redline | e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe
Size

697KB
MD5

ce672596a28d6809f004a6715e937c80
SHA1

768df5b999c2175ce5f2608d4726877b4d4f1658
SHA256

e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9
SHA512

7919c0dbe1b38679dde534cd4f4de38233552969393016cd69399694ab00adf56257f0821eaa54837e48399e39dfeeb379ee41fffd37929a2c97a3c27c27b1da
SSDEEP

12288:Ny90U5ZNVavsxieCHnQLGZbal4fDZBH1K4x2r8Mgj0Pz8xd:Ny/nNVavAd0QLGnlBVK4xA8Mgje8xd

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1944-989-0x0000000009C90000-0x000000000A2A8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	08930235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	08930235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	08930235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	08930235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	08930235.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	08930235.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1844	un948306.exe
1236	08930235.exe
1944	rk406481.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	08930235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	08930235.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un948306.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un948306.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4480	1236	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1236	08930235.exe
1236	08930235.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	08930235.exe
Token: SeDebugPrivilege	1944	rk406481.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1844	4104	e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe	84
PID 4104 wrote to memory of 1844	4104	e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe	84
PID 4104 wrote to memory of 1844	4104	e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe	84
PID 1844 wrote to memory of 1236	1844	un948306.exe	85
PID 1844 wrote to memory of 1236	1844	un948306.exe	85
PID 1844 wrote to memory of 1236	1844	un948306.exe	85
PID 1844 wrote to memory of 1944	1844	un948306.exe	88
PID 1844 wrote to memory of 1944	1844	un948306.exe	88
PID 1844 wrote to memory of 1944	1844	un948306.exe	88

C:\Users\Admin\AppData\Local\Temp\e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe
"C:\Users\Admin\AppData\Local\Temp\e42696c7c9b453a4eadcd3525546e52e8cdca1428b6756dd4da81accaa6727b9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un948306.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un948306.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08930235.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08930235.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1080
      4⤵
      Program crash
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk406481.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk406481.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1236 -ip 1236
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un948306.exe

Filesize
543KB

MD5
587903a5d4fe4394817b546d07bbdfff

SHA1
bc747674392d8731c1186ddc29054c5d193ad573

SHA256
b74a29181a07edfa3fc6b4f172f4f2725186d9cb4587971e3f78c6b40e1bad9b

SHA512
0856de5cde56d50d9a0b0c06e5f141494bbda0d1ec27c2f4490071ac07171fc0d66fdb61ec16e1dd2621c69873a367067b6a56293d3c66f940cc3bfaa5c3dae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un948306.exe

Filesize
543KB

MD5
587903a5d4fe4394817b546d07bbdfff

SHA1
bc747674392d8731c1186ddc29054c5d193ad573

SHA256
b74a29181a07edfa3fc6b4f172f4f2725186d9cb4587971e3f78c6b40e1bad9b

SHA512
0856de5cde56d50d9a0b0c06e5f141494bbda0d1ec27c2f4490071ac07171fc0d66fdb61ec16e1dd2621c69873a367067b6a56293d3c66f940cc3bfaa5c3dae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08930235.exe

Filesize
265KB

MD5
d4506eafc71cf445f86b3abfc937c798

SHA1
ce9d4dd42dd059b71086ede74a33352b9a11d6a0

SHA256
44adf9fd9f771c7f1ad7273f87a8dbebb5d6666ebb50d58b1b1416f31d0dd08f

SHA512
507b777eee9112dd99650bb264c11b1b529e9b735c631e335fa3a8c2dd861d71287c970f2bc7484ab9e840b8e78d4a879a3efc2c448bb1e4dd2ee876cadc37e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08930235.exe

Filesize
265KB

MD5
d4506eafc71cf445f86b3abfc937c798

SHA1
ce9d4dd42dd059b71086ede74a33352b9a11d6a0

SHA256
44adf9fd9f771c7f1ad7273f87a8dbebb5d6666ebb50d58b1b1416f31d0dd08f

SHA512
507b777eee9112dd99650bb264c11b1b529e9b735c631e335fa3a8c2dd861d71287c970f2bc7484ab9e840b8e78d4a879a3efc2c448bb1e4dd2ee876cadc37e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk406481.exe

Filesize
347KB

MD5
612a62dc14bd801993e6f3d48f38b999

SHA1
5e8859e444a131878032e0d2b1985da22fa4f442

SHA256
c835cdc2325c1c7d9ed802e93761f5990646eda19737080d35b1e1cffc0866b1

SHA512
d35414ae25d8bbf7f8dcbb1b7823559d7049cc708530cd1b7f17e7bcca28cd2aa60e9b963e05b7670c01ec80b0bff3c980fa94d4109864aa449fc2edd6d66aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk406481.exe

Filesize
347KB

MD5
612a62dc14bd801993e6f3d48f38b999

SHA1
5e8859e444a131878032e0d2b1985da22fa4f442

SHA256
c835cdc2325c1c7d9ed802e93761f5990646eda19737080d35b1e1cffc0866b1

SHA512
d35414ae25d8bbf7f8dcbb1b7823559d7049cc708530cd1b7f17e7bcca28cd2aa60e9b963e05b7670c01ec80b0bff3c980fa94d4109864aa449fc2edd6d66aa5

Download Submit
memory/1236-164-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-152-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/1236-151-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/1236-153-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-154-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-156-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-158-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-160-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-162-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-150-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/1236-166-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-168-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-170-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-172-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-174-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-176-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-178-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-180-0x0000000007100000-0x0000000007113000-memory.dmp

Filesize
76KB

Download
memory/1236-181-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/1236-183-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/1236-184-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/1236-185-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/1236-186-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/1236-149-0x0000000002F40000-0x0000000002F6D000-memory.dmp

Filesize
180KB

Download
memory/1236-148-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/1944-990-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/1944-218-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-192-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1944-226-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-196-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-198-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-200-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-202-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-206-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-204-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-208-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-210-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-212-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-214-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-216-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-191-0x00000000046F0000-0x0000000004736000-memory.dmp

Filesize
280KB

Download
memory/1944-220-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-222-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-224-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-194-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-425-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1944-987-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1944-988-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1944-989-0x0000000009C90000-0x000000000A2A8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-193-0x00000000071C0000-0x00000000071F5000-memory.dmp

Filesize
212KB

Download
memory/1944-991-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/1944-992-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/1944-993-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/1944-995-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download