redline | ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
Size

687KB
MD5

c2f156cc9d8af8a50c38eb60e53c7aa4
SHA1

bc7c0defab780cda95d783e528942a66c90ef75a
SHA256

ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c
SHA512

9c5f64525d0d8629a737270d84efd2e9791cf85388070afbed62d1faeab35ba378923ecb93213db072373d83989bab477324be53486de8c4241d7329aa468d41
SSDEEP

12288:vy906JacQHX0DXkjFpyCS5A8Rlbf8XuYi2h5EIXP/Fa9BMn4+/70:vyTQHXUqrSdKu12XEgFiBSlT0

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2028-989-0x0000000009C40000-0x000000000A258000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	50108514.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	50108514.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4704	un241332.exe
1460	50108514.exe
2028	rk570693.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	50108514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	50108514.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un241332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un241332.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	1460	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	50108514.exe
1460	50108514.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	50108514.exe
Token: SeDebugPrivilege	2028	rk570693.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 4704	4104	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	85
PID 4104 wrote to memory of 4704	4104	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	85
PID 4104 wrote to memory of 4704	4104	ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe	85
PID 4704 wrote to memory of 1460	4704	un241332.exe	86
PID 4704 wrote to memory of 1460	4704	un241332.exe	86
PID 4704 wrote to memory of 1460	4704	un241332.exe	86
PID 4704 wrote to memory of 2028	4704	un241332.exe	90
PID 4704 wrote to memory of 2028	4704	un241332.exe	90
PID 4704 wrote to memory of 2028	4704	un241332.exe	90

C:\Users\Admin\AppData\Local\Temp\ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe
"C:\Users\Admin\AppData\Local\Temp\ae6213ba393c5b1e094743461a9c289fc37aacb6bdc71fe323b2adfd29f4153c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1080
      4⤵
      Program crash
      PID:2764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1460 -ip 1460
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe

Filesize
533KB

MD5
c27356bded81c084175c481d52ad131b

SHA1
f430869e559995d76a0dc60894e0af176a053dc0

SHA256
7fb9aa5308cfde3f0f149229fdaaeb0b1a5aeb73744d0449311ea3d50be9fc0a

SHA512
b0259b26686710d4bc579d231342de80a90550d74fd2a796ce71ff337bfff3a6c05df019e1bed8dd865335c111a69b7414e1525723cde5d5a134d3d55ac410ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un241332.exe

Filesize
533KB

MD5
c27356bded81c084175c481d52ad131b

SHA1
f430869e559995d76a0dc60894e0af176a053dc0

SHA256
7fb9aa5308cfde3f0f149229fdaaeb0b1a5aeb73744d0449311ea3d50be9fc0a

SHA512
b0259b26686710d4bc579d231342de80a90550d74fd2a796ce71ff337bfff3a6c05df019e1bed8dd865335c111a69b7414e1525723cde5d5a134d3d55ac410ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\50108514.exe

Filesize
249KB

MD5
f5ee338c3504c811500f3873b8c32759

SHA1
e8664b50e1bdbc30ab35b696d5bbf9f83a943932

SHA256
d8b6fafbd171f40f520d4cf7ef4d796fd871fed7131af18b0f74b1ef6a44ac1c

SHA512
1c9d925f585b4ce0a898120e81769802a6f41ffd06664cb77d47ffa8ed9843f5e3ea2f9c9a6ed82b17cfec3c86f288d0b7f0c15b627b0da047d152a5f67c5d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk570693.exe

Filesize
332KB

MD5
5de00505d47e284ef8c01493c51ff5c6

SHA1
018f143b4cd2c8aaf5c7888a716a15f3b3c19b37

SHA256
f14baa42e44af2776f95b508ecd150415b74bd299fc05798cd7856ae60dee4bc

SHA512
aed23f66185836dea8ce251c3b02d687069a0334a662a26908b83732f109572bcbe16894a0f69f5ee7bd9fd8e1211bfba37d3208d2b59dde124b62baa89480f4

Download Submit
memory/1460-163-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-159-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-152-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1460-153-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/1460-154-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-155-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-157-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-151-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1460-161-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-150-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1460-165-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-167-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-169-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-171-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-173-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-177-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-175-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-179-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-181-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/1460-182-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1460-183-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1460-184-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1460-187-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/1460-149-0x00000000073C0000-0x0000000007964000-memory.dmp

Filesize
5.6MB

Download
memory/1460-148-0x00000000047A0000-0x00000000047CD000-memory.dmp

Filesize
180KB

Download
memory/2028-218-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-228-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-989-0x0000000009C40000-0x000000000A258000-memory.dmp

Filesize
6.1MB

Download
memory/2028-193-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-200-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-201-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-199-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-204-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-208-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-206-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-203-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-210-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-212-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-194-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-198-0x0000000002D50000-0x0000000002D96000-memory.dmp

Filesize
280KB

Download
memory/2028-214-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-990-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2028-216-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-224-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-226-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-222-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-196-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-220-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/2028-991-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/2028-992-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/2028-993-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-995-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-996-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-997-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2028-998-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download