redline | 58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319

General

Target

58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
Size

480KB
MD5

fd7bbd313416dfe87fddad9c104bf4bc
SHA1

cb81658f3475838486ae2dfb32e08a4ca32f7bec
SHA256

58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319
SHA512

ac1f7001f766a6e65701c74e2ea70d22a959a93f829962ede5bf474259b72150934b6137b145cdccd40a5d543ff4adc32f697b3d10bfde983d144edac3143078
SSDEEP

6144:KVy+bnr+Ip0yN90QEFHs4lKeE9eps3N4x5tOMIxRIFTUtP+0l6+0yDflnib/JBkq:bMrUy90k4lKBTi5kMbTUFl6Afln6/E+

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3824-186-0x00000000081F0000-0x0000000008808000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7815453.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2512	y7850969.exe
1716	k7815453.exe
3824	l3237088.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7815453.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7815453.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7850969.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7850969.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1716	k7815453.exe
1716	k7815453.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	k7815453.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2512	628	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	82
PID 628 wrote to memory of 2512	628	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	82
PID 628 wrote to memory of 2512	628	58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe	82
PID 2512 wrote to memory of 1716	2512	y7850969.exe	83
PID 2512 wrote to memory of 1716	2512	y7850969.exe	83
PID 2512 wrote to memory of 1716	2512	y7850969.exe	83
PID 2512 wrote to memory of 3824	2512	y7850969.exe	84
PID 2512 wrote to memory of 3824	2512	y7850969.exe	84
PID 2512 wrote to memory of 3824	2512	y7850969.exe	84

C:\Users\Admin\AppData\Local\Temp\58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe
"C:\Users\Admin\AppData\Local\Temp\58040f3feee721fff6e6fc62e986a6462f9ad8485a5d29d463e9869a7c232319.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe
    3⤵
    - Executes dropped EXE
    PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe

Filesize
308KB

MD5
be27fd153053198b678edf35064169a7

SHA1
1b0876ebc7226743b7878ec2f3e57e52f5f1e138

SHA256
1a056863a81f40724c27ee77d5432a43c60526009c1292fce4556e75a5e5c148

SHA512
6a4f4037422010a055ad8ec1652d7e14c40daea1dcd98ec46fb66c1325bf7e0ce766ad3291ce28107b2506b84f84fb3945c90ec66c4f0b8631ebad3ff12adcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7850969.exe

Filesize
308KB

MD5
be27fd153053198b678edf35064169a7

SHA1
1b0876ebc7226743b7878ec2f3e57e52f5f1e138

SHA256
1a056863a81f40724c27ee77d5432a43c60526009c1292fce4556e75a5e5c148

SHA512
6a4f4037422010a055ad8ec1652d7e14c40daea1dcd98ec46fb66c1325bf7e0ce766ad3291ce28107b2506b84f84fb3945c90ec66c4f0b8631ebad3ff12adcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe

Filesize
175KB

MD5
f1ac76a6bbf434763908e06abf8cb5fc

SHA1
3e96465ed99d15efe9996a1a0248c429882eec88

SHA256
4923c187145b1e822a3beb7868166ed43e159b13ae3d89606e7d3019b418c8b3

SHA512
c504dae1999c7c65d5e55597146bd278f89d080d9d07debdc9f493c8fbc3ff0d3c261660e07ea666b1837a0df3bbfd38b1107e4680313ddbd94fe28e78534049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7815453.exe

Filesize
175KB

MD5
f1ac76a6bbf434763908e06abf8cb5fc

SHA1
3e96465ed99d15efe9996a1a0248c429882eec88

SHA256
4923c187145b1e822a3beb7868166ed43e159b13ae3d89606e7d3019b418c8b3

SHA512
c504dae1999c7c65d5e55597146bd278f89d080d9d07debdc9f493c8fbc3ff0d3c261660e07ea666b1837a0df3bbfd38b1107e4680313ddbd94fe28e78534049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe

Filesize
136KB

MD5
2fdd14078cf0d9e61417f82476797cfe

SHA1
bd5c98b60c515eb68aa4be41d32f5107f9f206e3

SHA256
1953a613971ced35646f9c7f9dab8190419377555c449227658b6c45b394f9c4

SHA512
4511453fabfd015290f152868e0b5629a98f9f45d36995b8fd09fd3dd539c14a5c5cdabbd8c5d872b128c4caadde004c1f68bfbeeec22ed50b2a5ab423f7e3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3237088.exe

Filesize
136KB

MD5
2fdd14078cf0d9e61417f82476797cfe

SHA1
bd5c98b60c515eb68aa4be41d32f5107f9f206e3

SHA256
1953a613971ced35646f9c7f9dab8190419377555c449227658b6c45b394f9c4

SHA512
4511453fabfd015290f152868e0b5629a98f9f45d36995b8fd09fd3dd539c14a5c5cdabbd8c5d872b128c4caadde004c1f68bfbeeec22ed50b2a5ab423f7e3b0

Download Submit
memory/1716-171-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1716-169-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-153-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-155-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-157-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-159-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-161-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-163-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-165-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-167-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1716-149-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-172-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-168-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1716-151-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-174-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-178-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-176-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-179-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1716-180-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/1716-148-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/1716-147-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/3824-185-0x0000000000F60000-0x0000000000F88000-memory.dmp

Filesize
160KB

Download
memory/3824-186-0x00000000081F0000-0x0000000008808000-memory.dmp

Filesize
6.1MB

Download
memory/3824-187-0x0000000007C90000-0x0000000007CA2000-memory.dmp

Filesize
72KB

Download
memory/3824-188-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

Filesize
1.0MB

Download
memory/3824-189-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/3824-190-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/3824-191-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads