redline | b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe
Size

1.0MB
MD5

e8a38a7d4ced39ff3a03fa3899919492
SHA1

9422f5e17796ce68c30a58034cdd9123ae63efae
SHA256

b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370
SHA512

d7681e83110fb36eed70143afa839058a71756be344e39cbed863795978d9ec9c05153942da88a1e66217ee99d7e2461ce5c01712851f33522212f1158ee7fa1
SSDEEP

24576:kykIlFn/PC+KMWgxQIoGjqcAaOuUAnHj82GZK1GvEw:zkIXn/P3KqxQKjp7nD8o1Gv

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3916-993-0x0000000007900000-0x0000000007F18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	13356134.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	13356134.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	13356134.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	13356134.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	13356134.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	13356134.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4216	za857528.exe
1972	za142039.exe
2216	13356134.exe
3916	w21Sw65.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	13356134.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	13356134.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za857528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za857528.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za142039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za142039.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4204	2216	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	13356134.exe
2216	13356134.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	13356134.exe
Token: SeDebugPrivilege	3916	w21Sw65.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 4216	2076	b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe	83
PID 2076 wrote to memory of 4216	2076	b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe	83
PID 2076 wrote to memory of 4216	2076	b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe	83
PID 4216 wrote to memory of 1972	4216	za857528.exe	84
PID 4216 wrote to memory of 1972	4216	za857528.exe	84
PID 4216 wrote to memory of 1972	4216	za857528.exe	84
PID 1972 wrote to memory of 2216	1972	za142039.exe	85
PID 1972 wrote to memory of 2216	1972	za142039.exe	85
PID 1972 wrote to memory of 2216	1972	za142039.exe	85
PID 1972 wrote to memory of 3916	1972	za142039.exe	95
PID 1972 wrote to memory of 3916	1972	za142039.exe	95
PID 1972 wrote to memory of 3916	1972	za142039.exe	95

C:\Users\Admin\AppData\Local\Temp\b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe
"C:\Users\Admin\AppData\Local\Temp\b684daa3c34aa840255d46d1ba002519587e2704cca10f4aee8d8922c6860370.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za857528.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za857528.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142039.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142039.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\13356134.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\13356134.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1080
        5⤵
        Program crash
        
        PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w21Sw65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w21Sw65.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2216 -ip 2216
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za857528.exe

Filesize
774KB

MD5
c425fa2c0d692d766cc133da247080a8

SHA1
aded8fc55dd44bed8e1a1c376839f79dabcccf8e

SHA256
f9fd664a3113b660286a3bac31f88e33c8933165e8c3b3c728b5195f257d3d59

SHA512
ea73651f8ad379f6a765b281206ad65094e83453b4114a8b0ef61ea7645d8831e77919ad2a787c620b142e105ac01b8445747b43b436cd66f375cbb784aa637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za857528.exe

Filesize
774KB

MD5
c425fa2c0d692d766cc133da247080a8

SHA1
aded8fc55dd44bed8e1a1c376839f79dabcccf8e

SHA256
f9fd664a3113b660286a3bac31f88e33c8933165e8c3b3c728b5195f257d3d59

SHA512
ea73651f8ad379f6a765b281206ad65094e83453b4114a8b0ef61ea7645d8831e77919ad2a787c620b142e105ac01b8445747b43b436cd66f375cbb784aa637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142039.exe

Filesize
592KB

MD5
c4fb61a589d41bb40140ffc6df9eb4e3

SHA1
0d0348dafc3d451b2165e82a2de02f3f0724800a

SHA256
de70984841daf6489c7275504d02ef78518432df5c0a6593a141c08dc8eb6002

SHA512
876a20009fbe8a7ef51f14bc03e04faeb98b4b41c5381a721b959dfa3b1a7eeee3a96169c30c07d9c366d81f5247e1d7a94b86b369aca0c03e5ca384e0222724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142039.exe

Filesize
592KB

MD5
c4fb61a589d41bb40140ffc6df9eb4e3

SHA1
0d0348dafc3d451b2165e82a2de02f3f0724800a

SHA256
de70984841daf6489c7275504d02ef78518432df5c0a6593a141c08dc8eb6002

SHA512
876a20009fbe8a7ef51f14bc03e04faeb98b4b41c5381a721b959dfa3b1a7eeee3a96169c30c07d9c366d81f5247e1d7a94b86b369aca0c03e5ca384e0222724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\13356134.exe

Filesize
376KB

MD5
0be4cbdedff8e963795332922708a279

SHA1
3aa8beff78ba9b7167e44a925c8d90f392a9016c

SHA256
3a3c1508f8054ac086636a90827cf0e486ec4f7e516f8ab663dd2e04cff0ab00

SHA512
f2824d78f5173dbfae4abd2b305991461ee319dfea2d7bb76e4f403b1c93763d5746599a17ad657c61cba4311f1d4961016515ce9b542278fcf3dceefd818c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\13356134.exe

Filesize
376KB

MD5
0be4cbdedff8e963795332922708a279

SHA1
3aa8beff78ba9b7167e44a925c8d90f392a9016c

SHA256
3a3c1508f8054ac086636a90827cf0e486ec4f7e516f8ab663dd2e04cff0ab00

SHA512
f2824d78f5173dbfae4abd2b305991461ee319dfea2d7bb76e4f403b1c93763d5746599a17ad657c61cba4311f1d4961016515ce9b542278fcf3dceefd818c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w21Sw65.exe

Filesize
459KB

MD5
24196892443a821ee2c506fe71864951

SHA1
af38f3bb51a0ec56b34e3b7f812adf82588dada7

SHA256
dcf7ce9a14c4e9250a0d591b298c6fa649bb62ca59f4bb5db2bf668a027e9b7e

SHA512
0ebddc2ca7947010a3dd509ec57163ea9a8e891859a023fa7a8170afda58bd68c34b9f71c7fa6630686d2bb4489da3806417c83348a837f0433de932b97e57e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w21Sw65.exe

Filesize
459KB

MD5
24196892443a821ee2c506fe71864951

SHA1
af38f3bb51a0ec56b34e3b7f812adf82588dada7

SHA256
dcf7ce9a14c4e9250a0d591b298c6fa649bb62ca59f4bb5db2bf668a027e9b7e

SHA512
0ebddc2ca7947010a3dd509ec57163ea9a8e891859a023fa7a8170afda58bd68c34b9f71c7fa6630686d2bb4489da3806417c83348a837f0433de932b97e57e8

Download Submit
memory/2216-167-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-156-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2216-159-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2216-160-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-161-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-163-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-165-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-157-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/2216-169-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-171-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-173-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-175-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-177-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-179-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-181-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-183-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-185-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-187-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/2216-188-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2216-189-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2216-190-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2216-192-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2216-158-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2216-155-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3916-202-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-226-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-200-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-197-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-204-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-206-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-208-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-210-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-212-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-214-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-216-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-218-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-220-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-224-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-222-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-198-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-228-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-230-0x0000000002770000-0x00000000027A5000-memory.dmp

Filesize
212KB

Download
memory/3916-262-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-264-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-260-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/3916-265-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-993-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/3916-994-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3916-995-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3916-996-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3916-997-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-999-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-1000-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-1001-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3916-1002-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download