redline | f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
Size

695KB
MD5

48fd845cfc42eb2c4dc4cb03c23b27c8
SHA1

3dc94ca3d3de1979949d0440cdc8103cff8064c6
SHA256

f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec
SHA512

fe3ee9eae6f79dbedea2d4ad6796d678bdae181a6be06c92876d7fc29de6359d907ae330d48727575ae26ea6129f83b5fc3996b04b000e38509f5a64a440af4d
SSDEEP

12288:cy90kUn4MnLH7mFrehcUXUdun1Jr2Kix3xTHQq8sXowQDySyUdJOvmxQAE:cyBUnlnTaVehc23nqBxhTHQ1s4wQ7Aog

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3456-989-0x0000000009D70000-0x000000000A388000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	62353108.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1564	un624240.exe
3880	62353108.exe
3456	rk268966.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	62353108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	62353108.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un624240.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un624240.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2404	3880	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	62353108.exe
3880	62353108.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	62353108.exe
Token: SeDebugPrivilege	3456	rk268966.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1564	2152	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	84
PID 2152 wrote to memory of 1564	2152	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	84
PID 2152 wrote to memory of 1564	2152	f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe	84
PID 1564 wrote to memory of 3880	1564	un624240.exe	85
PID 1564 wrote to memory of 3880	1564	un624240.exe	85
PID 1564 wrote to memory of 3880	1564	un624240.exe	85
PID 1564 wrote to memory of 3456	1564	un624240.exe	89
PID 1564 wrote to memory of 3456	1564	un624240.exe	89
PID 1564 wrote to memory of 3456	1564	un624240.exe	89

C:\Users\Admin\AppData\Local\Temp\f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe
"C:\Users\Admin\AppData\Local\Temp\f2f68f672b62fc65e343afea6c3e49a2cd43905904eb68de308fcc3bc6d8e3ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1080
      4⤵
      Program crash
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3880 -ip 3880
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe

Filesize
541KB

MD5
8164882881ededdf303d24ac9bb0324e

SHA1
d0d4beffc960cdc16706f8702597a7979794d0c4

SHA256
70a4131cd81bf886f1c34d81ab8c61197bc6b38017145cd584c412da74c78d2b

SHA512
aaad4fa2ad278f66d1aba044ab1e0dc852c1fadf99f93dfb32f63072ffb1594ff4351dbe9a87e0194705675a81312a08c50e2dc5c6c00851b3f5cfb1e1f19a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un624240.exe

Filesize
541KB

MD5
8164882881ededdf303d24ac9bb0324e

SHA1
d0d4beffc960cdc16706f8702597a7979794d0c4

SHA256
70a4131cd81bf886f1c34d81ab8c61197bc6b38017145cd584c412da74c78d2b

SHA512
aaad4fa2ad278f66d1aba044ab1e0dc852c1fadf99f93dfb32f63072ffb1594ff4351dbe9a87e0194705675a81312a08c50e2dc5c6c00851b3f5cfb1e1f19a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\62353108.exe

Filesize
258KB

MD5
c671d754003666106ee51a7020e62adb

SHA1
6c05148cf75558a82598fd8357c86ed6bdcc9063

SHA256
1bd5d6df4d767ec3f59248526cb7efb4389f55ff56fe622f84c2ce05baf75d26

SHA512
5f8f93f7d830903688790182667955bbec924d36c1f732ca86bc2c4e7f8dffa0724de2e9df432924b685c1e13a64343c8cf7e080f44cc5f9bf3d0bcca6dc550b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk268966.exe

Filesize
340KB

MD5
b383cd533b43586dcabf78c4407c2c75

SHA1
7dd51a068af50c5887d0cf3f5fda4c029c50aea5

SHA256
31d8b295af54119bf497aff31d29d7fb63ebc7cc93834ff84524b68c86fdffff

SHA512
50e3024c047e1945ecd8ccec19a6865dde0d9fc6a7dccdba15848170c1dea69955de21e6d0c4b17209edbc395d522a689a1b79a106739cb83658be11cd1b6cea

Download Submit
memory/3456-220-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-224-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-998-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-996-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-196-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-995-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-993-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-992-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download
memory/3456-991-0x000000000A390000-0x000000000A49A000-memory.dmp

Filesize
1.0MB

Download
memory/3456-990-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/3456-989-0x0000000009D70000-0x000000000A388000-memory.dmp

Filesize
6.1MB

Download
memory/3456-327-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-323-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-325-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-321-0x00000000046B0000-0x00000000046F6000-memory.dmp

Filesize
280KB

Download
memory/3456-222-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-218-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-198-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-214-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-212-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-210-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-208-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-194-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-206-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-204-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-193-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-202-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-997-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3456-216-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3456-200-0x0000000004C00000-0x0000000004C35000-memory.dmp

Filesize
212KB

Download
memory/3880-149-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3880-184-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3880-187-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3880-183-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3880-152-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3880-182-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3880-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3880-170-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-178-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-150-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/3880-176-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-148-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/3880-172-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-174-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-180-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-168-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-166-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-164-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-162-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-160-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-158-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-156-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-154-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-153-0x0000000004A60000-0x0000000004A73000-memory.dmp

Filesize
76KB

Download
memory/3880-151-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download