redline | 435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b

Analysis

max time kernel
217s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe
Size

1.5MB
MD5

887909de6766ea2b5bbc8be75afd58d2
SHA1

92d5375abcc5ef913a0d9407e8e9e2294f7370b6
SHA256

435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b
SHA512

9ab8679ce077cb426fb96df2660f3a4686ad1a9e9741bcd3d3d35db00b3d338fbd823170e7b72fdbaf7ffad2771fb62b881f95f31cd153a0d2e747b2f72d7f06
SSDEEP

24576:rymVm9mrPk8wG9sfxNXHlVoHYseMAorGF+mb26vyemTM72PkI8grLf18g2m:eskmRmFVDsrr0B66vyemTMKsrgD

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1848-215-0x0000000007F90000-0x00000000085A8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8040712.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8040712.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8040712.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8040712.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8040712.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8040712.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4248	v5163647.exe
3592	v7205465.exe
1828	v7544933.exe
2516	v2564549.exe
552	a8040712.exe
1848	b2967650.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8040712.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8040712.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7205465.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7544933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7544933.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2564549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5163647.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7205465.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5163647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2564549.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
552	a8040712.exe
552	a8040712.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	a8040712.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4248	4336	435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe	77
PID 4336 wrote to memory of 4248	4336	435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe	77
PID 4336 wrote to memory of 4248	4336	435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe	77
PID 4248 wrote to memory of 3592	4248	v5163647.exe	78
PID 4248 wrote to memory of 3592	4248	v5163647.exe	78
PID 4248 wrote to memory of 3592	4248	v5163647.exe	78
PID 3592 wrote to memory of 1828	3592	v7205465.exe	79
PID 3592 wrote to memory of 1828	3592	v7205465.exe	79
PID 3592 wrote to memory of 1828	3592	v7205465.exe	79
PID 1828 wrote to memory of 2516	1828	v7544933.exe	80
PID 1828 wrote to memory of 2516	1828	v7544933.exe	80
PID 1828 wrote to memory of 2516	1828	v7544933.exe	80
PID 2516 wrote to memory of 552	2516	v2564549.exe	81
PID 2516 wrote to memory of 552	2516	v2564549.exe	81
PID 2516 wrote to memory of 552	2516	v2564549.exe	81
PID 2516 wrote to memory of 1848	2516	v2564549.exe	88
PID 2516 wrote to memory of 1848	2516	v2564549.exe	88
PID 2516 wrote to memory of 1848	2516	v2564549.exe	88

C:\Users\Admin\AppData\Local\Temp\435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe
"C:\Users\Admin\AppData\Local\Temp\435a66be0cabd0af032975c916cd9dc206fa806034b406d4443f9a493bfe740b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5163647.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5163647.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7205465.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7205465.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7544933.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7544933.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2564549.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2564549.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8040712.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8040712.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2967650.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2967650.exe
        6⤵
        Executes dropped EXE
        
        PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5163647.exe

Filesize
1.4MB

MD5
e987fd49691fed614429d2296b8a46f6

SHA1
c9dc3b57956195916baebc1ddebe7d73b8c6b30f

SHA256
6027e7a4e21e51c87407c0afab0fa3d42390e41618f6e46d7b6ed677013a0f35

SHA512
eeba56e95958aa3f3fe8d277e64780ff03db001c49488d27aa563f39bb23554a6993b6e28519e7b7738157b0ec9eeae47e4030aa90a4ebd3657eb6a88d6adc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5163647.exe

Filesize
1.4MB

MD5
e987fd49691fed614429d2296b8a46f6

SHA1
c9dc3b57956195916baebc1ddebe7d73b8c6b30f

SHA256
6027e7a4e21e51c87407c0afab0fa3d42390e41618f6e46d7b6ed677013a0f35

SHA512
eeba56e95958aa3f3fe8d277e64780ff03db001c49488d27aa563f39bb23554a6993b6e28519e7b7738157b0ec9eeae47e4030aa90a4ebd3657eb6a88d6adc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7205465.exe

Filesize
917KB

MD5
def2a7e11eceb8ff4862d37bae78b6be

SHA1
953d2662ee1c4e6572075f6d6f1e8eac6fd0a279

SHA256
fbeef878f16aa0178afd70f67a35e5ca079fefde1a751f2181f7b990e6cbc67b

SHA512
34ab8514d834d224acffcc16a753cffdcd207b6005b400ae34d176f73021027ebb5a2a599d5e3f29be85f3c3514978a0b969d544fd873e98b6a0596cef84cfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7205465.exe

Filesize
917KB

MD5
def2a7e11eceb8ff4862d37bae78b6be

SHA1
953d2662ee1c4e6572075f6d6f1e8eac6fd0a279

SHA256
fbeef878f16aa0178afd70f67a35e5ca079fefde1a751f2181f7b990e6cbc67b

SHA512
34ab8514d834d224acffcc16a753cffdcd207b6005b400ae34d176f73021027ebb5a2a599d5e3f29be85f3c3514978a0b969d544fd873e98b6a0596cef84cfbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7544933.exe

Filesize
713KB

MD5
0379caedc2288f5f1600afb3d767829f

SHA1
34fa38185985db4a9c8dda5b37206ff09dbb3c86

SHA256
08ead9796f429ba4682d941bad9871738a747538874d9a28203f95710c30a9b3

SHA512
55458225cf3955827ceb0436d4cca12ada12e967d6b4e0dab8a85779ccbe8dad71ac78764b1fe8fe47b51297de5d8fb86ccb4a67738f0763856d212ca1884cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7544933.exe

Filesize
713KB

MD5
0379caedc2288f5f1600afb3d767829f

SHA1
34fa38185985db4a9c8dda5b37206ff09dbb3c86

SHA256
08ead9796f429ba4682d941bad9871738a747538874d9a28203f95710c30a9b3

SHA512
55458225cf3955827ceb0436d4cca12ada12e967d6b4e0dab8a85779ccbe8dad71ac78764b1fe8fe47b51297de5d8fb86ccb4a67738f0763856d212ca1884cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2564549.exe

Filesize
422KB

MD5
36586c4f0253b9dae3691281a8ecfbe9

SHA1
5d2bdafd861f98122325dae369b3c506b34fdc43

SHA256
d870bfe214ffaa00ea0f9786a4fbc94efbdcb352abb243bcafef36b6b47bcf8d

SHA512
dfd1b468245d2357ce89c38349bf0f8b1333bd9b351c78ba26d65e15279a0947a5c8ea4de9044f8bf2b20b728cfe1586238b95baf882a999bd7a4836ffe1728d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2564549.exe

Filesize
422KB

MD5
36586c4f0253b9dae3691281a8ecfbe9

SHA1
5d2bdafd861f98122325dae369b3c506b34fdc43

SHA256
d870bfe214ffaa00ea0f9786a4fbc94efbdcb352abb243bcafef36b6b47bcf8d

SHA512
dfd1b468245d2357ce89c38349bf0f8b1333bd9b351c78ba26d65e15279a0947a5c8ea4de9044f8bf2b20b728cfe1586238b95baf882a999bd7a4836ffe1728d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8040712.exe

Filesize
371KB

MD5
7fd2b3167fdddf8420f55948de867691

SHA1
8b42f3afa086f18c5d0f64007965993877caf1b1

SHA256
59e09741fbb801d2b7d255c599fb4f4101a6ecbec5b04b04619365cb117eb64e

SHA512
c57f12dde1e60597a5f37483160b4c67d92e5c8978be5a6624ebaf5ac7ce58f3c516ca4b1093aeadcabd8889d88ccd1d2bb5e65d8ff4b9245700bb6ad702c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8040712.exe

Filesize
371KB

MD5
7fd2b3167fdddf8420f55948de867691

SHA1
8b42f3afa086f18c5d0f64007965993877caf1b1

SHA256
59e09741fbb801d2b7d255c599fb4f4101a6ecbec5b04b04619365cb117eb64e

SHA512
c57f12dde1e60597a5f37483160b4c67d92e5c8978be5a6624ebaf5ac7ce58f3c516ca4b1093aeadcabd8889d88ccd1d2bb5e65d8ff4b9245700bb6ad702c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2967650.exe

Filesize
136KB

MD5
6c431ec5db8901eb5d7860026ddb7723

SHA1
2c59314f164eae684134d0bc73dfabb873b5cd3b

SHA256
8d18a506f48d23d5005b228ff9adc2d9e8536a723e4551ff02c9d5750d9bfebc

SHA512
6fbc4ee13182f7a80d76b7cbd5e164bc1c20fab5ad859caa302f177abc6ec7a7ba43f4f8361e3c880e325d5397e4ed0150949af958d3d90a23fe1b6b762539ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2967650.exe

Filesize
136KB

MD5
6c431ec5db8901eb5d7860026ddb7723

SHA1
2c59314f164eae684134d0bc73dfabb873b5cd3b

SHA256
8d18a506f48d23d5005b228ff9adc2d9e8536a723e4551ff02c9d5750d9bfebc

SHA512
6fbc4ee13182f7a80d76b7cbd5e164bc1c20fab5ad859caa302f177abc6ec7a7ba43f4f8361e3c880e325d5397e4ed0150949af958d3d90a23fe1b6b762539ce

Download Submit
memory/552-186-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-199-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/552-174-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-176-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-178-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-182-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-180-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-184-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-171-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-188-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-190-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-192-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-194-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-196-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-198-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-172-0x0000000004C60000-0x0000000004C72000-memory.dmp

Filesize
72KB

Download
memory/552-200-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/552-201-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/552-203-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/552-204-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/552-205-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/552-208-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/552-170-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/552-169-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download
memory/1848-214-0x0000000000D10000-0x0000000000D38000-memory.dmp

Filesize
160KB

Download
memory/1848-215-0x0000000007F90000-0x00000000085A8000-memory.dmp

Filesize
6.1MB

Download
memory/1848-216-0x0000000007A20000-0x0000000007A32000-memory.dmp

Filesize
72KB

Download
memory/1848-217-0x0000000007B50000-0x0000000007C5A000-memory.dmp

Filesize
1.0MB

Download
memory/1848-218-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download
memory/1848-219-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download
memory/1848-220-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download