redline | a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5

Analysis

max time kernel
187s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe
Size

690KB
MD5

828c599fb8490b61e5c0e44d5a2fc5ec
SHA1

2c69618dff7a82123b36fa20326b3b245a6a2668
SHA256

a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5
SHA512

2eb484e163870bbb0d7b190066e2708d3b6a38a88a7c4bbe5acf0f536d569bac8efda85035f11e84cbf049f8936db853e10575ac46521b885eaf59148962ab61
SSDEEP

12288:iy90oDlYm5Y1pwywDwBMIt6w0j2QSbOZ/czVmCcuLO8JpuGD0Sbr0B+:iy/emWhH5bq2QFcP/puG4Sf0o

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4116-992-0x00000000075D0000-0x0000000007BE8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	18241926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	18241926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	18241926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	18241926.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	18241926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	18241926.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2580	un813170.exe
3132	18241926.exe
4116	rk627278.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	18241926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	18241926.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un813170.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un813170.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2956	3132	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	18241926.exe
3132	18241926.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	18241926.exe
Token: SeDebugPrivilege	4116	rk627278.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 2580	4228	a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe	81
PID 4228 wrote to memory of 2580	4228	a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe	81
PID 4228 wrote to memory of 2580	4228	a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe	81
PID 2580 wrote to memory of 3132	2580	un813170.exe	82
PID 2580 wrote to memory of 3132	2580	un813170.exe	82
PID 2580 wrote to memory of 3132	2580	un813170.exe	82
PID 2580 wrote to memory of 4116	2580	un813170.exe	86
PID 2580 wrote to memory of 4116	2580	un813170.exe	86
PID 2580 wrote to memory of 4116	2580	un813170.exe	86

C:\Users\Admin\AppData\Local\Temp\a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe
"C:\Users\Admin\AppData\Local\Temp\a8ae002d95449f9c9c020cc8ede21d8263cf441e7e14f77b64ebc7698579c3e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un813170.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un813170.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18241926.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18241926.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1088
      4⤵
      Program crash
      PID:2956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk627278.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk627278.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3132 -ip 3132
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un813170.exe

Filesize
536KB

MD5
474471a74e86569b7519d4074bf8359e

SHA1
002c76d7359721961c183c8656fc09e0c43833c5

SHA256
09ccdc884ab913ba7d2593164dc28e7b22a6f4599c1d4f14f2000173e9f5b3e1

SHA512
66491d39a7b8bdc75dd05f97bdd7d5cf36ce6426f63ddd136332c607d5a07458e6d050d1cfbe14d0820b63a32bb029c2587848483ed077297321f9dd8faef34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un813170.exe

Filesize
536KB

MD5
474471a74e86569b7519d4074bf8359e

SHA1
002c76d7359721961c183c8656fc09e0c43833c5

SHA256
09ccdc884ab913ba7d2593164dc28e7b22a6f4599c1d4f14f2000173e9f5b3e1

SHA512
66491d39a7b8bdc75dd05f97bdd7d5cf36ce6426f63ddd136332c607d5a07458e6d050d1cfbe14d0820b63a32bb029c2587848483ed077297321f9dd8faef34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18241926.exe

Filesize
258KB

MD5
15544bdfde9480702881947f97f938e8

SHA1
cf04c09f96c52a61c7a2004ed86cb7d0b95f167a

SHA256
9b36c0b58bcac1190484ea1c27c87903f9c6a683dcd196e3a08906c414c63a76

SHA512
03ad4349cefcd96f40eb7b9f5fb1b0857795ac6f080ebd7ccb3c24c1bcbe514e55940ff69ee25290d2d00cce1aecfcc7c871ebd773e8c350aa6abdbe265c1f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\18241926.exe

Filesize
258KB

MD5
15544bdfde9480702881947f97f938e8

SHA1
cf04c09f96c52a61c7a2004ed86cb7d0b95f167a

SHA256
9b36c0b58bcac1190484ea1c27c87903f9c6a683dcd196e3a08906c414c63a76

SHA512
03ad4349cefcd96f40eb7b9f5fb1b0857795ac6f080ebd7ccb3c24c1bcbe514e55940ff69ee25290d2d00cce1aecfcc7c871ebd773e8c350aa6abdbe265c1f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk627278.exe

Filesize
342KB

MD5
318beeab2e1f981daa3cde68e16548ad

SHA1
31dc9f08d57d8a628f66b98563e210c25f1297b4

SHA256
bc385492acc5c945bcf4c4f4efea9030f906a319075a01b6c492cd6041c502a3

SHA512
3f04239764d0417b62f1e54dc06d3614f2b21a6de41ce364f562787d009e3572190ddfd8d7b06cb48a2006dbf75491f55ddda8ff9e76a461a6aaff6478234001

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk627278.exe

Filesize
342KB

MD5
318beeab2e1f981daa3cde68e16548ad

SHA1
31dc9f08d57d8a628f66b98563e210c25f1297b4

SHA256
bc385492acc5c945bcf4c4f4efea9030f906a319075a01b6c492cd6041c502a3

SHA512
3f04239764d0417b62f1e54dc06d3614f2b21a6de41ce364f562787d009e3572190ddfd8d7b06cb48a2006dbf75491f55ddda8ff9e76a461a6aaff6478234001

Download Submit
memory/3132-161-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-151-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/3132-152-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-155-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-153-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-157-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-159-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-150-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3132-163-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-165-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-167-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-169-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-171-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-173-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-175-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-177-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-179-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3132-180-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3132-182-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3132-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3132-149-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3132-148-0x00000000006C0000-0x00000000006ED000-memory.dmp

Filesize
180KB

Download
memory/4116-197-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-217-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-195-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-192-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-199-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-201-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-203-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-205-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-207-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-209-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-211-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-213-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-215-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-193-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-219-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-220-0x0000000000540000-0x0000000000586000-memory.dmp

Filesize
280KB

Download
memory/4116-223-0x00000000026E0000-0x0000000002715000-memory.dmp

Filesize
212KB

Download
memory/4116-222-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4116-224-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4116-988-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4116-989-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4116-992-0x00000000075D0000-0x0000000007BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4116-993-0x0000000007E40000-0x0000000007E52000-memory.dmp

Filesize
72KB

Download
memory/4116-994-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4116-995-0x0000000007F80000-0x0000000007FBC000-memory.dmp

Filesize
240KB

Download
memory/4116-996-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/4116-998-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download