redline | d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e

Analysis

max time kernel
149s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe
Size

691KB
MD5

de474c4a6cfc7a36ea9d962210511065
SHA1

83c696b9d0947ac30246ee0275154bf370b6d36d
SHA256

d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e
SHA512

a54a13f91354e7bfa2cf345178384cdd2e74e3ac41df907b52fae14e8b81fc1796c2a6c14947c462d8757a00531730be2dd681503f4057dab0410a90b88a4be0
SSDEEP

12288:3y90z30/2An/rwPevtPbU14v0bVpVLRmqm/YMlQzuDe2Z7ijAANBknoXD2s:3yWo/Ig1bTYnRm5YMnq2tAN/2s

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4352-207-0x0000000007F70000-0x0000000008588000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	98494058.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	98494058.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	98494058.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	98494058.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	98494058.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	98494058.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
224	un410175.exe
1476	98494058.exe
3852	rk927631.exe
1500	rk927631.exe
4352	si282080.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	98494058.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	98494058.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un410175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un410175.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3852 set thread context of 1500	3852	rk927631.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3228	1476	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	98494058.exe
1476	98494058.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	98494058.exe
Token: SeDebugPrivilege	1500	rk927631.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 224	2044	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe	83
PID 2044 wrote to memory of 224	2044	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe	83
PID 2044 wrote to memory of 224	2044	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe	83
PID 224 wrote to memory of 1476	224	un410175.exe	84
PID 224 wrote to memory of 1476	224	un410175.exe	84
PID 224 wrote to memory of 1476	224	un410175.exe	84
PID 224 wrote to memory of 3852	224	un410175.exe	88
PID 224 wrote to memory of 3852	224	un410175.exe	88
PID 224 wrote to memory of 3852	224	un410175.exe	88
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 3852 wrote to memory of 1500	3852	rk927631.exe	89
PID 2044 wrote to memory of 4352	2044	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe	90
PID 2044 wrote to memory of 4352	2044	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe	90
PID 2044 wrote to memory of 4352	2044	d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe	90

C:\Users\Admin\AppData\Local\Temp\d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe
"C:\Users\Admin\AppData\Local\Temp\d5d1e22d50d0de3b37efb5fee5dab4d2214fd41674f9766da8522301541a003e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410175.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410175.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\98494058.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\98494058.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1020
      4⤵
      Program crash
      PID:3228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si282080.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si282080.exe
  2⤵
  - Executes dropped EXE
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1476 -ip 1476
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si282080.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si282080.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410175.exe

Filesize
537KB

MD5
a32942f3405606c46ca059e20bba0986

SHA1
9488b600ba950eb76b248c98f01daa0a41ac5438

SHA256
bf9065956448e79697ed8145cde8034123d31b07eca87314b79576ffd238fb11

SHA512
30715d90cf8ed9d4a838c431b26e5090ec33d14eda5773ae470a2be876478d64be1b96a2b7b3672639b4588cf1901905fbfc086531c5de35e88d46efa46cbc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un410175.exe

Filesize
537KB

MD5
a32942f3405606c46ca059e20bba0986

SHA1
9488b600ba950eb76b248c98f01daa0a41ac5438

SHA256
bf9065956448e79697ed8145cde8034123d31b07eca87314b79576ffd238fb11

SHA512
30715d90cf8ed9d4a838c431b26e5090ec33d14eda5773ae470a2be876478d64be1b96a2b7b3672639b4588cf1901905fbfc086531c5de35e88d46efa46cbc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\98494058.exe

Filesize
259KB

MD5
7bac2e7d745908af9967d4c65ca4c251

SHA1
94ceba13a42226e840220315581a3b2ef5cf3d27

SHA256
c246290bd1107dae37cdd1c1692a765916ce0d90fe1e93efa7658275f19c3936

SHA512
228585d08bafc53e6b0d8bbab00f1e202890eaf3562de7d01339d36bc8c3f3da31ec67c4cded629d6a281b6abcac30152cd5effef150659b5c01f2ff2e5f3304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\98494058.exe

Filesize
259KB

MD5
7bac2e7d745908af9967d4c65ca4c251

SHA1
94ceba13a42226e840220315581a3b2ef5cf3d27

SHA256
c246290bd1107dae37cdd1c1692a765916ce0d90fe1e93efa7658275f19c3936

SHA512
228585d08bafc53e6b0d8bbab00f1e202890eaf3562de7d01339d36bc8c3f3da31ec67c4cded629d6a281b6abcac30152cd5effef150659b5c01f2ff2e5f3304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe

Filesize
342KB

MD5
6b24d9de5f9545bbac9474a09a5041ab

SHA1
2091a68baa5e507d1a1d13859589918098149403

SHA256
c0e6a9d30e8674d3500dad599a5d49a8bd45569dd6011778791f17952811c398

SHA512
d232dfaaf1f3c880cdcb22539bbf02be56c8d7d8fcccb3816c8277567dbe41b751b0f939411e8117cfc05760b876d32ac387b88e690c8563812466ed786bf7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe

Filesize
342KB

MD5
6b24d9de5f9545bbac9474a09a5041ab

SHA1
2091a68baa5e507d1a1d13859589918098149403

SHA256
c0e6a9d30e8674d3500dad599a5d49a8bd45569dd6011778791f17952811c398

SHA512
d232dfaaf1f3c880cdcb22539bbf02be56c8d7d8fcccb3816c8277567dbe41b751b0f939411e8117cfc05760b876d32ac387b88e690c8563812466ed786bf7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk927631.exe

Filesize
342KB

MD5
6b24d9de5f9545bbac9474a09a5041ab

SHA1
2091a68baa5e507d1a1d13859589918098149403

SHA256
c0e6a9d30e8674d3500dad599a5d49a8bd45569dd6011778791f17952811c398

SHA512
d232dfaaf1f3c880cdcb22539bbf02be56c8d7d8fcccb3816c8277567dbe41b751b0f939411e8117cfc05760b876d32ac387b88e690c8563812466ed786bf7a2

Download Submit
memory/1476-167-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-179-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-157-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-159-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-163-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-161-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-165-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-153-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-169-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-171-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-173-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-175-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-177-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-155-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-180-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1476-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-182-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1476-183-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1476-184-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1476-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-152-0x0000000004F90000-0x0000000004FA3000-memory.dmp

Filesize
76KB

Download
memory/1476-151-0x00000000049E0000-0x0000000004F84000-memory.dmp

Filesize
5.6MB

Download
memory/1476-150-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1476-149-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1476-148-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download
memory/1500-194-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1500-220-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-1009-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1500-1008-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1500-197-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1500-204-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-1007-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1500-205-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-208-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-1005-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1500-211-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-214-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-307-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1500-216-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-218-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-198-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1500-222-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-224-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-226-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-228-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-230-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-232-0x00000000049A0000-0x00000000049D5000-memory.dmp

Filesize
212KB

Download
memory/1500-309-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1500-303-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1500-305-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3852-196-0x0000000000520000-0x0000000000567000-memory.dmp

Filesize
284KB

Download
memory/4352-233-0x0000000007A70000-0x0000000007AAC000-memory.dmp

Filesize
240KB

Download
memory/4352-213-0x0000000007B40000-0x0000000007C4A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-311-0x0000000007D90000-0x0000000007DA0000-memory.dmp

Filesize
64KB

Download
memory/4352-210-0x0000000007A10000-0x0000000007A22000-memory.dmp

Filesize
72KB

Download
memory/4352-207-0x0000000007F70000-0x0000000008588000-memory.dmp

Filesize
6.1MB

Download
memory/4352-203-0x0000000000CE0000-0x0000000000D08000-memory.dmp

Filesize
160KB

Download