redline | 707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe
Size

690KB
MD5

3505c8ad496e8c4f508394f746584699
SHA1

c9248c34a7f9d3569b296829b236afc91084b532
SHA256

707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069
SHA512

78099402e60dd94ce843368aa2d1f10d0f216b66e7a20d089d8a20e92dc62e2b1e6bea667349e72c13f19d844a4c07061c5ab37909e9bb08817e125d1d3343ec
SSDEEP

12288:py90eqFt3sojvYDNf1bQdACIl74cJw/22VBn1l1Ci9qCR4p0MB+nMYDBwjj:py2L8uyTbQdACIlbwe2DYik9p0MELqX

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1196-986-0x0000000007540000-0x0000000007B58000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	14119056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	14119056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	14119056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	14119056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	14119056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	14119056.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3328	un665397.exe
4828	14119056.exe
1196	rk980250.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	14119056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	14119056.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un665397.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un665397.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1760	4828	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4828	14119056.exe
4828	14119056.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	14119056.exe
Token: SeDebugPrivilege	1196	rk980250.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3328	4476	707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe	88
PID 4476 wrote to memory of 3328	4476	707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe	88
PID 4476 wrote to memory of 3328	4476	707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe	88
PID 3328 wrote to memory of 4828	3328	un665397.exe	89
PID 3328 wrote to memory of 4828	3328	un665397.exe	89
PID 3328 wrote to memory of 4828	3328	un665397.exe	89
PID 3328 wrote to memory of 1196	3328	un665397.exe	92
PID 3328 wrote to memory of 1196	3328	un665397.exe	92
PID 3328 wrote to memory of 1196	3328	un665397.exe	92

C:\Users\Admin\AppData\Local\Temp\707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe
"C:\Users\Admin\AppData\Local\Temp\707a4a5849b9a08d47a4225eafb62a72b07c70422d27d1dc0eabe029878c9069.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665397.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665397.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14119056.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14119056.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1092
      4⤵
      Program crash
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk980250.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk980250.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4828 -ip 4828
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665397.exe

Filesize
536KB

MD5
a0505808eb99741df72ce31edac252ab

SHA1
a855d9af5f7e093ed4e814166e0a3e156d76e90f

SHA256
0c3b4839efcd4a0e03d184af9339d4691d247cc4e54729f27c0b6e6207c365c6

SHA512
b8a797ff04cea8c774b5ebdd197b2e41b73b8f00e4285f3f65d4bdaaf50a9fff342877232db84c94102ceeaef89924f142b77c0efc83ff3afb996a8b6bf75409

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un665397.exe

Filesize
536KB

MD5
a0505808eb99741df72ce31edac252ab

SHA1
a855d9af5f7e093ed4e814166e0a3e156d76e90f

SHA256
0c3b4839efcd4a0e03d184af9339d4691d247cc4e54729f27c0b6e6207c365c6

SHA512
b8a797ff04cea8c774b5ebdd197b2e41b73b8f00e4285f3f65d4bdaaf50a9fff342877232db84c94102ceeaef89924f142b77c0efc83ff3afb996a8b6bf75409

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14119056.exe

Filesize
259KB

MD5
5e6db10f9cb98737663c3a79827c3ab4

SHA1
9dbc66c31507b5994a3213dfef049181b65269b6

SHA256
1a11b0ea9724066aaf61dda7c30aeb75a0cf677792ba9258713f9a4fec8efa1f

SHA512
6c62dc7776e6e7d39870392f0c84f752bf5064e7245a7aa43aabca50ac4cdf84b96efdb998fcb72f0e1aa3794488b76e2155f8bebfaf5ee73545c5ae91933ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\14119056.exe

Filesize
259KB

MD5
5e6db10f9cb98737663c3a79827c3ab4

SHA1
9dbc66c31507b5994a3213dfef049181b65269b6

SHA256
1a11b0ea9724066aaf61dda7c30aeb75a0cf677792ba9258713f9a4fec8efa1f

SHA512
6c62dc7776e6e7d39870392f0c84f752bf5064e7245a7aa43aabca50ac4cdf84b96efdb998fcb72f0e1aa3794488b76e2155f8bebfaf5ee73545c5ae91933ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk980250.exe

Filesize
341KB

MD5
bbd8e6c31f5f5ebf9b157b5bfc4139a7

SHA1
8bda37c5db5119bc5d5f702c8a5e15d76bede147

SHA256
05ff2cd9f4f21d62a9c854e0798c00e854904cc0a73baefad6d479d951071461

SHA512
4312ead056a0009ee09b8ea39b8a37287b6c3d74394e9514bf28506e2c12e40e008f04ca3c8774f33137c7c8c14dabd09f72fb9c183127d44dbd1d7b90360bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk980250.exe

Filesize
341KB

MD5
bbd8e6c31f5f5ebf9b157b5bfc4139a7

SHA1
8bda37c5db5119bc5d5f702c8a5e15d76bede147

SHA256
05ff2cd9f4f21d62a9c854e0798c00e854904cc0a73baefad6d479d951071461

SHA512
4312ead056a0009ee09b8ea39b8a37287b6c3d74394e9514bf28506e2c12e40e008f04ca3c8774f33137c7c8c14dabd09f72fb9c183127d44dbd1d7b90360bc1

Download Submit
memory/1196-215-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-223-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-995-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-994-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-993-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-992-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-990-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-196-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-989-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/1196-988-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/1196-987-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/1196-194-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-227-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-225-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-192-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-200-0x0000000000700000-0x0000000000746000-memory.dmp

Filesize
280KB

Download
memory/1196-221-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-219-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-217-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-213-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-211-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-209-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-207-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-203-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-205-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-191-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-202-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/1196-986-0x0000000007540000-0x0000000007B58000-memory.dmp

Filesize
6.1MB

Download
memory/1196-201-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1196-198-0x0000000004A50000-0x0000000004A85000-memory.dmp

Filesize
212KB

Download
memory/4828-174-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-158-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-151-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4828-149-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/4828-150-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4828-186-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4828-184-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4828-183-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4828-182-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4828-148-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/4828-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4828-180-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-178-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-176-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-172-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-170-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-168-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-166-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-164-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-162-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-160-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-154-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-156-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-153-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4828-152-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download