redline | e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38

Analysis

max time kernel
178s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
Size

694KB
MD5

323bf2284b64ea6435a12f51e09d57ea
SHA1

944ffac2f8a682ea209d3d4f48e6a7379cf36fc9
SHA256

e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38
SHA512

f08b599e19aabc4f6c47f6e860866b36136ce4a4bab291a178794b52ef36bd2c384d34073a8b6dcfbba1b4a660ecec129b505d992384d79bab78e80d8a4127b5
SSDEEP

12288:Uy90diNrF0XOt6eRlanHwpFT4WcIePBy+DPuWA6Fl18byKrA+FB1:Uy5NrFccjCHoFRcIeJk6Fl18byUf

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4252-989-0x0000000009C60000-0x000000000A278000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	04247859.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	04247859.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
544	un354758.exe
4908	04247859.exe
4252	rk790284.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	04247859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	04247859.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un354758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un354758.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	4908	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	04247859.exe
4908	04247859.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	04247859.exe
Token: SeDebugPrivilege	4252	rk790284.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 544	4208	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	79
PID 4208 wrote to memory of 544	4208	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	79
PID 4208 wrote to memory of 544	4208	e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe	79
PID 544 wrote to memory of 4908	544	un354758.exe	80
PID 544 wrote to memory of 4908	544	un354758.exe	80
PID 544 wrote to memory of 4908	544	un354758.exe	80
PID 544 wrote to memory of 4252	544	un354758.exe	85
PID 544 wrote to memory of 4252	544	un354758.exe	85
PID 544 wrote to memory of 4252	544	un354758.exe	85

C:\Users\Admin\AppData\Local\Temp\e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe
"C:\Users\Admin\AppData\Local\Temp\e6604b62a1ef728f5e19137eac424db10b5392b82798991a79101a48dc780f38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1100
      4⤵
      Program crash
      PID:2124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4908 -ip 4908
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe

Filesize
540KB

MD5
a627f1e8e57fcb834b80cb818ee3008a

SHA1
7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db

SHA256
67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1

SHA512
77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un354758.exe

Filesize
540KB

MD5
a627f1e8e57fcb834b80cb818ee3008a

SHA1
7d773a11c79a61fa0bc09bc2e61f00d5f0dd89db

SHA256
67216d71d170a0d8567a302ec4bb99726c83fa4cbd200a9481262df9ebc303b1

SHA512
77937c335cf30c2d62e49aabde270e58a38aa63d4d04f96a49d317aaab54bc273a3bf4e4d13559df557bfa108588c374ad047b110e2452eb04da6adcbed1c2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04247859.exe

Filesize
258KB

MD5
1940d4e23854773dbee39b5035f61ee8

SHA1
4282c5693d94af778957d248b9b82d8d04aa5562

SHA256
650104b200ec79c2b052245ee2f7c1ec4ead72d7fb2c0ab67100ab831d52ff80

SHA512
f8c7ede96bc44759d75f8ea0e0f1d4c752b91e3f61e3549e434019ce4568f1ee6dba12d971f5a61b5472b9c840c72b1f4bff0bd303654a23429581e99badd644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk790284.exe

Filesize
340KB

MD5
9bca28fffc025863f67bd84429986c45

SHA1
caa4b58c7a23a62bcaca46ab8e6e54b0a9f85ed7

SHA256
52463781dec963fc0f389ee80f9fa2ba5445fedb27dcbba978ccc2e09670b4bc

SHA512
f5d4aa79699d9673a7b71c0f7e2acd3512c05092acdfd82464af03d76f0bdadd327833dccaf48158fe6df1a27cc34545754b1224248053575fb1b40779cf31f1

Download Submit
memory/4252-223-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-217-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-992-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/4252-991-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/4252-990-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/4252-989-0x0000000009C60000-0x000000000A278000-memory.dmp

Filesize
6.1MB

Download
memory/4252-245-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4252-244-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4252-995-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4252-242-0x0000000002E10000-0x0000000002E56000-memory.dmp

Filesize
280KB

Download
memory/4252-194-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-221-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-219-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-993-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4252-215-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-213-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-211-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-209-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-207-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-205-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-203-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-201-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-199-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-996-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4252-997-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/4252-195-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4252-197-0x0000000007080000-0x00000000070B5000-memory.dmp

Filesize
212KB

Download
memory/4908-164-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4908-184-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4908-183-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4908-182-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4908-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/4908-180-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-178-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-176-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-172-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-174-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-170-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-168-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-166-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-162-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-160-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-158-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4908-156-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4908-153-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-157-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-154-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4908-152-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/4908-150-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-149-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4908-148-0x0000000007260000-0x0000000007804000-memory.dmp

Filesize
5.6MB

Download