redline | d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb

Analysis

max time kernel
183s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe
Size

1001KB
MD5

271c98dbb8b5d6123e331ffbdebdaf93
SHA1

ac65817e425800c4bf824c5666c4e9e73afb6e3f
SHA256

d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb
SHA512

3591f4c73ac8bf18e5abc01aabbdfa5a1a9d039de38c18e2ca06d240493f5418823b727728c7527c041a6085fee854f57b7bc5322ff7267b3f5e2677bc610de5
SSDEEP

24576:9yVFX9UTSkaVewTF2MwQelhsVE0d2GBbwsBCot:YVFXu8ZTF2MLEI2cb

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4584-996-0x00000000079B0000-0x0000000007FC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	03812737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	03812737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	03812737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	03812737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	03812737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	03812737.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
5020	za451175.exe
1084	za361494.exe
3472	03812737.exe
4584	w62Nj98.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	03812737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	03812737.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za361494.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za451175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za451175.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za361494.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	3472	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3472	03812737.exe
3472	03812737.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	03812737.exe
Token: SeDebugPrivilege	4584	w62Nj98.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 5020	3788	d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe	80
PID 3788 wrote to memory of 5020	3788	d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe	80
PID 3788 wrote to memory of 5020	3788	d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe	80
PID 5020 wrote to memory of 1084	5020	za451175.exe	81
PID 5020 wrote to memory of 1084	5020	za451175.exe	81
PID 5020 wrote to memory of 1084	5020	za451175.exe	81
PID 1084 wrote to memory of 3472	1084	za361494.exe	82
PID 1084 wrote to memory of 3472	1084	za361494.exe	82
PID 1084 wrote to memory of 3472	1084	za361494.exe	82
PID 1084 wrote to memory of 4584	1084	za361494.exe	86
PID 1084 wrote to memory of 4584	1084	za361494.exe	86
PID 1084 wrote to memory of 4584	1084	za361494.exe	86

C:\Users\Admin\AppData\Local\Temp\d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe
"C:\Users\Admin\AppData\Local\Temp\d87f19cf81ca9d0c25e45a56110d417d7252d95ac50bc26dde7192aa0251c6bb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za451175.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za451175.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za361494.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za361494.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\03812737.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\03812737.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1092
        5⤵
        Program crash
        
        PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w62Nj98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w62Nj98.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3472 -ip 3472
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za451175.exe

Filesize
781KB

MD5
48c4c4476d0957a2341918d6f960a9b7

SHA1
9e47d1885490bff7197bd89ea49a85d73128ade4

SHA256
e8eeb2ebab63e6b60ac55310601036381229c9578272e290bc218311950f78c6

SHA512
f903473fc8e073e85073415a6507def8e3fca36a1170a2fc33e8aada07683cd1fafc3ad179ae4e9a68fdcc3e0cc97a8bd495d6e33f30bc54299714fe7a09f35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za451175.exe

Filesize
781KB

MD5
48c4c4476d0957a2341918d6f960a9b7

SHA1
9e47d1885490bff7197bd89ea49a85d73128ade4

SHA256
e8eeb2ebab63e6b60ac55310601036381229c9578272e290bc218311950f78c6

SHA512
f903473fc8e073e85073415a6507def8e3fca36a1170a2fc33e8aada07683cd1fafc3ad179ae4e9a68fdcc3e0cc97a8bd495d6e33f30bc54299714fe7a09f35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za361494.exe

Filesize
598KB

MD5
c3b5096315f97e16cc440b532945308b

SHA1
f9c38dc676231abe176c61445ee536d471ac2cc5

SHA256
95f810626cb1c4307a9e32747b8d8b0231703504fff1237a930b75fefa82fd92

SHA512
11ad6751b09139f2fc71bfc95c9b4242539a09065a42b2aa73a3fb08e3eb06c95e39726c2df115b94d9447e40a3495db46c1a20978b99e0a6a7429034852a644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za361494.exe

Filesize
598KB

MD5
c3b5096315f97e16cc440b532945308b

SHA1
f9c38dc676231abe176c61445ee536d471ac2cc5

SHA256
95f810626cb1c4307a9e32747b8d8b0231703504fff1237a930b75fefa82fd92

SHA512
11ad6751b09139f2fc71bfc95c9b4242539a09065a42b2aa73a3fb08e3eb06c95e39726c2df115b94d9447e40a3495db46c1a20978b99e0a6a7429034852a644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\03812737.exe

Filesize
395KB

MD5
18f410f1df37a398ef353262202cbf24

SHA1
38960e2c4b98cffe3ade6c590ebcbc134df99cca

SHA256
7a4dc6d7a6d6478115aa8a70e049c4505fe7ff64a7496ecacb21429b49ae5ff7

SHA512
1435144965f85f71a73b9531d11730c1e4fbe7eff72b3d63f1a1d76fe0ae2812e40ff56ad2fe26dfbbaeb837cfc3e3eb0908f216ee2cb6947f3a0a6c919b2a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\03812737.exe

Filesize
395KB

MD5
18f410f1df37a398ef353262202cbf24

SHA1
38960e2c4b98cffe3ade6c590ebcbc134df99cca

SHA256
7a4dc6d7a6d6478115aa8a70e049c4505fe7ff64a7496ecacb21429b49ae5ff7

SHA512
1435144965f85f71a73b9531d11730c1e4fbe7eff72b3d63f1a1d76fe0ae2812e40ff56ad2fe26dfbbaeb837cfc3e3eb0908f216ee2cb6947f3a0a6c919b2a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w62Nj98.exe

Filesize
478KB

MD5
3f77b1718f21f408e089f9de3ee1a5ad

SHA1
d0fec9c47f21e008e106487ea880e6b7563f0b7d

SHA256
89690ffdefb7f4c4c5588b285fe3f4b7282824ca9c6d96254c86d37e0f4a09c3

SHA512
7fad86f919adb2cb3579e11bbf7788ff92fcbaf824b159240984486fb52b0b784b7fbc46dc6404b904e53046b32ab608810b0c84c6106206f02c353a40efedae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w62Nj98.exe

Filesize
478KB

MD5
3f77b1718f21f408e089f9de3ee1a5ad

SHA1
d0fec9c47f21e008e106487ea880e6b7563f0b7d

SHA256
89690ffdefb7f4c4c5588b285fe3f4b7282824ca9c6d96254c86d37e0f4a09c3

SHA512
7fad86f919adb2cb3579e11bbf7788ff92fcbaf824b159240984486fb52b0b784b7fbc46dc6404b904e53046b32ab608810b0c84c6106206f02c353a40efedae

Download Submit
memory/3472-192-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-158-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-160-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-162-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-164-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-166-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-168-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-170-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-172-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-174-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-176-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-178-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-180-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-182-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-184-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-185-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-186-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-187-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-188-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/3472-190-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-191-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-157-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/3472-194-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/3472-156-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/3472-155-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/4584-204-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-225-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-202-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-206-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-208-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-210-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-212-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-214-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-216-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-218-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-223-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4584-221-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-220-0x0000000000980000-0x00000000009C6000-memory.dmp

Filesize
280KB

Download
memory/4584-201-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-224-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4584-227-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-229-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-231-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-233-0x0000000004ED0000-0x0000000004F05000-memory.dmp

Filesize
212KB

Download
memory/4584-996-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/4584-997-0x0000000008070000-0x0000000008082000-memory.dmp

Filesize
72KB

Download
memory/4584-998-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/4584-999-0x00000000081B0000-0x00000000081EC000-memory.dmp

Filesize
240KB

Download
memory/4584-1000-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4584-1002-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4584-1003-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4584-1004-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4584-1005-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download