redline | 60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe
Size

691KB
MD5

7c3275409a3c421c4c64c84557d0369e
SHA1

040731069fd061021fd8b3a0cb0531eed1824492
SHA256

60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39
SHA512

0e12ae1e1c7c8a3bd040ab215d6a4129898b8a356981a68e808bed17ad101c821bba6fcc5a1295d2b89a2fde2282542b633f062ea309b578268d24a47da0ab80
SSDEEP

12288:Dy90PWUJi5+BLKRv4AdCYcmrIlzyesue2Q7wVgANBZSSr4b5PKq:DyQWZyk4XtJyxt2iANeSkb5Pd

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4432-241-0x0000000007920000-0x0000000007F38000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	16087329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	16087329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	16087329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	16087329.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	16087329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	16087329.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2752	un851024.exe
3132	16087329.exe
4056	rk984009.exe
4436	rk984009.exe
4432	si636532.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	16087329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	16087329.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un851024.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un851024.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 4436	4056	rk984009.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4620	3132	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	16087329.exe
3132	16087329.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	16087329.exe
Token: SeDebugPrivilege	4436	rk984009.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2752	1484	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe	84
PID 1484 wrote to memory of 2752	1484	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe	84
PID 1484 wrote to memory of 2752	1484	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe	84
PID 2752 wrote to memory of 3132	2752	un851024.exe	85
PID 2752 wrote to memory of 3132	2752	un851024.exe	85
PID 2752 wrote to memory of 3132	2752	un851024.exe	85
PID 2752 wrote to memory of 4056	2752	un851024.exe	89
PID 2752 wrote to memory of 4056	2752	un851024.exe	89
PID 2752 wrote to memory of 4056	2752	un851024.exe	89
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 4056 wrote to memory of 4436	4056	rk984009.exe	90
PID 1484 wrote to memory of 4432	1484	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe	91
PID 1484 wrote to memory of 4432	1484	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe	91
PID 1484 wrote to memory of 4432	1484	60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe	91

C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe
"C:\Users\Admin\AppData\Local\Temp\60030ecc6b5fd606c7f00bdbceb76de28a8f554e6ab1836fc3f58d86d7ad8b39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1088
      4⤵
      Program crash
      PID:4620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe
  2⤵
  - Executes dropped EXE
  PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3132 -ip 3132
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636532.exe

Filesize
136KB

MD5
e1c805d3cefe221689da30b8a2d944f2

SHA1
a9a94fd89ed22c2a127c81f6e57f822eae1d9f26

SHA256
32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a

SHA512
7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe

Filesize
537KB

MD5
923dd840d11ad83a7b8a0aa0ec580bd9

SHA1
998c072ba8715c67129b0d4c2e47402b316778ab

SHA256
2ee4de028dbab8107c78417ed2820c7938a19b036a4ac19ffe323b4bf121f8f2

SHA512
487e6e25cc437077e42f3c138f216d5956e8d26152d03bda268f6afe606be64585dd39f45dbbd117ad3a6aeb027466a77b1203b9d2291a5c8c3e1e99c6f62a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un851024.exe

Filesize
537KB

MD5
923dd840d11ad83a7b8a0aa0ec580bd9

SHA1
998c072ba8715c67129b0d4c2e47402b316778ab

SHA256
2ee4de028dbab8107c78417ed2820c7938a19b036a4ac19ffe323b4bf121f8f2

SHA512
487e6e25cc437077e42f3c138f216d5956e8d26152d03bda268f6afe606be64585dd39f45dbbd117ad3a6aeb027466a77b1203b9d2291a5c8c3e1e99c6f62a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe

Filesize
259KB

MD5
e316c2de777d55b98eb76fa4b278de7f

SHA1
11cac13b2850abeef8d1d359f24fb7865173f6dd

SHA256
bc3e53579b9cde6683fa8d45c6e62e53c6c337e9f0f44ff7808ab58474060c17

SHA512
ef9c8ea766877b8ae7413d17d565a6a43af6f641fe8e344a0036cd8eb0ac060a3a98c7ce7aa21ffdd7242b4b44d187ab64e966d7af4e50db58bc64d21d6e4104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\16087329.exe

Filesize
259KB

MD5
e316c2de777d55b98eb76fa4b278de7f

SHA1
11cac13b2850abeef8d1d359f24fb7865173f6dd

SHA256
bc3e53579b9cde6683fa8d45c6e62e53c6c337e9f0f44ff7808ab58474060c17

SHA512
ef9c8ea766877b8ae7413d17d565a6a43af6f641fe8e344a0036cd8eb0ac060a3a98c7ce7aa21ffdd7242b4b44d187ab64e966d7af4e50db58bc64d21d6e4104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

Filesize
342KB

MD5
bf70b37bcbd0f719e03a982c6c588d77

SHA1
32a932047845ebe2a8a2b22d48dc2af192a18d91

SHA256
17ed923cb1e879ec89be82253dbfda9a6d14d4f1272706bd340f589df2874279

SHA512
27e03eabf35e3c507fb943b4953e1919c386ef986683d81e650a0dda5185907eb032e1acb3fa493f8e768b36439ddf61e2cfea76979d001c4986a609f588e0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

Filesize
342KB

MD5
bf70b37bcbd0f719e03a982c6c588d77

SHA1
32a932047845ebe2a8a2b22d48dc2af192a18d91

SHA256
17ed923cb1e879ec89be82253dbfda9a6d14d4f1272706bd340f589df2874279

SHA512
27e03eabf35e3c507fb943b4953e1919c386ef986683d81e650a0dda5185907eb032e1acb3fa493f8e768b36439ddf61e2cfea76979d001c4986a609f588e0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk984009.exe

Filesize
342KB

MD5
bf70b37bcbd0f719e03a982c6c588d77

SHA1
32a932047845ebe2a8a2b22d48dc2af192a18d91

SHA256
17ed923cb1e879ec89be82253dbfda9a6d14d4f1272706bd340f589df2874279

SHA512
27e03eabf35e3c507fb943b4953e1919c386ef986683d81e650a0dda5185907eb032e1acb3fa493f8e768b36439ddf61e2cfea76979d001c4986a609f588e0bd

Download Submit
memory/3132-154-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/3132-180-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-155-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/3132-156-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/3132-157-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-158-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-166-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-168-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-164-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-162-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-160-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-170-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-172-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-174-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-176-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-178-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-182-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-148-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/3132-184-0x00000000022D0000-0x00000000022E3000-memory.dmp

Filesize
76KB

Download
memory/3132-188-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3132-153-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3132-152-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/3132-149-0x0000000000460000-0x000000000048D000-memory.dmp

Filesize
180KB

Download
memory/3132-151-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/3132-150-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/4056-196-0x00000000020A0000-0x00000000020E7000-memory.dmp

Filesize
284KB

Download
memory/4432-372-0x0000000007760000-0x0000000007770000-memory.dmp

Filesize
64KB

Download
memory/4432-1010-0x0000000007760000-0x0000000007770000-memory.dmp

Filesize
64KB

Download
memory/4432-241-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/4432-203-0x0000000000650000-0x0000000000678000-memory.dmp

Filesize
160KB

Download
memory/4432-369-0x00000000073E0000-0x000000000741C000-memory.dmp

Filesize
240KB

Download
memory/4432-278-0x00000000074B0000-0x00000000075BA000-memory.dmp

Filesize
1.0MB

Download
memory/4432-243-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/4436-197-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4436-209-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-213-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-217-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-215-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-219-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4436-221-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-220-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-224-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-225-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-227-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-222-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-229-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-231-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-233-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-211-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-207-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-205-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-204-0x0000000004980000-0x00000000049B5000-memory.dmp

Filesize
212KB

Download
memory/4436-198-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4436-1005-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-1007-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-1008-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-1009-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4436-194-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4436-1011-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download