redline | 6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd

Analysis

max time kernel
184s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe
Size

752KB
MD5

068373078336a1f9de329e6552ef03cd
SHA1

c826d8e37bc346f08e276ee86d643bd7753e1f24
SHA256

6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd
SHA512

33e8b399832d452ea8045d37795dd7832a3748a4ecdb59a57139e2e119ea40bab33d95ba861c5aef1b701e8b517ed4b1efcef02bfe8b97379376a3bf40fcd267
SSDEEP

12288:3y90SFvqw0yS4vb66+8MJjVOsC4wQIeZjxdQC4WD6Vth+r/KiNz:3yTvqVXceBNVey/iCLCth+jKix

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2904-990-0x00000000079D0000-0x0000000007FE8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	02692585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	02692585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	02692585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	02692585.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	02692585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	02692585.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1924	un423781.exe
2072	02692585.exe
2904	rk175020.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	02692585.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	02692585.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un423781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un423781.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2072	02692585.exe
2072	02692585.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	02692585.exe
Token: SeDebugPrivilege	2904	rk175020.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1924	1064	6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe	81
PID 1064 wrote to memory of 1924	1064	6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe	81
PID 1064 wrote to memory of 1924	1064	6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe	81
PID 1924 wrote to memory of 2072	1924	un423781.exe	82
PID 1924 wrote to memory of 2072	1924	un423781.exe	82
PID 1924 wrote to memory of 2072	1924	un423781.exe	82
PID 1924 wrote to memory of 2904	1924	un423781.exe	87
PID 1924 wrote to memory of 2904	1924	un423781.exe	87
PID 1924 wrote to memory of 2904	1924	un423781.exe	87

C:\Users\Admin\AppData\Local\Temp\6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe
"C:\Users\Admin\AppData\Local\Temp\6ae57748482acc9905de34af00fe086639700828e91d12dc114b484a38b685cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un423781.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un423781.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02692585.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02692585.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk175020.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk175020.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un423781.exe

Filesize
598KB

MD5
9cdd0c27c092631e914d4aa08ac164f0

SHA1
f2ee93f6253a9a811d6a5e9cf680080c3c79ace5

SHA256
61c34b052e79d00f5efefca8eb5c42a5fe1b1f8d4efb6733d2476bd630e56af7

SHA512
dd64d0fd40271e8072115e7b882eb3eb500e479bc3cfe255534562c9186dfd09a99a98e887096937b114209cb36b33bdbb10b270f262b9aac66577ac741f2753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un423781.exe

Filesize
598KB

MD5
9cdd0c27c092631e914d4aa08ac164f0

SHA1
f2ee93f6253a9a811d6a5e9cf680080c3c79ace5

SHA256
61c34b052e79d00f5efefca8eb5c42a5fe1b1f8d4efb6733d2476bd630e56af7

SHA512
dd64d0fd40271e8072115e7b882eb3eb500e479bc3cfe255534562c9186dfd09a99a98e887096937b114209cb36b33bdbb10b270f262b9aac66577ac741f2753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02692585.exe

Filesize
390KB

MD5
83782015280fc6704c298cc01f150a81

SHA1
e5a257df1611e22e71a093c2d87bd6e366640dab

SHA256
69121d52dd9352285c9aee21359e14ec35908174ee75d8865f3ae2ad31eff167

SHA512
05ed702d95fb8fdc6c38e3eec174ff4e5e7a33d00218deced12ac0d6ae39b77391d09a939613339f9ee1b8bc9f5fda12d8be16a2d311c0275fe31159dae7c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02692585.exe

Filesize
390KB

MD5
83782015280fc6704c298cc01f150a81

SHA1
e5a257df1611e22e71a093c2d87bd6e366640dab

SHA256
69121d52dd9352285c9aee21359e14ec35908174ee75d8865f3ae2ad31eff167

SHA512
05ed702d95fb8fdc6c38e3eec174ff4e5e7a33d00218deced12ac0d6ae39b77391d09a939613339f9ee1b8bc9f5fda12d8be16a2d311c0275fe31159dae7c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk175020.exe

Filesize
473KB

MD5
6bbbc4a0580b78dbdbf54f5a90a74ea8

SHA1
a1c8fae1dbe8c796cff13a4f1f02200ecd69cb2c

SHA256
d3b7ac7df8a490ab2e1c477e3be12ec1fb200fc6e9b44f8010d1646970c20e0f

SHA512
b5506fb387b4e379ed48780158e11bf3575cb88cd87462d874f00f779df0742dbc8b44727196a58823d7fd4114ed138761f0e6fda96fd35d44e4ab16dfbe561e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk175020.exe

Filesize
473KB

MD5
6bbbc4a0580b78dbdbf54f5a90a74ea8

SHA1
a1c8fae1dbe8c796cff13a4f1f02200ecd69cb2c

SHA256
d3b7ac7df8a490ab2e1c477e3be12ec1fb200fc6e9b44f8010d1646970c20e0f

SHA512
b5506fb387b4e379ed48780158e11bf3575cb88cd87462d874f00f779df0742dbc8b44727196a58823d7fd4114ed138761f0e6fda96fd35d44e4ab16dfbe561e

Download Submit
memory/2072-163-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-189-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2072-153-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2072-154-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-155-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-157-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-159-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-161-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-151-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/2072-165-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-167-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-169-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-173-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-171-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-175-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-177-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-179-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-181-0x00000000026E0000-0x00000000026F2000-memory.dmp

Filesize
72KB

Download
memory/2072-183-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2072-184-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2072-185-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2072-152-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2072-149-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2072-148-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/2904-227-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-217-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-198-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-993-0x0000000002C00000-0x0000000002C3C000-memory.dmp

Filesize
240KB

Download
memory/2904-196-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-197-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-201-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-203-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-205-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-207-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-209-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-211-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-213-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-194-0x0000000002500000-0x0000000002546000-memory.dmp

Filesize
280KB

Download
memory/2904-195-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-223-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-215-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-221-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-225-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-991-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/2904-990-0x00000000079D0000-0x0000000007FE8000-memory.dmp

Filesize
6.1MB

Download
memory/2904-219-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/2904-992-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/2904-199-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-994-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-996-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-997-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-998-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2904-999-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download