redline | 074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
Size

703KB
MD5

ceaf0ce3b0036d2e17a179a1eec7ddc0
SHA1

40367912bcfce0c977206a4070a79910e4703d31
SHA256

074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e
SHA512

ea608b1108c33702c55342c005e7b5d200eb37e961159ac6476c0278a5f9ac2ecedfefec496e72715770948d556a1d0ccf15c1dd0f38305f1886c4885043c592
SSDEEP

12288:Zy90+2YJFXNbwRip07UYqLTec2VKtWI1zzC9MIznMqo/KbdtdGT:ZyXBw1UpL0KZ/MMIDp7dHGT

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/744-987-0x0000000009C70000-0x000000000A288000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr315516.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr315516.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3068	un363612.exe
1348	pr315516.exe
744	qu134620.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr315516.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr315516.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un363612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un363612.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1272	1348	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	pr315516.exe
1348	pr315516.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	pr315516.exe
Token: SeDebugPrivilege	744	qu134620.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 3068	4420	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	85
PID 4420 wrote to memory of 3068	4420	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	85
PID 4420 wrote to memory of 3068	4420	074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe	85
PID 3068 wrote to memory of 1348	3068	un363612.exe	86
PID 3068 wrote to memory of 1348	3068	un363612.exe	86
PID 3068 wrote to memory of 1348	3068	un363612.exe	86
PID 3068 wrote to memory of 744	3068	un363612.exe	92
PID 3068 wrote to memory of 744	3068	un363612.exe	92
PID 3068 wrote to memory of 744	3068	un363612.exe	92

C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe
"C:\Users\Admin\AppData\Local\Temp\074530f56e76ca5cecc69ae25ee1236b382b323392a71307f34e66340880bf3e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1080
      4⤵
      Program crash
      PID:1272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1348 -ip 1348
1⤵
PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

Filesize
549KB

MD5
592280f75e4c1d6252c30fcd978b428b

SHA1
6590d2b253f55789079e2fcfedb2d2d0cf8ed919

SHA256
35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351

SHA512
564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un363612.exe

Filesize
549KB

MD5
592280f75e4c1d6252c30fcd978b428b

SHA1
6590d2b253f55789079e2fcfedb2d2d0cf8ed919

SHA256
35009834caa4936e938a0af163004a50ff15edf06d722a06c5429526f4349351

SHA512
564eb8a927c6486ec0125900cc1b7d0eee27d3df31e7a779ee176d1588e527a018cc15de92831a9941ff0494624e907ec09bdb2a0c91289bc709c6a222900e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr315516.exe

Filesize
278KB

MD5
ea129ae4e2eec913a0abb8a1860e383d

SHA1
cc11444a5348d0948ccfb353ddfc0199d4f79897

SHA256
faecfb7874997a37e0096fe2b4434fbc333d96797b6fa70b69b9d260365dc752

SHA512
88f2adbffa90bd21186c8818dab9e74884d401d7364c8c520e7884620ca9e24a403a1ca1f73c9d7ea2adbb33b0c3baf0fe6d35d8e134e2326449b06ba24d012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu134620.exe

Filesize
361KB

MD5
dbd9429a188264660be8c2063838216e

SHA1
0755dfb277703fc264026eedffa4d6ce2f211536

SHA256
4fd3dfa285930f483efcc8694bbc41d006321540f053ff7b42a14d96ddd567a9

SHA512
60aabab3d8fc5e7833c6f4317d5f10aa8435743ec42411bed0c6911d28eb499a39cd9a674d0b23689d84922c0e473020043be28e9fc22d70af24285c8cc7e513

Download Submit
memory/744-218-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-222-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-996-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-995-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-192-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-993-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-196-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-990-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/744-989-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/744-988-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/744-987-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/744-230-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-225-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-227-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-226-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-224-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/744-220-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-216-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-214-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-212-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-208-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-194-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-206-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-204-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-200-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-191-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-994-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-991-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/744-210-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-198-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/744-202-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/1348-150-0x0000000007170000-0x0000000007714000-memory.dmp

Filesize
5.6MB

Download
memory/1348-183-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1348-149-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1348-184-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1348-186-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1348-182-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1348-181-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1348-172-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-148-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/1348-179-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1348-151-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-152-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-174-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-176-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-180-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1348-170-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-168-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-166-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-164-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-162-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-160-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-158-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-156-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-154-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/1348-178-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download