redline | b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe
Size

598KB
MD5

4aa079464e41a903ef35421ea8ca2f5d
SHA1

b5569f2e8834314ed4f26a0c4d353a6ed0eac5a9
SHA256

b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68
SHA512

6e53fc18b1fbd69d6628aa20a76a0c9d3783f8b7278a08fc5191bc0ec2d75982ed9d0f19ae52a01bac88adfd01afffb8489e6a9d3903e4571a456e5a9829ff6a
SSDEEP

12288:oMrPy90a4MY3jVuUIq8rvO62jriqR3/QC3/dOsC8bdWeqKxhFF:3yQtjfIqWva2q9/DMsxddvF

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2744-148-0x0000000007D00000-0x0000000008318000-memory.dmp	redline_stealer
behavioral2/memory/2744-154-0x00000000028A0000-0x0000000002906000-memory.dmp	redline_stealer
behavioral2/memory/2744-158-0x0000000008FC0000-0x0000000009182000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l0522728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l0522728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l0522728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l0522728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l0522728.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l0522728.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4832	y6064222.exe
2744	k1580220.exe
4072	l0522728.exe
1552	m4223929.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l0522728.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l0522728.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6064222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6064222.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3264	1552	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2744	k1580220.exe
2744	k1580220.exe
4072	l0522728.exe
4072	l0522728.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	k1580220.exe
Token: SeDebugPrivilege	4072	l0522728.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4832	2020	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe	83
PID 2020 wrote to memory of 4832	2020	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe	83
PID 2020 wrote to memory of 4832	2020	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe	83
PID 4832 wrote to memory of 2744	4832	y6064222.exe	84
PID 4832 wrote to memory of 2744	4832	y6064222.exe	84
PID 4832 wrote to memory of 2744	4832	y6064222.exe	84
PID 4832 wrote to memory of 4072	4832	y6064222.exe	92
PID 4832 wrote to memory of 4072	4832	y6064222.exe	92
PID 4832 wrote to memory of 4072	4832	y6064222.exe	92
PID 2020 wrote to memory of 1552	2020	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe	93
PID 2020 wrote to memory of 1552	2020	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe	93
PID 2020 wrote to memory of 1552	2020	b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe	93

C:\Users\Admin\AppData\Local\Temp\b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe
"C:\Users\Admin\AppData\Local\Temp\b0cd7dd83ede702aa4f26ed851cd590c7e39061910904bc5ed3f8395dd316b68.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6064222.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6064222.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1580220.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1580220.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0522728.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0522728.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4223929.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4223929.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 696
    3⤵
    - Program crash
    PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4223929.exe

Filesize
339KB

MD5
308dd67176523354afc107e3f69c4a88

SHA1
f5100fe0b9aad8b0cd2fb94aa0b62ade9eea207e

SHA256
61231a8e8f457f2884376ec1247205cd171e0818fcb3e9078f085d38634b9765

SHA512
0fdb5ae719720ce01f4d3d6c73a4e08d9c32869b01e08ff749d817aca2f8453515385f25cf387f12f0fa63f3e0f8d41cc9628d14f8d67e389a6eb04c6b5041f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m4223929.exe

Filesize
339KB

MD5
308dd67176523354afc107e3f69c4a88

SHA1
f5100fe0b9aad8b0cd2fb94aa0b62ade9eea207e

SHA256
61231a8e8f457f2884376ec1247205cd171e0818fcb3e9078f085d38634b9765

SHA512
0fdb5ae719720ce01f4d3d6c73a4e08d9c32869b01e08ff749d817aca2f8453515385f25cf387f12f0fa63f3e0f8d41cc9628d14f8d67e389a6eb04c6b5041f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6064222.exe

Filesize
307KB

MD5
23d99dae90cb2ab725f71e15ff045740

SHA1
0ffb33bcfba923abc5a43d351a7b0b82c7a9fa5f

SHA256
c13f4c20a72f5e0115941e4f460390d24e3e46bf054abc33ded344c9a4049fae

SHA512
23a0ac7972686021e3b6a020c568cc718c5a5998951b4cb4d83f7927ddcc8a48dc78f85e2a3c5683a3033fe289b0ba7d29f69ab95bcd0f1d6e8a062192a785bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6064222.exe

Filesize
307KB

MD5
23d99dae90cb2ab725f71e15ff045740

SHA1
0ffb33bcfba923abc5a43d351a7b0b82c7a9fa5f

SHA256
c13f4c20a72f5e0115941e4f460390d24e3e46bf054abc33ded344c9a4049fae

SHA512
23a0ac7972686021e3b6a020c568cc718c5a5998951b4cb4d83f7927ddcc8a48dc78f85e2a3c5683a3033fe289b0ba7d29f69ab95bcd0f1d6e8a062192a785bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1580220.exe

Filesize
136KB

MD5
be6c8bc8b566eba75d0c54d15c7aa403

SHA1
40484117bb7d947d754107ebe637377bb877bedf

SHA256
04f3b97e578ed4e9a407092243f197aa1bda65b958c8b5cdf1ec3bc3f8d6a897

SHA512
71ca4403a52b05903459519ab7bb893bee03802390f24406ea852faddaa921cc2332855080463e7545be4e4469243b38fa52a59dfa204b98613964d8d9e3bb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1580220.exe

Filesize
136KB

MD5
be6c8bc8b566eba75d0c54d15c7aa403

SHA1
40484117bb7d947d754107ebe637377bb877bedf

SHA256
04f3b97e578ed4e9a407092243f197aa1bda65b958c8b5cdf1ec3bc3f8d6a897

SHA512
71ca4403a52b05903459519ab7bb893bee03802390f24406ea852faddaa921cc2332855080463e7545be4e4469243b38fa52a59dfa204b98613964d8d9e3bb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0522728.exe

Filesize
175KB

MD5
c778cea1d02c52daa9f527510558bfdc

SHA1
27fbc7699326972b5c1bb9d5e8f5f79eb1508bae

SHA256
255f02b493141f4c15f10d7214c0867782aaff0265827f1f43287374db482d8a

SHA512
e49b18d2b4c20d3d175420d3ea7d92d7c117b24d91cc762a39f832d73b0ebeb28b62585ca693ad359b984759c76168d77926a2c0a8d85027164a4552d6be8986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0522728.exe

Filesize
175KB

MD5
c778cea1d02c52daa9f527510558bfdc

SHA1
27fbc7699326972b5c1bb9d5e8f5f79eb1508bae

SHA256
255f02b493141f4c15f10d7214c0867782aaff0265827f1f43287374db482d8a

SHA512
e49b18d2b4c20d3d175420d3ea7d92d7c117b24d91cc762a39f832d73b0ebeb28b62585ca693ad359b984759c76168d77926a2c0a8d85027164a4552d6be8986

Download Submit
memory/1552-205-0x0000000000880000-0x00000000008B5000-memory.dmp

Filesize
212KB

Download
memory/1552-206-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/2744-155-0x0000000008A10000-0x0000000008FB4000-memory.dmp

Filesize
5.6MB

Download
memory/2744-160-0x0000000008860000-0x000000000887E000-memory.dmp

Filesize
120KB

Download
memory/2744-153-0x0000000007820000-0x0000000007830000-memory.dmp

Filesize
64KB

Download
memory/2744-156-0x0000000008540000-0x00000000085D2000-memory.dmp

Filesize
584KB

Download
memory/2744-157-0x0000000008660000-0x00000000086D6000-memory.dmp

Filesize
472KB

Download
memory/2744-158-0x0000000008FC0000-0x0000000009182000-memory.dmp

Filesize
1.8MB

Download
memory/2744-159-0x00000000096C0000-0x0000000009BEC000-memory.dmp

Filesize
5.2MB

Download
memory/2744-154-0x00000000028A0000-0x0000000002906000-memory.dmp

Filesize
408KB

Download
memory/2744-161-0x0000000004D80000-0x0000000004DD0000-memory.dmp

Filesize
320KB

Download
memory/2744-152-0x0000000007820000-0x0000000007830000-memory.dmp

Filesize
64KB

Download
memory/2744-151-0x0000000007830000-0x000000000786C000-memory.dmp

Filesize
240KB

Download
memory/2744-150-0x00000000078D0000-0x00000000079DA000-memory.dmp

Filesize
1.0MB

Download
memory/2744-149-0x00000000077A0000-0x00000000077B2000-memory.dmp

Filesize
72KB

Download
memory/2744-148-0x0000000007D00000-0x0000000008318000-memory.dmp

Filesize
6.1MB

Download
memory/2744-147-0x0000000000950000-0x0000000000978000-memory.dmp

Filesize
160KB

Download
memory/4072-167-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4072-172-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-176-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-174-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-180-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-182-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-178-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-184-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-186-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-188-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-190-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-194-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-192-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-196-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-197-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4072-198-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4072-199-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4072-170-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-169-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/4072-168-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4072-166-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download