redline | b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe
Size

694KB
MD5

be12f1a25da41af9cd01116262da9152
SHA1

24a217701b079ce45c4f21af34b68098919457a4
SHA256

b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8
SHA512

eea5ba356b47e966573772ab21a475732b33b218146e145ad2e186d1c5ccb8dcf4acca93ca7e3bec33ec1a729449796fc038147c98c6a35a93560af14fa9f269
SSDEEP

12288:Cy90e8MgWttzPJcKFJHIbdzDafkJ1YVK1gmOQ3ZRhu0Hq0iD5e7jw4cMYuPZ:Cy0W/z+iRIZzDaMJD+mOsj7Tue7jwzz0

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4288-988-0x0000000009D20000-0x000000000A338000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	48651618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	48651618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	48651618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	48651618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	48651618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	48651618.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2724	un903501.exe
60	48651618.exe
4288	rk219844.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	48651618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	48651618.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un903501.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un903501.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3748	60	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	48651618.exe
60	48651618.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	48651618.exe
Token: SeDebugPrivilege	4288	rk219844.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2724	1316	b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe	83
PID 1316 wrote to memory of 2724	1316	b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe	83
PID 1316 wrote to memory of 2724	1316	b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe	83
PID 2724 wrote to memory of 60	2724	un903501.exe	84
PID 2724 wrote to memory of 60	2724	un903501.exe	84
PID 2724 wrote to memory of 60	2724	un903501.exe	84
PID 2724 wrote to memory of 4288	2724	un903501.exe	95
PID 2724 wrote to memory of 4288	2724	un903501.exe	95
PID 2724 wrote to memory of 4288	2724	un903501.exe	95

C:\Users\Admin\AppData\Local\Temp\b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe
"C:\Users\Admin\AppData\Local\Temp\b33ee453ad2fd964e46e27535fd1c448194779fd9494d005a31d567cd0f052a8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un903501.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un903501.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48651618.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48651618.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:60
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1084
      4⤵
      Program crash
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk219844.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk219844.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 60 -ip 60
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un903501.exe

Filesize
540KB

MD5
92251c7d83df52b7062a134ae10b1567

SHA1
81b94f489d659f570ca13771112121efd492d976

SHA256
eb55f36fde1d9ac8302443cc47cef4f1584b144771265d3840da1a8f19e841bb

SHA512
0f3b79dafd5f9b20298c923dbf9e45d2b77b157c6b73b10a117e0f0964c133d5a40db7aeb4b3888f53cbf8842bf5890c2a9f5a9c73aee9d6bcbe906f6ecf0633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un903501.exe

Filesize
540KB

MD5
92251c7d83df52b7062a134ae10b1567

SHA1
81b94f489d659f570ca13771112121efd492d976

SHA256
eb55f36fde1d9ac8302443cc47cef4f1584b144771265d3840da1a8f19e841bb

SHA512
0f3b79dafd5f9b20298c923dbf9e45d2b77b157c6b73b10a117e0f0964c133d5a40db7aeb4b3888f53cbf8842bf5890c2a9f5a9c73aee9d6bcbe906f6ecf0633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48651618.exe

Filesize
264KB

MD5
1d37a9350af96f84499f78213563da4c

SHA1
90fea2b6ab19cd27f3ef52476e5f31f21b2347ee

SHA256
ca49127e2a33d65c81aad0ef86d763abd7c665a7ff3883cc1b7430d0c4ca36a3

SHA512
bb4487e3f1861acccee14ddfe5c7b2bf0580f7552905fcfdeb29b00dea6eadbe42aca2f5fb735c788c006d6322e3cc7231e22be70f2488155914c702ca9d51f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48651618.exe

Filesize
264KB

MD5
1d37a9350af96f84499f78213563da4c

SHA1
90fea2b6ab19cd27f3ef52476e5f31f21b2347ee

SHA256
ca49127e2a33d65c81aad0ef86d763abd7c665a7ff3883cc1b7430d0c4ca36a3

SHA512
bb4487e3f1861acccee14ddfe5c7b2bf0580f7552905fcfdeb29b00dea6eadbe42aca2f5fb735c788c006d6322e3cc7231e22be70f2488155914c702ca9d51f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk219844.exe

Filesize
348KB

MD5
1084a9bd05558047d820b11e971a3d9c

SHA1
5df23c1c9986fbcf12116a23e71a1977155be30d

SHA256
6c70a632789265ce4c5183784e7369583c7994f46289ad51b6775bc5974d3008

SHA512
370d1223c7869088573984cc72378b0e0f07128a8f474b617ca4dadae87a064ab6fbe3c08dacf388b98cd68e18bbacb7d03e8aaf2e3411347cd6cddd3b12c3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk219844.exe

Filesize
348KB

MD5
1084a9bd05558047d820b11e971a3d9c

SHA1
5df23c1c9986fbcf12116a23e71a1977155be30d

SHA256
6c70a632789265ce4c5183784e7369583c7994f46289ad51b6775bc5974d3008

SHA512
370d1223c7869088573984cc72378b0e0f07128a8f474b617ca4dadae87a064ab6fbe3c08dacf388b98cd68e18bbacb7d03e8aaf2e3411347cd6cddd3b12c3d8

Download Submit
memory/60-167-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-163-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-153-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-155-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-157-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-159-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-161-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-151-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-165-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-150-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-169-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-171-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-173-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-175-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-177-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/60-178-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/60-179-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/60-180-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/60-181-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/60-183-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/60-184-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/60-185-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/60-186-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/60-149-0x00000000072C0000-0x0000000007864000-memory.dmp

Filesize
5.6MB

Download
memory/60-148-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/4288-223-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-372-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-988-0x0000000009D20000-0x000000000A338000-memory.dmp

Filesize
6.1MB

Download
memory/4288-193-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-199-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-201-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-203-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-209-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-207-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-211-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-205-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-213-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-215-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-192-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-197-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-217-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-989-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/4288-219-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-368-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-370-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-366-0x0000000002E00000-0x0000000002E46000-memory.dmp

Filesize
280KB

Download
memory/4288-195-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-221-0x0000000004D10000-0x0000000004D45000-memory.dmp

Filesize
212KB

Download
memory/4288-990-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/4288-991-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/4288-992-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-994-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-995-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-996-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4288-997-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download