redline | c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49

Analysis

max time kernel
184s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe
Size

1.5MB
MD5

1b6ec75ca5fb03d61529a4415245f221
SHA1

4e4bffe043e1e3492f23f11ba3627abe13a85e56
SHA256

c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49
SHA512

41523a7eb45a74a7cc31e18958e19c52677b43934e6bcbc1fbfddff85950b3592bd2b93e9a6281f0f965206b68758eccf8d46ffadde7dfd43d1f751a99443b8a
SSDEEP

49152:fUEDid+7eqxn1us5m2w7A0H1R9GBWtN9uksa:MEe0eqmiJw7fR9GBQuks

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4540-214-0x0000000007FA0000-0x00000000085B8000-memory.dmp	redline_stealer
behavioral2/memory/4540-220-0x00000000085C0000-0x0000000008626000-memory.dmp	redline_stealer
behavioral2/memory/4540-223-0x0000000009390000-0x0000000009552000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3012305.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3012305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3012305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3012305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3012305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3012305.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2300	v6948406.exe
1132	v3273089.exe
3844	v7876041.exe
3836	v0447421.exe
2980	a3012305.exe
4540	b6026800.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3012305.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3012305.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7876041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7876041.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6948406.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3273089.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3273089.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0447421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0447421.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6948406.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	2980	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2980	a3012305.exe
2980	a3012305.exe
4540	b6026800.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	a3012305.exe
Token: SeDebugPrivilege	4540	b6026800.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 2300	4300	c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe	81
PID 4300 wrote to memory of 2300	4300	c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe	81
PID 4300 wrote to memory of 2300	4300	c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe	81
PID 2300 wrote to memory of 1132	2300	v6948406.exe	82
PID 2300 wrote to memory of 1132	2300	v6948406.exe	82
PID 2300 wrote to memory of 1132	2300	v6948406.exe	82
PID 1132 wrote to memory of 3844	1132	v3273089.exe	83
PID 1132 wrote to memory of 3844	1132	v3273089.exe	83
PID 1132 wrote to memory of 3844	1132	v3273089.exe	83
PID 3844 wrote to memory of 3836	3844	v7876041.exe	84
PID 3844 wrote to memory of 3836	3844	v7876041.exe	84
PID 3844 wrote to memory of 3836	3844	v7876041.exe	84
PID 3836 wrote to memory of 2980	3836	v0447421.exe	85
PID 3836 wrote to memory of 2980	3836	v0447421.exe	85
PID 3836 wrote to memory of 2980	3836	v0447421.exe	85
PID 3836 wrote to memory of 4540	3836	v0447421.exe	96
PID 3836 wrote to memory of 4540	3836	v0447421.exe	96
PID 3836 wrote to memory of 4540	3836	v0447421.exe	96

C:\Users\Admin\AppData\Local\Temp\c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe
"C:\Users\Admin\AppData\Local\Temp\c9d08b394b221a01b5f34d1a1d4be3851f733fcdb034bc4fec2a9472e4c69b49.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6948406.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6948406.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3273089.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3273089.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7876041.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7876041.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0447421.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0447421.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3012305.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3012305.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 1080
        7⤵
        Program crash
        
        PID:752
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6026800.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6026800.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2980 -ip 2980
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6948406.exe

Filesize
1.4MB

MD5
347dc06c71f4c988e010e14b4c231171

SHA1
4cc95a08404be4a1e7b2f2452c62b31ea806a34d

SHA256
e93f3707f71ad7d01b011bdf63e86d22d9e500a4fd9be0495c5960453da474eb

SHA512
fa70572ff9b9fa0dab4142edb408a90ed968933c6e508834f25849626df0e1a3c19438e615a9bbbe4134c2db435faa28837c42e4b773e2192a093acdd44511b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6948406.exe

Filesize
1.4MB

MD5
347dc06c71f4c988e010e14b4c231171

SHA1
4cc95a08404be4a1e7b2f2452c62b31ea806a34d

SHA256
e93f3707f71ad7d01b011bdf63e86d22d9e500a4fd9be0495c5960453da474eb

SHA512
fa70572ff9b9fa0dab4142edb408a90ed968933c6e508834f25849626df0e1a3c19438e615a9bbbe4134c2db435faa28837c42e4b773e2192a093acdd44511b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3273089.exe

Filesize
911KB

MD5
02dfbf433405ad80bd7187dc4417f27b

SHA1
5d0325b8d58148804355ec9f81f3f0e753be1bc4

SHA256
fefb757b7c24ea29f6fd14581fa3497ce8b9d72135e95375bd4a6b4e21dbbe8e

SHA512
dbc06a4da259599bcc93bcc726e23debccfd7fc04e2658cdfae3138b9606e36994918b1a2433f501ce8f5c927092b3e63d9837cb52d405feef79afb8832c77a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3273089.exe

Filesize
911KB

MD5
02dfbf433405ad80bd7187dc4417f27b

SHA1
5d0325b8d58148804355ec9f81f3f0e753be1bc4

SHA256
fefb757b7c24ea29f6fd14581fa3497ce8b9d72135e95375bd4a6b4e21dbbe8e

SHA512
dbc06a4da259599bcc93bcc726e23debccfd7fc04e2658cdfae3138b9606e36994918b1a2433f501ce8f5c927092b3e63d9837cb52d405feef79afb8832c77a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7876041.exe

Filesize
707KB

MD5
4414bc876b04b0f6ac64f3e9357872b0

SHA1
fe3ff423b545eacfbbe9e960bad18ef97e2c763a

SHA256
c32f63cc87c5717e02a18590155992554a266e266cafc0974e31d4df0a449531

SHA512
6fded2e4d309c22a1cf89ca901d13201bcc8283559b38923aa5b7b915ec6aa44a56b09c11ae9d4dedd8d66e01b1be4ba0a1258f26f02d30d1ae4510e23c3dbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7876041.exe

Filesize
707KB

MD5
4414bc876b04b0f6ac64f3e9357872b0

SHA1
fe3ff423b545eacfbbe9e960bad18ef97e2c763a

SHA256
c32f63cc87c5717e02a18590155992554a266e266cafc0974e31d4df0a449531

SHA512
6fded2e4d309c22a1cf89ca901d13201bcc8283559b38923aa5b7b915ec6aa44a56b09c11ae9d4dedd8d66e01b1be4ba0a1258f26f02d30d1ae4510e23c3dbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0447421.exe

Filesize
416KB

MD5
0813eb3f31ed726bae8ee891595ed78d

SHA1
310521c8e9927d834cc97297ab3fe63ece9d7d28

SHA256
f1a9038f928d3056376a875e5023a21ee66a92618d160acb0f56cdb30d21b3f1

SHA512
8c8dafc20b1fbdbc6430e5aa7290b67f0e260aa3799cdfb1d3b860d60c714cc99b671a122e8a7939f3a5888f3f91ebf5d14452d19fc0dfbb47d674ef2b401b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0447421.exe

Filesize
416KB

MD5
0813eb3f31ed726bae8ee891595ed78d

SHA1
310521c8e9927d834cc97297ab3fe63ece9d7d28

SHA256
f1a9038f928d3056376a875e5023a21ee66a92618d160acb0f56cdb30d21b3f1

SHA512
8c8dafc20b1fbdbc6430e5aa7290b67f0e260aa3799cdfb1d3b860d60c714cc99b671a122e8a7939f3a5888f3f91ebf5d14452d19fc0dfbb47d674ef2b401b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3012305.exe

Filesize
360KB

MD5
fb4c880c4f644f149e3bfcb5adcaff29

SHA1
a516629b5388535298cf468ddbd5eeeb0d25ef47

SHA256
05ad440171c12a56e03aeb38db49a662218f8f4cd0975eb3f1c6738928010272

SHA512
8dc3cab931473e2834a6defb0d33979f4397e0ff4fe0f42828adf42420da4a6458b1098eb139b89bff0686be57201a41101a736e311eb5a3d4fafe63d224c185

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3012305.exe

Filesize
360KB

MD5
fb4c880c4f644f149e3bfcb5adcaff29

SHA1
a516629b5388535298cf468ddbd5eeeb0d25ef47

SHA256
05ad440171c12a56e03aeb38db49a662218f8f4cd0975eb3f1c6738928010272

SHA512
8dc3cab931473e2834a6defb0d33979f4397e0ff4fe0f42828adf42420da4a6458b1098eb139b89bff0686be57201a41101a736e311eb5a3d4fafe63d224c185

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6026800.exe

Filesize
136KB

MD5
79d27e67cb74402ee422c5a16f045347

SHA1
7e67d65198d4563fabdbef118f7b3aecb2da0ac8

SHA256
d3f8faee0da94f608d11060061e025031ebc0e7090211d6f4af17fa312da30b6

SHA512
ca562024d3193b1fdd503cf4cffffb9fa132a35412c21b9c137010850f0fa1afce505154c1992443c20412a55b1d98b566829df5837cab49a0389c661b68f129

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6026800.exe

Filesize
136KB

MD5
79d27e67cb74402ee422c5a16f045347

SHA1
7e67d65198d4563fabdbef118f7b3aecb2da0ac8

SHA256
d3f8faee0da94f608d11060061e025031ebc0e7090211d6f4af17fa312da30b6

SHA512
ca562024d3193b1fdd503cf4cffffb9fa132a35412c21b9c137010850f0fa1afce505154c1992443c20412a55b1d98b566829df5837cab49a0389c661b68f129

Download Submit
memory/2980-170-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2980-201-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-173-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/2980-174-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-177-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-175-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-179-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-181-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-183-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-185-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-187-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-189-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-191-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-193-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-195-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-197-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-199-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2980-172-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2980-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2980-204-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2980-171-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2980-169-0x00000000009A0000-0x00000000009CD000-memory.dmp

Filesize
180KB

Download
memory/4540-219-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/4540-214-0x0000000007FA0000-0x00000000085B8000-memory.dmp

Filesize
6.1MB

Download
memory/4540-215-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/4540-216-0x0000000007B70000-0x0000000007C7A000-memory.dmp

Filesize
1.0MB

Download
memory/4540-217-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/4540-218-0x0000000007AE0000-0x0000000007B1C000-memory.dmp

Filesize
240KB

Download
memory/4540-213-0x0000000000D30000-0x0000000000D58000-memory.dmp

Filesize
160KB

Download
memory/4540-220-0x00000000085C0000-0x0000000008626000-memory.dmp

Filesize
408KB

Download
memory/4540-221-0x00000000088D0000-0x0000000008962000-memory.dmp

Filesize
584KB

Download
memory/4540-222-0x00000000089F0000-0x0000000008A66000-memory.dmp

Filesize
472KB

Download
memory/4540-223-0x0000000009390000-0x0000000009552000-memory.dmp

Filesize
1.8MB

Download
memory/4540-224-0x0000000009A90000-0x0000000009FBC000-memory.dmp

Filesize
5.2MB

Download
memory/4540-225-0x0000000008C10000-0x0000000008C2E000-memory.dmp

Filesize
120KB

Download