redline | 7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
Size

693KB
MD5

abaf3e8bf1aabaf5a140468a6b451acd
SHA1

7d84edc4a58f261271566512ecaaafdd787fe2fd
SHA256

7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48
SHA512

96d7b49705b50c39aa7832c1c60328c00e05c6599f5981fa4a65bfe17c64b80a897dd4c313d1c5e56395870ddd335c75efb46a2b23e94aea069601a08ccb6db2
SSDEEP

12288:ay90e3s3k2SNH/d47C9HVwaARjl0MYtWCOW16FT18bJK7A+p+w2lWrb:ay53hzNH/dTeaARjatLt6FT18bJsDkWn

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/220-987-0x0000000009C40000-0x000000000A258000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	20636919.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	20636919.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3564	un864612.exe
1356	20636919.exe
220	rk671639.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	20636919.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	20636919.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un864612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un864612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3024	1356	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	20636919.exe
1356	20636919.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	20636919.exe
Token: SeDebugPrivilege	220	rk671639.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3564	4956	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	84
PID 4956 wrote to memory of 3564	4956	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	84
PID 4956 wrote to memory of 3564	4956	7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe	84
PID 3564 wrote to memory of 1356	3564	un864612.exe	85
PID 3564 wrote to memory of 1356	3564	un864612.exe	85
PID 3564 wrote to memory of 1356	3564	un864612.exe	85
PID 3564 wrote to memory of 220	3564	un864612.exe	89
PID 3564 wrote to memory of 220	3564	un864612.exe	89
PID 3564 wrote to memory of 220	3564	un864612.exe	89

C:\Users\Admin\AppData\Local\Temp\7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe
"C:\Users\Admin\AppData\Local\Temp\7024f95991767b39327f265a8a5be2252a5d2bc5295a62745c41b3ee024d4d48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1080
      4⤵
      Program crash
      PID:3024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1356 -ip 1356
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe

Filesize
540KB

MD5
e775887d3c8244637bb54c06e6cb7dfd

SHA1
912e0e107b848d92d314a91edff7bc1fcd56ba2f

SHA256
62f94d6ac71c93d8d491041f11bc0cb8df9c48c9354076a38021ce5491044f9c

SHA512
6550a2370c5ede138f3be19d7a929ac85e221306258f2ae54786420ae6e3cb4e5c27955d4ced0d0df6710540badfdb6ddebc0ab932962deb67143eefc0028b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864612.exe

Filesize
540KB

MD5
e775887d3c8244637bb54c06e6cb7dfd

SHA1
912e0e107b848d92d314a91edff7bc1fcd56ba2f

SHA256
62f94d6ac71c93d8d491041f11bc0cb8df9c48c9354076a38021ce5491044f9c

SHA512
6550a2370c5ede138f3be19d7a929ac85e221306258f2ae54786420ae6e3cb4e5c27955d4ced0d0df6710540badfdb6ddebc0ab932962deb67143eefc0028b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\20636919.exe

Filesize
258KB

MD5
47aa9d06d353d34e3838885e244fc929

SHA1
2696199cfd0db93b128860868c2806c9ecbdef55

SHA256
dbe5083ab54677b90ac33ec791c129d519f8cddc5a94c9b675451c4849065184

SHA512
8b84251d0b2b6b8e2074cd7c426a5ad89c3d7313f3f7c6b7bee4f5969f2d2b41ff9b3304a48c018348785a364d5ce6a48b8a6800777077102584a5d0e572306f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk671639.exe

Filesize
340KB

MD5
3921f97a143df458fe9275a78550bf60

SHA1
79e622017a26cebb16317c1a53bc4f66bf12162f

SHA256
cab4238710d09bb4f7c5b334c28d405a1ebbf2983aad6d106d1262206db60ae6

SHA512
9f7b47cfdd3d4558cfd5e156a7ff080fd22495aa2aef8e48acacda41742e672d10cddc1ddf1218da80c709cb7da419b07af77910c2f5c42c1906dfe9663c9801

Download Submit
memory/220-220-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-512-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-996-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-995-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-994-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-993-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-991-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/220-198-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-989-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/220-196-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-988-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/220-987-0x0000000009C40000-0x000000000A258000-memory.dmp

Filesize
6.1MB

Download
memory/220-513-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-510-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-194-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-204-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-509-0x0000000002CC0000-0x0000000002D06000-memory.dmp

Filesize
280KB

Download
memory/220-222-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-218-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-216-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-214-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-212-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-210-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-208-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-191-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-192-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-206-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-990-0x00000000071B0000-0x00000000071C0000-memory.dmp

Filesize
64KB

Download
memory/220-202-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/220-200-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/1356-175-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-165-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-151-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/1356-149-0x00000000070B0000-0x0000000007654000-memory.dmp

Filesize
5.6MB

Download
memory/1356-150-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/1356-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1356-183-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/1356-182-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/1356-181-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/1356-148-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/1356-180-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1356-179-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-177-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-173-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-171-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-169-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-167-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-163-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-161-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-159-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-157-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-155-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-153-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download
memory/1356-152-0x00000000076C0000-0x00000000076D3000-memory.dmp

Filesize
76KB

Download