redline | 65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c

Analysis

max time kernel
206s
max time network
227s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe
Size

691KB
MD5

10b96237995960e340c60b48a46f5f87
SHA1

0b91fbc514e75f6925e39194ab8261d36520f7fc
SHA256

65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c
SHA512

c767c276965fff8d2498682d61ddca3e59693762c41f27ad18e7a8b455fa08297dfd8a66f4184c43529fa6304e974c3582c85f248db0d374ceaaa9bf883114c6
SSDEEP

12288:dy909U6qZFo/ZUsPdVXiSuw6f/ywcYqIc+o9CqcfjB3j219rSVbh22mrpkUt6E:dyGU6qZFoBUMddipw6f/ywAVjpQF21cm

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2820-994-0x0000000007500000-0x0000000007B18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	32643724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	32643724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	32643724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	32643724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	32643724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	32643724.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4644	un183679.exe
3640	32643724.exe
2820	rk106626.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	32643724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	32643724.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un183679.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un183679.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3412	3640	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3640	32643724.exe
3640	32643724.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	32643724.exe
Token: SeDebugPrivilege	2820	rk106626.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4644	2420	65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe	82
PID 2420 wrote to memory of 4644	2420	65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe	82
PID 2420 wrote to memory of 4644	2420	65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe	82
PID 4644 wrote to memory of 3640	4644	un183679.exe	83
PID 4644 wrote to memory of 3640	4644	un183679.exe	83
PID 4644 wrote to memory of 3640	4644	un183679.exe	83
PID 4644 wrote to memory of 2820	4644	un183679.exe	87
PID 4644 wrote to memory of 2820	4644	un183679.exe	87
PID 4644 wrote to memory of 2820	4644	un183679.exe	87

C:\Users\Admin\AppData\Local\Temp\65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe
"C:\Users\Admin\AppData\Local\Temp\65d35a45909653e15ff8ba54114dba4002664b9eaf0836d194c8bcff196e5f4c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183679.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183679.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32643724.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32643724.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1048
      4⤵
      Program crash
      PID:3412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk106626.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk106626.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3640 -ip 3640
1⤵
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183679.exe

Filesize
537KB

MD5
06235252e3c13811687fee1953fe25e1

SHA1
8f611fce48687503f55b580bcc2baf7f364e3ffd

SHA256
e7207fff1dcbf6cd727fbf985575b55c78d605ec92ca2ac1e3c3fbff6e953efc

SHA512
07846631a98e80b5b694b0d32d19d88c0c4fed5c6580def61d6ddd46c902ae67d7f04f88c42112cf6cfece44d11aefe84a9528d927da696c0cdf657569a8a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183679.exe

Filesize
537KB

MD5
06235252e3c13811687fee1953fe25e1

SHA1
8f611fce48687503f55b580bcc2baf7f364e3ffd

SHA256
e7207fff1dcbf6cd727fbf985575b55c78d605ec92ca2ac1e3c3fbff6e953efc

SHA512
07846631a98e80b5b694b0d32d19d88c0c4fed5c6580def61d6ddd46c902ae67d7f04f88c42112cf6cfece44d11aefe84a9528d927da696c0cdf657569a8a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32643724.exe

Filesize
259KB

MD5
86ad93a30584ca04c0d11d2c6ccfdec0

SHA1
7abc87b8b68f137a85ff28823e18bd3f531b993f

SHA256
86aaf5c6d98282a31b5a95782dec5ba86e59d16aac4c471f949b4cff481a491c

SHA512
c5bd2324dc7fb82853053378f31147042dbf4b081c0f959178096607cde02e182c08fca5c6e763c13f5f50b06bb212d11608d0e371cdb6d3069941dd264e1c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32643724.exe

Filesize
259KB

MD5
86ad93a30584ca04c0d11d2c6ccfdec0

SHA1
7abc87b8b68f137a85ff28823e18bd3f531b993f

SHA256
86aaf5c6d98282a31b5a95782dec5ba86e59d16aac4c471f949b4cff481a491c

SHA512
c5bd2324dc7fb82853053378f31147042dbf4b081c0f959178096607cde02e182c08fca5c6e763c13f5f50b06bb212d11608d0e371cdb6d3069941dd264e1c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk106626.exe

Filesize
341KB

MD5
5876a0c65c22908132457d7892a75cad

SHA1
51c38c6e7287de31c81d88292ba37f64e2deaeaf

SHA256
aa655bc2c21877b5f98ac044aec4c9d308ab418cf802f77782750228c1b7f567

SHA512
3111b80a7a2e78e9d84a99954857d9582c65389145dcdaa569c4416957a4e1964344cb974eec81f490cb28db84f7623dccc4c8f31ed7d61c83ebcf57e7fc8f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk106626.exe

Filesize
341KB

MD5
5876a0c65c22908132457d7892a75cad

SHA1
51c38c6e7287de31c81d88292ba37f64e2deaeaf

SHA256
aa655bc2c21877b5f98ac044aec4c9d308ab418cf802f77782750228c1b7f567

SHA512
3111b80a7a2e78e9d84a99954857d9582c65389145dcdaa569c4416957a4e1964344cb974eec81f490cb28db84f7623dccc4c8f31ed7d61c83ebcf57e7fc8f2e

Download Submit
memory/2820-426-0x0000000000750000-0x0000000000796000-memory.dmp

Filesize
280KB

Download
memory/2820-220-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-998-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-997-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/2820-996-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/2820-995-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/2820-994-0x0000000007500000-0x0000000007B18000-memory.dmp

Filesize
6.1MB

Download
memory/2820-430-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-1001-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-427-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-200-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-224-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-222-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-1000-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-218-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-216-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-214-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-212-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-210-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-208-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-206-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-204-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-202-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/2820-1002-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-1003-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2820-199-0x0000000004FD0000-0x0000000005005000-memory.dmp

Filesize
212KB

Download
memory/3640-162-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-189-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3640-184-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3640-183-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3640-182-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3640-181-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/3640-180-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-178-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-176-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-174-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-172-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-170-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-168-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-166-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-164-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-160-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-158-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-156-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-153-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-154-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3640-152-0x0000000004B10000-0x0000000004B23000-memory.dmp

Filesize
76KB

Download
memory/3640-151-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/3640-150-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3640-149-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3640-148-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download