redline | 4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94

General

Target

4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe
Size

480KB
MD5

18429e1455814d91116c6823d52994fc
SHA1

2401319267ab2856d0bf5b58f8c5cbe39636e7e3
SHA256

4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94
SHA512

8a7ee7588a3a1eb90cf43bdbf232dab1acce7d8692c261cceb2333d336862fcb3bad794b4ff6e6b31bce81292dd44c42441e598489c22349555fb3b258bed064
SSDEEP

12288:5Mrny907BKE1n8uxNbszrrOzjdN0PdvWDMrimi:eycBPV8uxNAz+ox+ki

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/628-186-0x0000000008070000-0x0000000008688000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3205754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3205754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3205754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3205754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3205754.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3205754.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2116	v1835862.exe
4844	a3205754.exe
628	b4659357.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3205754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3205754.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1835862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1835862.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4844	a3205754.exe
4844	a3205754.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	a3205754.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2116	3920	4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe	83
PID 3920 wrote to memory of 2116	3920	4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe	83
PID 3920 wrote to memory of 2116	3920	4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe	83
PID 2116 wrote to memory of 4844	2116	v1835862.exe	84
PID 2116 wrote to memory of 4844	2116	v1835862.exe	84
PID 2116 wrote to memory of 4844	2116	v1835862.exe	84
PID 2116 wrote to memory of 628	2116	v1835862.exe	87
PID 2116 wrote to memory of 628	2116	v1835862.exe	87
PID 2116 wrote to memory of 628	2116	v1835862.exe	87

C:\Users\Admin\AppData\Local\Temp\4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe
"C:\Users\Admin\AppData\Local\Temp\4f6727e86addd48855bb2cf5a392a2349a512d4d7daaa79747a152d02e967a94.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1835862.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1835862.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3205754.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3205754.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4659357.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4659357.exe
    3⤵
    - Executes dropped EXE
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1835862.exe

Filesize
308KB

MD5
e1c4b113792ff6dc7a97a0386443efbd

SHA1
d130ead6183a417bbf689bd0d8c8e8555485e0dc

SHA256
fa4fbc329db878e4b114c09689f8a3683741364847ce245a50c1ffda7b5d2e16

SHA512
20025612317a4e394b3c40e5d0b991d576eec487f8e6c1a9ba073c30cd7080df954251b9db4a994450b01a64da6dcd0d02a7a02a41258d299a7b4737ce8ed1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1835862.exe

Filesize
308KB

MD5
e1c4b113792ff6dc7a97a0386443efbd

SHA1
d130ead6183a417bbf689bd0d8c8e8555485e0dc

SHA256
fa4fbc329db878e4b114c09689f8a3683741364847ce245a50c1ffda7b5d2e16

SHA512
20025612317a4e394b3c40e5d0b991d576eec487f8e6c1a9ba073c30cd7080df954251b9db4a994450b01a64da6dcd0d02a7a02a41258d299a7b4737ce8ed1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3205754.exe

Filesize
175KB

MD5
74992d395f5eecdce6a6a5b8aaf66a46

SHA1
65073574e06982396cd264c5f0898d8632a2707b

SHA256
a36eae5358307ba061bcf351be91a55d2747609835a54dedc92d5db8d71fdf13

SHA512
6816df01cc280509d5803e0ec8cd36be3bec4c77eeafa4473f0cb78598ce83158a35002a293eda9534133d8079fa954751c3fd7e2b786c91319e632d56a8e1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3205754.exe

Filesize
175KB

MD5
74992d395f5eecdce6a6a5b8aaf66a46

SHA1
65073574e06982396cd264c5f0898d8632a2707b

SHA256
a36eae5358307ba061bcf351be91a55d2747609835a54dedc92d5db8d71fdf13

SHA512
6816df01cc280509d5803e0ec8cd36be3bec4c77eeafa4473f0cb78598ce83158a35002a293eda9534133d8079fa954751c3fd7e2b786c91319e632d56a8e1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4659357.exe

Filesize
136KB

MD5
8ccbf43e056898c8d5101da2cf11a00e

SHA1
0b600ecee4acb5dd768672ed267d468d34ea20ae

SHA256
cd9b4b1d6bbf6189efc57ec5f2ddad5cbea967783ab37653a907fd3d1e8fd61e

SHA512
67f80ee91f61912758ad4bcacfdbde141b98f9922ae80201bccc65328335b374d42bfc86b73a03497e0b479b14b6945faef0ba137a341bf25f325b1e6f68d782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b4659357.exe

Filesize
136KB

MD5
8ccbf43e056898c8d5101da2cf11a00e

SHA1
0b600ecee4acb5dd768672ed267d468d34ea20ae

SHA256
cd9b4b1d6bbf6189efc57ec5f2ddad5cbea967783ab37653a907fd3d1e8fd61e

SHA512
67f80ee91f61912758ad4bcacfdbde141b98f9922ae80201bccc65328335b374d42bfc86b73a03497e0b479b14b6945faef0ba137a341bf25f325b1e6f68d782

Download Submit
memory/628-189-0x0000000007B40000-0x0000000007B7C000-memory.dmp

Filesize
240KB

Download
memory/628-188-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/628-187-0x0000000007AE0000-0x0000000007AF2000-memory.dmp

Filesize
72KB

Download
memory/628-186-0x0000000008070000-0x0000000008688000-memory.dmp

Filesize
6.1MB

Download
memory/628-185-0x0000000000DB0000-0x0000000000DD8000-memory.dmp

Filesize
160KB

Download
memory/628-190-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/628-191-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/4844-164-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-180-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-162-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-158-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-166-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-168-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-170-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-174-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-172-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-176-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-178-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-160-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-156-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-154-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-153-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4844-152-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/4844-151-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/4844-148-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/4844-149-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/4844-150-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/4844-147-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads