ad4689c459dd9da61f54ac5658e9

SHA512
201851d13cab0bcd1f8befacabd19e9b0c209e223a3e2c55acf9a869b19fc2972a952fbf2e7e7316ceb815927479f5e1d99c547d4fdd89f65d622909b0e47566

Download Submit
memory/2220-162-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2220-152-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2220-153-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-154-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-156-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-158-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-160-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-149-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2220-164-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-166-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-168-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-170-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-172-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-174-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-176-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-178-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-180-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2220-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2220-182-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2220-183-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2220-151-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/2220-150-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/2220-148-0x0000000002BD0000-0x0000000002BFD000-memory.dmp

Filesize
180KB

Download
memory/3160-245-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-220-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-200-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-993-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-196-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-202-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-204-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-206-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-208-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-210-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-212-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-214-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-218-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-193-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-194-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-239-0x0000000002C80000-0x0000000002CC6000-memory.dmp

Filesize
280KB

Download
memory/3160-216-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-243-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-241-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-990-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/3160-989-0x0000000009D40000-0x000000000A358000-memory.dmp

Filesize
6.1MB

Download
memory/3160-222-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-991-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/3160-198-0x0000000004C10000-0x0000000004C45000-memory.dmp

Filesize
212KB

Download
memory/3160-992-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/3160-995-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-996-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-997-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3160-998-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download