redline | dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643 | Triage

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:59 UTC

Sharing

Report Analysis Logs

General

Target

dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe
Size

690KB
MD5

00cfa935e1f3d8f6908394aa7e4f0d1b
SHA1

9923a91b0f7e63a49919004f4ad41ec53b194898
SHA256

dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643
SHA512

cb4a9c0cc480d08277147f23190919d83b5ff46365fc6274903292bbb26fd9eba822929b9564c5a4320a509c84e7b6b011c667d703490699e70d3c3a9aaef65a
SSDEEP

12288:7y90kyLaEtZ98UMF4TjkfRkiuB84bGgniN1mgXE6yNdBLf:7y3U98HFgGRWB84aN7+Lf

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

resource	yara_rule
behavioral2/memory/216-985-0x0000000007550000-0x0000000007B68000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	48225604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	48225604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	48225604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	48225604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	48225604.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	48225604.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1888	un387279.exe
2416	48225604.exe
216	rk462972.exe

Windows security modification 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	48225604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	48225604.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un387279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un387279.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	48225604.exe
2416	48225604.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	48225604.exe
Token: SeDebugPrivilege	216	rk462972.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 1888	3336	dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe	83
PID 3336 wrote to memory of 1888	3336	dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe	83
PID 3336 wrote to memory of 1888	3336	dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe	83
PID 1888 wrote to memory of 2416	1888	un387279.exe	84
PID 1888 wrote to memory of 2416	1888	un387279.exe	84
PID 1888 wrote to memory of 2416	1888	un387279.exe	84
PID 1888 wrote to memory of 216	1888	un387279.exe	85
PID 1888 wrote to memory of 216	1888	un387279.exe	85
PID 1888 wrote to memory of 216	1888	un387279.exe	85

C:\Users\Admin\AppData\Local\Temp\dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe
"C:\Users\Admin\AppData\Local\Temp\dbd9066bc8a1c5a15986e9eea7cb2a866a5eab54078247ec0d6eb28e440e1643.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387279.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387279.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48225604.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48225604.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462972.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462972.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:216

Network

DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

1.77.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.77.109.52.in-addr.arpa

IN PTR

Response

20.189.173.7:443

322 B
7
185.161.248.143:38452

rk462972.exe

260 B
5
185.161.248.143:38452

rk462972.exe

260 B
5
173.223.113.164:443

322 B
7
173.223.113.131:80

322 B
7
131.253.33.203:80

322 B
7
185.161.248.143:38452

rk462972.exe

260 B
5
185.161.248.143:38452

rk462972.exe

260 B
5
185.161.248.143:38452

rk462972.exe

260 B
5

8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

1.77.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

1.77.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387279.exe

Filesize
536KB

MD5
ea2eedcb44a2458016f322aea377d348

SHA1
c832581e0a3467813ce85cf2d9dfb985351368d0

SHA256
768115576168dec02ae6c7565384b82161b4908130d7463e2047eb561f0bd78c

SHA512
168850465ba0efcb547afd2759dcf755f60a8d0d36d72680e9b69517677ad1bfe88e0c96fa5f3d9406719b87eda9e9a569afb31b43e2de4153ac5c4ec0e19baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un387279.exe

Filesize
536KB

MD5
ea2eedcb44a2458016f322aea377d348

SHA1
c832581e0a3467813ce85cf2d9dfb985351368d0

SHA256
768115576168dec02ae6c7565384b82161b4908130d7463e2047eb561f0bd78c

SHA512
168850465ba0efcb547afd2759dcf755f60a8d0d36d72680e9b69517677ad1bfe88e0c96fa5f3d9406719b87eda9e9a569afb31b43e2de4153ac5c4ec0e19baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48225604.exe

Filesize
258KB

MD5
c98580790ed4b813cef3355fc63b57ba

SHA1
8bfeea54109d30d5171abec7c1604f5fa36a958b

SHA256
9b222804e2d805b64db13d9cf8baaa658a44fe830336fae5fd0ce455c9e57fd0

SHA512
962946757db26857e2e8c70a1c822c1dcda5a6f4953176d32561ad27cfef699346c92826a692b203f4ae67dcad5f43f64e575d7437b257560612a7dec069490c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48225604.exe

Filesize
258KB

MD5
c98580790ed4b813cef3355fc63b57ba

SHA1
8bfeea54109d30d5171abec7c1604f5fa36a958b

SHA256
9b222804e2d805b64db13d9cf8baaa658a44fe830336fae5fd0ce455c9e57fd0

SHA512
962946757db26857e2e8c70a1c822c1dcda5a6f4953176d32561ad27cfef699346c92826a692b203f4ae67dcad5f43f64e575d7437b257560612a7dec069490c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462972.exe

Filesize
341KB

MD5
c89e5faadd68d16103ef7decffd06e07

SHA1
92ea11a3380a0b955d8cb798aeaabaf7e44c6bcf

SHA256
bfabf63cdcd7f88f339721af88cbd2c426fa15940a016d3a0b252862867214d9

SHA512
cfe6b76cec8339d0d5fb4d7177e503bcfd51e7cd3bc6e469af81ad5f1685561745a5213f0d94bb190fe0a6ffa3dce37b06552ec94a66261100aab074b60fd97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk462972.exe

Filesize
341KB

MD5
c89e5faadd68d16103ef7decffd06e07

SHA1
92ea11a3380a0b955d8cb798aeaabaf7e44c6bcf

SHA256
bfabf63cdcd7f88f339721af88cbd2c426fa15940a016d3a0b252862867214d9

SHA512
cfe6b76cec8339d0d5fb4d7177e503bcfd51e7cd3bc6e469af81ad5f1685561745a5213f0d94bb190fe0a6ffa3dce37b06552ec94a66261100aab074b60fd97b

Download Submit
memory/216-212-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-216-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-993-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/216-992-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/216-991-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/216-989-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/216-988-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/216-987-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/216-191-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-985-0x0000000007550000-0x0000000007B68000-memory.dmp

Filesize
6.1MB

Download
memory/216-224-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-222-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-220-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-218-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-192-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-214-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-194-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-208-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-206-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-204-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-202-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-200-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-197-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/216-198-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/216-196-0x00000000020D0000-0x0000000002116000-memory.dmp

Filesize
280KB

Download
memory/216-986-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/216-210-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/2416-155-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-181-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-150-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/2416-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2416-183-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/2416-182-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/2416-151-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/2416-179-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-177-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-148-0x00000000005B0000-0x00000000005DD000-memory.dmp

Filesize
180KB

Download
memory/2416-149-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/2416-175-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-163-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-173-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-167-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-165-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-169-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-161-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-159-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-157-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-171-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-154-0x0000000002590000-0x00000000025A3000-memory.dmp

Filesize
76KB

Download
memory/2416-153-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2416-152-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download