redline | 69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d

Analysis

max time kernel
181s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe
Size

694KB
MD5

43cfd310e632c792b3d8dd12d7cd7fec
SHA1

ded4aabe5846eca4eb8d5cfeece1dd554264e983
SHA256

69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d
SHA512

ac434b31a8770b85b894b3c017ebad1a179de56307fdef309874d84db7d9200a3d2a7bcd71825561b4d79e585da54fcc745689201b95ff212a2c442097af0ea9
SSDEEP

12288:yy90R4duSoFsa+6NI2Y4Nr80KMZ3bYrFloJzNG0ttquOYE6hWlwnCBQCuy:yyU4dHoFsaXzZ80f/7OSoGCC+

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1652-987-0x0000000009C50000-0x000000000A268000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36597227.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	36597227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36597227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36597227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36597227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36597227.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3996	un845047.exe
232	36597227.exe
1652	rk290061.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	36597227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36597227.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un845047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un845047.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2088	232	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	36597227.exe
232	36597227.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	36597227.exe
Token: SeDebugPrivilege	1652	rk290061.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3996	4740	69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe	81
PID 4740 wrote to memory of 3996	4740	69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe	81
PID 4740 wrote to memory of 3996	4740	69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe	81
PID 3996 wrote to memory of 232	3996	un845047.exe	82
PID 3996 wrote to memory of 232	3996	un845047.exe	82
PID 3996 wrote to memory of 232	3996	un845047.exe	82
PID 3996 wrote to memory of 1652	3996	un845047.exe	85
PID 3996 wrote to memory of 1652	3996	un845047.exe	85
PID 3996 wrote to memory of 1652	3996	un845047.exe	85

C:\Users\Admin\AppData\Local\Temp\69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe
"C:\Users\Admin\AppData\Local\Temp\69ba307a1ec0be1a27f9fcf3d8aaa8512433f95794f4d277c3b7f72bf110af8d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un845047.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un845047.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36597227.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36597227.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1080
      4⤵
      Program crash
      PID:2088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk290061.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk290061.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 232 -ip 232
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un845047.exe

Filesize
540KB

MD5
beb8a71e681cb7a584d124d309335c9c

SHA1
cabdd5e364695bf1acc93b195c996193b5e1a55e

SHA256
dfbd70fdbac5063d74502a1df53c730117c30843c5895f320f5e1f94f317153c

SHA512
ca701165e80a95717620a657a0b69e61e5262431c3c5be7b62cde05c2c616e103b3d20bbeac39518f5d725e8ed1c7d2d02ea6862957f0f8ce965198e2e6f00bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un845047.exe

Filesize
540KB

MD5
beb8a71e681cb7a584d124d309335c9c

SHA1
cabdd5e364695bf1acc93b195c996193b5e1a55e

SHA256
dfbd70fdbac5063d74502a1df53c730117c30843c5895f320f5e1f94f317153c

SHA512
ca701165e80a95717620a657a0b69e61e5262431c3c5be7b62cde05c2c616e103b3d20bbeac39518f5d725e8ed1c7d2d02ea6862957f0f8ce965198e2e6f00bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36597227.exe

Filesize
258KB

MD5
9217eb2f56685a41b1d8734647a23e19

SHA1
b95b15278640cc98288c3de97cae65959f6c60e2

SHA256
be5cf8b4fcdf52d4a4c05804ee34b41fb9d5930f9d8f6985e2633a9aeb18f8b2

SHA512
67eaae5973c5d45280b19ff719ebaf4b49c8cc81eaa1baecb4c9774dbf7a78eeb5f5cd8a90a7c7c526c3ab2a06348d6428be6eaf34c415acf5a20de3549b70d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36597227.exe

Filesize
258KB

MD5
9217eb2f56685a41b1d8734647a23e19

SHA1
b95b15278640cc98288c3de97cae65959f6c60e2

SHA256
be5cf8b4fcdf52d4a4c05804ee34b41fb9d5930f9d8f6985e2633a9aeb18f8b2

SHA512
67eaae5973c5d45280b19ff719ebaf4b49c8cc81eaa1baecb4c9774dbf7a78eeb5f5cd8a90a7c7c526c3ab2a06348d6428be6eaf34c415acf5a20de3549b70d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk290061.exe

Filesize
340KB

MD5
814f8c208602ab33ca78e5539441c0d2

SHA1
31ea25449c6b6042bdcfb7bb63000c1e66fd652b

SHA256
30f48f5c9ee6464a2172532fbcbb03e63725da5dadbaa9052be5cfafe80ec7c7

SHA512
550264f2eb62c687dcda316925e38009fbb39856c53742ace67901fbb204a2a39b7953ae5f335b9ecf89278754499033c69b4f3b30cf9820f716ecbf60bcb894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk290061.exe

Filesize
340KB

MD5
814f8c208602ab33ca78e5539441c0d2

SHA1
31ea25449c6b6042bdcfb7bb63000c1e66fd652b

SHA256
30f48f5c9ee6464a2172532fbcbb03e63725da5dadbaa9052be5cfafe80ec7c7

SHA512
550264f2eb62c687dcda316925e38009fbb39856c53742ace67901fbb204a2a39b7953ae5f335b9ecf89278754499033c69b4f3b30cf9820f716ecbf60bcb894

Download Submit
memory/232-169-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-151-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/232-159-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-173-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-179-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-177-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-175-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-171-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-150-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/232-167-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-165-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-163-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-161-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-157-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-155-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-153-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-152-0x0000000004CB0000-0x0000000004CC3000-memory.dmp

Filesize
76KB

Download
memory/232-180-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/232-181-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/232-182-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/232-183-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/232-186-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/232-149-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/232-148-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/1652-993-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1652-220-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-191-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-194-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/1652-200-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-204-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-202-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-206-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-208-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-210-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-212-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-214-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-216-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-218-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-192-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-222-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-228-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1652-226-0x0000000002BB0000-0x0000000002BF6000-memory.dmp

Filesize
280KB

Download
memory/1652-232-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1652-230-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1652-987-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/1652-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/1652-198-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/1652-991-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1652-196-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/1652-994-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1652-995-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download