redline | 48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe
Size

696KB
MD5

f6c7c39a5fa47f15d419d7333fa8e430
SHA1

4951675310d368a4b529196d56100aaccde9d604
SHA256

48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a
SHA512

25c487c7c91c193f6a095e41c0a8f58d8f5199c7aedd2ab5338483c71f81e6b7ed993beb3a47761261d83a367bce7b691ad07df3a9b8e7335199993cb8fe3b7f
SSDEEP

12288:Vy90T/D2lTyX0d5+7zHeZ2P3mUFIEHxBq8dLljHigOsqfLL2G:Vy+/D2li0f+/73mUFhRBq8HT47

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1300-987-0x0000000009CD0000-0x000000000A2E8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	31732495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	31732495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	31732495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	31732495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	31732495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	31732495.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4292	un315558.exe
3076	31732495.exe
1300	rk465141.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	31732495.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	31732495.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un315558.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un315558.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
212	3076	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3076	31732495.exe
3076	31732495.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	31732495.exe
Token: SeDebugPrivilege	1300	rk465141.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4292	1980	48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe	84
PID 1980 wrote to memory of 4292	1980	48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe	84
PID 1980 wrote to memory of 4292	1980	48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe	84
PID 4292 wrote to memory of 3076	4292	un315558.exe	85
PID 4292 wrote to memory of 3076	4292	un315558.exe	85
PID 4292 wrote to memory of 3076	4292	un315558.exe	85
PID 4292 wrote to memory of 1300	4292	un315558.exe	88
PID 4292 wrote to memory of 1300	4292	un315558.exe	88
PID 4292 wrote to memory of 1300	4292	un315558.exe	88

C:\Users\Admin\AppData\Local\Temp\48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe
"C:\Users\Admin\AppData\Local\Temp\48b8d126b248ad586458a97e93d265aa886bab9cf9dbd290f9854782d1812e6a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un315558.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un315558.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31732495.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31732495.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1096
      4⤵
      Program crash
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk465141.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk465141.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3076 -ip 3076
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un315558.exe

Filesize
542KB

MD5
25ed5843372463206c53dc42394ab7c4

SHA1
0789e3474641e9b7880a3a9ab4e86888b2460be1

SHA256
5fa2aa3eead6875aa0c95d752e78a941b02f9fa69b7925a601fbb360be2d6a15

SHA512
a38630447e255c26d3bec32e6aa4d74057e615bce427752d592f9900cbc8d0568be66671b7748f2ef12d6e96162fe7e9f228ac9661775413d01a2e0128a3f536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un315558.exe

Filesize
542KB

MD5
25ed5843372463206c53dc42394ab7c4

SHA1
0789e3474641e9b7880a3a9ab4e86888b2460be1

SHA256
5fa2aa3eead6875aa0c95d752e78a941b02f9fa69b7925a601fbb360be2d6a15

SHA512
a38630447e255c26d3bec32e6aa4d74057e615bce427752d592f9900cbc8d0568be66671b7748f2ef12d6e96162fe7e9f228ac9661775413d01a2e0128a3f536

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31732495.exe

Filesize
263KB

MD5
00fa75c2a80ed33678169b6533dd76df

SHA1
8f4fad961c740e7fc69fe0f2250a6e97bd11de8d

SHA256
6c6c5d831b74cd054d3198f99c8476958750568b49fa0ed0f80235c08503926e

SHA512
d90f2332d578e72a7588ebcae7f0beeb393c9464e3ebda25f6a06e3c28a96b2651de72e8a83167721928cd2c9e3f0f71828f799b7cedb4960920fbf6393524e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31732495.exe

Filesize
263KB

MD5
00fa75c2a80ed33678169b6533dd76df

SHA1
8f4fad961c740e7fc69fe0f2250a6e97bd11de8d

SHA256
6c6c5d831b74cd054d3198f99c8476958750568b49fa0ed0f80235c08503926e

SHA512
d90f2332d578e72a7588ebcae7f0beeb393c9464e3ebda25f6a06e3c28a96b2651de72e8a83167721928cd2c9e3f0f71828f799b7cedb4960920fbf6393524e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk465141.exe

Filesize
328KB

MD5
04928267b0443d2e60b1f71474b82d76

SHA1
0781094c83c1f02a1e3376fdd8a4870a7fe94cde

SHA256
1da83bad9bb8304d142435f50fc7447c3af10f6a8ab6a3eb8844cac90df7dfb8

SHA512
6518abd2d1373a2ee69e90404745460c530ea6430a418c59b4056ea319d2ccfa9bdbdbb3d5f8b483446f0fbaed2f7cfa3869f9229e160241a94f3fc537427ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk465141.exe

Filesize
328KB

MD5
04928267b0443d2e60b1f71474b82d76

SHA1
0781094c83c1f02a1e3376fdd8a4870a7fe94cde

SHA256
1da83bad9bb8304d142435f50fc7447c3af10f6a8ab6a3eb8844cac90df7dfb8

SHA512
6518abd2d1373a2ee69e90404745460c530ea6430a418c59b4056ea319d2ccfa9bdbdbb3d5f8b483446f0fbaed2f7cfa3869f9229e160241a94f3fc537427ee6

Download Submit
memory/1300-214-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-218-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-996-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-995-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-994-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-993-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-991-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-990-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/1300-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/1300-192-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-987-0x0000000009CD0000-0x000000000A2E8000-memory.dmp

Filesize
6.1MB

Download
memory/1300-228-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-194-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-224-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-222-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-220-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-193-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/1300-216-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-212-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-210-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-208-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-206-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-204-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-202-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-200-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-191-0x0000000002D10000-0x0000000002D56000-memory.dmp

Filesize
280KB

Download
memory/1300-198-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-226-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/1300-195-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/1300-196-0x0000000007190000-0x00000000071C5000-memory.dmp

Filesize
212KB

Download
memory/3076-156-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-174-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-150-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3076-186-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/3076-184-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3076-183-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3076-182-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3076-181-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/3076-148-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/3076-180-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-178-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-151-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3076-149-0x00000000071C0000-0x0000000007764000-memory.dmp

Filesize
5.6MB

Download
memory/3076-170-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-176-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-168-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-166-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-172-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-162-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-160-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-158-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-164-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-154-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-153-0x0000000004BD0000-0x0000000004BE3000-memory.dmp

Filesize
76KB

Download
memory/3076-152-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download