redline | ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
Size

697KB
MD5

54a70ee5d2e97b18cc473dad5fe1a26c
SHA1

fc03856a2b334b32932868d3e234648f4546a178
SHA256

ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f
SHA512

588fe6d2095e6ae6fd7d045890a9302fbd835d8c7c39191d653e2e8e74e046f885b113244d32b599d63a3463c3efb87c0334f5d7028034efdf78e10e300bc70e
SSDEEP

12288:Qy90Yht7YUjvir5uCD0wvAj7cjSunMBe9rd5fO+oE/2il4:Qy8Ujqr5PDYAj3Mgrv5n1C

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4936-986-0x0000000009D40000-0x000000000A358000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	40335334.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1728	un806944.exe
2292	40335334.exe
4936	rk156799.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	40335334.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	40335334.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un806944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un806944.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
516	2292	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	40335334.exe
2292	40335334.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	40335334.exe
Token: SeDebugPrivilege	4936	rk156799.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1728	1504	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	84
PID 1504 wrote to memory of 1728	1504	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	84
PID 1504 wrote to memory of 1728	1504	ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe	84
PID 1728 wrote to memory of 2292	1728	un806944.exe	85
PID 1728 wrote to memory of 2292	1728	un806944.exe	85
PID 1728 wrote to memory of 2292	1728	un806944.exe	85
PID 1728 wrote to memory of 4936	1728	un806944.exe	91
PID 1728 wrote to memory of 4936	1728	un806944.exe	91
PID 1728 wrote to memory of 4936	1728	un806944.exe	91

C:\Users\Admin\AppData\Local\Temp\ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe
"C:\Users\Admin\AppData\Local\Temp\ed9ccb0ed6487b59c0f9ca132581034de85e4ce75e54b797e069663bbb02111f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1080
      4⤵
      Program crash
      PID:516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2292 -ip 2292
1⤵
PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe

Filesize
542KB

MD5
d421b51f96bb2cfa314b4c2261677ae8

SHA1
ccf75a9fc4d26f704c6e2d8673f9d6bbca9db9cb

SHA256
7a0d39aa5c26eee67e4c52be07eba9b6327b2ce35a63aef5ebc2ce54c0f23e64

SHA512
94b319afb5dc7b910fe88aa532d1eae70be4e76d57cb98e107a6222b4957512cd96a3c412b99844ade53bb60921611a57cf1850e4e7dfbe47bfcea81b3ab40a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un806944.exe

Filesize
542KB

MD5
d421b51f96bb2cfa314b4c2261677ae8

SHA1
ccf75a9fc4d26f704c6e2d8673f9d6bbca9db9cb

SHA256
7a0d39aa5c26eee67e4c52be07eba9b6327b2ce35a63aef5ebc2ce54c0f23e64

SHA512
94b319afb5dc7b910fe88aa532d1eae70be4e76d57cb98e107a6222b4957512cd96a3c412b99844ade53bb60921611a57cf1850e4e7dfbe47bfcea81b3ab40a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40335334.exe

Filesize
263KB

MD5
4582a154c4c531d80e40a04f01a36259

SHA1
5966184689822d954b82757455998be9d66ce98a

SHA256
977d0535c2d634eb2cbbccee3e7e8afd497bb0cae59a97c73784de21448dede5

SHA512
98569c1bcc878f6701df0bef941b48765d56aaa72a90a862e553b3b03a0a4ee9169f5e1a334d91bab87a6c94dfb3729f0e1f0541d8f0ee49b7f583fd059a63ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk156799.exe

Filesize
328KB

MD5
502fa85972c7067b182795cc27aa510c

SHA1
c05715d94988867ffeaf74f034b3ce448741254a

SHA256
f117cda72db57e6e27acc2aaf29c03272f9112563096755370767bea80ba7550

SHA512
c5c81f749b8a9460ecdff117dbe4b7940fea6b39ab322a67258e62809718cf9c08c57faf51cb924629bb5e51460ff425fd74d995b3c835c9b72661df272dd304

Download Submit
memory/2292-148-0x0000000002C20000-0x0000000002C4D000-memory.dmp

Filesize
180KB

Download
memory/2292-150-0x0000000007300000-0x00000000078A4000-memory.dmp

Filesize
5.6MB

Download
memory/2292-149-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2292-151-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2292-152-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-153-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-155-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-157-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-159-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-161-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-163-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-165-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-167-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-169-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-171-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-173-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-175-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-177-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-179-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/2292-180-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2292-181-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2292-182-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2292-183-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2292-185-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/4936-191-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-193-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-190-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-195-0x0000000002E10000-0x0000000002E56000-memory.dmp

Filesize
280KB

Download
memory/4936-197-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-199-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-200-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-202-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-196-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-203-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-205-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-207-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-209-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-211-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-213-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-215-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-217-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-219-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-221-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-223-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-225-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-227-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/4936-986-0x0000000009D40000-0x000000000A358000-memory.dmp

Filesize
6.1MB

Download
memory/4936-987-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/4936-988-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/4936-989-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/4936-990-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-992-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-993-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-994-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/4936-995-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download