redline | 019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe
Size

689KB
MD5

142d27ea7ab5ab4a5ed11664f5f38b40
SHA1

3aaf5c6aa9dcbe6b6a5dabc092bfcc18dc439457
SHA256

019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa
SHA512

d5c7e33949c6ee07cccb02a80008e6e6e7bc6f1e4af6ece10b2062584c02910844d220966996c8884515315f43b7f5ad9c4764a7222d6bc482e3933d06e37a7b
SSDEEP

12288:0y90qQQj+Tz6edLdYGw4rQ7ExQBdzZIJbQ/17gQl+OFbrLbr6j67LTpUM43FAF:0y0QWHdLdy487EizZqG17gQZFb3br6js

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4100-988-0x0000000007650000-0x0000000007C68000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	51749761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	51749761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	51749761.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	51749761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	51749761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	51749761.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1428	un231618.exe
2292	51749761.exe
4100	rk751446.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	51749761.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	51749761.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un231618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un231618.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4572	2292	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	51749761.exe
2292	51749761.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	51749761.exe
Token: SeDebugPrivilege	4100	rk751446.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1428	2184	019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe	83
PID 2184 wrote to memory of 1428	2184	019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe	83
PID 2184 wrote to memory of 1428	2184	019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe	83
PID 1428 wrote to memory of 2292	1428	un231618.exe	84
PID 1428 wrote to memory of 2292	1428	un231618.exe	84
PID 1428 wrote to memory of 2292	1428	un231618.exe	84
PID 1428 wrote to memory of 4100	1428	un231618.exe	88
PID 1428 wrote to memory of 4100	1428	un231618.exe	88
PID 1428 wrote to memory of 4100	1428	un231618.exe	88

C:\Users\Admin\AppData\Local\Temp\019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe
"C:\Users\Admin\AppData\Local\Temp\019b76da6b9ccbf4c3934669ef671db5abb6e079beadb6af8ce181490447afaa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un231618.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un231618.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51749761.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51749761.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1100
      4⤵
      Program crash
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk751446.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk751446.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2292 -ip 2292
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un231618.exe

Filesize
536KB

MD5
13ed61a9ee566c847e8ce2fa3a115669

SHA1
d00d782eecc722b74c5d6a98fe4d0a9faf27ff2a

SHA256
8386a8a5bc46556ce1cae3d95984e62070f4c38c9abeedf8fcf59c5b4ce3c78d

SHA512
60932caed18f5b6536dba022224c9c624d5ac9ec7a613632267b73f3a972d5992d9a18258956eb5fd24127e424bb0716f196c3c5b288162618c4c73c839a002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un231618.exe

Filesize
536KB

MD5
13ed61a9ee566c847e8ce2fa3a115669

SHA1
d00d782eecc722b74c5d6a98fe4d0a9faf27ff2a

SHA256
8386a8a5bc46556ce1cae3d95984e62070f4c38c9abeedf8fcf59c5b4ce3c78d

SHA512
60932caed18f5b6536dba022224c9c624d5ac9ec7a613632267b73f3a972d5992d9a18258956eb5fd24127e424bb0716f196c3c5b288162618c4c73c839a002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51749761.exe

Filesize
259KB

MD5
68c156ad0a5c61b27570c007695b2893

SHA1
78d14907756cd6ccac0a953ec9af7073c36eddb8

SHA256
8874c20715be3c5cf4d6ba3ba18b3249f838c4385f69457a1a63705b3cc571c3

SHA512
c3f9944406477703c14ecea338a9e32c7ddab9e978e719b9d548a4ca2c746ebb5887715a9ac23bb3285a5af3abf7d5e349f809be008edf45609ccc8ebc8f970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\51749761.exe

Filesize
259KB

MD5
68c156ad0a5c61b27570c007695b2893

SHA1
78d14907756cd6ccac0a953ec9af7073c36eddb8

SHA256
8874c20715be3c5cf4d6ba3ba18b3249f838c4385f69457a1a63705b3cc571c3

SHA512
c3f9944406477703c14ecea338a9e32c7ddab9e978e719b9d548a4ca2c746ebb5887715a9ac23bb3285a5af3abf7d5e349f809be008edf45609ccc8ebc8f970d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk751446.exe

Filesize
341KB

MD5
ece6636e4bea2f2c09da6464d05744d9

SHA1
91fe9a92d46ebdc3827c22866c333a80255f74ef

SHA256
e61656c0f7ae84299f16483372cc09ded3b58681829920d1e4e2277b3d9e03ab

SHA512
f85d0b4fa0aacde2a0f1890775524d3c364fddf991a254bfb918c08dcb43cfc645346bc7bfca19c1ba234c161a77113b4b69948a16852b61bf72538e3e6669d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk751446.exe

Filesize
341KB

MD5
ece6636e4bea2f2c09da6464d05744d9

SHA1
91fe9a92d46ebdc3827c22866c333a80255f74ef

SHA256
e61656c0f7ae84299f16483372cc09ded3b58681829920d1e4e2277b3d9e03ab

SHA512
f85d0b4fa0aacde2a0f1890775524d3c364fddf991a254bfb918c08dcb43cfc645346bc7bfca19c1ba234c161a77113b4b69948a16852b61bf72538e3e6669d2

Download Submit
memory/2292-163-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-150-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2292-152-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2292-153-0x0000000004B60000-0x0000000005104000-memory.dmp

Filesize
5.6MB

Download
memory/2292-155-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-154-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-157-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-159-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-161-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-151-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2292-165-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-167-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-169-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-171-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-173-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-175-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-177-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-179-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-181-0x0000000002520000-0x0000000002533000-memory.dmp

Filesize
76KB

Download
memory/2292-182-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2292-183-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2292-185-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2292-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2292-149-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2292-148-0x0000000000530000-0x000000000055D000-memory.dmp

Filesize
180KB

Download
memory/4100-227-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-217-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-991-0x0000000004B90000-0x0000000004BCC000-memory.dmp

Filesize
240KB

Download
memory/4100-194-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-200-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-202-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-204-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-206-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-207-0x00000000008E0000-0x0000000000926000-memory.dmp

Filesize
280KB

Download
memory/4100-210-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-208-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4100-211-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4100-213-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-193-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-198-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-221-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-215-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-223-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-225-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-989-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/4100-988-0x0000000007650000-0x0000000007C68000-memory.dmp

Filesize
6.1MB

Download
memory/4100-219-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-990-0x0000000007C70000-0x0000000007D7A000-memory.dmp

Filesize
1.0MB

Download
memory/4100-196-0x00000000024B0000-0x00000000024E5000-memory.dmp

Filesize
212KB

Download
memory/4100-992-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4100-994-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4100-995-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4100-996-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4100-997-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download