redline | 6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302

Analysis

max time kernel
177s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe
Size

612KB
MD5

5fadd395151a2dc7a6fbdf729438624a
SHA1

0bee04c2f712d9380cb5d637140463f0922dc9fa
SHA256

6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302
SHA512

79ecec33904526fc9d2c6ee17003828bc317dc21a2ce2113dd33cfb80456971dcef78435096229bbe7948ab9803a2b924d1fa8155794c8fd1e2abc6725e409ba
SSDEEP

12288:ky900cg5+A8n98FdISCLw2gii6Wdx7w83xb3FLS+kI:kyFci+B9AHQw29Dac8hb6I

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4404-955-0x0000000007960000-0x0000000007F78000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	26289110.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	26289110.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	26289110.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	26289110.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	26289110.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	26289110.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1304	st244268.exe
4460	26289110.exe
4404	kp242149.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	26289110.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st244268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st244268.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	26289110.exe
4460	26289110.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	26289110.exe
Token: SeDebugPrivilege	4404	kp242149.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1304	2504	6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe	81
PID 2504 wrote to memory of 1304	2504	6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe	81
PID 2504 wrote to memory of 1304	2504	6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe	81
PID 1304 wrote to memory of 4460	1304	st244268.exe	82
PID 1304 wrote to memory of 4460	1304	st244268.exe	82
PID 1304 wrote to memory of 4404	1304	st244268.exe	83
PID 1304 wrote to memory of 4404	1304	st244268.exe	83
PID 1304 wrote to memory of 4404	1304	st244268.exe	83

C:\Users\Admin\AppData\Local\Temp\6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe
"C:\Users\Admin\AppData\Local\Temp\6dec6fbc08f72cd75f83901acfac971d5a7303555cb562b85bfcd1b219e37302.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st244268.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st244268.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26289110.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26289110.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp242149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp242149.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st244268.exe

Filesize
458KB

MD5
67f920374b633a3655589e776b93b030

SHA1
11854d118b863681e9bcc637266d526e1c69cd5b

SHA256
3d47555dc63dddaf1ffb2c3dcd03529e7bf2a3c4c057d66c8e7b267a4756ca28

SHA512
f9e90468112c07fa1cbbf307f211c942b2d9e159a32347b3b4a010ffa1efe61ef4ed31298ee0feaae4e92a814f8eef9446acaa1eec5f2855ca660a2b57d1f894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st244268.exe

Filesize
458KB

MD5
67f920374b633a3655589e776b93b030

SHA1
11854d118b863681e9bcc637266d526e1c69cd5b

SHA256
3d47555dc63dddaf1ffb2c3dcd03529e7bf2a3c4c057d66c8e7b267a4756ca28

SHA512
f9e90468112c07fa1cbbf307f211c942b2d9e159a32347b3b4a010ffa1efe61ef4ed31298ee0feaae4e92a814f8eef9446acaa1eec5f2855ca660a2b57d1f894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26289110.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\26289110.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp242149.exe

Filesize
460KB

MD5
48743041504b7db5dfeff86d32de1297

SHA1
5ba0583f1d62ea8afc0f88ac7cb489982314c162

SHA256
bf00e3c45fe737c7df71058966df5ac172a748eb7f297906f87e68f6d561cb97

SHA512
db8af7eb56dc9591e8f29ce04ea7f07afaf522a320ccd3cc73b0b87ee7f8ce3abe09aaec12dd4ec910e4c8e573cdf96bc7d7aaf48dfba6b5c00cf433eb8e05b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp242149.exe

Filesize
460KB

MD5
48743041504b7db5dfeff86d32de1297

SHA1
5ba0583f1d62ea8afc0f88ac7cb489982314c162

SHA256
bf00e3c45fe737c7df71058966df5ac172a748eb7f297906f87e68f6d561cb97

SHA512
db8af7eb56dc9591e8f29ce04ea7f07afaf522a320ccd3cc73b0b87ee7f8ce3abe09aaec12dd4ec910e4c8e573cdf96bc7d7aaf48dfba6b5c00cf433eb8e05b3

Download Submit
memory/4404-153-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/4404-154-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4404-155-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/4404-156-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4404-157-0x0000000000400000-0x0000000000818000-memory.dmp

Filesize
4.1MB

Download
memory/4404-159-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4404-160-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4404-161-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4404-163-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-164-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-166-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-168-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-170-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-172-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-174-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-176-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-178-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-180-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-182-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-184-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-186-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-188-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-190-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-192-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-194-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-196-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-198-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-200-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-202-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-204-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-208-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-206-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-210-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-212-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-214-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-216-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-218-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-220-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-222-0x0000000002A70000-0x0000000002AA5000-memory.dmp

Filesize
212KB

Download
memory/4404-955-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/4404-956-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/4404-957-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/4404-958-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4404-959-0x0000000008330000-0x000000000836C000-memory.dmp

Filesize
240KB

Download
memory/4404-961-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4460-147-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download