redline | 07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe
Size

998KB
MD5

36b259cc7f82e5771bfc00fd2d94b885
SHA1

0fbf7c4f6caafd33c6ef1844b7a239499e35ef00
SHA256

07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338
SHA512

790a2d876eba3ae2dfaca21710f06b526a83980abd3afbf9bbaafa9e70bbcea47e7b489a48e5676cc7e7bef2fdd6a109435ed9481a681c153fd7e59fefeeb9c5
SSDEEP

24576:hyLgsllIlL7nKOGLSwLnc0SIGwErHCbytD70:ULgsizAS6c0jGwHbYD

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4116-999-0x0000000007990000-0x0000000007FA8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	184357238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	184357238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	184357238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	184357238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	184357238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	184357238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1904	ZR363723.exe
4476	AN544097.exe
3396	184357238.exe
4116	277149504.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	184357238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	184357238.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ZR363723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ZR363723.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AN544097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	AN544097.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3396	184357238.exe
3396	184357238.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	184357238.exe
Token: SeDebugPrivilege	4116	277149504.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 1904	4536	07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe	85
PID 4536 wrote to memory of 1904	4536	07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe	85
PID 4536 wrote to memory of 1904	4536	07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe	85
PID 1904 wrote to memory of 4476	1904	ZR363723.exe	86
PID 1904 wrote to memory of 4476	1904	ZR363723.exe	86
PID 1904 wrote to memory of 4476	1904	ZR363723.exe	86
PID 4476 wrote to memory of 3396	4476	AN544097.exe	87
PID 4476 wrote to memory of 3396	4476	AN544097.exe	87
PID 4476 wrote to memory of 3396	4476	AN544097.exe	87
PID 4476 wrote to memory of 4116	4476	AN544097.exe	89
PID 4476 wrote to memory of 4116	4476	AN544097.exe	89
PID 4476 wrote to memory of 4116	4476	AN544097.exe	89

C:\Users\Admin\AppData\Local\Temp\07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe
"C:\Users\Admin\AppData\Local\Temp\07da23b9aa46368ec03210670782e8fe34bc733ba6184c69bc0fa98a8cd2d338.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZR363723.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZR363723.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AN544097.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AN544097.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\184357238.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\184357238.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\277149504.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\277149504.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZR363723.exe

Filesize
769KB

MD5
0f81b9f80c1229c1074db19b197765c2

SHA1
b250f1d525856e613fbc86f364f25243b03fdce6

SHA256
5dc84e93463d5eb0eb6d318d8e60ade985e3def735f2846b5bb4f3988f9e14c7

SHA512
1653599ca1b763120389301aa5d75dca6ff2a3bc1e67570b5d35a111ff0f5c9f71695ac109772526aa8a2b20ad8032c34ef6649d52a21f3624dcf19b075a9f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZR363723.exe

Filesize
769KB

MD5
0f81b9f80c1229c1074db19b197765c2

SHA1
b250f1d525856e613fbc86f364f25243b03fdce6

SHA256
5dc84e93463d5eb0eb6d318d8e60ade985e3def735f2846b5bb4f3988f9e14c7

SHA512
1653599ca1b763120389301aa5d75dca6ff2a3bc1e67570b5d35a111ff0f5c9f71695ac109772526aa8a2b20ad8032c34ef6649d52a21f3624dcf19b075a9f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AN544097.exe

Filesize
597KB

MD5
e66eac9328ed6d89e106c5ae7fb8328b

SHA1
78ef242df2b5bf034729f6768543f7e6817f0351

SHA256
862d2aa4bee82bd43aa8906240db0a440d4e929c8be80f0bf1de838014bbb92e

SHA512
d53841efd0b8b7bd89b4fc9dfe93e51b9c0469790942249eaf1ba851c52e36a874fb5788f527a8b404cf639e8447e6414dfe09a73856689935f90ccd66da3ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AN544097.exe

Filesize
597KB

MD5
e66eac9328ed6d89e106c5ae7fb8328b

SHA1
78ef242df2b5bf034729f6768543f7e6817f0351

SHA256
862d2aa4bee82bd43aa8906240db0a440d4e929c8be80f0bf1de838014bbb92e

SHA512
d53841efd0b8b7bd89b4fc9dfe93e51b9c0469790942249eaf1ba851c52e36a874fb5788f527a8b404cf639e8447e6414dfe09a73856689935f90ccd66da3ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\184357238.exe

Filesize
390KB

MD5
7cda122d869d11f7c91fe6d606b02747

SHA1
ecb87c79b46b997df7e44843a6e0e260aa78a4e7

SHA256
d39fbd1875109df5f99ccd3498e534d596e5ea78f8b585ad57958187bf7afff1

SHA512
373b7630e51aeca33a844b7aa8013ca5bf8ada992bba64f7e5e9321dad6b8dae0504be517a5c9fb019be90efd6aa11b0b9ec0527682ad54d9ea1097eb7060de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\184357238.exe

Filesize
390KB

MD5
7cda122d869d11f7c91fe6d606b02747

SHA1
ecb87c79b46b997df7e44843a6e0e260aa78a4e7

SHA256
d39fbd1875109df5f99ccd3498e534d596e5ea78f8b585ad57958187bf7afff1

SHA512
373b7630e51aeca33a844b7aa8013ca5bf8ada992bba64f7e5e9321dad6b8dae0504be517a5c9fb019be90efd6aa11b0b9ec0527682ad54d9ea1097eb7060de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\277149504.exe

Filesize
473KB

MD5
9a2e8b3986286a2f77e7d9d40f0d6951

SHA1
896f348bd33d486ce270e297b88d5e4de480aff1

SHA256
a8c4bb37fe1948144330f6245ddb4a0fc37ce85eca660be6dbd15faa7509c260

SHA512
f43d26afa879292d0efbd0206e480347251b8361c7e0a4a453dad09166d9098dc23694a03c11f16d8b310ad5b6327382ab2e7cda2bcca1d5fe403ea1037fe261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\277149504.exe

Filesize
473KB

MD5
9a2e8b3986286a2f77e7d9d40f0d6951

SHA1
896f348bd33d486ce270e297b88d5e4de480aff1

SHA256
a8c4bb37fe1948144330f6245ddb4a0fc37ce85eca660be6dbd15faa7509c260

SHA512
f43d26afa879292d0efbd0206e480347251b8361c7e0a4a453dad09166d9098dc23694a03c11f16d8b310ad5b6327382ab2e7cda2bcca1d5fe403ea1037fe261

Download Submit
memory/3396-155-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download
memory/3396-156-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/3396-158-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3396-157-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3396-159-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3396-160-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/3396-161-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-162-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-164-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-166-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-168-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-170-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-172-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-174-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-176-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-178-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-180-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-182-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-184-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-186-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-188-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/3396-189-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download
memory/3396-191-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3396-192-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3396-193-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3396-198-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4116-203-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-204-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-206-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-208-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-210-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-212-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-214-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-216-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-218-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-220-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-222-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-224-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-226-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-228-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-230-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-232-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/4116-243-0x0000000000970000-0x00000000009B6000-memory.dmp

Filesize
280KB

Download
memory/4116-245-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-247-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-249-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-999-0x0000000007990000-0x0000000007FA8000-memory.dmp

Filesize
6.1MB

Download
memory/4116-1000-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/4116-1001-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/4116-1002-0x00000000080C0000-0x00000000080FC000-memory.dmp

Filesize
240KB

Download
memory/4116-1003-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-1005-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-1006-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-1007-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4116-1008-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download