redline | 56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f

General

Target

56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
Size

479KB
MD5

5613f03a0c37b52aa972168a3d0036c0
SHA1

6ce1fc84ddf6ff43c2254bf557906a6f819e6702
SHA256

56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f
SHA512

83b140c4450257cf5eb0bd78b692693f355f480db3617f1f4219cc4a59895d99e269e81668dbaf206df140cb62934e4a364aa11a8e5019e000b385cf6329b345
SSDEEP

12288:yMrIy906hyRs/9x5c1u31uT4FskLvQbIzp2GN05UF7c:OylwRc9fXsTNGgIkq2D

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4244-187-0x0000000007770000-0x0000000007D88000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0926720.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0926720.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1952	y1276762.exe
4088	k0926720.exe
4244	l6895564.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0926720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0926720.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1276762.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1276762.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4088	k0926720.exe
4088	k0926720.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	k0926720.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1952	336	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	82
PID 336 wrote to memory of 1952	336	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	82
PID 336 wrote to memory of 1952	336	56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe	82
PID 1952 wrote to memory of 4088	1952	y1276762.exe	83
PID 1952 wrote to memory of 4088	1952	y1276762.exe	83
PID 1952 wrote to memory of 4088	1952	y1276762.exe	83
PID 1952 wrote to memory of 4244	1952	y1276762.exe	84
PID 1952 wrote to memory of 4244	1952	y1276762.exe	84
PID 1952 wrote to memory of 4244	1952	y1276762.exe	84

C:\Users\Admin\AppData\Local\Temp\56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe
"C:\Users\Admin\AppData\Local\Temp\56cf6b59b79965565256280458c98e989433b4660c3644091f3410d661db987f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe
    3⤵
    - Executes dropped EXE
    PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe

Filesize
307KB

MD5
6ae3909e97b1a72bdd1703aa32bb95dc

SHA1
c6f6fffe9ff72d6be295df1f70a41ed39e38427a

SHA256
d232f87402c4dede99ba9409835c41b8ae68e64e1f80bf00aca2b3346f944133

SHA512
e4fea778994d601d6a5b1c2c98cf2d2923c4227b51d3ef893d6af38344f911fbb6abbafd0095c5902c261321a184adf7e980685b7e0c348534c334936e4cd663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1276762.exe

Filesize
307KB

MD5
6ae3909e97b1a72bdd1703aa32bb95dc

SHA1
c6f6fffe9ff72d6be295df1f70a41ed39e38427a

SHA256
d232f87402c4dede99ba9409835c41b8ae68e64e1f80bf00aca2b3346f944133

SHA512
e4fea778994d601d6a5b1c2c98cf2d2923c4227b51d3ef893d6af38344f911fbb6abbafd0095c5902c261321a184adf7e980685b7e0c348534c334936e4cd663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe

Filesize
175KB

MD5
c7d6fadff898ae219c318fbcbf089074

SHA1
6fe52888061afc4123ec2b5acce921744070033f

SHA256
53c22238130fa35873d8ed59dd64d92a754c0f819b280f517987c1b481ca7e0f

SHA512
c35ad38737f7d882de570bbc09c77802f1bf5202b138e081e27f240eaf7f8419c8325d5916db4ee12a938f59c14ebe82a1059988eea1ee7b8908b187e0be2972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0926720.exe

Filesize
175KB

MD5
c7d6fadff898ae219c318fbcbf089074

SHA1
6fe52888061afc4123ec2b5acce921744070033f

SHA256
53c22238130fa35873d8ed59dd64d92a754c0f819b280f517987c1b481ca7e0f

SHA512
c35ad38737f7d882de570bbc09c77802f1bf5202b138e081e27f240eaf7f8419c8325d5916db4ee12a938f59c14ebe82a1059988eea1ee7b8908b187e0be2972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe

Filesize
137KB

MD5
0391590a54e3a8508bff8df1bd3ea712

SHA1
a12b4d2b8b2a9e8668225112132787e7f1cb089d

SHA256
277c773e3d6cf1c33c852012c3e0fb4ebca5b187237e4850e0f3182252426c06

SHA512
a77baaa921a71e1eca19f6b74a2428eb5ec775098b2ff34d61fd4c5b36366b7b0910d1aa45c8d966769936e8a8263108d6875176c28b0115d1bc2bfb4ebaadc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6895564.exe

Filesize
137KB

MD5
0391590a54e3a8508bff8df1bd3ea712

SHA1
a12b4d2b8b2a9e8668225112132787e7f1cb089d

SHA256
277c773e3d6cf1c33c852012c3e0fb4ebca5b187237e4850e0f3182252426c06

SHA512
a77baaa921a71e1eca19f6b74a2428eb5ec775098b2ff34d61fd4c5b36366b7b0910d1aa45c8d966769936e8a8263108d6875176c28b0115d1bc2bfb4ebaadc6

Download Submit
memory/4088-166-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-176-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-151-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-152-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-154-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-156-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-158-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-160-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-162-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-164-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-149-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4088-172-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-170-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-168-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-174-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-150-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4088-178-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/4088-179-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4088-180-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4088-181-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4088-148-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4088-147-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/4244-186-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4244-187-0x0000000007770000-0x0000000007D88000-memory.dmp

Filesize
6.1MB

Download
memory/4244-188-0x0000000002860000-0x0000000002872000-memory.dmp

Filesize
72KB

Download
memory/4244-189-0x0000000007260000-0x000000000736A000-memory.dmp

Filesize
1.0MB

Download
memory/4244-190-0x0000000007190000-0x00000000071CC000-memory.dmp

Filesize
240KB

Download
memory/4244-191-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/4244-192-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads