redline | 70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6

Analysis

max time kernel
259s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
Size

643KB
MD5

c757fbb6177e19ce4f7d043634d888dd
SHA1

16b13ce330435fe2b80fbcd1f4813d29f08b8b6d
SHA256

70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6
SHA512

e64c2feb1e085777ab2b6c0eae350f4cdab21e97f41e8c2fb8ff9e8c4891f86bf1cb4162901fa1693c1dd2c69de903ae02e6beca4f12cd764c2610ac4adc0eb3
SSDEEP

12288:py90chrHstjNIkHHv2LZTrX7jxPV8q3suYkqxE/S+Bc1gJUyb9JWG:pyVHstScHohrBVUurqq/41gxhMG

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1792-984-0x0000000009C50000-0x000000000A268000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	66841873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	66841873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	66841873.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	66841873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	66841873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	66841873.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
872	st180668.exe
224	66841873.exe
1792	kp267984.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	66841873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	66841873.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st180668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st180668.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
224	66841873.exe
224	66841873.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	66841873.exe
Token: SeDebugPrivilege	1792	kp267984.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 872	4920	70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe	79
PID 4920 wrote to memory of 872	4920	70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe	79
PID 4920 wrote to memory of 872	4920	70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe	79
PID 872 wrote to memory of 224	872	st180668.exe	80
PID 872 wrote to memory of 224	872	st180668.exe	80
PID 872 wrote to memory of 224	872	st180668.exe	80
PID 872 wrote to memory of 1792	872	st180668.exe	84
PID 872 wrote to memory of 1792	872	st180668.exe	84
PID 872 wrote to memory of 1792	872	st180668.exe	84

C:\Users\Admin\AppData\Local\Temp\70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe
"C:\Users\Admin\AppData\Local\Temp\70b671c7eb5ee48628e96439d58e01a899278c569e6dc1c67e8d6da24e599df6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st180668.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st180668.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66841873.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66841873.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267984.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267984.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st180668.exe

Filesize
489KB

MD5
e61ec5f867465cb46d83306e6797783d

SHA1
1e0dc7b4d18a11529fdc334ff0d9e105f9f2ccae

SHA256
de8b19bb8800221b83faf86600ce65dc814efd96de5909caed7862a89288c8c9

SHA512
45c971931ea20998750bf0d3e76dbc71f657ec38b2473d209b6f258a9cf3938ea6ac25556363564d4151b13d4c260d537d924729cad27d7a7e139d86a0f06f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st180668.exe

Filesize
489KB

MD5
e61ec5f867465cb46d83306e6797783d

SHA1
1e0dc7b4d18a11529fdc334ff0d9e105f9f2ccae

SHA256
de8b19bb8800221b83faf86600ce65dc814efd96de5909caed7862a89288c8c9

SHA512
45c971931ea20998750bf0d3e76dbc71f657ec38b2473d209b6f258a9cf3938ea6ac25556363564d4151b13d4c260d537d924729cad27d7a7e139d86a0f06f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66841873.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66841873.exe

Filesize
175KB

MD5
3d10b67208452d7a91d7bd7066067676

SHA1
e6c3ab7b6da65c8cc7dd95351f118caf3a50248d

SHA256
5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302

SHA512
b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267984.exe

Filesize
332KB

MD5
7d960538a58918d64d1727e03dfd2fea

SHA1
cf8869976030ffa688159808301e8b8506b4df73

SHA256
df53fa299e0eabd450144aec19a0ff0af3b6f6000f7250574bedd21e228d7258

SHA512
826df6af6379cd450aa988be227e540ae941e5bff452209f4595bee3eae8f4c42ed62953c1ec5b5e8311461c1a6cbaf8605ef35e19067edb9f21dc2dfea358bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp267984.exe

Filesize
332KB

MD5
7d960538a58918d64d1727e03dfd2fea

SHA1
cf8869976030ffa688159808301e8b8506b4df73

SHA256
df53fa299e0eabd450144aec19a0ff0af3b6f6000f7250574bedd21e228d7258

SHA512
826df6af6379cd450aa988be227e540ae941e5bff452209f4595bee3eae8f4c42ed62953c1ec5b5e8311461c1a6cbaf8605ef35e19067edb9f21dc2dfea358bd

Download Submit
memory/224-147-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/224-148-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/224-149-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/224-150-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/224-151-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-152-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-154-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-156-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-158-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-160-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-162-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-164-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-166-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-168-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-170-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-172-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-174-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-176-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/224-178-0x0000000004960000-0x0000000004973000-memory.dmp

Filesize
76KB

Download
memory/1792-184-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-185-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-187-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-189-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-191-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-193-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-195-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-197-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-199-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-201-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-203-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-205-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-207-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-209-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-211-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-213-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-215-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-217-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-219-0x0000000004E00000-0x0000000004E35000-memory.dmp

Filesize
212KB

Download
memory/1792-309-0x0000000002D20000-0x0000000002D66000-memory.dmp

Filesize
280KB

Download
memory/1792-319-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1792-320-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1792-322-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1792-982-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1792-984-0x0000000009C50000-0x000000000A268000-memory.dmp

Filesize
6.1MB

Download
memory/1792-985-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/1792-986-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/1792-987-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/1792-988-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1792-990-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download