redline | 064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171

Analysis

max time kernel
145s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe
Size

618KB
MD5

95b4ed8d0970e066eeb69c015c020123
SHA1

6544bfff3a57ebcd77599eb071aac69b5b50393c
SHA256

064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171
SHA512

4dfc5defb7cf5b7f78b83049791b9d113b450e8ceaac6836cb3442cc2f3b5f1bb2c4b3b790c8b0978c84992dcf60747dbb0b2cd7fd7457107e7b739b75cd15f0
SSDEEP

12288:Oy904wihH0OW3xIkaDVo2wj4H+N1yB2KCqD7OmnsT:OyHUvKoFtXlqDajT

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/928-950-0x00000000079E0000-0x0000000007FF8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	39918282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	39918282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	39918282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	39918282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	39918282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	39918282.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2944	st293748.exe
2064	39918282.exe
928	kp811705.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	39918282.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st293748.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st293748.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2064	39918282.exe
2064	39918282.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	39918282.exe
Token: SeDebugPrivilege	928	kp811705.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 2944	3132	064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe	83
PID 3132 wrote to memory of 2944	3132	064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe	83
PID 3132 wrote to memory of 2944	3132	064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe	83
PID 2944 wrote to memory of 2064	2944	st293748.exe	84
PID 2944 wrote to memory of 2064	2944	st293748.exe	84
PID 2944 wrote to memory of 928	2944	st293748.exe	85
PID 2944 wrote to memory of 928	2944	st293748.exe	85
PID 2944 wrote to memory of 928	2944	st293748.exe	85

C:\Users\Admin\AppData\Local\Temp\064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe
"C:\Users\Admin\AppData\Local\Temp\064f64f786dca12c052b72854095d23ae28a5a0fff32f2458158a7c8ad386171.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st293748.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st293748.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39918282.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39918282.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp811705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp811705.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st293748.exe

Filesize
464KB

MD5
4b000683d4fa7b04d94f120af3a6ba67

SHA1
2fa39a45493d10f4c7efd0e2065431fb05a91b64

SHA256
c79967d8c4c52bc7eb1f8334350ac7765d2329a28ea6794f34f6bb118f219cdb

SHA512
3903b6e673ab9e473ee64debafc50c7f376b9017c4c48731bb7556b7f115cc9e7ecac946266960fe797a5db2f94be9b490cc2c50f850d4a43dba3803c732715a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st293748.exe

Filesize
464KB

MD5
4b000683d4fa7b04d94f120af3a6ba67

SHA1
2fa39a45493d10f4c7efd0e2065431fb05a91b64

SHA256
c79967d8c4c52bc7eb1f8334350ac7765d2329a28ea6794f34f6bb118f219cdb

SHA512
3903b6e673ab9e473ee64debafc50c7f376b9017c4c48731bb7556b7f115cc9e7ecac946266960fe797a5db2f94be9b490cc2c50f850d4a43dba3803c732715a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39918282.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\39918282.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp811705.exe

Filesize
478KB

MD5
cdbab84493e0a54f88c264ca48c346b9

SHA1
2ca2e003be25c98d4fcdc85cfc77f2f8851f2d0c

SHA256
e53a7f045172922bf8ae9a22b0c3742eae66cb3bf06bb9f1f192637e9517025e

SHA512
77cf47c23a4f2be366d1ff8b0675ed3f24e5e4b09b82e60c02f1ea53961f287fbbcfd92860b8db524101dd3e6bec7da0b8c0dc40002f95a77c9c5bf8af13062a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp811705.exe

Filesize
478KB

MD5
cdbab84493e0a54f88c264ca48c346b9

SHA1
2ca2e003be25c98d4fcdc85cfc77f2f8851f2d0c

SHA256
e53a7f045172922bf8ae9a22b0c3742eae66cb3bf06bb9f1f192637e9517025e

SHA512
77cf47c23a4f2be366d1ff8b0675ed3f24e5e4b09b82e60c02f1ea53961f287fbbcfd92860b8db524101dd3e6bec7da0b8c0dc40002f95a77c9c5bf8af13062a

Download Submit
memory/928-153-0x0000000000CB0000-0x0000000000CF6000-memory.dmp

Filesize
280KB

Download
memory/928-154-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/928-155-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/928-156-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/928-158-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-157-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-160-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-162-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-164-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-166-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-168-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-170-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-172-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-174-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-176-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-178-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-180-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-184-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-182-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-186-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-188-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-190-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-192-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-194-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-196-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-198-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-200-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-202-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-204-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-206-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-208-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-210-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-212-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-214-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-216-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-218-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-220-0x0000000002A60000-0x0000000002A95000-memory.dmp

Filesize
212KB

Download
memory/928-950-0x00000000079E0000-0x0000000007FF8000-memory.dmp

Filesize
6.1MB

Download
memory/928-951-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

Filesize
72KB

Download
memory/928-952-0x0000000008000000-0x000000000810A000-memory.dmp

Filesize
1.0MB

Download
memory/928-953-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/928-954-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/928-955-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/928-957-0x0000000002C10000-0x0000000002C4C000-memory.dmp

Filesize
240KB

Download
memory/928-958-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/2064-147-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download