redline | ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1

Analysis

max time kernel
153s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
Size

694KB
MD5

596c660def1a7e6df555c1966dc7bc89
SHA1

1a40868b4009ecc22041397333307979cf0384de
SHA256

ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1
SHA512

0d0e71d4f9d30ff263fcfd75e9b13355a808a28a9bae0b640ad48a159f0e7f73abcd16cbc1b82c27f0165124699e5771bd2dd9d4bf13cfde6ad2327a2a16ca8c
SSDEEP

12288:Wy90byBu1UQeU4ab+6BC8rgHRyKzbqLDZLS+WmjXrwQey59UZ0ysw5MJT7o+:Wy901QmK6wCYQKCsojbwQYPslo+

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1504-987-0x0000000009C40000-0x000000000A258000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	29477359.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4572	un561800.exe
4592	29477359.exe
1504	rk628985.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	29477359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	29477359.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un561800.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un561800.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	4592	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4592	29477359.exe
4592	29477359.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	29477359.exe
Token: SeDebugPrivilege	1504	rk628985.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 4572	2804	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	84
PID 2804 wrote to memory of 4572	2804	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	84
PID 2804 wrote to memory of 4572	2804	ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe	84
PID 4572 wrote to memory of 4592	4572	un561800.exe	85
PID 4572 wrote to memory of 4592	4572	un561800.exe	85
PID 4572 wrote to memory of 4592	4572	un561800.exe	85
PID 4572 wrote to memory of 1504	4572	un561800.exe	90
PID 4572 wrote to memory of 1504	4572	un561800.exe	90
PID 4572 wrote to memory of 1504	4572	un561800.exe	90

C:\Users\Admin\AppData\Local\Temp\ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe
"C:\Users\Admin\AppData\Local\Temp\ece1d8ae55e1009cd2077b5ce974e67472b707a9d0dd53013c8521d64198cbd1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1080
      4⤵
      Program crash
      PID:3736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4592 -ip 4592
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe

Filesize
540KB

MD5
9ec7ee85a41fb168de72a4c7dff6be76

SHA1
83ff05ab4d9236d082d8a8dfc579f6fd56bd43de

SHA256
1760e6199394e1c0756988c0f983c7a4dfaeb13a050fa7f3f50122e08d41e008

SHA512
f455fb2cfcbc1de29f3ea0def87dc84a467618504c73ea41a4faaff2b28d63f14988a40e5295259b3f5a79313ecc7a88116b11b562399ca99dfdb54df6adf480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un561800.exe

Filesize
540KB

MD5
9ec7ee85a41fb168de72a4c7dff6be76

SHA1
83ff05ab4d9236d082d8a8dfc579f6fd56bd43de

SHA256
1760e6199394e1c0756988c0f983c7a4dfaeb13a050fa7f3f50122e08d41e008

SHA512
f455fb2cfcbc1de29f3ea0def87dc84a467618504c73ea41a4faaff2b28d63f14988a40e5295259b3f5a79313ecc7a88116b11b562399ca99dfdb54df6adf480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\29477359.exe

Filesize
258KB

MD5
f0a970ca380e884c799ffe9ebee3f47d

SHA1
73e4a6290b002016235de8467c81a32d6fe74568

SHA256
6698877fb2c49ed322b65d96fb68a96acc8ce1d966480750bc424d8ffeeebe92

SHA512
ef6c2e90fe24c85f430e41a8e4807e0842c33385e442775e7b2f73ff19d56c475c37b1e011bc856d9d28d6f8e7360aae1d79586c135d1c255863b8358ffbd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk628985.exe

Filesize
340KB

MD5
ffc8fdb0ff9f113860fa7c4f43182f12

SHA1
a7bd411a9a63791917affdc934bac77a4d96cb1c

SHA256
6288e7f32402e2710d28476ba98957dca7f3c0bec0bedb8c50b1e2bc576905e3

SHA512
950b9c5acb9ff491cb12326c3c6093adb3c1bf81c4ddcf666def51cfb64f8e387cafdfe476d8e99863c879cc3b1d4535486923a76acf1a99484ea3df09f8d28d

Download Submit
memory/1504-213-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-223-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-994-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1504-993-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1504-991-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1504-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/1504-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/1504-193-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1504-987-0x0000000009C40000-0x000000000A258000-memory.dmp

Filesize
6.1MB

Download
memory/1504-194-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-246-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1504-227-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-225-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-195-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-192-0x0000000002CF0000-0x0000000002D36000-memory.dmp

Filesize
280KB

Download
memory/1504-221-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-219-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-217-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-215-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-211-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-209-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-207-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-205-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-203-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-199-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-201-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-197-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/1504-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/4592-174-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-164-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-151-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4592-149-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/4592-150-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4592-187-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4592-186-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4592-185-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4592-184-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4592-182-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/4592-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4592-148-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/4592-180-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-178-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-176-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-172-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-170-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-168-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-166-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-162-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-160-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-158-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-156-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-154-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-153-0x0000000007240000-0x0000000007253000-memory.dmp

Filesize
76KB

Download
memory/4592-152-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download