redline | f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe
Size

747KB
MD5

172a66ad6ae636055ee3ad1cb225f779
SHA1

06e23b794a6499044851514f94b43bf1c99006dc
SHA256

f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee
SHA512

b2337fb25c834875bc85d18c773bd2e59fd0af254a50c5bd61be7914302a612f43f6ea0451f2d7beb99c616276e2c6caaeee4de791de62ae2cf77fcdec10b615
SSDEEP

12288:xy90iPYiyImSAE5ROSwZnGYTZDXNWpM3F5UHfuiypgc8PmZ6BdLmR0XzsqmxB9:xyCij5ROSAnG4v7efuntKmk3yBqm/

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1520-987-0x0000000007940000-0x0000000007F58000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	81551201.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	81551201.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	81551201.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	81551201.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	81551201.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	81551201.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4220	un756225.exe
1220	81551201.exe
1520	rk282175.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	81551201.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	81551201.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un756225.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un756225.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4328	1220	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1220	81551201.exe
1220	81551201.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	81551201.exe
Token: SeDebugPrivilege	1520	rk282175.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4220	2616	f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe	86
PID 2616 wrote to memory of 4220	2616	f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe	86
PID 2616 wrote to memory of 4220	2616	f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe	86
PID 4220 wrote to memory of 1220	4220	un756225.exe	87
PID 4220 wrote to memory of 1220	4220	un756225.exe	87
PID 4220 wrote to memory of 1220	4220	un756225.exe	87
PID 4220 wrote to memory of 1520	4220	un756225.exe	93
PID 4220 wrote to memory of 1520	4220	un756225.exe	93
PID 4220 wrote to memory of 1520	4220	un756225.exe	93

C:\Users\Admin\AppData\Local\Temp\f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe
"C:\Users\Admin\AppData\Local\Temp\f048445769a26a5e5382544cd310e51d06a718f729bb08f4caafde7ecb0db1ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un756225.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un756225.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81551201.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81551201.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1080
      4⤵
      Program crash
      PID:4328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282175.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282175.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1220 -ip 1220
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un756225.exe

Filesize
593KB

MD5
81e15a5bd52f256fac175170b3d04ee6

SHA1
8fbef6513bde57b58981d2cfe5471da2e7f7c4fc

SHA256
9304c21d15d580675f8483e79d297880b1971c6f8103b7e508a1fd34ced47827

SHA512
35ca2743256b184a9f42377a5c77f05e1217f30d465c57e0654f53c20d48a3e26b072a928a7d037e3f1cd97de21a0a9b69503c213485068c6d6c5b8b594a31c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un756225.exe

Filesize
593KB

MD5
81e15a5bd52f256fac175170b3d04ee6

SHA1
8fbef6513bde57b58981d2cfe5471da2e7f7c4fc

SHA256
9304c21d15d580675f8483e79d297880b1971c6f8103b7e508a1fd34ced47827

SHA512
35ca2743256b184a9f42377a5c77f05e1217f30d465c57e0654f53c20d48a3e26b072a928a7d037e3f1cd97de21a0a9b69503c213485068c6d6c5b8b594a31c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81551201.exe

Filesize
378KB

MD5
b071bcaf8748bd958d054bce3a6867f3

SHA1
4ceb7213e4c20c240f1cee6936d2df78be3e8529

SHA256
4528c2de8180b488d0f0111fccca98447d478026bb409a93469eb921dc53c844

SHA512
f700ea066a69a403b7ad8c6bc37a829041ac13385c6c606021e15f14bb6b82598ae4c3894d8c6de1ee960789c49f538e6f1fd6dbc419aff0be5e4d11caca7d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81551201.exe

Filesize
378KB

MD5
b071bcaf8748bd958d054bce3a6867f3

SHA1
4ceb7213e4c20c240f1cee6936d2df78be3e8529

SHA256
4528c2de8180b488d0f0111fccca98447d478026bb409a93469eb921dc53c844

SHA512
f700ea066a69a403b7ad8c6bc37a829041ac13385c6c606021e15f14bb6b82598ae4c3894d8c6de1ee960789c49f538e6f1fd6dbc419aff0be5e4d11caca7d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282175.exe

Filesize
460KB

MD5
9727a6a46e7461575b6b80881fd8ebc7

SHA1
87699e5a4a8dc175082b5f6f0b71385cf400420c

SHA256
45d23e4a3ef29a4f448e4438829a13301c91dac633d08be6ada37fb507fa09c3

SHA512
b9773b11fd7efb40c810e13de2c70f9ed609a8c8bb8654d2eb6aa35acdfab15a99612b2f71623ef78d7a8794f8a49a5452f262e8898d468aed7393fb4022f839

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk282175.exe

Filesize
460KB

MD5
9727a6a46e7461575b6b80881fd8ebc7

SHA1
87699e5a4a8dc175082b5f6f0b71385cf400420c

SHA256
45d23e4a3ef29a4f448e4438829a13301c91dac633d08be6ada37fb507fa09c3

SHA512
b9773b11fd7efb40c810e13de2c70f9ed609a8c8bb8654d2eb6aa35acdfab15a99612b2f71623ef78d7a8794f8a49a5452f262e8898d468aed7393fb4022f839

Download Submit
memory/1220-166-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-151-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-152-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-154-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-156-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-158-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-160-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-162-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-164-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-150-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/1220-168-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-170-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-172-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-174-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-176-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-178-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1220-179-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1220-180-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1220-181-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/1220-182-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1220-184-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1220-185-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1220-186-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/1220-149-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1220-148-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/1520-991-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1520-216-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-191-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/1520-204-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-195-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-196-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-198-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-200-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-202-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-194-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-208-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-206-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-210-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-212-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-214-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-994-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-218-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-220-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-222-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-224-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-228-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-226-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1520-987-0x0000000007940000-0x0000000007F58000-memory.dmp

Filesize
6.1MB

Download
memory/1520-988-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1520-989-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-990-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-192-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-993-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-193-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-995-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1520-996-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download