redline | dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b

Analysis

max time kernel
196s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe
Size

690KB
MD5

be24f4e10108b443e7a42ea938abac43
SHA1

841ab6d568523bf683d433450ddc96f2b714f98d
SHA256

dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b
SHA512

7676342a039ab89ae81e334db81619b4ec46d0fa445ced96bbc8c94097e0aba779ecddae757aeed3c6a650fc2639858b1cf246e2e45096612e66ca6bad19ffa1
SSDEEP

12288:ry90Drt9LsJckfRk8kC1VCgGJniN+m5G6Bx1IAJGL:rykKJcGRFCsNy6xvQ

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1696-991-0x0000000007500000-0x0000000007B18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	12294416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	12294416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	12294416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	12294416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	12294416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	12294416.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1988	un703295.exe
2976	12294416.exe
1696	rk685701.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	12294416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	12294416.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un703295.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un703295.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3048	2976	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2976	12294416.exe
2976	12294416.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	12294416.exe
Token: SeDebugPrivilege	1696	rk685701.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1988	3780	dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe	82
PID 3780 wrote to memory of 1988	3780	dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe	82
PID 3780 wrote to memory of 1988	3780	dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe	82
PID 1988 wrote to memory of 2976	1988	un703295.exe	83
PID 1988 wrote to memory of 2976	1988	un703295.exe	83
PID 1988 wrote to memory of 2976	1988	un703295.exe	83
PID 1988 wrote to memory of 1696	1988	un703295.exe	87
PID 1988 wrote to memory of 1696	1988	un703295.exe	87
PID 1988 wrote to memory of 1696	1988	un703295.exe	87

C:\Users\Admin\AppData\Local\Temp\dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe
"C:\Users\Admin\AppData\Local\Temp\dc1fe88b850316faa04de4a0fe7dcfc4be4fff47653c80448484e0c8e118f81b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un703295.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un703295.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12294416.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12294416.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1088
      4⤵
      Program crash
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk685701.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk685701.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2976 -ip 2976
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un703295.exe

Filesize
536KB

MD5
bb9a9f4f3f933fd27d9b9019178dadd8

SHA1
e38441299c00c47c791af59ae505231bcca16183

SHA256
6f8fbf44017c466b209e5ff042e9839670cbd812108919a931d7c520ae558454

SHA512
7d8fff8af1c1475b1979dcb632446b192fb856ca272c75622fc8415cfd3a08d46a34b745c4531ab44655617617cad0851030d8d2337307c78b41d28acc9056c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un703295.exe

Filesize
536KB

MD5
bb9a9f4f3f933fd27d9b9019178dadd8

SHA1
e38441299c00c47c791af59ae505231bcca16183

SHA256
6f8fbf44017c466b209e5ff042e9839670cbd812108919a931d7c520ae558454

SHA512
7d8fff8af1c1475b1979dcb632446b192fb856ca272c75622fc8415cfd3a08d46a34b745c4531ab44655617617cad0851030d8d2337307c78b41d28acc9056c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12294416.exe

Filesize
258KB

MD5
666a8e72ecbcba74b1d2c16daf2eb070

SHA1
ff58cdbd5342bd4c5b0d2532c271eb4860ff90b3

SHA256
a0b49bf484c00026edbdb883d9e44a8fc6653c8c0a1df37cb368c6b72f71b60b

SHA512
bfb6966dc7a10f40d9a018dccc5c34b81cac4a73783b1dd581399c154fa235f2bee395c3665b30e245d96179298b24ea0364d5d4771c1a35de3957f20cda197e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12294416.exe

Filesize
258KB

MD5
666a8e72ecbcba74b1d2c16daf2eb070

SHA1
ff58cdbd5342bd4c5b0d2532c271eb4860ff90b3

SHA256
a0b49bf484c00026edbdb883d9e44a8fc6653c8c0a1df37cb368c6b72f71b60b

SHA512
bfb6966dc7a10f40d9a018dccc5c34b81cac4a73783b1dd581399c154fa235f2bee395c3665b30e245d96179298b24ea0364d5d4771c1a35de3957f20cda197e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk685701.exe

Filesize
341KB

MD5
a195519ebbd4dfc1e6e51e65a322ee57

SHA1
6156a150abc37da2ba093e02519d6cc754e40a38

SHA256
8bdb9d5b28e5a8b1c6c276e96da39bf66bf7a237a363c265e01fbda4169e7f95

SHA512
2b9b260e17365c2a626b8ede3df20eba4cd3cee3575922dc777288f6e8f2d840b38bffabc92cc06d8912c3f2607604430ce2ecb96f95e01d96971d0391c0b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk685701.exe

Filesize
341KB

MD5
a195519ebbd4dfc1e6e51e65a322ee57

SHA1
6156a150abc37da2ba093e02519d6cc754e40a38

SHA256
8bdb9d5b28e5a8b1c6c276e96da39bf66bf7a237a363c265e01fbda4169e7f95

SHA512
2b9b260e17365c2a626b8ede3df20eba4cd3cee3575922dc777288f6e8f2d840b38bffabc92cc06d8912c3f2607604430ce2ecb96f95e01d96971d0391c0b253

Download Submit
memory/1696-222-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-416-0x00000000006F0000-0x0000000000736000-memory.dmp

Filesize
280KB

Download
memory/1696-196-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-1002-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-1000-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/1696-999-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-997-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/1696-198-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-995-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-994-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-992-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/1696-991-0x0000000007500000-0x0000000007B18000-memory.dmp

Filesize
6.1MB

Download
memory/1696-200-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-420-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-418-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-224-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-220-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-218-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-216-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-214-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-212-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-210-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-208-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-206-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-204-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-195-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-202-0x0000000005000000-0x0000000005035000-memory.dmp

Filesize
212KB

Download
memory/1696-996-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1696-422-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/2976-149-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/2976-184-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2976-153-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2976-150-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-183-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2976-182-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2976-175-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-180-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2976-179-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/2976-148-0x0000000000980000-0x00000000009AD000-memory.dmp

Filesize
180KB

Download
memory/2976-155-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-177-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-151-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2976-173-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-171-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-169-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-167-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-165-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-163-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-161-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-159-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-157-0x0000000002670000-0x0000000002683000-memory.dmp

Filesize
76KB

Download
memory/2976-178-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download