redline | 06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Size

746KB
MD5

6d42a5aa78213429190d0a0934dc6b24
SHA1

fd3d8d238440a2fab9cb6d5a9a93c741e1f2d8bf
SHA256

06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96
SHA512

b9722189ee2d67791996c6cfb182a52189c186b65e78df82ae9b4209faad150a9c41cc006dbd889a6d339fbbe18c3e216828dad963f66d53f9fc864431def0f6
SSDEEP

12288:9y90WArweOkO4mzxdXHxmGtHwSONtTEFNgxGuaq9jcBtgXPl8iVuGf4fBV25rW:9ymkMSzjBftHwSONtTEFNg7kgXNFVlMt

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2628-987-0x00000000078E0000-0x0000000007EF8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	53478779.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	53478779.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1136	un093638.exe
524	53478779.exe
2628	rk374421.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	53478779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	53478779.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un093638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un093638.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4028	524	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	53478779.exe
524	53478779.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	53478779.exe
Token: SeDebugPrivilege	2628	rk374421.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1136	2468	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	83
PID 2468 wrote to memory of 1136	2468	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	83
PID 2468 wrote to memory of 1136	2468	06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe	83
PID 1136 wrote to memory of 524	1136	un093638.exe	84
PID 1136 wrote to memory of 524	1136	un093638.exe	84
PID 1136 wrote to memory of 524	1136	un093638.exe	84
PID 1136 wrote to memory of 2628	1136	un093638.exe	95
PID 1136 wrote to memory of 2628	1136	un093638.exe	95
PID 1136 wrote to memory of 2628	1136	un093638.exe	95

C:\Users\Admin\AppData\Local\Temp\06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe
"C:\Users\Admin\AppData\Local\Temp\06963107e2991f18b4ee70d8bcad3b3ef13166c1b1ee34993cba2208f7834d96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1040
      4⤵
      Program crash
      PID:4028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 524 -ip 524
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un093638.exe

Filesize
591KB

MD5
24b1cd9c4ccc60ba3566beccb1109306

SHA1
dd3caaa312cf66ac02419e6e88ac54e0453e6d47

SHA256
383e66da59f46ff6d582429855628930413245a1272de94c178d93512d3b6a5a

SHA512
d2f9bdf2c2a6628b504eb83506f36ca4e60c2b53c3c5b8440322cf192dfcc3356ec9a2358f3c5cb6a4457699630426050c7f299e228978279c13fd1a555f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53478779.exe

Filesize
376KB

MD5
d20bd233473781a8759e9b4ea94e8a16

SHA1
8f93c9514cdc77d6124c180e2f1fe16f97fe43d9

SHA256
5193247b883b1d5d4b6f03348186d926ab7ffe4f931db76c8d5699cda0e92740

SHA512
a1b0d44fac8fd6c439c8e6a3426cb0f21327323fb8646b4feeb6faa7c935a079c8bc82c9ede31b0df4b9a457da46cdacd640217108ac04de5648ee312755676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk374421.exe

Filesize
459KB

MD5
ad973c92036e4c84e4f20035e8892c2a

SHA1
eee57cdf949ebf435a5427ed79992e676979ef49

SHA256
c8daa664653aa59954af42734fcf66e8635172b09a02ec38960239960e509fb2

SHA512
94a4cdd400a459c8af02c700f3133b865eea8b61c8c3fc3f48152396977907dd9578ac6e31817d0c4ca3f002a3cf20c5c5204a96e487d6b52b1833d4db19be6d

Download Submit
memory/524-164-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-150-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-152-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-153-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-156-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-154-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-158-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-160-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-162-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-151-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-166-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-168-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-170-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-172-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-174-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-176-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-178-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-180-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/524-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/524-182-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-183-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-184-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/524-186-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/524-149-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/524-148-0x0000000000900000-0x000000000092D000-memory.dmp

Filesize
180KB

Download
memory/2628-226-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-216-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-990-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-193-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-199-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-201-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-203-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-205-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-207-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-209-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-211-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-213-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-215-0x00000000009F0000-0x0000000000A36000-memory.dmp

Filesize
280KB

Download
memory/2628-192-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-197-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-220-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-217-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-222-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-224-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-988-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2628-987-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/2628-219-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-989-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-195-0x0000000004DF0000-0x0000000004E25000-memory.dmp

Filesize
212KB

Download
memory/2628-991-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2628-993-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-995-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-994-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2628-996-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download