redline | 3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe
Size

1.1MB
MD5

ceed9926c5bf5710aee782849b97a673
SHA1

a8d1d01daa24a5f5cb8a2852766ccd60f7a4bd60
SHA256

3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69
SHA512

aa44a2586006ba3ced0a07168ccbf6d94b1cd9cb75a747f173d6e3806a12f7aef9522cee024e57b9b33dccb6f3313fd5dc106c21f44544a17951b08d9685d0a4
SSDEEP

24576:Sy3mYAinZqbzOZNBz5CG1xhNPgaprYlzov+Pi7dbl63Kq+ec:5ruOPBAG1xj4apclAzdbls

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4176-996-0x0000000007920000-0x0000000007F38000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	57164204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	57164204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	57164204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	57164204.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	57164204.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	57164204.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4388	za787097.exe
2144	za209146.exe
408	57164204.exe
4176	w11QU73.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	57164204.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	57164204.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za787097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za787097.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za209146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za209146.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3172	408	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	57164204.exe
408	57164204.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	57164204.exe
Token: SeDebugPrivilege	4176	w11QU73.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4388	1200	3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe	81
PID 1200 wrote to memory of 4388	1200	3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe	81
PID 1200 wrote to memory of 4388	1200	3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe	81
PID 4388 wrote to memory of 2144	4388	za787097.exe	82
PID 4388 wrote to memory of 2144	4388	za787097.exe	82
PID 4388 wrote to memory of 2144	4388	za787097.exe	82
PID 2144 wrote to memory of 408	2144	za209146.exe	83
PID 2144 wrote to memory of 408	2144	za209146.exe	83
PID 2144 wrote to memory of 408	2144	za209146.exe	83
PID 2144 wrote to memory of 4176	2144	za209146.exe	90
PID 2144 wrote to memory of 4176	2144	za209146.exe	90
PID 2144 wrote to memory of 4176	2144	za209146.exe	90

C:\Users\Admin\AppData\Local\Temp\3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe
"C:\Users\Admin\AppData\Local\Temp\3b853f65024e01f4f79d4f3df711fd9cca77f330d729844a1416667520fd7a69.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za787097.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za787097.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za209146.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za209146.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\57164204.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\57164204.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1084
        5⤵
        Program crash
        
        PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11QU73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11QU73.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 408 -ip 408
1⤵
PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za787097.exe

Filesize
775KB

MD5
7bf1fa1fc25a717976a1d527a44d0073

SHA1
a9c415a807dd9ff9a5a2aa49d22575b0d5f6f4ae

SHA256
98f2fbae8209149262382c3c28be9d1a0577df40434b71dee24ace2223d4940d

SHA512
e924d74b20cc205a3291a537776566c71d91f3dbe4d7f17025927ebb6cfc17f89223785267c792b33e4a3085f7468bcea69cea902f02fe8d076454ca21dde435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za787097.exe

Filesize
775KB

MD5
7bf1fa1fc25a717976a1d527a44d0073

SHA1
a9c415a807dd9ff9a5a2aa49d22575b0d5f6f4ae

SHA256
98f2fbae8209149262382c3c28be9d1a0577df40434b71dee24ace2223d4940d

SHA512
e924d74b20cc205a3291a537776566c71d91f3dbe4d7f17025927ebb6cfc17f89223785267c792b33e4a3085f7468bcea69cea902f02fe8d076454ca21dde435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za209146.exe

Filesize
593KB

MD5
158b6da2018cec07e393e84809d93e25

SHA1
44eba44c2a339363bde1d8156bf25c6be69ca61a

SHA256
d9faba8a8e5d66f96c89d119c9c0733a8bc915171e78027268cf7f028cc5c4bc

SHA512
3c146b045490beba66f0f1f2a232b267435f68117b6235713874260ccf65e1a2562f6a63f48fb7318c552acde7fe48ee4847b2938b97871f95d8cef401eacbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za209146.exe

Filesize
593KB

MD5
158b6da2018cec07e393e84809d93e25

SHA1
44eba44c2a339363bde1d8156bf25c6be69ca61a

SHA256
d9faba8a8e5d66f96c89d119c9c0733a8bc915171e78027268cf7f028cc5c4bc

SHA512
3c146b045490beba66f0f1f2a232b267435f68117b6235713874260ccf65e1a2562f6a63f48fb7318c552acde7fe48ee4847b2938b97871f95d8cef401eacbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\57164204.exe

Filesize
377KB

MD5
b87944d4e4208098315a7961f3617e44

SHA1
5cfd58eb2016c645593f6fc5f027932bc097d049

SHA256
02d4fa840e5225dc03c23188247faed6351ffc8b7abfa38b3ef84383ecd6c336

SHA512
a84462642dcf91334c81dfb38a03f4bff751d4731d308fd9f2a3bc9a1f5b8c49f85760f316af328f15b3103e2f2c2d8f7e88be1347384559784f929ee771d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\57164204.exe

Filesize
377KB

MD5
b87944d4e4208098315a7961f3617e44

SHA1
5cfd58eb2016c645593f6fc5f027932bc097d049

SHA256
02d4fa840e5225dc03c23188247faed6351ffc8b7abfa38b3ef84383ecd6c336

SHA512
a84462642dcf91334c81dfb38a03f4bff751d4731d308fd9f2a3bc9a1f5b8c49f85760f316af328f15b3103e2f2c2d8f7e88be1347384559784f929ee771d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11QU73.exe

Filesize
459KB

MD5
c18ce635d6d9106610d11398b938e462

SHA1
c5c1ee545a2145920711b10ddf89e93c9c833483

SHA256
5ff013f7fdf8466b0601f38b95111b2fa9963ddac705a00cface3cbfa1d7f069

SHA512
66ba9ed6bd3a2755e848debe785f19db1187ccd3c11a05c87ae0d875dcf01b79b2377f01b6421996a246516809e78cdaa4d919f39c67f719f70e80c2223d0a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w11QU73.exe

Filesize
459KB

MD5
c18ce635d6d9106610d11398b938e462

SHA1
c5c1ee545a2145920711b10ddf89e93c9c833483

SHA256
5ff013f7fdf8466b0601f38b95111b2fa9963ddac705a00cface3cbfa1d7f069

SHA512
66ba9ed6bd3a2755e848debe785f19db1187ccd3c11a05c87ae0d875dcf01b79b2377f01b6421996a246516809e78cdaa4d919f39c67f719f70e80c2223d0a9d

Download Submit
memory/408-192-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/408-159-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-161-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-169-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-171-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-173-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-167-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-165-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-179-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-177-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-175-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-163-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-181-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-183-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-184-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/408-185-0x0000000000A00000-0x0000000000A2D000-memory.dmp

Filesize
180KB

Download
memory/408-186-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/408-187-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/408-188-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/408-190-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/408-191-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/408-156-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-195-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/408-157-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/408-155-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/4176-203-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-229-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-200-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-205-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-207-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-209-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-211-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-213-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-215-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-217-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-219-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-221-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-223-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-225-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-227-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-201-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-231-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/4176-365-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/4176-367-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-369-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-372-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-996-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/4176-997-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4176-998-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4176-999-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4176-1000-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-1002-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-1003-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-1004-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-1005-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download