redline | b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae

Analysis

max time kernel
151s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
Size

694KB
MD5

c60c4a001ba4efc0aa692545796f8a6b
SHA1

c9f03196f34962d25fe257fee95b91b4c2d32cc1
SHA256

b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae
SHA512

50109304b71eef128ea4e2ae8d03e23e782c060daf7623051336ace713b5054d8300ab4847022dafee65269567cb5ad850bdce02ab358c69eeb98fb243a1cb4e
SSDEEP

12288:Oy905DsvczTwF8wlDUiz9DtLvF2Hjx+cqRaEIA9CEW+Y0gf4ZRr4oG42bF3:OymF/28iBDT2DkcqLjCEC0i4ZRr4R421

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4832-995-0x0000000009C70000-0x000000000A288000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	07477955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	07477955.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1404	un930583.exe
4328	07477955.exe
4832	rk462201.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	07477955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	07477955.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un930583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un930583.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	4328	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4328	07477955.exe
4328	07477955.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	07477955.exe
Token: SeDebugPrivilege	4832	rk462201.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 1404	3548	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	82
PID 3548 wrote to memory of 1404	3548	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	82
PID 3548 wrote to memory of 1404	3548	b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe	82
PID 1404 wrote to memory of 4328	1404	un930583.exe	83
PID 1404 wrote to memory of 4328	1404	un930583.exe	83
PID 1404 wrote to memory of 4328	1404	un930583.exe	83
PID 1404 wrote to memory of 4832	1404	un930583.exe	88
PID 1404 wrote to memory of 4832	1404	un930583.exe	88
PID 1404 wrote to memory of 4832	1404	un930583.exe	88

C:\Users\Admin\AppData\Local\Temp\b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe
"C:\Users\Admin\AppData\Local\Temp\b10022b08b58c6b61a664f09454b46761c9ed32566e041c68f1770c93d277eae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1088
      4⤵
      Program crash
      PID:3044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4328 -ip 4328
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe

Filesize
540KB

MD5
3cffb8f6c3980cae0101e1d8a2c6afcc

SHA1
2076ed903cd3644b96112790dd83dac874617615

SHA256
2b698ab8c23c0719f0c2210d55dccb2ff62a97c9fa71029865f99c6eb52a9c71

SHA512
91dc3b9665732ec532720b8292c62f99ed4146318edf8d1a429f0ddcc84c5cdcc52a36f43bfef0b2ce3daada76cad17f5c7d35dc82ed5d2998d1b8058a595f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un930583.exe

Filesize
540KB

MD5
3cffb8f6c3980cae0101e1d8a2c6afcc

SHA1
2076ed903cd3644b96112790dd83dac874617615

SHA256
2b698ab8c23c0719f0c2210d55dccb2ff62a97c9fa71029865f99c6eb52a9c71

SHA512
91dc3b9665732ec532720b8292c62f99ed4146318edf8d1a429f0ddcc84c5cdcc52a36f43bfef0b2ce3daada76cad17f5c7d35dc82ed5d2998d1b8058a595f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\07477955.exe

Filesize
258KB

MD5
1e1457e485c744c5dd87670b455fbf26

SHA1
8adf8f94c3bf2eaa4936b27b5bc1bc032cb32414

SHA256
8d4c82b5d6dd0efbc325ebb2f85b03b973ebcd936dc716fa8fd4c2ac8fdf1e26

SHA512
df7ce2d41db0ff4773013136168b3e3cdaa9040286b8a5118eb45a116b11924d7bdc7366f51416ee2635339c1b6b30f0b6df1d0fe512a731f846e4ff61dabee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462201.exe

Filesize
341KB

MD5
c86bf5aa6613ead87fc3ddc69445de6d

SHA1
f31f971df8ff70e4a6f02d573fe302b3fd73fbb3

SHA256
05c74c05b42bc775eb69ce955acf3a99a2b82d78f52df01a9f36ce1f0ff5bcd7

SHA512
c9555ca4cf3d541838bb37026ef7f7f4bd7fddb917eb3f64e623298044520b81cb292a4777ab580d12bcdfd927d91dd0bd463707a6a01db6ca221a5c6b2044b8

Download Submit
memory/4328-189-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4328-173-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-156-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4328-157-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4328-158-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-159-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-161-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-163-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-165-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-167-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-169-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-171-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-148-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/4328-175-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-177-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-179-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-181-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-183-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-185-0x0000000004AF0000-0x0000000004B03000-memory.dmp

Filesize
76KB

Download
memory/4328-186-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4328-188-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4328-153-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4328-191-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4328-149-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4328-155-0x00000000073F0000-0x0000000007994000-memory.dmp

Filesize
5.6MB

Download
memory/4832-999-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-1002-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-202-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-216-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-206-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-208-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-210-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-212-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-214-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-222-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-224-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-350-0x0000000002C90000-0x0000000002CD6000-memory.dmp

Filesize
280KB

Download
memory/4832-200-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-220-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-995-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/4832-352-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-354-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-355-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-199-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-996-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/4832-997-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/4832-998-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/4832-218-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-1001-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-204-0x0000000004D20000-0x0000000004D55000-memory.dmp

Filesize
212KB

Download
memory/4832-1003-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4832-1004-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download