redline | d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe
Size

690KB
MD5

8320300b31c72556cab425788ab73f7e
SHA1

c563d003e2ccb37c1bd13270dea77ff209ac7b50
SHA256

d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323
SHA512

acd9f3ddc1352969cf739f6955d2b12398c31c7d5a8dae848f68b00d43f6838fb196c8ef18a1679b94674620732274438d8bd444deb2fc2a45f96af153ea129b
SSDEEP

12288:ky90uHaBS+qXUgicSNKkL+JiD0xsV2Bm2bdQ0b8pYM:kyhWHL+JL82BX1kx

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1048-986-0x0000000007540000-0x0000000007B58000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	58474897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58474897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	58474897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58474897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	58474897.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58474897.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2280	un173034.exe
2016	58474897.exe
1048	rk218827.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	58474897.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	58474897.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un173034.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un173034.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2016	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	58474897.exe
2016	58474897.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	58474897.exe
Token: SeDebugPrivilege	1048	rk218827.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2280	4052	d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe	84
PID 4052 wrote to memory of 2280	4052	d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe	84
PID 4052 wrote to memory of 2280	4052	d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe	84
PID 2280 wrote to memory of 2016	2280	un173034.exe	85
PID 2280 wrote to memory of 2016	2280	un173034.exe	85
PID 2280 wrote to memory of 2016	2280	un173034.exe	85
PID 2280 wrote to memory of 1048	2280	un173034.exe	95
PID 2280 wrote to memory of 1048	2280	un173034.exe	95
PID 2280 wrote to memory of 1048	2280	un173034.exe	95

C:\Users\Admin\AppData\Local\Temp\d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe
"C:\Users\Admin\AppData\Local\Temp\d961f62a7c2812b7433a62a2442f922227cef301b2bf1ee7197b8bf6bf4ae323.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un173034.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un173034.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58474897.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58474897.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1080
      4⤵
      Program crash
      PID:2504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk218827.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk218827.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2016 -ip 2016
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un173034.exe

Filesize
536KB

MD5
c86910286351094e5e10c4354aa873b2

SHA1
8996bd39ab8b08b75491590a9b1e20cb6644e7f4

SHA256
52df465bb17447f004e48f2dd80153aa9f6d67d3eae229d5cf271041c66a4900

SHA512
8584c3e4d3bf674bce7c9ffb1e93aad41ec2759911666229725f75f26d1b7359167ba01d1a70b56b267913e6f65ce2e0aafd645ab1cfda570ce031ceb5da0ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un173034.exe

Filesize
536KB

MD5
c86910286351094e5e10c4354aa873b2

SHA1
8996bd39ab8b08b75491590a9b1e20cb6644e7f4

SHA256
52df465bb17447f004e48f2dd80153aa9f6d67d3eae229d5cf271041c66a4900

SHA512
8584c3e4d3bf674bce7c9ffb1e93aad41ec2759911666229725f75f26d1b7359167ba01d1a70b56b267913e6f65ce2e0aafd645ab1cfda570ce031ceb5da0ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58474897.exe

Filesize
259KB

MD5
4146a237141d33bea474084696f2e1fb

SHA1
673a290ae35af834a6ff97f450f8b2652dab7ac5

SHA256
745df8d9e8eac5ac531c323dcd3face5d71c2e1e1fb38aea53dc39af53578c5f

SHA512
3e79342c3fe776c76e28f612de68f30c5d1c4890bea2bb9fc917f38870967c8b61f546bf23a427866a1f967385b71349b1c1355d7f3fda2ec71d3da3d8976973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58474897.exe

Filesize
259KB

MD5
4146a237141d33bea474084696f2e1fb

SHA1
673a290ae35af834a6ff97f450f8b2652dab7ac5

SHA256
745df8d9e8eac5ac531c323dcd3face5d71c2e1e1fb38aea53dc39af53578c5f

SHA512
3e79342c3fe776c76e28f612de68f30c5d1c4890bea2bb9fc917f38870967c8b61f546bf23a427866a1f967385b71349b1c1355d7f3fda2ec71d3da3d8976973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk218827.exe

Filesize
341KB

MD5
67cdf99d3aef20061914bbe800a5dc20

SHA1
68ed836031f10d060adf6990d192c5909ad7491d

SHA256
a00b24c5f5c4dbfb5ffe70cced5ce7d9fc0cfbba71b3eea1f83116c2893ba937

SHA512
b9fedb4e3f7e2ae6d1df7db2ea8a0feb44f4149a746747502f428536b4f2fc1cfbd88fe69ae54762234d39b4b72cbaa387d368affc4fb759a7c5761c7859ef62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk218827.exe

Filesize
341KB

MD5
67cdf99d3aef20061914bbe800a5dc20

SHA1
68ed836031f10d060adf6990d192c5909ad7491d

SHA256
a00b24c5f5c4dbfb5ffe70cced5ce7d9fc0cfbba71b3eea1f83116c2893ba937

SHA512
b9fedb4e3f7e2ae6d1df7db2ea8a0feb44f4149a746747502f428536b4f2fc1cfbd88fe69ae54762234d39b4b72cbaa387d368affc4fb759a7c5761c7859ef62

Download Submit
memory/1048-215-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-223-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-995-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-994-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-993-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-992-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-990-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-195-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-989-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/1048-988-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/1048-987-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/1048-193-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-227-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-225-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-192-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-199-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-221-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-219-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-217-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-213-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-211-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-209-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-207-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-203-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-190-0x00000000005E0000-0x0000000000626000-memory.dmp

Filesize
280KB

Download
memory/1048-191-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1048-205-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-986-0x0000000007540000-0x0000000007B58000-memory.dmp

Filesize
6.1MB

Download
memory/1048-201-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-194-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1048-197-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/2016-175-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-163-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-150-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-149-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/2016-151-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2016-183-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-182-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-148-0x0000000000530000-0x000000000055D000-memory.dmp

Filesize
180KB

Download
memory/2016-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2016-180-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-174-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-178-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-177-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-173-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-171-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-169-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-167-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-165-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-161-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-159-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-157-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-155-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download
memory/2016-153-0x0000000004B00000-0x0000000004B13000-memory.dmp

Filesize
76KB

Download