redline | 4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d

Analysis

max time kernel
157s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
Size

747KB
MD5

e98ec7a8ec64df9a42fbe22c7c441fa8
SHA1

4d487c60d7e64b08cc28ff9dc3ad719bb870dc3c
SHA256

4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d
SHA512

9af8df4894db7086e88b609d5681ba0233cd5ec0d677dcc0d77bd2186e3afbbca752a3fb4bcbf4ef915cdd49ad71616355e8488a3dcc2c5fbfa44f8ebe59dc0b
SSDEEP

12288:vy90Qbde6OAXQvEu05q6bCSaUmh7pyawKWU9Ur7TqRUyCi:vyXoE95qSv+7/yTq1Ci

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4492-996-0x00000000078B0000-0x0000000007EC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	95478020.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1616	un650476.exe
3456	95478020.exe
4492	rk481565.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	95478020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	95478020.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un650476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un650476.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	3456	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3456	95478020.exe
3456	95478020.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	95478020.exe
Token: SeDebugPrivilege	4492	rk481565.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 1616	3564	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	84
PID 3564 wrote to memory of 1616	3564	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	84
PID 3564 wrote to memory of 1616	3564	4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe	84
PID 1616 wrote to memory of 3456	1616	un650476.exe	85
PID 1616 wrote to memory of 3456	1616	un650476.exe	85
PID 1616 wrote to memory of 3456	1616	un650476.exe	85
PID 1616 wrote to memory of 4492	1616	un650476.exe	90
PID 1616 wrote to memory of 4492	1616	un650476.exe	90
PID 1616 wrote to memory of 4492	1616	un650476.exe	90

C:\Users\Admin\AppData\Local\Temp\4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe
"C:\Users\Admin\AppData\Local\Temp\4303d04a946734723b946d660fe4006880d6b088d7b573289bafe66d0bbd787d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 236
      4⤵
      Program crash
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3456 -ip 3456
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe

Filesize
593KB

MD5
946315dd9d1081f780642b371226eab0

SHA1
0e3725a53a44d2dde7767791406161ce14ab054c

SHA256
2e487294bb4cf571aa979adf9892784e184b3824c0f8c2ce33bdb3c51bcfa054

SHA512
8cb800e240c5b776c01d90e9d60420d6d7267745057ae369167863368826baa9ab2540e9ba769f086310c02155181d6686d35ec3d8398ed5bd2fc66373cbea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un650476.exe

Filesize
593KB

MD5
946315dd9d1081f780642b371226eab0

SHA1
0e3725a53a44d2dde7767791406161ce14ab054c

SHA256
2e487294bb4cf571aa979adf9892784e184b3824c0f8c2ce33bdb3c51bcfa054

SHA512
8cb800e240c5b776c01d90e9d60420d6d7267745057ae369167863368826baa9ab2540e9ba769f086310c02155181d6686d35ec3d8398ed5bd2fc66373cbea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\95478020.exe

Filesize
377KB

MD5
07dc6fe6f7351ff67a1fd0e6bfbd51e3

SHA1
a1881c8f03bb323408b4a5b46cb41e435b7037b2

SHA256
a6b8e0b91961b03bfd7ffd9f60e18c5286eb67b3661dca0157e5a870ea7904e0

SHA512
d57798978cc2393f71c14b7cac5100c16002fa8368b3d241736b3a6c81926938f4b75e0b5c9536f48e269c5bef5b274f36b66de3e9e169a5d6a5b99c250376bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk481565.exe

Filesize
460KB

MD5
ea7a7e86eebd76d894a80466ddea56a5

SHA1
7063f6ec517966e63a485f8a386d7e05f1ab48fa

SHA256
cb0349d7f2f388159c26592429b39d78b636f7e28691cb53465e4ceb6cdd4016

SHA512
3cb4256c263f177dba7f341783c28985a71b5f220a1eb02df8c9611faedc36366723f2629036d27c157bce5f9d9ff941fa7c288961e0500e0966369c9dafaa54

Download Submit
memory/3456-184-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3456-148-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3456-153-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-155-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-157-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-159-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-161-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-163-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-165-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-167-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-169-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-171-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-173-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-175-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-177-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-178-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3456-179-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3456-180-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3456-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3456-182-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3456-183-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3456-150-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/3456-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3456-149-0x0000000004F60000-0x0000000005504000-memory.dmp

Filesize
5.6MB

Download
memory/3456-151-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4492-998-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4492-216-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-201-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-203-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-204-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-206-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-208-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-210-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-212-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-214-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-202-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-218-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-220-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-222-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-224-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-226-0x0000000005380000-0x00000000053B5000-memory.dmp

Filesize
212KB

Download
memory/4492-596-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-996-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4492-997-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4492-200-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/4492-999-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/4492-1000-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-1002-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-1003-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-1004-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/4492-1005-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download