redline | ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a | Triage

Analysis

max time kernel
187s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:35 UTC

Sharing

Report Analysis Logs

General

Target

ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
Size

1.2MB
MD5

d1d0ccd9c3c421aaeeadcbc0aaa99818
SHA1

4152e1f2e476da9220539114764f4d5c7f8a5c2b
SHA256

ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a
SHA512

ef2489127dde465be219595d02b7b448fc7899b0aa8cf28328cc59b17fe7a8cec2a35186519675f02621049e20cdedb3eae6691a129db9c1206a9c2f61487618
SSDEEP

24576:VCbht9y/vN4jFVkUI4Hiew2ltipvLt87VLLLVxCwaUdw578ObN/4SYrnP4uO:VCz9uyy4Hrw2lt2CxxCwbdw57fQSG

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

resource	yara_rule
behavioral2/memory/3424-1005-0x00000000078B0000-0x0000000007EC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	140109293.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	140109293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	140109293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	140109293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	140109293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	140109293.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
544	yO446889.exe
364	qB246406.exe
5016	140109293.exe
3424	274081212.exe

Windows security modification 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	140109293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	140109293.exe

Adds Run key to start application 2 TTPs 6 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	qB246406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qB246406.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	yO446889.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yO446889.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	140109293.exe
5016	140109293.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	140109293.exe
Token: SeDebugPrivilege	3424	274081212.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 544	4632	ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe	80
PID 4632 wrote to memory of 544	4632	ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe	80
PID 4632 wrote to memory of 544	4632	ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe	80
PID 544 wrote to memory of 364	544	yO446889.exe	81
PID 544 wrote to memory of 364	544	yO446889.exe	81
PID 544 wrote to memory of 364	544	yO446889.exe	81
PID 364 wrote to memory of 5016	364	qB246406.exe	82
PID 364 wrote to memory of 5016	364	qB246406.exe	82
PID 364 wrote to memory of 5016	364	qB246406.exe	82
PID 364 wrote to memory of 3424	364	qB246406.exe	83
PID 364 wrote to memory of 3424	364	qB246406.exe	83
PID 364 wrote to memory of 3424	364	qB246406.exe	83

C:\Users\Admin\AppData\Local\Temp\ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe
"C:\Users\Admin\AppData\Local\Temp\ca06eb5f0ee2d47208441fad60a481705f51ddbffa51a5a1b982b3dddc43f50a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yO446889.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yO446889.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qB246406.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qB246406.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\140109293.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\140109293.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\274081212.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\274081212.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3424

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

240.232.18.117.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.232.18.117.in-addr.arpa

IN PTR

Response
DNS

64.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.13.109.52.in-addr.arpa

IN PTR

Response
DNS

143.145.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.145.190.20.in-addr.arpa

IN PTR

Response
DNS

76.38.195.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.38.195.152.in-addr.arpa

IN PTR

Response

40.125.122.176:443

260 B
5
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
40.125.122.176:443

260 B
5
40.125.122.176:443

260 B
5
40.125.122.176:443

260 B
5
185.161.248.143:38452

274081212.exe

260 B
5
40.125.122.176:443

260 B
5
185.161.248.143:38452

274081212.exe

260 B
5
40.125.122.176:443

260 B
5
185.161.248.143:38452

274081212.exe

260 B
5
40.125.122.176:443

260 B
5
185.161.248.143:38452

274081212.exe

260 B
5
40.125.122.176:443

156 B
3
185.161.248.143:38452

274081212.exe

52 B
1

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

240.232.18.117.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.232.18.117.in-addr.arpa
8.8.8.8:53

64.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

64.13.109.52.in-addr.arpa
8.8.8.8:53

143.145.190.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

143.145.190.20.in-addr.arpa
8.8.8.8:53

76.38.195.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

76.38.195.152.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yO446889.exe

Filesize
764KB

MD5
600476bf25074113fe6c45c5e40641b7

SHA1
b85e680f76ce4fe49940f83231f5a042f5c1ffbb

SHA256
3e712a0a91c15a1248bb2379a8319845bd03ac7bbb245652db0d28d78d803852

SHA512
3a6476379f08fd67f81095f52b3385872b8abcdba87908bc5260a35ce42289dfcf8e4433796caa80e8c9907e9d4eaedd61709b0d3cd1e513dfcaa4c124111795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yO446889.exe

Filesize
764KB

MD5
600476bf25074113fe6c45c5e40641b7

SHA1
b85e680f76ce4fe49940f83231f5a042f5c1ffbb

SHA256
3e712a0a91c15a1248bb2379a8319845bd03ac7bbb245652db0d28d78d803852

SHA512
3a6476379f08fd67f81095f52b3385872b8abcdba87908bc5260a35ce42289dfcf8e4433796caa80e8c9907e9d4eaedd61709b0d3cd1e513dfcaa4c124111795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qB246406.exe

Filesize
592KB

MD5
3415de0d7184a8e3cf4bbdb8bad1da3f

SHA1
45ae1c0661ecbf187cc7e81bec3a5c4172d13c85

SHA256
4b70ec7176f70274c52058887a5c28f0520b057a38a81e28689aeb33fa7ab756

SHA512
7f35d81b4e06777f7b8f9a58686450a7eb74209cde7d002f8ab2882c26ac3f96d3ed9e130db2eb3d166d92f411d9a83983f580c83ea9a4baa4da56a1e27b813c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qB246406.exe

Filesize
592KB

MD5
3415de0d7184a8e3cf4bbdb8bad1da3f

SHA1
45ae1c0661ecbf187cc7e81bec3a5c4172d13c85

SHA256
4b70ec7176f70274c52058887a5c28f0520b057a38a81e28689aeb33fa7ab756

SHA512
7f35d81b4e06777f7b8f9a58686450a7eb74209cde7d002f8ab2882c26ac3f96d3ed9e130db2eb3d166d92f411d9a83983f580c83ea9a4baa4da56a1e27b813c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\140109293.exe

Filesize
377KB

MD5
4c6f4b1b21c88d4c448735da40062b19

SHA1
db46ddbe0e87f3d4564920baa64cbcf36067372f

SHA256
454936c08ed3ee121e0f39dec419843247881c016b720eff6258fcae39c7c6ae

SHA512
0b790eefe656f6b5a87cf3d41cc86d6cf657988e2c2a74dec6299366e60dea60c2054fbec0676f2bbbb6ded87397e435a2b7194f946400b6737ffb3da300fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\140109293.exe

Filesize
377KB

MD5
4c6f4b1b21c88d4c448735da40062b19

SHA1
db46ddbe0e87f3d4564920baa64cbcf36067372f

SHA256
454936c08ed3ee121e0f39dec419843247881c016b720eff6258fcae39c7c6ae

SHA512
0b790eefe656f6b5a87cf3d41cc86d6cf657988e2c2a74dec6299366e60dea60c2054fbec0676f2bbbb6ded87397e435a2b7194f946400b6737ffb3da300fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\274081212.exe

Filesize
459KB

MD5
1bea2505609a88ba8f010303c0468d45

SHA1
9d199dd335b22ba2bb2dd70be5b88b1f16e18281

SHA256
9e3c72dd1a54b6571d5aa394845613c9e6f75738a56850b930a1f784a049fa1a

SHA512
98cc3f474f9b7b266a693646723105a23a8c0e8be0d47ca6b0e5238605778e93371ea35def47ffe049c1c3d6573a21d489ea650ed77c8ea0383515088913fb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\274081212.exe

Filesize
459KB

MD5
1bea2505609a88ba8f010303c0468d45

SHA1
9d199dd335b22ba2bb2dd70be5b88b1f16e18281

SHA256
9e3c72dd1a54b6571d5aa394845613c9e6f75738a56850b930a1f784a049fa1a

SHA512
98cc3f474f9b7b266a693646723105a23a8c0e8be0d47ca6b0e5238605778e93371ea35def47ffe049c1c3d6573a21d489ea650ed77c8ea0383515088913fb06

Download Submit
memory/3424-236-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-232-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-1012-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-1009-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/3424-1008-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-1007-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/3424-1006-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3424-211-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-1005-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/3424-238-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-208-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-233-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-234-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-229-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-230-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-1013-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-228-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/3424-226-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-223-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-209-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-1015-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/3424-221-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-219-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-217-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-215-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-213-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3424-1014-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4632-191-0x0000000002750000-0x0000000002856000-memory.dmp

Filesize
1.0MB

Download
memory/4632-190-0x0000000000400000-0x00000000008E0000-memory.dmp

Filesize
4.9MB

Download
memory/4632-134-0x0000000002750000-0x0000000002856000-memory.dmp

Filesize
1.0MB

Download
memory/5016-167-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-203-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/5016-195-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5016-194-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5016-193-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5016-192-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/5016-189-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-187-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-185-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-183-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-181-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-179-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-177-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-175-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-173-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-171-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-169-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-165-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-163-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-162-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/5016-161-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5016-160-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5016-159-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5016-157-0x0000000000910000-0x000000000093D000-memory.dmp

Filesize
180KB

Download
memory/5016-158-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download