redline | b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe
Size

696KB
MD5

46c5d415ae900547c67e46d2c5b10e99
SHA1

4265c640004d22544e23733190a47f20c424af64
SHA256

b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75
SHA512

329fff8777f25c0cf604b80859f93afa1ba2deb422cb7d8f3df1a8ba3c6c6ec9fb7978f1f0d5dc85720d4e26e7e0e53a2f04901cbaac7363b140e6164ec2014d
SSDEEP

12288:y/y90HghzsWWrh0ArHiRKksjQFxr8UFdMM9e6Z52PBb0c/:gyNhwWWrZ4KoFxYUFHougPBYc/

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4936-986-0x0000000009CC0000-0x000000000A2D8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	61497159.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	61497159.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	61497159.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	61497159.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	61497159.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	61497159.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4476	un882836.exe
1008	61497159.exe
4936	rk460060.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	61497159.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	61497159.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un882836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un882836.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4364	1008	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1008	61497159.exe
1008	61497159.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	61497159.exe
Token: SeDebugPrivilege	4936	rk460060.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 4476	1172	b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe	89
PID 1172 wrote to memory of 4476	1172	b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe	89
PID 1172 wrote to memory of 4476	1172	b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe	89
PID 4476 wrote to memory of 1008	4476	un882836.exe	90
PID 4476 wrote to memory of 1008	4476	un882836.exe	90
PID 4476 wrote to memory of 1008	4476	un882836.exe	90
PID 4476 wrote to memory of 4936	4476	un882836.exe	100
PID 4476 wrote to memory of 4936	4476	un882836.exe	100
PID 4476 wrote to memory of 4936	4476	un882836.exe	100

C:\Users\Admin\AppData\Local\Temp\b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe
"C:\Users\Admin\AppData\Local\Temp\b0aa21cba7e2469b90c60df9e8763b58dd4f359ffb4d7319dd9c65dc1ce0ac75.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882836.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882836.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61497159.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61497159.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1096
      4⤵
      Program crash
      PID:4364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk460060.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk460060.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1008 -ip 1008
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882836.exe

Filesize
542KB

MD5
acd518c7fc1539c9e2ab7d9222a0317a

SHA1
bd305922855413ce3a5bcf66976c1fed64f94b08

SHA256
dfdf3a0d0f49b07349ae9ac748d44682875a2bca57bc75b4efa47d0d0de6367f

SHA512
9e22d67a59912fea9b4a9e237653c3605fb39cd74a53e474607e0a559b87006b51c1511235e78f5e34dddcba618c1083259a57330388cc86160fb2df5e4b70f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882836.exe

Filesize
542KB

MD5
acd518c7fc1539c9e2ab7d9222a0317a

SHA1
bd305922855413ce3a5bcf66976c1fed64f94b08

SHA256
dfdf3a0d0f49b07349ae9ac748d44682875a2bca57bc75b4efa47d0d0de6367f

SHA512
9e22d67a59912fea9b4a9e237653c3605fb39cd74a53e474607e0a559b87006b51c1511235e78f5e34dddcba618c1083259a57330388cc86160fb2df5e4b70f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61497159.exe

Filesize
263KB

MD5
8aa0057da72dbc4de69388395d30f7bf

SHA1
50d2b3aee624feaab7b78831291e695416b88fc6

SHA256
aa51dfcd6bc031142d0433c52cce2a53d92292ca027a87cb820016a585574049

SHA512
b9bb645c24d2d7288415953624ad89ac61aa62da4fb8900d1228e30edcc73d76d908958bf56364eaa8058327b52d5464e0ff2c0b16a0e4a976007b3b9c1b286e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\61497159.exe

Filesize
263KB

MD5
8aa0057da72dbc4de69388395d30f7bf

SHA1
50d2b3aee624feaab7b78831291e695416b88fc6

SHA256
aa51dfcd6bc031142d0433c52cce2a53d92292ca027a87cb820016a585574049

SHA512
b9bb645c24d2d7288415953624ad89ac61aa62da4fb8900d1228e30edcc73d76d908958bf56364eaa8058327b52d5464e0ff2c0b16a0e4a976007b3b9c1b286e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk460060.exe

Filesize
328KB

MD5
4badfb5e978c89ea1d82ee094ed1925c

SHA1
bbd5d4c46e95e5c86463e17cb0f1058cc2eb5bff

SHA256
8f330296fcca3d208f94b4cbb008d8f79309b08b110735abe15731881f2520ff

SHA512
67731f85df6070abbab22331b36c3c29746c7083fb00deb1611655c17dfda40638bf7048b95d8092d9b46996a0124fa4efdb7154ec27a5d5a09c87690c8ecd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk460060.exe

Filesize
328KB

MD5
4badfb5e978c89ea1d82ee094ed1925c

SHA1
bbd5d4c46e95e5c86463e17cb0f1058cc2eb5bff

SHA256
8f330296fcca3d208f94b4cbb008d8f79309b08b110735abe15731881f2520ff

SHA512
67731f85df6070abbab22331b36c3c29746c7083fb00deb1611655c17dfda40638bf7048b95d8092d9b46996a0124fa4efdb7154ec27a5d5a09c87690c8ecd4a

Download Submit
memory/1008-148-0x0000000002C20000-0x0000000002C4D000-memory.dmp

Filesize
180KB

Download
memory/1008-149-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/1008-150-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/1008-151-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/1008-152-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-153-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-155-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-157-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-159-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-161-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-163-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-165-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-167-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-169-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-171-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-173-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-175-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-177-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-179-0x0000000004AA0000-0x0000000004AB3000-memory.dmp

Filesize
76KB

Download
memory/1008-180-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/1008-182-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/1008-183-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/1008-184-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/1008-185-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/4936-190-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-191-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-193-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-195-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-197-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-199-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-201-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-203-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-205-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-207-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-209-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-211-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-213-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-215-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-217-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-219-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-221-0x0000000004700000-0x0000000004746000-memory.dmp

Filesize
280KB

Download
memory/4936-226-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-223-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4936-222-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4936-225-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4936-227-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4936-986-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

Filesize
6.1MB

Download
memory/4936-987-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/4936-988-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/4936-989-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/4936-990-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4936-992-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4936-993-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4936-994-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download