redline | 070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
Size

690KB
MD5

7d3e77b531fa906c491afb739756564e
SHA1

c3efa185e85308bdbdff907f2e6c9ca504a5f0e5
SHA256

070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10
SHA512

3c846accbc29b857c9a5ae996f1d2d35e36448aeab8e0e20bf53b269e52c0272b9c9af266e6831b82b48272ef8d95a99a4291533013404c722b72199edddd155
SSDEEP

12288:fy90H1RzuQ2zRpvwGrHg1/wioK2oL0y0sHD2nm9T5Wu2mHxb:fyyyQAfvVEFw9K2oLNj2nsT5WuHHxb

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2912-985-0x0000000007640000-0x0000000007C58000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	42068703.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	42068703.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1292	un355417.exe
2088	42068703.exe
2912	rk446965.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	42068703.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	42068703.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un355417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un355417.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
736	2088	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2088	42068703.exe
2088	42068703.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	42068703.exe
Token: SeDebugPrivilege	2912	rk446965.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1292	5072	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	82
PID 5072 wrote to memory of 1292	5072	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	82
PID 5072 wrote to memory of 1292	5072	070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe	82
PID 1292 wrote to memory of 2088	1292	un355417.exe	83
PID 1292 wrote to memory of 2088	1292	un355417.exe	83
PID 1292 wrote to memory of 2088	1292	un355417.exe	83
PID 1292 wrote to memory of 2912	1292	un355417.exe	87
PID 1292 wrote to memory of 2912	1292	un355417.exe	87
PID 1292 wrote to memory of 2912	1292	un355417.exe	87

C:\Users\Admin\AppData\Local\Temp\070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe
"C:\Users\Admin\AppData\Local\Temp\070632abba4a80ed2f56473b2bda4c2865c095673aa47f09b7d15611e1bd0f10.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1016
      4⤵
      Program crash
      PID:736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2088 -ip 2088
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe

Filesize
536KB

MD5
492146f1c10e0110c3232e556a66d5ef

SHA1
39b74e8d9a5cec0a7bc613d1649bcecc0e1382ad

SHA256
052e944b1b6fc35951ab32af01e0aace8406e6dcc253b6ef3d080b4757576b0d

SHA512
df8dc8f14b4228e6a7a8c7434534ccc711b46c8710acc774507399da4f3e3fad5edc28ce299a9294e201f0f04ef79d12b095801e0dd2524e8d03b4853cb463a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355417.exe

Filesize
536KB

MD5
492146f1c10e0110c3232e556a66d5ef

SHA1
39b74e8d9a5cec0a7bc613d1649bcecc0e1382ad

SHA256
052e944b1b6fc35951ab32af01e0aace8406e6dcc253b6ef3d080b4757576b0d

SHA512
df8dc8f14b4228e6a7a8c7434534ccc711b46c8710acc774507399da4f3e3fad5edc28ce299a9294e201f0f04ef79d12b095801e0dd2524e8d03b4853cb463a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42068703.exe

Filesize
259KB

MD5
6464efb10e8de22c45fb1a68de531d89

SHA1
3dda413055918f372363f3fe262dd0a6af4cb0aa

SHA256
9df94038effc7c846346d2380a7865c0e36b4fa4ddf91be5c56282bc295596f1

SHA512
932f533e93351c8be7b98f88a3508a759085696ca897296ece9da624e04e0d6642df2e9c206ac1513c30b6339b5d54fd459dae5445768014c709c9de6123bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk446965.exe

Filesize
341KB

MD5
31e0512f93413fbf567f1efed7809bd9

SHA1
27a67baede2f40e092a0b97f909e6995215b70a8

SHA256
1cb932428ea6656fd7f05803e92992c47581f499f9bca0ea301558d466d1c7e6

SHA512
ad726b48a9b5332cdd096046c576b719cba08318369b127db46e92231d216932fa34a4d17d19619d055315b6242f9a6e5f4975ed8bda68631cffe515050f6562

Download Submit
memory/2088-163-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-185-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2088-152-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-153-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-155-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-157-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-159-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-161-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-150-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2088-165-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-167-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-169-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-171-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-173-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-175-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-177-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-179-0x00000000023A0000-0x00000000023B3000-memory.dmp

Filesize
76KB

Download
memory/2088-180-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2088-181-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2088-182-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2088-183-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2088-151-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2088-149-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/2088-148-0x0000000004C70000-0x0000000005214000-memory.dmp

Filesize
5.6MB

Download
memory/2912-358-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2912-217-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-197-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-987-0x0000000007D20000-0x0000000007E2A000-memory.dmp

Filesize
1.0MB

Download
memory/2912-193-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-201-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-199-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-203-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-205-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-207-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-209-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-211-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-213-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-190-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-191-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-221-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-215-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-223-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-356-0x0000000000700000-0x0000000000746000-memory.dmp

Filesize
280KB

Download
memory/2912-985-0x0000000007640000-0x0000000007C58000-memory.dmp

Filesize
6.1MB

Download
memory/2912-360-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2912-219-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-986-0x0000000007D00000-0x0000000007D12000-memory.dmp

Filesize
72KB

Download
memory/2912-195-0x0000000005110000-0x0000000005145000-memory.dmp

Filesize
212KB

Download
memory/2912-988-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2912-989-0x0000000007E40000-0x0000000007E7C000-memory.dmp

Filesize
240KB

Download
memory/2912-991-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2912-992-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2912-993-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download