redline | 048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe
Size

1.0MB
MD5

3a043f8ffff450fc393c68641d7f515d
SHA1

cfce811c0ae1f3aa3f7d50c4ee421928252a01fc
SHA256

048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0
SHA512

9a28a72a00f3ebae119e861b1972d3c59caae7fc4a65a212de48f7df35412b4f0d5b45a0a3f2c5b49d9e3af67ac2a1b53d66aee925591639610b680cfae54971
SSDEEP

24576:3yBg7CJJn8p2wUyk30h9ZrpR1p+c4pOQyWrN0vXUHzYJ3o:CBq0g2H2f1p+Dp5ewu

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4012-969-0x0000000009C80000-0x000000000A298000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz4263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz4263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz4263.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz4263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz4263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz4263.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2236	za773585.exe
2392	za670455.exe
1012	za425747.exe
3540	tz4263.exe
4012	v8540Iw.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz4263.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za425747.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za773585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za773585.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za670455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za670455.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za425747.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3540	tz4263.exe
3540	tz4263.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	tz4263.exe
Token: SeDebugPrivilege	4012	v8540Iw.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2236	452	048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe	84
PID 452 wrote to memory of 2236	452	048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe	84
PID 452 wrote to memory of 2236	452	048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe	84
PID 2236 wrote to memory of 2392	2236	za773585.exe	85
PID 2236 wrote to memory of 2392	2236	za773585.exe	85
PID 2236 wrote to memory of 2392	2236	za773585.exe	85
PID 2392 wrote to memory of 1012	2392	za670455.exe	86
PID 2392 wrote to memory of 1012	2392	za670455.exe	86
PID 2392 wrote to memory of 1012	2392	za670455.exe	86
PID 1012 wrote to memory of 3540	1012	za425747.exe	87
PID 1012 wrote to memory of 3540	1012	za425747.exe	87
PID 1012 wrote to memory of 4012	1012	za425747.exe	92
PID 1012 wrote to memory of 4012	1012	za425747.exe	92
PID 1012 wrote to memory of 4012	1012	za425747.exe	92

C:\Users\Admin\AppData\Local\Temp\048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe
"C:\Users\Admin\AppData\Local\Temp\048c42be57401ba3c401ad41986945d4ca6fe1a62573a415bfa4fe32c33b58f0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za773585.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za773585.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za670455.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za670455.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za425747.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za425747.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4263.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4263.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8540Iw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8540Iw.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za773585.exe

Filesize
885KB

MD5
826538b93edb90bb962c975a841ff6f8

SHA1
3b0ee16bb1de6ddecbce34691c0d5a16f1902086

SHA256
96a74655be36f7671d64acf19cc709bf1a96690acbde9084164abf89340e0a49

SHA512
23d07309564d77d173d3bb5a988151e4d9ec1202b3e0faa17e10b7b27f9afff136e91b818537545804348d7206b47186b0960c9852e7b49069f3632ab8e3af5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za773585.exe

Filesize
885KB

MD5
826538b93edb90bb962c975a841ff6f8

SHA1
3b0ee16bb1de6ddecbce34691c0d5a16f1902086

SHA256
96a74655be36f7671d64acf19cc709bf1a96690acbde9084164abf89340e0a49

SHA512
23d07309564d77d173d3bb5a988151e4d9ec1202b3e0faa17e10b7b27f9afff136e91b818537545804348d7206b47186b0960c9852e7b49069f3632ab8e3af5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za670455.exe

Filesize
673KB

MD5
5e3399f4da4cf263f89646c6d2439622

SHA1
7dd780d411c105ea6ea30ad577584970103679d7

SHA256
c1d99cccf991693bc983bf80e7ca77c303cde464701ae03a806f187111bf120f

SHA512
f5d3539c933120e9aeaf2ce24a9127010ec00c4f71eca2af30663935db2878ff07f1afb68c9d543b6f39efc23191ca5d2bbaa0fe4fa223f7ad1e14312f75823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za670455.exe

Filesize
673KB

MD5
5e3399f4da4cf263f89646c6d2439622

SHA1
7dd780d411c105ea6ea30ad577584970103679d7

SHA256
c1d99cccf991693bc983bf80e7ca77c303cde464701ae03a806f187111bf120f

SHA512
f5d3539c933120e9aeaf2ce24a9127010ec00c4f71eca2af30663935db2878ff07f1afb68c9d543b6f39efc23191ca5d2bbaa0fe4fa223f7ad1e14312f75823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za425747.exe

Filesize
404KB

MD5
170424ee81510b103fec9a4a5bce7b52

SHA1
5f47582ac486d00ec526270e6cd80b18ea47c788

SHA256
f49d3fdc7e0ff23b4988a9d4bdec65901998e482127bd80ba39bdcee23366abd

SHA512
a3019f9edfcc9c786f28aa452e9ba51166299431211de61811638624aaa55c869016bf5f848da9360b803868377503524fd8f364a46cde734b2c066e875fce44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za425747.exe

Filesize
404KB

MD5
170424ee81510b103fec9a4a5bce7b52

SHA1
5f47582ac486d00ec526270e6cd80b18ea47c788

SHA256
f49d3fdc7e0ff23b4988a9d4bdec65901998e482127bd80ba39bdcee23366abd

SHA512
a3019f9edfcc9c786f28aa452e9ba51166299431211de61811638624aaa55c869016bf5f848da9360b803868377503524fd8f364a46cde734b2c066e875fce44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4263.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz4263.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8540Iw.exe

Filesize
360KB

MD5
b501ab2e47dbe6bfba3d380b479cba76

SHA1
eb9c780e42a6c541be622f263f303ec1c4f81b70

SHA256
0ceb9dca45dc2c79f10a3b2a9ba5d585e061a1ec89b50b9795a436dfbf3e35f1

SHA512
52ffb082595e4fd3e257aed3682aa83b3a83724303f1b2679d892f2af052920f3b3627dee29d82074125f039c2be1f6dee8527f1bc0724ea4adce5c81b607b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8540Iw.exe

Filesize
360KB

MD5
b501ab2e47dbe6bfba3d380b479cba76

SHA1
eb9c780e42a6c541be622f263f303ec1c4f81b70

SHA256
0ceb9dca45dc2c79f10a3b2a9ba5d585e061a1ec89b50b9795a436dfbf3e35f1

SHA512
52ffb082595e4fd3e257aed3682aa83b3a83724303f1b2679d892f2af052920f3b3627dee29d82074125f039c2be1f6dee8527f1bc0724ea4adce5c81b607b7d

Download Submit
memory/3540-161-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/4012-167-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/4012-168-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/4012-169-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-170-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-171-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-172-0x0000000000400000-0x0000000002BC3000-memory.dmp

Filesize
39.8MB

Download
memory/4012-173-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-174-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-176-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-178-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-180-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-182-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-184-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-186-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-188-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-190-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-192-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-194-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-196-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-198-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-200-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-202-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-204-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-206-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-208-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-210-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-212-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-214-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-218-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-216-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-220-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-222-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-224-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-226-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-228-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-230-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-232-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-234-0x0000000007170000-0x00000000071A5000-memory.dmp

Filesize
212KB

Download
memory/4012-965-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-966-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-967-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-969-0x0000000009C80000-0x000000000A298000-memory.dmp

Filesize
6.1MB

Download
memory/4012-970-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/4012-971-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/4012-972-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/4012-973-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/4012-975-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download