redline | 06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
Size

747KB
MD5

bf11028a9e04429e455cf58ded552c33
SHA1

56ab4b5e04bc8974db09cace011dbf6bf14d7ec8
SHA256

06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8
SHA512

351a3aa741f3e5169347971c4717a30261302baa4b309d9a8aaf5f730d239d66af4f380e21f0aefee7752a43eb88f39193450a31cf353591ffeccd5726d8428d
SSDEEP

12288:Jy90CSWL2KN4I/DL9C3kb8tzqbMIPV4wuP9FUGiARO9RYBtAmXuSLdMid1lCG:JyzSW6g/9CUb8tzq4IPVK9F9ipoAmXzj

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/752-986-0x0000000007A80000-0x0000000008098000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	99332290.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
5100	un461277.exe
4912	99332290.exe
752	rk005766.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	99332290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	99332290.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un461277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un461277.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
412	4912	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4912	99332290.exe
4912	99332290.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	99332290.exe
Token: SeDebugPrivilege	752	rk005766.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 5100	1232	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	85
PID 1232 wrote to memory of 5100	1232	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	85
PID 1232 wrote to memory of 5100	1232	06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe	85
PID 5100 wrote to memory of 4912	5100	un461277.exe	86
PID 5100 wrote to memory of 4912	5100	un461277.exe	86
PID 5100 wrote to memory of 4912	5100	un461277.exe	86
PID 5100 wrote to memory of 752	5100	un461277.exe	89
PID 5100 wrote to memory of 752	5100	un461277.exe	89
PID 5100 wrote to memory of 752	5100	un461277.exe	89

C:\Users\Admin\AppData\Local\Temp\06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe
"C:\Users\Admin\AppData\Local\Temp\06dde7c50269c70b91806f90c5b2438e4edcbf645f733349d452def46bdf7bf8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1080
      4⤵
      Program crash
      PID:412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4912 -ip 4912
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe

Filesize
592KB

MD5
8b7b15854936f57225667578a79ee2e1

SHA1
9a30ae196f01fd455b6e2f638f5f806daf03b1a7

SHA256
87bd121f389874788d90c7f96e039d7a58f06d7600fbeea42ea8812b54af6251

SHA512
176f5eb6a30604b814bce0753fcb9735f6271bc1af7e58684d9a670b5ed58e5494e02985ccf974712c6e10e3e035578929233ffd023772c3bb86d05e922a0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un461277.exe

Filesize
592KB

MD5
8b7b15854936f57225667578a79ee2e1

SHA1
9a30ae196f01fd455b6e2f638f5f806daf03b1a7

SHA256
87bd121f389874788d90c7f96e039d7a58f06d7600fbeea42ea8812b54af6251

SHA512
176f5eb6a30604b814bce0753fcb9735f6271bc1af7e58684d9a670b5ed58e5494e02985ccf974712c6e10e3e035578929233ffd023772c3bb86d05e922a0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99332290.exe

Filesize
376KB

MD5
c67f301303ed143dad3f0053b754ab86

SHA1
e3be7b6f463b705f538e8c13c8f90004dda01239

SHA256
ce54846fdafdd44540d486217224cb8b02d0fb0fa337386e228d2ed562290d54

SHA512
90b5b5cefafde070b00723529313e60ac941ec43a4d03865008190a6648a503b9566e4baee914cc27ebdcd3faff33950219e6f3a3212e0b277cf0e23a5d077fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk005766.exe

Filesize
459KB

MD5
584a1f3abf5239460a2f3e3a3272e086

SHA1
f7ff95cefa51c7dae09da93eacfc45bc58f02e44

SHA256
21a817006dbc9ec175bfca0db3f4572bbf85e77e0b2e29aea121cd36e894e0e3

SHA512
bcf39f06012f6ad3b8cdce117c3d28d2541669a52ad2241edf07801658aff5b5ecf4ddb5feae6f13e48631d4db82c28d4e0b7a587db12c82930b194aa2b3c857

Download Submit
memory/752-218-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-224-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-994-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/752-993-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/752-992-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/752-990-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/752-989-0x00000000081F0000-0x000000000822C000-memory.dmp

Filesize
240KB

Download
memory/752-191-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-987-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/752-196-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-986-0x0000000007A80000-0x0000000008098000-memory.dmp

Filesize
6.1MB

Download
memory/752-242-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/752-240-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/752-238-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/752-194-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-198-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-222-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-220-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-216-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-214-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-212-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-210-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-208-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-206-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-204-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-192-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-202-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/752-988-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/752-200-0x0000000004F00000-0x0000000004F35000-memory.dmp

Filesize
212KB

Download
memory/4912-178-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-166-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-151-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-149-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4912-150-0x0000000004E70000-0x0000000005414000-memory.dmp

Filesize
5.6MB

Download
memory/4912-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4912-185-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4912-184-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4912-182-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4912-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4912-148-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4912-180-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4912-179-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4912-176-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-174-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-172-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-170-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-168-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-164-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-162-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-160-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-158-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-156-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-154-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4912-152-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download