redline | bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716

Analysis

max time kernel
219s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe
Size

1.0MB
MD5

c24465100d43503a13a1de45a091a1d8
SHA1

b17c6a3cdf29dc916ef8fb82fcdeeac62b307694
SHA256

bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716
SHA512

1f036f7d03250f3903d3409c5a22a49f6f34eaf7169109198d4a359fc6fe285a071b71c228a9d0b593ed6bca5e44402486319aacd0742ba2e37b3b267a8ee42e
SSDEEP

12288:Zy90pEvZe7nT2lGVKvpgz1QwWoEVTlA7DjxvU8zKHLIxdclgWG6VDbWh1h/Qu6gE:Zyhe7l1fa5spU8zEaml2CH8z/QJOu

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1236-997-0x00000000078F0000-0x0000000007F08000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	197294511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	197294511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	197294511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	197294511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	197294511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	197294511.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
340	RS103643.exe
1584	ZI764762.exe
4624	197294511.exe
1236	249998071.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	197294511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	197294511.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RS103643.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ZI764762.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZI764762.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	RS103643.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4624	197294511.exe
4624	197294511.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	197294511.exe
Token: SeDebugPrivilege	1236	249998071.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 340	3116	bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe	80
PID 3116 wrote to memory of 340	3116	bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe	80
PID 3116 wrote to memory of 340	3116	bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe	80
PID 340 wrote to memory of 1584	340	RS103643.exe	81
PID 340 wrote to memory of 1584	340	RS103643.exe	81
PID 340 wrote to memory of 1584	340	RS103643.exe	81
PID 1584 wrote to memory of 4624	1584	ZI764762.exe	82
PID 1584 wrote to memory of 4624	1584	ZI764762.exe	82
PID 1584 wrote to memory of 4624	1584	ZI764762.exe	82
PID 1584 wrote to memory of 1236	1584	ZI764762.exe	83
PID 1584 wrote to memory of 1236	1584	ZI764762.exe	83
PID 1584 wrote to memory of 1236	1584	ZI764762.exe	83

C:\Users\Admin\AppData\Local\Temp\bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe
"C:\Users\Admin\AppData\Local\Temp\bc6b2c6478f7462db0ef9d954aee580e3d83ecb8da646316804a3dce11e09716.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RS103643.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RS103643.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZI764762.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZI764762.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\197294511.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\197294511.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\249998071.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\249998071.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RS103643.exe

Filesize
770KB

MD5
08e4f0c55be17a256b1e3c11900f60c9

SHA1
74fb8a1d7f24543732f2b4130159cd9967c8a1ce

SHA256
650200ac93464fef3e9afe8e1e91e7206fd147241ca041d45d781778359e5793

SHA512
6934aaf69a09e78786ae521e1512fbcb14a84d424fc18d28ad0d6cc72a7fcbd30eaf56a5947ec23e25ad7f8d7a410f302d353009adf8bb2105c2ec2a261aaae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RS103643.exe

Filesize
770KB

MD5
08e4f0c55be17a256b1e3c11900f60c9

SHA1
74fb8a1d7f24543732f2b4130159cd9967c8a1ce

SHA256
650200ac93464fef3e9afe8e1e91e7206fd147241ca041d45d781778359e5793

SHA512
6934aaf69a09e78786ae521e1512fbcb14a84d424fc18d28ad0d6cc72a7fcbd30eaf56a5947ec23e25ad7f8d7a410f302d353009adf8bb2105c2ec2a261aaae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZI764762.exe

Filesize
598KB

MD5
457ffb6790af160bb4ee266a0775ca17

SHA1
279ec9ab4d7dae0ece4eca3a421c40c125d19048

SHA256
21b6b593b64843a3e5503f96d369862d87c924de8efeac946e57233fc2defade

SHA512
16ddcca970aa6b5c63bf4753d00e63b27d08719b1496a56c23a8b606c2fe6ed5633377949887b61908cc6593370f85ebefbf353b0744df0e3d9a324f5293f48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZI764762.exe

Filesize
598KB

MD5
457ffb6790af160bb4ee266a0775ca17

SHA1
279ec9ab4d7dae0ece4eca3a421c40c125d19048

SHA256
21b6b593b64843a3e5503f96d369862d87c924de8efeac946e57233fc2defade

SHA512
16ddcca970aa6b5c63bf4753d00e63b27d08719b1496a56c23a8b606c2fe6ed5633377949887b61908cc6593370f85ebefbf353b0744df0e3d9a324f5293f48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\197294511.exe

Filesize
390KB

MD5
b05707c4da4faf3cb1031d6536be5e96

SHA1
2e2cbcbe7de3bef64857427e5502947136fe65ad

SHA256
8503741dc35685ee12be49f49e91e934cd125076ee67cc9b5de4023b2e2593ad

SHA512
7a6d76eb85e1c9e557ee76666c4eb6afba56c8c5b3e439287d602a43b539967fe4efb9b6f900882b35d7803cfe274a425506b8d7f20d9201d62d773c1bcf7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\197294511.exe

Filesize
390KB

MD5
b05707c4da4faf3cb1031d6536be5e96

SHA1
2e2cbcbe7de3bef64857427e5502947136fe65ad

SHA256
8503741dc35685ee12be49f49e91e934cd125076ee67cc9b5de4023b2e2593ad

SHA512
7a6d76eb85e1c9e557ee76666c4eb6afba56c8c5b3e439287d602a43b539967fe4efb9b6f900882b35d7803cfe274a425506b8d7f20d9201d62d773c1bcf7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\249998071.exe

Filesize
473KB

MD5
4bcab34d0ce5c714fd1cd918a5a74be6

SHA1
71e7c548e4ae903e57f379d41d5028d4af5f96e8

SHA256
238fc5169139e8d50e176fe6cb4e8433a7a5eebe323823485c03996e70851067

SHA512
4236877abfda7ae28fc65383e8d4ee57b33365d26797c55efc9cc94331ce063aa0b57c2b9eeda41b28ffeac4a1e79f09d944e73b090d2188f0d00c8af79e6fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\249998071.exe

Filesize
473KB

MD5
4bcab34d0ce5c714fd1cd918a5a74be6

SHA1
71e7c548e4ae903e57f379d41d5028d4af5f96e8

SHA256
238fc5169139e8d50e176fe6cb4e8433a7a5eebe323823485c03996e70851067

SHA512
4236877abfda7ae28fc65383e8d4ee57b33365d26797c55efc9cc94331ce063aa0b57c2b9eeda41b28ffeac4a1e79f09d944e73b090d2188f0d00c8af79e6fc0

Download Submit
memory/1236-344-0x0000000000D70000-0x0000000000DB6000-memory.dmp

Filesize
280KB

Download
memory/1236-227-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-1002-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-1001-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-1000-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-998-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1236-997-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/1236-1004-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1236-348-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-346-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-207-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-231-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-229-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-1003-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1236-225-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-223-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-221-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-219-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-217-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-215-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-213-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-211-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-209-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-1005-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-1007-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/1236-203-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-202-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1236-205-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/4624-164-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-197-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4624-191-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4624-190-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4624-189-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4624-188-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-186-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-184-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-182-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-180-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-178-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-176-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-174-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-172-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-170-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-168-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-166-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-162-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-161-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4624-160-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4624-159-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4624-158-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4624-157-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4624-156-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/4624-155-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download