redline | b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8

Analysis

max time kernel
201s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
Size

690KB
MD5

f3d76114bb3d37f07092c2065af67b9e
SHA1

8bfe88e9f2a49d883b43b62930bd64fd7291eec0
SHA256

b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8
SHA512

4cd3f7e315d677390d35dd2fe9da721db87853abbd0a911d97070519eb9b285b72ff622da27b4ec939b4b6bfd059546c3dd2ea8d156f0ec6230ad5415cf32211
SSDEEP

12288:2y90MFhE0jMyvXQHOUaYGw4r3DExQByzZIJbQBXaq41EMbrLyrNb6RfTYCWygxx:2yPBMEQbay4bDEhzZqgaQMb3yrNb6RTm

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3900-989-0x00000000075E0000-0x0000000007BF8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	47738677.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	47738677.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2844	un303104.exe
3840	47738677.exe
3900	rk667911.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	47738677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	47738677.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un303104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un303104.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	3840	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3840	47738677.exe
3840	47738677.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3840	47738677.exe
Token: SeDebugPrivilege	3900	rk667911.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 2844	736	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	78
PID 736 wrote to memory of 2844	736	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	78
PID 736 wrote to memory of 2844	736	b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe	78
PID 2844 wrote to memory of 3840	2844	un303104.exe	79
PID 2844 wrote to memory of 3840	2844	un303104.exe	79
PID 2844 wrote to memory of 3840	2844	un303104.exe	79
PID 2844 wrote to memory of 3900	2844	un303104.exe	83
PID 2844 wrote to memory of 3900	2844	un303104.exe	83
PID 2844 wrote to memory of 3900	2844	un303104.exe	83

C:\Users\Admin\AppData\Local\Temp\b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe
"C:\Users\Admin\AppData\Local\Temp\b679418ae771b1052717ff2abed4836bd1c1ff20a3396697304e508c85c9f4f8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1084
      4⤵
      Program crash
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3840 -ip 3840
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe

Filesize
536KB

MD5
d67b01a4f6a9f71498dea3f4cb75af96

SHA1
aca861f0945ff570a36266c8a273c4d2e2cdc7be

SHA256
686bc71c4f6934ef3e485d4b159ecb219188e001fdd49b2799845b23ed762d8b

SHA512
0436fd680fd39549a8ee0341a6aee7a1adca382a6596978421bab10d1131996e04a8b2c4858cab353b8407974ffaefceb344e98d36cdc1a7ab823d572253da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un303104.exe

Filesize
536KB

MD5
d67b01a4f6a9f71498dea3f4cb75af96

SHA1
aca861f0945ff570a36266c8a273c4d2e2cdc7be

SHA256
686bc71c4f6934ef3e485d4b159ecb219188e001fdd49b2799845b23ed762d8b

SHA512
0436fd680fd39549a8ee0341a6aee7a1adca382a6596978421bab10d1131996e04a8b2c4858cab353b8407974ffaefceb344e98d36cdc1a7ab823d572253da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47738677.exe

Filesize
259KB

MD5
a6b1b652fa34cd189d4703f3f45287ac

SHA1
1face5536f7834054e0d79a276d1e24e95fba4fd

SHA256
3c7da38d33869080b83fdf5a49edbfd031034da8848242c8b8dfd0dcdf3ff910

SHA512
4e326c4531abffbfaa32e8686579246fd07bef1faa253ea29d18f85d932745c94a7e03e0acfb523cb018f74bf23a6e93d3696b82e7203e1eac5383b42caa25e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk667911.exe

Filesize
341KB

MD5
76331c95647aefe4de939f6c7fc1de13

SHA1
5496a07d4c48414c8f0c3d9256967178f0f0a203

SHA256
f858f6e16f3ef0caf2102404e02f0573809b0385fe13fd903bd54de3cbd03022

SHA512
0012bd11c847a84466e09cff190c380fe22fafc09333223ec976a355f931192acac00e80fe01995679bc87346202d6efcfd4b130b2ac7517649e8502fc0fe506

Download Submit
memory/3840-162-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3840-152-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3840-153-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-154-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-156-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-158-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-160-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-151-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3840-164-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-166-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-168-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-170-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-176-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-174-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-172-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-178-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-180-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/3840-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3840-182-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3840-183-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3840-150-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3840-149-0x00000000004E0000-0x000000000050D000-memory.dmp

Filesize
180KB

Download
memory/3840-148-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/3900-463-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-220-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-200-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-992-0x0000000007D10000-0x0000000007D4C000-memory.dmp

Filesize
240KB

Download
memory/3900-196-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-202-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-204-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-206-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-208-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-210-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-212-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-214-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-216-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-193-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-194-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-460-0x0000000001FE0000-0x0000000002026000-memory.dmp

Filesize
280KB

Download
memory/3900-218-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-462-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-466-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-990-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/3900-989-0x00000000075E0000-0x0000000007BF8000-memory.dmp

Filesize
6.1MB

Download
memory/3900-222-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-991-0x0000000007C00000-0x0000000007D0A000-memory.dmp

Filesize
1.0MB

Download
memory/3900-198-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/3900-993-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-995-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-996-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-997-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3900-998-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download