redline | a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
Size

690KB
MD5

a040d30b578d01525062075d5033fa02
SHA1

be10a96eb2c1aae00ad4a60863e5d79d4e5901b1
SHA256

a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023
SHA512

25c8c32ed207af29293727e89dc7335c9b2a59e6161d9632f62b779b03c46d5c6f498d25ba7d18723f0436e91ed61e244f1dbcba9ce0ec66bd7c9c93090ed763
SSDEEP

12288:My90OTP01v71oAhaZkIJwTTVYT+urnGuqlb/cd2oB3vlCCiI22kEqke:MyvTP01v71ooaGkwTTV++urGuI7g26x2

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2784-986-0x0000000007500000-0x0000000007B18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	18002885.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	18002885.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	18002885.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	18002885.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	18002885.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	18002885.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2424	un069612.exe
4516	18002885.exe
2784	rk728287.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	18002885.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	18002885.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un069612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un069612.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4608	4516	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4516	18002885.exe
4516	18002885.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	18002885.exe
Token: SeDebugPrivilege	2784	rk728287.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2424	2264	a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe	82
PID 2264 wrote to memory of 2424	2264	a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe	82
PID 2264 wrote to memory of 2424	2264	a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe	82
PID 2424 wrote to memory of 4516	2424	un069612.exe	83
PID 2424 wrote to memory of 4516	2424	un069612.exe	83
PID 2424 wrote to memory of 4516	2424	un069612.exe	83
PID 2424 wrote to memory of 2784	2424	un069612.exe	86
PID 2424 wrote to memory of 2784	2424	un069612.exe	86
PID 2424 wrote to memory of 2784	2424	un069612.exe	86

C:\Users\Admin\AppData\Local\Temp\a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe
"C:\Users\Admin\AppData\Local\Temp\a5833a85260d6abcde0af4f7cb66fca352b98015308d54142ac0cf6b7fe52023.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069612.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18002885.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18002885.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1092
      4⤵
      Program crash
      PID:4608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728287.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728287.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4516 -ip 4516
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069612.exe

Filesize
536KB

MD5
7da427c76aba24f15fba8d6b678c97d8

SHA1
73ba46b48b11bd84b5d1fb1f31573c7c64176fba

SHA256
7d792ec019942bad451253b0a28bb98545c93b3af477d31b8fb57f4e00f3a35a

SHA512
030bcaf5ee8ffe98ec9177f11350d137cfacc244c7c22b30e3fc7f4aeb3d6d63a4c2af25c25dbc8799f4cab1b0a431494cb955fbfb8b306fcb8dc42ae453f49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un069612.exe

Filesize
536KB

MD5
7da427c76aba24f15fba8d6b678c97d8

SHA1
73ba46b48b11bd84b5d1fb1f31573c7c64176fba

SHA256
7d792ec019942bad451253b0a28bb98545c93b3af477d31b8fb57f4e00f3a35a

SHA512
030bcaf5ee8ffe98ec9177f11350d137cfacc244c7c22b30e3fc7f4aeb3d6d63a4c2af25c25dbc8799f4cab1b0a431494cb955fbfb8b306fcb8dc42ae453f49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18002885.exe

Filesize
259KB

MD5
f246ab38c4583449f787d6ba90191b11

SHA1
b27773ee66a97fe95d03fd6b14a46b2d975cfd9b

SHA256
20dce831c494e08fea6a5cba58d40f35baf8a40252d9083c4e23db6f07ac0700

SHA512
dfe199d4b367daeddad330d7cd6c06982f4fd66600d5262751647d41816bbb747caa884b8d5f862f32604f70a311b38d2394a6dac29f90dc88d0ebe6e58bfe5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18002885.exe

Filesize
259KB

MD5
f246ab38c4583449f787d6ba90191b11

SHA1
b27773ee66a97fe95d03fd6b14a46b2d975cfd9b

SHA256
20dce831c494e08fea6a5cba58d40f35baf8a40252d9083c4e23db6f07ac0700

SHA512
dfe199d4b367daeddad330d7cd6c06982f4fd66600d5262751647d41816bbb747caa884b8d5f862f32604f70a311b38d2394a6dac29f90dc88d0ebe6e58bfe5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728287.exe

Filesize
341KB

MD5
206c71b72ab08b69c3aa2847f03903aa

SHA1
1b14f68b225e76bf6ce52f58defdf78ff4433e46

SHA256
f0cfd87fcb07e71927cdd2f3886019a5bc5accc251d93c6a1628f03d089d33aa

SHA512
c4bbcf02d87183d8b1566299aef88bb93849db5c8928373c15ab253081f6fcfa0858475ff4c1ff429af94156c53d788c93eb6ff551c539689d5a4e5c5620f5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728287.exe

Filesize
341KB

MD5
206c71b72ab08b69c3aa2847f03903aa

SHA1
1b14f68b225e76bf6ce52f58defdf78ff4433e46

SHA256
f0cfd87fcb07e71927cdd2f3886019a5bc5accc251d93c6a1628f03d089d33aa

SHA512
c4bbcf02d87183d8b1566299aef88bb93849db5c8928373c15ab253081f6fcfa0858475ff4c1ff429af94156c53d788c93eb6ff551c539689d5a4e5c5620f5f5

Download Submit
memory/2784-219-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-501-0x0000000000840000-0x0000000000886000-memory.dmp

Filesize
280KB

Download
memory/2784-995-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-994-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-993-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-992-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-990-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-197-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-989-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/2784-988-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/2784-987-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/2784-195-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-507-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-505-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-193-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-203-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-503-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2784-223-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-221-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-217-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-215-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-213-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-211-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-209-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-191-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-190-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-207-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-986-0x0000000007500000-0x0000000007B18000-memory.dmp

Filesize
6.1MB

Download
memory/2784-205-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-199-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/2784-201-0x0000000004FE0000-0x0000000005015000-memory.dmp

Filesize
212KB

Download
memory/4516-171-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-161-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-151-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4516-149-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/4516-150-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4516-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4516-183-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4516-182-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4516-148-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/4516-181-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4516-180-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4516-179-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-177-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-173-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-175-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-169-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-167-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-163-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-165-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-159-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-157-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-155-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-153-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4516-152-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download