redline | 06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96 | Triage

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:18 UTC

Sharing

Report Analysis Logs

General

Target

06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Size

746KB
MD5

6d42a5aa78213429190d0a0934dc6b24
SHA1

fd3d8d238440a2fab9cb6d5a9a93c741e1f2d8bf
SHA256

06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96
SHA512

b9722189ee2d67791996c6cfb182a52189c186b65e78df82ae9b4209faad150a9c41cc006dbd889a6d339fbbe18c3e216828dad963f66d53f9fc864431def0f6
SSDEEP

12288:9y90WArweOkO4mzxdXHxmGtHwSONtTEFNgxGuaq9jcBtgXPl8iVuGf4fBV25rW:9ymkMSzjBftHwSONtTEFNg7kgXNFVlMt

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

resource	yara_rule
behavioral2/memory/2628-987-0x00000000078E0000-0x0000000007EF8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

Modify Registry

Modify Existing Service

Disabling Security Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	53478779.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	53478779.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1136	un093638.exe
524	53478779.exe
2628	rk374421.exe

Windows security modification 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	53478779.exe

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un093638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un093638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4028	524	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	53478779.exe
524	53478779.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	53478779.exe
Token: SeDebugPrivilege	2628	rk374421.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1136	2468	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	83
PID 2468 wrote to memory of 1136	2468	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	83
PID 2468 wrote to memory of 1136	2468	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	83
PID 1136 wrote to memory of 524	1136	un093638.exe	84
PID 1136 wrote to memory of 524	1136	un093638.exe	84
PID 1136 wrote to memory of 524	1136	un093638.exe	84
PID 1136 wrote to memory of 2628	1136	un093638.exe	95
PID 1136 wrote to memory of 2628	1136	un093638.exe	95
PID 1136 wrote to memory of 2628	1136	un093638.exe	95

C:\Users\Admin\AppData\Local\Temp\06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
"C:\Users\Admin\AppData\Local\Temp\06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1040
      4⤵
      Program crash
      PID:4028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 524 -ip 524
1⤵
PID:1688

Network

GET

http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.crl

Remote address:

173.223.113.131:80

Request

GET /pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 2341
Content-Type: application/octet-stream
Content-MD5: O+jXXOVFpq1FWycJ67ndTg==
Last-Modified: Sat, 06 May 2023 18:29:07 GMT
ETag: 0x8DB4E5FC7545C9D
x-ms-request-id: 15ea2e0a-001e-0076-2b4a-80cdf8000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sat, 06 May 2023 21:11:29 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV311424bb.0
ms-cv-esi: CASMicrosoftCV311424bb.0
X-RTag: RT
DNS

254.161.241.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.161.241.8.in-addr.arpa

IN PTR

Response
DNS

76.38.195.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.38.195.152.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

42.220.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

42.220.44.20.in-addr.arpa

IN PTR

Response
DNS

14.103.197.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.103.197.20.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

233.141.123.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.141.123.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

2.36.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.36.159.162.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response

173.223.113.131:80

http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.crl

http

498 B
3.1kB
7
6

HTTP Request

GET http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.crl

HTTP Response

200
20.189.173.9:443

322 B
7
52.242.101.226:443

260 B
5
185.161.248.143:38452

rk374421.exe

260 B
5
52.242.101.226:443

260 B
5
185.161.248.143:38452

rk374421.exe

260 B
5
93.184.221.240:80

322 B
7
52.242.101.226:443

260 B
5
93.184.221.240:80

322 B
7
185.161.248.143:38452

rk374421.exe

260 B
5
20.54.89.15:443

260 B
5
185.161.248.143:38452

rk374421.exe

260 B
5
185.161.248.143:38452

rk374421.exe

260 B
5
185.161.248.143:38452

rk374421.exe

156 B
3

8.8.8.8:53

254.161.241.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.161.241.8.in-addr.arpa
8.8.8.8:53

76.38.195.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

76.38.195.152.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

42.220.44.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

42.220.44.20.in-addr.arpa
8.8.8.8:53

14.103.197.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.103.197.20.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

233.141.123.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

233.141.123.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

2.36.159.162.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

2.36.159.162.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
memory/524-164-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-150-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-152-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-153-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-156-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-154-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-158-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-160-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-162-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-151-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-166-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-168-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-170-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-172-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-174-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-176-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-178-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-180-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/524-182-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-183-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-184-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/524-149-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/524-148-0x0000000000900000-0x000000000092D000-memory.dmp

Filesize
180KB

Download
memory/2628-226-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-216-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-990-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-193-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-199-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-201-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-203-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-205-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-207-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-209-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-211-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-213-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-215-0x00000000009F0000-0x0000000000A36000-memory.dmp

Filesize
280KB

Download
memory/2628-192-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-197-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-220-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-217-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-222-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-224-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-988-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2628-987-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/2628-219-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-989-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-195-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-991-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2628-993-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-995-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-994-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-996-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download