redline | 06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd

Analysis

max time kernel
187s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe
Size

1.5MB
MD5

f0e056b6e358dc8379a4c0fc638c6d6d
SHA1

e47228f86127857b12de44f440fb3fc1eb90daa9
SHA256

06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd
SHA512

05d736d461c1597573ee501ad21934a242538e934f3b7de55f2a698ff21f21d5bb446d3d53d88beba840c230921ba37f6ce8a376225fc0596d881cab2ef2bd6b
SSDEEP

49152:q1wUFUVUKnFwvMeqXPpR2C3UAqH+endax:aU+kvpXP/dkA09n

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4416-215-0x0000000007F50000-0x0000000008568000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0949608.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0949608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0949608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0949608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0949608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0949608.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
5052	v6494028.exe
1928	v6263782.exe
604	v1077467.exe
544	v0868811.exe
2928	a0949608.exe
4416	b5923626.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0949608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0949608.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6263782.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1077467.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0868811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0868811.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6494028.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6494028.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6263782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1077467.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4328	2928	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2928	a0949608.exe
2928	a0949608.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	a0949608.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 5052	4720	06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe	80
PID 4720 wrote to memory of 5052	4720	06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe	80
PID 4720 wrote to memory of 5052	4720	06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe	80
PID 5052 wrote to memory of 1928	5052	v6494028.exe	81
PID 5052 wrote to memory of 1928	5052	v6494028.exe	81
PID 5052 wrote to memory of 1928	5052	v6494028.exe	81
PID 1928 wrote to memory of 604	1928	v6263782.exe	82
PID 1928 wrote to memory of 604	1928	v6263782.exe	82
PID 1928 wrote to memory of 604	1928	v6263782.exe	82
PID 604 wrote to memory of 544	604	v1077467.exe	83
PID 604 wrote to memory of 544	604	v1077467.exe	83
PID 604 wrote to memory of 544	604	v1077467.exe	83
PID 544 wrote to memory of 2928	544	v0868811.exe	84
PID 544 wrote to memory of 2928	544	v0868811.exe	84
PID 544 wrote to memory of 2928	544	v0868811.exe	84
PID 544 wrote to memory of 4416	544	v0868811.exe	87
PID 544 wrote to memory of 4416	544	v0868811.exe	87
PID 544 wrote to memory of 4416	544	v0868811.exe	87

C:\Users\Admin\AppData\Local\Temp\06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe
"C:\Users\Admin\AppData\Local\Temp\06be24414a87e69b3334233c8902b8d079e18222bf5137dddd01abc7937924bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6494028.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6494028.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6263782.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6263782.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1077467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1077467.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0868811.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0868811.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0949608.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0949608.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1080
        7⤵
        Program crash
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5923626.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5923626.exe
        6⤵
        Executes dropped EXE
        
        PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2928 -ip 2928
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6494028.exe

Filesize
1.4MB

MD5
27d297b0eddea8ff46abeec6b19af121

SHA1
5870c74ce1bd1847c53358636bffc4608c75cb9d

SHA256
b0663d0f691711bbf1f902c6429df23e5928476e42a154ecbcd1bd947270cef0

SHA512
27d7aa4ab14024dd365b2631d0f5cc6129d8f44a798343e910ff9d9e527e3e87b05df622c469d3e50890a52ff06679549dfd0bcecd5abac1ecd683ebb28745cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6494028.exe

Filesize
1.4MB

MD5
27d297b0eddea8ff46abeec6b19af121

SHA1
5870c74ce1bd1847c53358636bffc4608c75cb9d

SHA256
b0663d0f691711bbf1f902c6429df23e5928476e42a154ecbcd1bd947270cef0

SHA512
27d7aa4ab14024dd365b2631d0f5cc6129d8f44a798343e910ff9d9e527e3e87b05df622c469d3e50890a52ff06679549dfd0bcecd5abac1ecd683ebb28745cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6263782.exe

Filesize
914KB

MD5
668138367730a3f735fd29b14e67cfbf

SHA1
f4b8670ba775429d584cf4bc0933847f7bf29aa2

SHA256
693e165a7814f5ff3d2c51ec444c614ebb07f71b151df42136d65bdc37daa50f

SHA512
37abc4bd62d81b24ccba58082c832daae06b7ee39b62cd23b9f157395f4e505252912da5b2601a8fbd3a9d40390b1535d0455567cb3225dfbd44ac7c96c52d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6263782.exe

Filesize
914KB

MD5
668138367730a3f735fd29b14e67cfbf

SHA1
f4b8670ba775429d584cf4bc0933847f7bf29aa2

SHA256
693e165a7814f5ff3d2c51ec444c614ebb07f71b151df42136d65bdc37daa50f

SHA512
37abc4bd62d81b24ccba58082c832daae06b7ee39b62cd23b9f157395f4e505252912da5b2601a8fbd3a9d40390b1535d0455567cb3225dfbd44ac7c96c52d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1077467.exe

Filesize
709KB

MD5
bfcbdc07177d92597c59827b4c39c071

SHA1
3f6e5e89196066fae9ab1405e80d3948282c834d

SHA256
c80957b3e6186e09218d53456006e7c4864c6ab2a1c9e29ce101a08309d1d31a

SHA512
c8712d83c0eda16ea76b7c3e45d712b1dc0ad0d8f434ae11b973bee2d23009c2211404f0dc87a3e012c8ccfd48d7fc676745a8cda9698d3a010041b1214e0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1077467.exe

Filesize
709KB

MD5
bfcbdc07177d92597c59827b4c39c071

SHA1
3f6e5e89196066fae9ab1405e80d3948282c834d

SHA256
c80957b3e6186e09218d53456006e7c4864c6ab2a1c9e29ce101a08309d1d31a

SHA512
c8712d83c0eda16ea76b7c3e45d712b1dc0ad0d8f434ae11b973bee2d23009c2211404f0dc87a3e012c8ccfd48d7fc676745a8cda9698d3a010041b1214e0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0868811.exe

Filesize
418KB

MD5
fca3a82e6f233f49584f4ea948aaefb0

SHA1
07e0e5ae48991914c41c3933d8373f95cea6e27e

SHA256
224ce4eca093f873707ff5bc219c2118ab1801df492275df7231f2f943d05709

SHA512
f5454b0688cbbb5ae6113babbcc3fd13cc585512a372948aa206d8756e3fdb13b5cb452e56359cf5b9b0cd8ce81dde21e99643c532c3542adcdb70dd645a33be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0868811.exe

Filesize
418KB

MD5
fca3a82e6f233f49584f4ea948aaefb0

SHA1
07e0e5ae48991914c41c3933d8373f95cea6e27e

SHA256
224ce4eca093f873707ff5bc219c2118ab1801df492275df7231f2f943d05709

SHA512
f5454b0688cbbb5ae6113babbcc3fd13cc585512a372948aa206d8756e3fdb13b5cb452e56359cf5b9b0cd8ce81dde21e99643c532c3542adcdb70dd645a33be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0949608.exe

Filesize
361KB

MD5
f5ddc1754f4476932cd320263f7f0886

SHA1
7e9f6573965046c7188bd6c97813c1fc40938acf

SHA256
ee8168a50d2178f2daf6877a10835a1dc3e79f69a45b7042dad391c500ed793b

SHA512
5bf8cdf0694218b6667430bed1a47e013f6bf336fe8bd119f6fd98c54fe6882869f5b70831a940fbb9eb3f3142e36d912ee0526e9d9db97d63a77759e7fdd674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0949608.exe

Filesize
361KB

MD5
f5ddc1754f4476932cd320263f7f0886

SHA1
7e9f6573965046c7188bd6c97813c1fc40938acf

SHA256
ee8168a50d2178f2daf6877a10835a1dc3e79f69a45b7042dad391c500ed793b

SHA512
5bf8cdf0694218b6667430bed1a47e013f6bf336fe8bd119f6fd98c54fe6882869f5b70831a940fbb9eb3f3142e36d912ee0526e9d9db97d63a77759e7fdd674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5923626.exe

Filesize
136KB

MD5
8a1d49fee0d2eb864a70d8404546ffcd

SHA1
3a7c9b648a0bc25027e6d13cd8ada264141b4db9

SHA256
92caff062c36f621f9d38959a76c8625e8222bca0a87d14eae5b5dd294ca994a

SHA512
c266ca5a29933e5b7b187769d18f0c61a32fa1d98fdc5c0cfea84c601bfa75b113925e46a318d8d09bb11d23dd82bfce04aed194401278ea33e43807db34fd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5923626.exe

Filesize
136KB

MD5
8a1d49fee0d2eb864a70d8404546ffcd

SHA1
3a7c9b648a0bc25027e6d13cd8ada264141b4db9

SHA256
92caff062c36f621f9d38959a76c8625e8222bca0a87d14eae5b5dd294ca994a

SHA512
c266ca5a29933e5b7b187769d18f0c61a32fa1d98fdc5c0cfea84c601bfa75b113925e46a318d8d09bb11d23dd82bfce04aed194401278ea33e43807db34fd86

Download Submit
memory/2928-187-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-199-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-173-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2928-174-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-175-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-177-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-179-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-181-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-183-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-185-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-172-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2928-189-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-191-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-193-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-195-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-171-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2928-201-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-197-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/2928-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2928-203-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2928-204-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2928-205-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2928-207-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2928-169-0x0000000002240000-0x000000000226D000-memory.dmp

Filesize
180KB

Download
memory/2928-170-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/4416-214-0x0000000000CE0000-0x0000000000D08000-memory.dmp

Filesize
160KB

Download
memory/4416-215-0x0000000007F50000-0x0000000008568000-memory.dmp

Filesize
6.1MB

Download
memory/4416-216-0x00000000079F0000-0x0000000007A02000-memory.dmp

Filesize
72KB

Download
memory/4416-217-0x0000000007B20000-0x0000000007C2A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-218-0x0000000007A50000-0x0000000007A8C000-memory.dmp

Filesize
240KB

Download
memory/4416-219-0x0000000007DD0000-0x0000000007DE0000-memory.dmp

Filesize
64KB

Download
memory/4416-220-0x0000000007DD0000-0x0000000007DE0000-memory.dmp

Filesize
64KB

Download