redline | cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe
Size

674KB
MD5

dcdf391cb2d4488e55439d1d99062505
SHA1

3c1cb12476bd0ddf1ffb79f252f75228b5038cfd
SHA256

cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a
SHA512

a028c1edbca78bb569ba2b4e00737a70b8ab82f81c43f963506cc151e9bef4fe258a830410d2a7a33a82d06010b3823a49612908830b2ec9c3b100c1f29cd340
SSDEEP

12288:zy90vjJjbCfetJ3Pck0gULPHkKoNcC90wkwSAQ7W:zygBftJ3Pch/7HkKDwSNa

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/676-982-0x0000000007580000-0x0000000007B98000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	75918761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	75918761.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	75918761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	75918761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	75918761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	75918761.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
448	st101251.exe
1100	75918761.exe
676	kp143625.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	75918761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	75918761.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st101251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st101251.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	75918761.exe
1100	75918761.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	75918761.exe
Token: SeDebugPrivilege	676	kp143625.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 448	1484	cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe	85
PID 1484 wrote to memory of 448	1484	cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe	85
PID 1484 wrote to memory of 448	1484	cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe	85
PID 448 wrote to memory of 1100	448	st101251.exe	86
PID 448 wrote to memory of 1100	448	st101251.exe	86
PID 448 wrote to memory of 1100	448	st101251.exe	86
PID 448 wrote to memory of 676	448	st101251.exe	87
PID 448 wrote to memory of 676	448	st101251.exe	87
PID 448 wrote to memory of 676	448	st101251.exe	87

C:\Users\Admin\AppData\Local\Temp\cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe
"C:\Users\Admin\AppData\Local\Temp\cfab7da011e6166e23da82d55f36cfd45133c378c508d6eb3a6cce7666c3a14a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st101251.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st101251.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\75918761.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\75918761.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143625.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143625.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st101251.exe

Filesize
519KB

MD5
fd1058da3daff6a8cfeddc90e8cf090b

SHA1
85beffcd242080357f7203d9d2fbc83638af2919

SHA256
4355e4cde75f1a40df3d10021a497ed80c4866488b5c5d91fabb5a7a6ad934c5

SHA512
efe4107eff3bf2ee453b50a26b7edef0a1d7dc5331773d8f5d1dc5fb7036a9e6555aaa443e5b0856b07b1bc830ece21119832b7235c9a9e61e80ac89a5a8b34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st101251.exe

Filesize
519KB

MD5
fd1058da3daff6a8cfeddc90e8cf090b

SHA1
85beffcd242080357f7203d9d2fbc83638af2919

SHA256
4355e4cde75f1a40df3d10021a497ed80c4866488b5c5d91fabb5a7a6ad934c5

SHA512
efe4107eff3bf2ee453b50a26b7edef0a1d7dc5331773d8f5d1dc5fb7036a9e6555aaa443e5b0856b07b1bc830ece21119832b7235c9a9e61e80ac89a5a8b34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\75918761.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\75918761.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143625.exe

Filesize
415KB

MD5
44aab19749cee7b452fe98d8cf851619

SHA1
1c4e732554071f59561c74393caadca44bb4ed79

SHA256
760f3b974f5a437820cc80b4d41890198fccf01f11e2c6e84629322597e77a3b

SHA512
d69a740b7addbb067d0d7a7b697a30e2dba45c66558a2748525fcf0739cc232bc82ddd6ddc86b5803d42795693c244e0335db4f50c0fe3b64513e2adf9036146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp143625.exe

Filesize
415KB

MD5
44aab19749cee7b452fe98d8cf851619

SHA1
1c4e732554071f59561c74393caadca44bb4ed79

SHA256
760f3b974f5a437820cc80b4d41890198fccf01f11e2c6e84629322597e77a3b

SHA512
d69a740b7addbb067d0d7a7b697a30e2dba45c66558a2748525fcf0739cc232bc82ddd6ddc86b5803d42795693c244e0335db4f50c0fe3b64513e2adf9036146

Download Submit
memory/676-211-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-219-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-991-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-990-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-989-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-988-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-986-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-192-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-984-0x0000000007BF0000-0x0000000007CFA000-memory.dmp

Filesize
1.0MB

Download
memory/676-983-0x0000000007BD0000-0x0000000007BE2000-memory.dmp

Filesize
72KB

Download
memory/676-982-0x0000000007580000-0x0000000007B98000-memory.dmp

Filesize
6.1MB

Download
memory/676-225-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-223-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-221-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-194-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-217-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-213-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-215-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-209-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-207-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-205-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-197-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-187-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-189-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-191-0x00000000006F0000-0x0000000000736000-memory.dmp

Filesize
280KB

Download
memory/676-193-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-203-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-985-0x0000000007D20000-0x0000000007D5C000-memory.dmp

Filesize
240KB

Download
memory/676-186-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-196-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/676-199-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/676-201-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1100-171-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-175-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-149-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/1100-180-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1100-147-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1100-179-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1100-178-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1100-177-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-169-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-150-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-148-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1100-167-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-173-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-165-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-163-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-161-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-159-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-157-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-155-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-153-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download
memory/1100-151-0x0000000004A90000-0x0000000004AA3000-memory.dmp

Filesize
76KB

Download