redline | 5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b

Analysis

max time kernel
152s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe
Size

1.5MB
MD5

cd8d70c5beedaaa383ce1e5e4f83f4c8
SHA1

c9c2c8843989aa08e82620a842c5c9f5b05d3017
SHA256

5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b
SHA512

845f8a273c69578d69309ba7201000983da6064204a6ad514b5943e1209cae7aa0dcc76bf3d5553d1e84003950ef99c38b75f25a7cac0ff4785c4aa2aa3baa74
SSDEEP

49152:y2g/5qe6Z/Gm0AoctbcnAZ081HKtSpyM:iRqecGRA9t3Z1kSpy

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1892-218-0x0000000007E80000-0x0000000008498000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a5165963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5165963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5165963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5165963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5165963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5165963.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4592	v3821992.exe
1444	v7764490.exe
2664	v3331307.exe
428	v4056674.exe
2108	a5165963.exe
1892	b8604920.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a5165963.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5165963.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7764490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7764490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3331307.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4056674.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4056674.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3821992.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3331307.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3821992.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4176	2108	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2108	a5165963.exe
2108	a5165963.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	a5165963.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4592	1536	5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe	84
PID 1536 wrote to memory of 4592	1536	5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe	84
PID 1536 wrote to memory of 4592	1536	5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe	84
PID 4592 wrote to memory of 1444	4592	v3821992.exe	85
PID 4592 wrote to memory of 1444	4592	v3821992.exe	85
PID 4592 wrote to memory of 1444	4592	v3821992.exe	85
PID 1444 wrote to memory of 2664	1444	v7764490.exe	86
PID 1444 wrote to memory of 2664	1444	v7764490.exe	86
PID 1444 wrote to memory of 2664	1444	v7764490.exe	86
PID 2664 wrote to memory of 428	2664	v3331307.exe	87
PID 2664 wrote to memory of 428	2664	v3331307.exe	87
PID 2664 wrote to memory of 428	2664	v3331307.exe	87
PID 428 wrote to memory of 2108	428	v4056674.exe	88
PID 428 wrote to memory of 2108	428	v4056674.exe	88
PID 428 wrote to memory of 2108	428	v4056674.exe	88
PID 428 wrote to memory of 1892	428	v4056674.exe	93
PID 428 wrote to memory of 1892	428	v4056674.exe	93
PID 428 wrote to memory of 1892	428	v4056674.exe	93

C:\Users\Admin\AppData\Local\Temp\5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe
"C:\Users\Admin\AppData\Local\Temp\5a2eec63c40c3a7485f35dc85268e4348a771db7d1cd24ae186651234856918b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3821992.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3821992.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7764490.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7764490.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3331307.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3331307.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4056674.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4056674.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5165963.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5165963.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1088
        7⤵
        Program crash
        
        PID:4176
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8604920.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8604920.exe
        6⤵
        Executes dropped EXE
        
        PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2108 -ip 2108
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3821992.exe

Filesize
1.4MB

MD5
f822d983fb8d5eeeb09aa7aaa63d3dd6

SHA1
1e39c7256bb6cbb5dcb8a8eaa9d6912a051f86ab

SHA256
9507c9b8ec18c1c72bfd38f6e1373cf8d262717a8de5b53bb6cefcb40a819f2f

SHA512
90929b375484e327065e8c5811e66d4be36b42f6c65321b710b50ce8025a968dfc76645ecd8ca0e2781f78fca22031eb390abfe63a09f46a47b3ba2a393ca941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3821992.exe

Filesize
1.4MB

MD5
f822d983fb8d5eeeb09aa7aaa63d3dd6

SHA1
1e39c7256bb6cbb5dcb8a8eaa9d6912a051f86ab

SHA256
9507c9b8ec18c1c72bfd38f6e1373cf8d262717a8de5b53bb6cefcb40a819f2f

SHA512
90929b375484e327065e8c5811e66d4be36b42f6c65321b710b50ce8025a968dfc76645ecd8ca0e2781f78fca22031eb390abfe63a09f46a47b3ba2a393ca941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7764490.exe

Filesize
913KB

MD5
6b184f137865f85441b0273eb7aab58f

SHA1
554762329dc07b4afb2e3be2795768eaf730b671

SHA256
dd41faefa4bdd2e630ac49c2456bf2d80cb39cece63a8161758259403b44e797

SHA512
d41073e1b6a476a7a0f3fdbe971def8ed9ad3a63d00321590f5e59482ff56229d7e4bd9af08c8fe2252ebac19a31b8290e30927576202d388af38bfe0cabce28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7764490.exe

Filesize
913KB

MD5
6b184f137865f85441b0273eb7aab58f

SHA1
554762329dc07b4afb2e3be2795768eaf730b671

SHA256
dd41faefa4bdd2e630ac49c2456bf2d80cb39cece63a8161758259403b44e797

SHA512
d41073e1b6a476a7a0f3fdbe971def8ed9ad3a63d00321590f5e59482ff56229d7e4bd9af08c8fe2252ebac19a31b8290e30927576202d388af38bfe0cabce28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3331307.exe

Filesize
708KB

MD5
25e2ad6ae3156ff3c7af8007664be71f

SHA1
09fba2760a3b9ea36d4e8774df196b1e3a85c52a

SHA256
ce580df8980a31f0f4ec6a61c4175143810f53ff80d1d27a6674436a346ce1c8

SHA512
02545d7bdd37a6ceabae5326423cbb64afdccfedcc7323e5b1061f05edc821267a9976fc068588a40ced00b337e898947957b39c521365e8d8c02532c19ed463

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3331307.exe

Filesize
708KB

MD5
25e2ad6ae3156ff3c7af8007664be71f

SHA1
09fba2760a3b9ea36d4e8774df196b1e3a85c52a

SHA256
ce580df8980a31f0f4ec6a61c4175143810f53ff80d1d27a6674436a346ce1c8

SHA512
02545d7bdd37a6ceabae5326423cbb64afdccfedcc7323e5b1061f05edc821267a9976fc068588a40ced00b337e898947957b39c521365e8d8c02532c19ed463

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4056674.exe

Filesize
417KB

MD5
df7e7caebd25603336b4919e067a9795

SHA1
35ee8daf3edf494cf788b877b19b485a8f3e2995

SHA256
7483b350f14e2f1718c435fb2f7baa1ebba9df26cbd85b2f125427f0e332dd9f

SHA512
97f73f703e84ae247caa9a99d5e4904d6296e18fb50204d2d2341ce307dac81318169670432078d4af6595b3dc60bbc1982e918e12088ac10a5856de3c39a37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4056674.exe

Filesize
417KB

MD5
df7e7caebd25603336b4919e067a9795

SHA1
35ee8daf3edf494cf788b877b19b485a8f3e2995

SHA256
7483b350f14e2f1718c435fb2f7baa1ebba9df26cbd85b2f125427f0e332dd9f

SHA512
97f73f703e84ae247caa9a99d5e4904d6296e18fb50204d2d2341ce307dac81318169670432078d4af6595b3dc60bbc1982e918e12088ac10a5856de3c39a37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5165963.exe

Filesize
360KB

MD5
850acd9685df3ad087d239b7589b9e09

SHA1
a62073d24105aa31eceb5c9eba828a1bcac57d12

SHA256
6fa7e000b535e61110e940cd2a5d92bd15af01d2c680beae227081304d5d2b1f

SHA512
c36dc4751ce0bee6f92eec4ded085ae611cbe7ccb3763a09f31ff8cfe8d85cb49cf7fee16186e701ae9515bcb2796f9c4a258951570f070948f67166dcf7d786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5165963.exe

Filesize
360KB

MD5
850acd9685df3ad087d239b7589b9e09

SHA1
a62073d24105aa31eceb5c9eba828a1bcac57d12

SHA256
6fa7e000b535e61110e940cd2a5d92bd15af01d2c680beae227081304d5d2b1f

SHA512
c36dc4751ce0bee6f92eec4ded085ae611cbe7ccb3763a09f31ff8cfe8d85cb49cf7fee16186e701ae9515bcb2796f9c4a258951570f070948f67166dcf7d786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8604920.exe

Filesize
136KB

MD5
f7c6c79b6bdbf59944b371f4c4b88329

SHA1
06f43e28d739abfb5a739d9abcb8480d4e4ba4e9

SHA256
94a8f2714321247d02e8540620ae797b69e5991aa83d040f4fdb53048fc41ea7

SHA512
5ae92c27019e63c6eb752031b3958dcb333242295b9e65b44d27d401e4670a6767b3980845a7ed58410bfcdbc3e0b4135f281758525b900ba7664127b1967e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8604920.exe

Filesize
136KB

MD5
f7c6c79b6bdbf59944b371f4c4b88329

SHA1
06f43e28d739abfb5a739d9abcb8480d4e4ba4e9

SHA256
94a8f2714321247d02e8540620ae797b69e5991aa83d040f4fdb53048fc41ea7

SHA512
5ae92c27019e63c6eb752031b3958dcb333242295b9e65b44d27d401e4670a6767b3980845a7ed58410bfcdbc3e0b4135f281758525b900ba7664127b1967e4b

Download Submit
memory/1892-223-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/1892-222-0x0000000007970000-0x00000000079AC000-memory.dmp

Filesize
240KB

Download
memory/1892-221-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/1892-220-0x0000000007A40000-0x0000000007B4A000-memory.dmp

Filesize
1.0MB

Download
memory/1892-219-0x0000000007910000-0x0000000007922000-memory.dmp

Filesize
72KB

Download
memory/1892-218-0x0000000007E80000-0x0000000008498000-memory.dmp

Filesize
6.1MB

Download
memory/1892-217-0x0000000000BE0000-0x0000000000C08000-memory.dmp

Filesize
160KB

Download
memory/2108-190-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-204-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2108-188-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-184-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-192-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-194-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-196-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-198-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-199-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2108-200-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2108-201-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2108-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2108-203-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2108-186-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-205-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2108-210-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2108-182-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-180-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-178-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-176-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-174-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-172-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-171-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/2108-170-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download
memory/2108-169-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download