redline | f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe
Size

690KB
MD5

1cc4c9a6f2548fc9013171a43f905145
SHA1

2005b7be2493fc4cae583c7c17cdcce4aaab18e6
SHA256

f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f
SHA512

5abc213ad1d557a25820296196112da9287ad1d5fdd0218b9fbf7b19b454785502457ed00b8536df6309e459e4e23e404f6e57d62e15116cc48d5685fa0ca108
SSDEEP

12288:Gy902Lsg+iywMHHCRvbHczVdsyJWXoOkHbuGDQkX8eE/UUh:Gybsg+GMnccYy4GbuGMkX8nh

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/112-986-0x0000000007520000-0x0000000007B38000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	47892940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	47892940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	47892940.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	47892940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	47892940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	47892940.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1584	un529960.exe
1936	47892940.exe
112	rk935178.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	47892940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	47892940.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un529960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un529960.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
32	1936	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	47892940.exe
1936	47892940.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	47892940.exe
Token: SeDebugPrivilege	112	rk935178.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1584	2292	f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe	81
PID 2292 wrote to memory of 1584	2292	f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe	81
PID 2292 wrote to memory of 1584	2292	f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe	81
PID 1584 wrote to memory of 1936	1584	un529960.exe	82
PID 1584 wrote to memory of 1936	1584	un529960.exe	82
PID 1584 wrote to memory of 1936	1584	un529960.exe	82
PID 1584 wrote to memory of 112	1584	un529960.exe	86
PID 1584 wrote to memory of 112	1584	un529960.exe	86
PID 1584 wrote to memory of 112	1584	un529960.exe	86

C:\Users\Admin\AppData\Local\Temp\f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe
"C:\Users\Admin\AppData\Local\Temp\f1a75f4157997d32b6e983571e161fc9e4a1d3560e28d13d73505b503645381f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529960.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529960.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47892940.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47892940.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1084
      4⤵
      Program crash
      PID:32
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk935178.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk935178.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1936 -ip 1936
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529960.exe

Filesize
536KB

MD5
e6b4b35623e61313efd7515dc1f56b15

SHA1
2f9ee71bf740c9b3b3c99a38e811d1ceaf462a18

SHA256
6f81250dc520299f1daf2a3c875a72ce36635a640a70acf65fc6fe565638850e

SHA512
1a89b81a666cb929cee763206903f6bfb1f423ac179adf47925764fd710f61799511b944e1f6f6bfbd4263decfb0ceaa5a8f175af4e12279f5053534fe550a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un529960.exe

Filesize
536KB

MD5
e6b4b35623e61313efd7515dc1f56b15

SHA1
2f9ee71bf740c9b3b3c99a38e811d1ceaf462a18

SHA256
6f81250dc520299f1daf2a3c875a72ce36635a640a70acf65fc6fe565638850e

SHA512
1a89b81a666cb929cee763206903f6bfb1f423ac179adf47925764fd710f61799511b944e1f6f6bfbd4263decfb0ceaa5a8f175af4e12279f5053534fe550a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47892940.exe

Filesize
258KB

MD5
a5878a357647e0e52cb5617bb5abcc72

SHA1
dba6357f9af8c29a42d7c6f7e5c7c39fc4ed5ae0

SHA256
8b670eeab81aa7e80b7790218a81286592a85654fe5b4d5004ca32253a9e6076

SHA512
6d6a1747f06b8bc4b6b95d9ca47e5fb0b6efa9a984588fa5b0ea714a781ff89422bb7cb7be3c719ae8c70dfed8d321a5cfa13547c5c5b63f0245d16141fa9ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47892940.exe

Filesize
258KB

MD5
a5878a357647e0e52cb5617bb5abcc72

SHA1
dba6357f9af8c29a42d7c6f7e5c7c39fc4ed5ae0

SHA256
8b670eeab81aa7e80b7790218a81286592a85654fe5b4d5004ca32253a9e6076

SHA512
6d6a1747f06b8bc4b6b95d9ca47e5fb0b6efa9a984588fa5b0ea714a781ff89422bb7cb7be3c719ae8c70dfed8d321a5cfa13547c5c5b63f0245d16141fa9ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk935178.exe

Filesize
342KB

MD5
f5192484593a4263b6a4591b64d44eaa

SHA1
e15cad8ef519848aa0849dcfdea407d0f24b9008

SHA256
50e715df7472c04284e42a11dc41b207eab96e46ed7fdad254a7e1fe37302c57

SHA512
0bb875d6a7d17302d85fe19e807113814dbf48690f5cb31cc2800a1cc3b2c9ac974224de3b67e64d731cf288cfea7c399fa78613e41db7fa94c64240ab4efe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk935178.exe

Filesize
342KB

MD5
f5192484593a4263b6a4591b64d44eaa

SHA1
e15cad8ef519848aa0849dcfdea407d0f24b9008

SHA256
50e715df7472c04284e42a11dc41b207eab96e46ed7fdad254a7e1fe37302c57

SHA512
0bb875d6a7d17302d85fe19e807113814dbf48690f5cb31cc2800a1cc3b2c9ac974224de3b67e64d731cf288cfea7c399fa78613e41db7fa94c64240ab4efe95

Download Submit
memory/112-219-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-223-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-995-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-994-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-195-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-992-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-990-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-989-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/112-988-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/112-987-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/112-986-0x0000000007520000-0x0000000007B38000-memory.dmp

Filesize
6.1MB

Download
memory/112-324-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-322-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-320-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-319-0x0000000002140000-0x0000000002186000-memory.dmp

Filesize
280KB

Download
memory/112-221-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-217-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-197-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-213-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-211-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-209-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-207-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-193-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-205-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-191-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-190-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-203-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-993-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/112-215-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-199-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/112-201-0x0000000004A20000-0x0000000004A55000-memory.dmp

Filesize
212KB

Download
memory/1936-183-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1936-156-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1936-172-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-182-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1936-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1936-170-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-178-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-148-0x00000000005B0000-0x00000000005DD000-memory.dmp

Filesize
180KB

Download
memory/1936-176-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-152-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-174-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-166-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1936-180-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-150-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/1936-168-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-162-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-165-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1936-164-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-160-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-158-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-149-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/1936-154-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download
memory/1936-151-0x00000000049C0000-0x00000000049D3000-memory.dmp

Filesize
76KB

Download