redline | d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe
Size

697KB
MD5

c6cffa513a9f7eaab59a15c8595e276c
SHA1

952b4069097235d093c3f4a5f91735017bac7811
SHA256

d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9
SHA512

b1e96465b65a79f482a69d58544cecd355aebc32903c9c6d0cc9c72050fad2208241e740d0049f238a50fb0572abf6d79f27fce6c33878d8f3634a25f26b599a
SSDEEP

12288:sy90jkqwaRC8pmGmnXQxywvAjeZjxz9Bm2cJNIE2V7tNHSWa1c6k:symsawTGmXQxyLAjM2uS/Rh8c6k

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3084-987-0x0000000009CC0000-0x000000000A2D8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	79626243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	79626243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	79626243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	79626243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	79626243.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	79626243.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1584	un855735.exe
2044	79626243.exe
3084	rk346782.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	79626243.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	79626243.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un855735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un855735.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	2044	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	79626243.exe
2044	79626243.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	79626243.exe
Token: SeDebugPrivilege	3084	rk346782.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 1584	3240	d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe	82
PID 3240 wrote to memory of 1584	3240	d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe	82
PID 3240 wrote to memory of 1584	3240	d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe	82
PID 1584 wrote to memory of 2044	1584	un855735.exe	83
PID 1584 wrote to memory of 2044	1584	un855735.exe	83
PID 1584 wrote to memory of 2044	1584	un855735.exe	83
PID 1584 wrote to memory of 3084	1584	un855735.exe	90
PID 1584 wrote to memory of 3084	1584	un855735.exe	90
PID 1584 wrote to memory of 3084	1584	un855735.exe	90

C:\Users\Admin\AppData\Local\Temp\d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe
"C:\Users\Admin\AppData\Local\Temp\d0aa3df71a9943907e9ef016c47d2133690c60c0f8323518bd779c0802577cb9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855735.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855735.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79626243.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79626243.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1080
      4⤵
      Program crash
      PID:4564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346782.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346782.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2044 -ip 2044
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855735.exe

Filesize
543KB

MD5
392265fa634ad111c20ce760b126c045

SHA1
e83f0ea66f6f56b2fafb9d1bd6ba5c2de7843b9b

SHA256
cdf0980b713c33a34fdbabe794727ffae99d8b9f35426342565f51c491bd2cbf

SHA512
bc5b1ec2403768a0de3d321d9cc82abd3c80da7e74f6fd1a751c53f7415628c4194bcb613e7b60bc250401e76bd2ad779999cc3d6ce70b39cbc496af302ae178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855735.exe

Filesize
543KB

MD5
392265fa634ad111c20ce760b126c045

SHA1
e83f0ea66f6f56b2fafb9d1bd6ba5c2de7843b9b

SHA256
cdf0980b713c33a34fdbabe794727ffae99d8b9f35426342565f51c491bd2cbf

SHA512
bc5b1ec2403768a0de3d321d9cc82abd3c80da7e74f6fd1a751c53f7415628c4194bcb613e7b60bc250401e76bd2ad779999cc3d6ce70b39cbc496af302ae178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79626243.exe

Filesize
263KB

MD5
e0157c7e823d513fb8f8fa3b2a862770

SHA1
b9ecdb2c518b226e1b4782cf2198f85d8f4a5b0b

SHA256
6151f57b5c083b5ad37c4849040c48717ad157dddd2f6c31271a93e04c715b29

SHA512
3b29bb1d73f26b3023f3cba453aad81f76218b5567e96439da0cdacce1193859ee048c07c2a4354194a07af0768b84fb12e0a8cdb7cb2d555f1ee28ffe7e165c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79626243.exe

Filesize
263KB

MD5
e0157c7e823d513fb8f8fa3b2a862770

SHA1
b9ecdb2c518b226e1b4782cf2198f85d8f4a5b0b

SHA256
6151f57b5c083b5ad37c4849040c48717ad157dddd2f6c31271a93e04c715b29

SHA512
3b29bb1d73f26b3023f3cba453aad81f76218b5567e96439da0cdacce1193859ee048c07c2a4354194a07af0768b84fb12e0a8cdb7cb2d555f1ee28ffe7e165c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346782.exe

Filesize
328KB

MD5
d3c887ffdd796175ae11f5c6eca49393

SHA1
6770ebf510b60b5ec1b43ce9e06b9a36cc0d20fa

SHA256
d5248c945dd288f4df2e869df94201ab9ead97d3c8ffe6c4c78547b257556bbd

SHA512
daeed55fa47002d6567d648259e0de42ad814a8a3ef068ec5a632165cffaebb77ee065c110c7ed118c5fa862b454099df9080391e0c37b298cbf26e3c19ba86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk346782.exe

Filesize
328KB

MD5
d3c887ffdd796175ae11f5c6eca49393

SHA1
6770ebf510b60b5ec1b43ce9e06b9a36cc0d20fa

SHA256
d5248c945dd288f4df2e869df94201ab9ead97d3c8ffe6c4c78547b257556bbd

SHA512
daeed55fa47002d6567d648259e0de42ad814a8a3ef068ec5a632165cffaebb77ee065c110c7ed118c5fa862b454099df9080391e0c37b298cbf26e3c19ba86a

Download Submit
memory/2044-164-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-156-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-153-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-155-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/2044-160-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-158-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/2044-157-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/2044-151-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-162-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-150-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-166-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-168-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-170-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-172-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-174-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-176-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-178-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-180-0x0000000004A80000-0x0000000004A93000-memory.dmp

Filesize
76KB

Download
memory/2044-181-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2044-183-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/2044-184-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/2044-185-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/2044-186-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/2044-149-0x00000000075A0000-0x0000000007B44000-memory.dmp

Filesize
5.6MB

Download
memory/2044-148-0x00000000047F0000-0x000000000481D000-memory.dmp

Filesize
180KB

Download
memory/3084-218-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3084-226-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-228-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-192-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-198-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-200-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-204-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-202-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-206-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-208-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-210-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-212-0x00000000046F0000-0x0000000004736000-memory.dmp

Filesize
280KB

Download
memory/3084-214-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3084-191-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-196-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-215-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3084-987-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

Filesize
6.1MB

Download
memory/3084-213-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-217-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-224-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-222-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-194-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-220-0x00000000077C0000-0x00000000077F5000-memory.dmp

Filesize
212KB

Download
memory/3084-988-0x00000000071E0000-0x00000000071F2000-memory.dmp

Filesize
72KB

Download
memory/3084-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/3084-990-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3084-991-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/3084-993-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3084-994-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/3084-995-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download