redline | 6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe
Size

1.5MB
MD5

3fea863686ae1eeaaa56b91d7ae2b5ba
SHA1

b49cd2d6cea2db1188a9ff27d8bec40342d61691
SHA256

6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766
SHA512

f49e8f295ccca3985fba7ab64029c2dde108ec5bd9de39282c67d63df293c98b215c4bac7bba36e6919905c991dff7b01e3fbdf2bca41a15aeeaa0ff4e969ccc
SSDEEP

24576:wy+Tz7NL9zt4a9IJJTFGF5ZTUXXG/Jmav/iIVCPhPfh+r/p:3+Tz7jR92JIFsnGxRacCPJ5

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4484-212-0x0000000007820000-0x0000000007E38000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5687081.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a5687081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5687081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5687081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5687081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5687081.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3844	v0713775.exe
3772	v8114114.exe
228	v4592525.exe
4164	v7569805.exe
2184	a5687081.exe
4484	b8880821.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a5687081.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5687081.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0713775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7569805.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0713775.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8114114.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8114114.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4592525.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4592525.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7569805.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4676	2184	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	a5687081.exe
2184	a5687081.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	a5687081.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 3844	772	6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe	88
PID 772 wrote to memory of 3844	772	6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe	88
PID 772 wrote to memory of 3844	772	6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe	88
PID 3844 wrote to memory of 3772	3844	v0713775.exe	89
PID 3844 wrote to memory of 3772	3844	v0713775.exe	89
PID 3844 wrote to memory of 3772	3844	v0713775.exe	89
PID 3772 wrote to memory of 228	3772	v8114114.exe	90
PID 3772 wrote to memory of 228	3772	v8114114.exe	90
PID 3772 wrote to memory of 228	3772	v8114114.exe	90
PID 228 wrote to memory of 4164	228	v4592525.exe	91
PID 228 wrote to memory of 4164	228	v4592525.exe	91
PID 228 wrote to memory of 4164	228	v4592525.exe	91
PID 4164 wrote to memory of 2184	4164	v7569805.exe	92
PID 4164 wrote to memory of 2184	4164	v7569805.exe	92
PID 4164 wrote to memory of 2184	4164	v7569805.exe	92
PID 4164 wrote to memory of 4484	4164	v7569805.exe	98
PID 4164 wrote to memory of 4484	4164	v7569805.exe	98
PID 4164 wrote to memory of 4484	4164	v7569805.exe	98

C:\Users\Admin\AppData\Local\Temp\6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe
"C:\Users\Admin\AppData\Local\Temp\6a0fd52012926bced3c7c551f27ba345b8cdbfe8462f48b81671bde2702e4766.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0713775.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0713775.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8114114.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8114114.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4592525.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4592525.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7569805.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7569805.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5687081.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5687081.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1080
        7⤵
        Program crash
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8880821.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8880821.exe
        6⤵
        Executes dropped EXE
        
        PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2184 -ip 2184
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0713775.exe

Filesize
1.4MB

MD5
0803135a2b5ffe59320553142f64c6d1

SHA1
5cce330b28d07eb239f1768fbbadd69b343e2d1c

SHA256
12bc1f0140ab13874d794af8959d2d4f5ad8711714d7d212b8f59299196c8f04

SHA512
d4fc101796aa02d13c245d041bf0d6dd0dbf706434b41c4ff2269b785ea3b9d6613c0d407d946c56d5611a5aed1e6491638bf753ad676b1d50bdecea696a19c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0713775.exe

Filesize
1.4MB

MD5
0803135a2b5ffe59320553142f64c6d1

SHA1
5cce330b28d07eb239f1768fbbadd69b343e2d1c

SHA256
12bc1f0140ab13874d794af8959d2d4f5ad8711714d7d212b8f59299196c8f04

SHA512
d4fc101796aa02d13c245d041bf0d6dd0dbf706434b41c4ff2269b785ea3b9d6613c0d407d946c56d5611a5aed1e6491638bf753ad676b1d50bdecea696a19c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8114114.exe

Filesize
916KB

MD5
f713adbd31e640342e45e18d71e864a1

SHA1
663ff04e08a11b611ce0e27b9cabe3e9ded947a5

SHA256
4b91c27ed9e42efd024f2628bed25c0891bce367e2b33c1d98652e8a064b23fe

SHA512
074e5eab2ebff6e75794576ab55bf7f3f890cc11031785041f41e94c9d9ab64c161cb257f5f86d22391a3bc19489019bebe78cc3959eb4f02ec37fe4ff260f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8114114.exe

Filesize
916KB

MD5
f713adbd31e640342e45e18d71e864a1

SHA1
663ff04e08a11b611ce0e27b9cabe3e9ded947a5

SHA256
4b91c27ed9e42efd024f2628bed25c0891bce367e2b33c1d98652e8a064b23fe

SHA512
074e5eab2ebff6e75794576ab55bf7f3f890cc11031785041f41e94c9d9ab64c161cb257f5f86d22391a3bc19489019bebe78cc3959eb4f02ec37fe4ff260f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4592525.exe

Filesize
712KB

MD5
69a21bcc7a837736c72b13650dba6198

SHA1
d13f24ee6f5511b20e981463440dbe5018b60d76

SHA256
6053eddab1cd12bc84585152409af84cb9f8052a468d59ff6883ee9ea0ef3855

SHA512
5deb9e8c35e0eea9a053afee9adc899cf74926e9d0b6408b9ccf7f0791555ad27475fe19ecf54a23443c544b981690b8aedad39fd9c2c9caae413b9b422f19e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4592525.exe

Filesize
712KB

MD5
69a21bcc7a837736c72b13650dba6198

SHA1
d13f24ee6f5511b20e981463440dbe5018b60d76

SHA256
6053eddab1cd12bc84585152409af84cb9f8052a468d59ff6883ee9ea0ef3855

SHA512
5deb9e8c35e0eea9a053afee9adc899cf74926e9d0b6408b9ccf7f0791555ad27475fe19ecf54a23443c544b981690b8aedad39fd9c2c9caae413b9b422f19e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7569805.exe

Filesize
422KB

MD5
7254b27604e6c8377bcbef17f59529c1

SHA1
46c0a18b34f3f154afb49e1f94955a948460bc4c

SHA256
22c5c9568ed1c15480ea31ca19c2792cc221e0f56ae3e4615b387cdb8208f437

SHA512
b52ce81956e12f1a94c1aa39fd4d24d1f367796a1b68b4386e936793f04e3f5c857f1fd7a41e3cf88be09bac84bac6bca286fbd46bf48544e3ff3fb9e3cde7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7569805.exe

Filesize
422KB

MD5
7254b27604e6c8377bcbef17f59529c1

SHA1
46c0a18b34f3f154afb49e1f94955a948460bc4c

SHA256
22c5c9568ed1c15480ea31ca19c2792cc221e0f56ae3e4615b387cdb8208f437

SHA512
b52ce81956e12f1a94c1aa39fd4d24d1f367796a1b68b4386e936793f04e3f5c857f1fd7a41e3cf88be09bac84bac6bca286fbd46bf48544e3ff3fb9e3cde7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5687081.exe

Filesize
371KB

MD5
c056013b9500dcb49a1ed6c83a78bca2

SHA1
73868dd0b619895153c77ef04e709854b26c4072

SHA256
90dc8c38df84426211214da29e93ce2edd967333c6cb8db5fe77294d85e417c0

SHA512
85d8d76801f3a8c685d68f7163315071016e8e8774c5c65acf71fe0d727787e0b0ceaae2dbd154d1dd0810d66636dc205eb1e7a66ec6e8d38be50b905f7100f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5687081.exe

Filesize
371KB

MD5
c056013b9500dcb49a1ed6c83a78bca2

SHA1
73868dd0b619895153c77ef04e709854b26c4072

SHA256
90dc8c38df84426211214da29e93ce2edd967333c6cb8db5fe77294d85e417c0

SHA512
85d8d76801f3a8c685d68f7163315071016e8e8774c5c65acf71fe0d727787e0b0ceaae2dbd154d1dd0810d66636dc205eb1e7a66ec6e8d38be50b905f7100f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8880821.exe

Filesize
136KB

MD5
5fabdea12cd1693ab66a45e803699b99

SHA1
644fcc26f7a7f0955a6b29ebfc8223aeb6a354ed

SHA256
ea704adbd3c3005b9852e77fc8bd8d6daa2567f1f1169dbc8a56cd89eea08b10

SHA512
338252dee66964d9a6402b10be7f0c102cd8456eb95ee3406b77768ff224a874eed37b1c527be7373e5a68e6c3969659fc7afb28d19ca7278ddc5f1d77bd35b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8880821.exe

Filesize
136KB

MD5
5fabdea12cd1693ab66a45e803699b99

SHA1
644fcc26f7a7f0955a6b29ebfc8223aeb6a354ed

SHA256
ea704adbd3c3005b9852e77fc8bd8d6daa2567f1f1169dbc8a56cd89eea08b10

SHA512
338252dee66964d9a6402b10be7f0c102cd8456eb95ee3406b77768ff224a874eed37b1c527be7373e5a68e6c3969659fc7afb28d19ca7278ddc5f1d77bd35b4

Download Submit
memory/2184-187-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-197-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-172-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-171-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2184-176-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2184-177-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-183-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-181-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-179-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-185-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-173-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-189-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-191-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-193-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-195-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-174-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2184-199-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-201-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/2184-202-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2184-203-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2184-204-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2184-205-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2184-207-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2184-170-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/2184-169-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/4484-211-0x0000000000590000-0x00000000005B8000-memory.dmp

Filesize
160KB

Download
memory/4484-212-0x0000000007820000-0x0000000007E38000-memory.dmp

Filesize
6.1MB

Download
memory/4484-213-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/4484-214-0x00000000073D0000-0x00000000074DA000-memory.dmp

Filesize
1.0MB

Download
memory/4484-215-0x0000000007300000-0x000000000733C000-memory.dmp

Filesize
240KB

Download
memory/4484-216-0x00000000076D0000-0x00000000076E0000-memory.dmp

Filesize
64KB

Download
memory/4484-217-0x00000000076D0000-0x00000000076E0000-memory.dmp

Filesize
64KB

Download