redline | 06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe
Size

1.0MB
MD5

8559dc4b4c935e16dce9b3c56fb87ee5
SHA1

42b37881d55a9cff8534c7fda2286c6bd775bc95
SHA256

06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a
SHA512

7eb88f1d8eeb7c0712ab985ae2c2860724dc8bb78c0988cad1372310997fe9b1021f2b018313122e0b9424fcb3e206c7071067a3f192f5682bd0a424cf3ea75b
SSDEEP

24576:2yhhkLPHnfKkTCnxRw/JsImsi4nyrzb9JxT3B/n:FhhkLPHfZWxRQJxpyrzb1N/

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1732-995-0x00000000078B0000-0x0000000007EC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	94719278.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	94719278.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	94719278.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	94719278.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	94719278.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	94719278.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4440	za915788.exe
4172	za944897.exe
3500	94719278.exe
1732	w83SK94.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	94719278.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	94719278.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za915788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za915788.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za944897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za944897.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	94719278.exe
3500	94719278.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	94719278.exe
Token: SeDebugPrivilege	1732	w83SK94.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4440	2544	06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe	83
PID 2544 wrote to memory of 4440	2544	06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe	83
PID 2544 wrote to memory of 4440	2544	06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe	83
PID 4440 wrote to memory of 4172	4440	za915788.exe	84
PID 4440 wrote to memory of 4172	4440	za915788.exe	84
PID 4440 wrote to memory of 4172	4440	za915788.exe	84
PID 4172 wrote to memory of 3500	4172	za944897.exe	85
PID 4172 wrote to memory of 3500	4172	za944897.exe	85
PID 4172 wrote to memory of 3500	4172	za944897.exe	85
PID 4172 wrote to memory of 1732	4172	za944897.exe	87
PID 4172 wrote to memory of 1732	4172	za944897.exe	87
PID 4172 wrote to memory of 1732	4172	za944897.exe	87

C:\Users\Admin\AppData\Local\Temp\06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe
"C:\Users\Admin\AppData\Local\Temp\06f923789847124d5cf5af1c138cb8ca0acdba28915b51263c57a5e01bfe395a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za915788.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za915788.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za944897.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za944897.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\94719278.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\94719278.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83SK94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83SK94.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1732

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 2252 -i 2252 -h 448 -j 452 -s 460 -d 4780
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za915788.exe

Filesize
775KB

MD5
d2d0eb5fc1730dd8b4b5a60867ba0339

SHA1
57c4bbfdd19fdbe4f4f4d2fcab0196533589271e

SHA256
e83e740253077a2b455d22e7e580db98e4f4348ebfdc156a07b37eec30ed2e80

SHA512
0d647684049e910ebf6286124068071bd992374c5bd02cfe226acc9c93df8f50dc7515befa5296c16286c854585cfb93b7e7cd8ffdbbb44771457d20e229c6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za915788.exe

Filesize
775KB

MD5
d2d0eb5fc1730dd8b4b5a60867ba0339

SHA1
57c4bbfdd19fdbe4f4f4d2fcab0196533589271e

SHA256
e83e740253077a2b455d22e7e580db98e4f4348ebfdc156a07b37eec30ed2e80

SHA512
0d647684049e910ebf6286124068071bd992374c5bd02cfe226acc9c93df8f50dc7515befa5296c16286c854585cfb93b7e7cd8ffdbbb44771457d20e229c6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za944897.exe

Filesize
592KB

MD5
0738f122da5ea083d91a535be4d2d63a

SHA1
f6677a1c994047138bb8b43f5467ba3b3e7ae275

SHA256
5af40ba4b89f5c22aaac54abeb88611524622fee0af2b5fff821f7f12ae0d14e

SHA512
13f3f2d825d4271d78268dff35dfc83cade619f2c2afa5762066b5ac7fe193b6003d052eecf3a6abef01de8288fac0b20618bd1e35564cd843ec86fee79b0c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za944897.exe

Filesize
592KB

MD5
0738f122da5ea083d91a535be4d2d63a

SHA1
f6677a1c994047138bb8b43f5467ba3b3e7ae275

SHA256
5af40ba4b89f5c22aaac54abeb88611524622fee0af2b5fff821f7f12ae0d14e

SHA512
13f3f2d825d4271d78268dff35dfc83cade619f2c2afa5762066b5ac7fe193b6003d052eecf3a6abef01de8288fac0b20618bd1e35564cd843ec86fee79b0c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\94719278.exe

Filesize
377KB

MD5
cd74bfda8a7df788c9f3421b6c810a3a

SHA1
7aad29ed789b32b3efa67ac5da3027597ccd19e4

SHA256
879ed32cf0d8c805610d6a415e272a26a31708f464f93c8e1527beb432770614

SHA512
d4f33cea0c460317f3c02ae54f70973687623e9ab2a9b863f5d18fe3a5380ad8a25612eacb8cb4d31e931999dddbbf37ea5c7ab926169da3ae14e80e0c8e154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\94719278.exe

Filesize
377KB

MD5
cd74bfda8a7df788c9f3421b6c810a3a

SHA1
7aad29ed789b32b3efa67ac5da3027597ccd19e4

SHA256
879ed32cf0d8c805610d6a415e272a26a31708f464f93c8e1527beb432770614

SHA512
d4f33cea0c460317f3c02ae54f70973687623e9ab2a9b863f5d18fe3a5380ad8a25612eacb8cb4d31e931999dddbbf37ea5c7ab926169da3ae14e80e0c8e154a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83SK94.exe

Filesize
459KB

MD5
ecd5c9208701e9d74a5ad2b714155bd3

SHA1
27fdf77bdeabacf3fa027d3db5c6105004901f14

SHA256
c6fde9050eb858d97515c324565ccba43ef49bde77b7e83f2f62ad09b2e7e115

SHA512
495217cc5a44df5081c5ae1b11a38bf120c34a8167dfc1d0b5c84ef5c1a437919265d53e8675e14921e2b6c4971cf3bd4c0eb2d52e33cbabf4f80bae5f1c0c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w83SK94.exe

Filesize
459KB

MD5
ecd5c9208701e9d74a5ad2b714155bd3

SHA1
27fdf77bdeabacf3fa027d3db5c6105004901f14

SHA256
c6fde9050eb858d97515c324565ccba43ef49bde77b7e83f2f62ad09b2e7e115

SHA512
495217cc5a44df5081c5ae1b11a38bf120c34a8167dfc1d0b5c84ef5c1a437919265d53e8675e14921e2b6c4971cf3bd4c0eb2d52e33cbabf4f80bae5f1c0c00

Download Submit
memory/1732-463-0x0000000000940000-0x0000000000986000-memory.dmp

Filesize
280KB

Download
memory/1732-220-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-998-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-997-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1732-996-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/1732-995-0x00000000078B0000-0x0000000007EC8000-memory.dmp

Filesize
6.1MB

Download
memory/1732-468-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-1001-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-467-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-464-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-206-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-226-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-228-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-230-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-224-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-999-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1732-222-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-216-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-218-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-214-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-212-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-210-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-204-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-1002-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-1003-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/1732-199-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-200-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-202-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/1732-208-0x0000000005390000-0x00000000053C5000-memory.dmp

Filesize
212KB

Download
memory/3500-170-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-193-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3500-191-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3500-190-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3500-189-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3500-188-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3500-187-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3500-186-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3500-185-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/3500-184-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-182-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-180-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-178-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-176-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-174-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-172-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-168-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-166-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-164-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-162-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-160-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-158-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-157-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3500-156-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/3500-155-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download