redline | 417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f

Analysis

max time kernel
181s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Size

687KB
MD5

368aeae2615e04206a681ae23c2261f3
SHA1

699d81f3dc94f143a70a842f4fb2d72f1b70317f
SHA256

417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f
SHA512

6c3800ed3c19e6d930c3860c7d2c33dd89c96d991862d6a6d33f4765386f44b065ebaacc793a5b926db845ec05a3e85b083a7166ce537d5a3abb347926168c07
SSDEEP

12288:By90Dts40uRElGYihKjF/yCSQiGW2MCBkKQhuY67J5g1h9/0vz/CwD:By2s/u+GXEj1SB4MCrQhux7fgV0VD

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3748-986-0x0000000009D40000-0x000000000A358000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	77017595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	77017595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	77017595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	77017595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	77017595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	77017595.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4608	un207151.exe
4372	77017595.exe
3748	rk024429.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	77017595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	77017595.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un207151.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un207151.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4332	4372	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	77017595.exe
4372	77017595.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	77017595.exe
Token: SeDebugPrivilege	3748	rk024429.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4608	868	417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe	81
PID 868 wrote to memory of 4608	868	417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe	81
PID 868 wrote to memory of 4608	868	417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe	81
PID 4608 wrote to memory of 4372	4608	un207151.exe	82
PID 4608 wrote to memory of 4372	4608	un207151.exe	82
PID 4608 wrote to memory of 4372	4608	un207151.exe	82
PID 4608 wrote to memory of 3748	4608	un207151.exe	85
PID 4608 wrote to memory of 3748	4608	un207151.exe	85
PID 4608 wrote to memory of 3748	4608	un207151.exe	85

C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe
"C:\Users\Admin\AppData\Local\Temp\417b79f779ad971f8046fa12cfa764fbba9058eebfa1392bee3145f09ab8127f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1100
      4⤵
      Program crash
      PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4372 -ip 4372
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe

Filesize
533KB

MD5
250a87f319f17b2131259f5d09b4e634

SHA1
2d0a958c580e7ab690c4514c1924b8fc8d1b2afd

SHA256
59c26d5d1f7d6630549eb2ce771fdda2da1e7905a686742f5ea2fcad28f0ca1a

SHA512
aa0825ed72d5dab3e33cd2a0e16147c7daa87cc623577ad18f15938c649c9e22bfde36427829597de9b35f00ace7af022ccece8ef154d8ccec3781a1d967e13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207151.exe

Filesize
533KB

MD5
250a87f319f17b2131259f5d09b4e634

SHA1
2d0a958c580e7ab690c4514c1924b8fc8d1b2afd

SHA256
59c26d5d1f7d6630549eb2ce771fdda2da1e7905a686742f5ea2fcad28f0ca1a

SHA512
aa0825ed72d5dab3e33cd2a0e16147c7daa87cc623577ad18f15938c649c9e22bfde36427829597de9b35f00ace7af022ccece8ef154d8ccec3781a1d967e13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe

Filesize
249KB

MD5
2456620741866590a7e6eda7da890903

SHA1
36bdeb0817699bc77b2a4bc2079bace8a6e8258f

SHA256
3271d6ef8386011ca04fec7cd84c01efc91fa95e6b54551eb5e8bf8c12747d31

SHA512
c7f7c4699187fb318c899afc17831ee062d51d5900a4e06653d22fce1bdd4687e98bc30d9a684d0096a744ae0257a1eadac4242dc74c1ef6c30dbb25bf7ff71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\77017595.exe

Filesize
249KB

MD5
2456620741866590a7e6eda7da890903

SHA1
36bdeb0817699bc77b2a4bc2079bace8a6e8258f

SHA256
3271d6ef8386011ca04fec7cd84c01efc91fa95e6b54551eb5e8bf8c12747d31

SHA512
c7f7c4699187fb318c899afc17831ee062d51d5900a4e06653d22fce1bdd4687e98bc30d9a684d0096a744ae0257a1eadac4242dc74c1ef6c30dbb25bf7ff71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe

Filesize
332KB

MD5
35d55ca228efd1b0a0a973c71717abc9

SHA1
1fa49ff50e1b83bdad6a54cee87ea1bc6fbf1546

SHA256
4ee14db05f35df1980245c4e0834eeefa0f1972d36f9a150d20ba464d4f084bc

SHA512
96fb42f7ce5cfba67858333c51d1dc1ed7615c55dcd08135140bad6430e39742a98352bae9ec9ca95997588aa6b8f8d7954e2d10b55f951e1242fe39d64b1346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk024429.exe

Filesize
332KB

MD5
35d55ca228efd1b0a0a973c71717abc9

SHA1
1fa49ff50e1b83bdad6a54cee87ea1bc6fbf1546

SHA256
4ee14db05f35df1980245c4e0834eeefa0f1972d36f9a150d20ba464d4f084bc

SHA512
96fb42f7ce5cfba67858333c51d1dc1ed7615c55dcd08135140bad6430e39742a98352bae9ec9ca95997588aa6b8f8d7954e2d10b55f951e1242fe39d64b1346

Download Submit
memory/3748-215-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-217-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-995-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-994-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-993-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-992-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-990-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-989-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/3748-988-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/3748-197-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-986-0x0000000009D40000-0x000000000A358000-memory.dmp

Filesize
6.1MB

Download
memory/3748-223-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-221-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-219-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-195-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-213-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-211-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-208-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-209-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-207-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-205-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3748-190-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-191-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-193-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-204-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-987-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/3748-199-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-201-0x00000000071E0000-0x0000000007215000-memory.dmp

Filesize
212KB

Download
memory/3748-203-0x0000000002D50000-0x0000000002D96000-memory.dmp

Filesize
280KB

Download
memory/4372-171-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-175-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-150-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/4372-182-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/4372-180-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/4372-179-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-177-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-148-0x0000000002D00000-0x0000000002D2D000-memory.dmp

Filesize
180KB

Download
memory/4372-169-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-151-0x0000000007480000-0x0000000007A24000-memory.dmp

Filesize
5.6MB

Download
memory/4372-149-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/4372-167-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-173-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-165-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-163-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-157-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-159-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-161-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-155-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-153-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download
memory/4372-152-0x00000000049E0000-0x00000000049F3000-memory.dmp

Filesize
76KB

Download