redline | 0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe
Size

695KB
MD5

54f470332995bbff2ecd0c2f581a8a6e
SHA1

8a526e125a5e0ba129b9519f9c792cece7d49f0b
SHA256

0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1
SHA512

103a02f2c2b480c0b5239bc26765845a60fa01c68d1b447f28f68aa66ff2ca6d6b30b2b142dc7c87c765ad59dc49a38c878850082d7e3197575686973c009965
SSDEEP

12288:Fy90YP6ZGvDKdGwzDlg34eXbM1hcOkBVatgbUw5vleu2K5CQ1L4lu:Fyh5DKbpg34e4XcrB8tgbUsWK5CQ1L4w

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2056-983-0x0000000009C70000-0x000000000A288000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	08512672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	08512672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	08512672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	08512672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	08512672.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	08512672.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1336	un727372.exe
904	08512672.exe
2056	rk073402.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	08512672.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	08512672.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un727372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un727372.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	904	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	08512672.exe
904	08512672.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	08512672.exe
Token: SeDebugPrivilege	2056	rk073402.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1336	2232	0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe	84
PID 2232 wrote to memory of 1336	2232	0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe	84
PID 2232 wrote to memory of 1336	2232	0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe	84
PID 1336 wrote to memory of 904	1336	un727372.exe	85
PID 1336 wrote to memory of 904	1336	un727372.exe	85
PID 1336 wrote to memory of 904	1336	un727372.exe	85
PID 1336 wrote to memory of 2056	1336	un727372.exe	88
PID 1336 wrote to memory of 2056	1336	un727372.exe	88
PID 1336 wrote to memory of 2056	1336	un727372.exe	88

C:\Users\Admin\AppData\Local\Temp\0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe
"C:\Users\Admin\AppData\Local\Temp\0220dea699c0b24d414c5cd1c3c7ae689b2d5fb3ccf5f928349b3ce995622be1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727372.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727372.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08512672.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08512672.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1064
      4⤵
      Program crash
      PID:1476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk073402.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk073402.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 904 -ip 904
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727372.exe

Filesize
541KB

MD5
7238983b31ec089952a4d3d1cdbfbb82

SHA1
c35ba4ed00a3ea45c0c10e6bab307e473494ce7a

SHA256
edf8a2c94b1116243f9aabd3e93c1103e87fbda140dd215d42a4abf7e97fa307

SHA512
c631d3cadd645a2a1a054c9b2c66b8e27dde77fbb2a95ebb274fb4ab2491d86c90c1eff378d76da9709c14440947954e9d5712e688ced6515c58881798576e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un727372.exe

Filesize
541KB

MD5
7238983b31ec089952a4d3d1cdbfbb82

SHA1
c35ba4ed00a3ea45c0c10e6bab307e473494ce7a

SHA256
edf8a2c94b1116243f9aabd3e93c1103e87fbda140dd215d42a4abf7e97fa307

SHA512
c631d3cadd645a2a1a054c9b2c66b8e27dde77fbb2a95ebb274fb4ab2491d86c90c1eff378d76da9709c14440947954e9d5712e688ced6515c58881798576e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08512672.exe

Filesize
257KB

MD5
f061c2735ec563a0420ee464f4f25d4d

SHA1
5ea73d13199959a8b136a2a7fb6d395b621a1d01

SHA256
173f7030d2196d372e4431d358ba2200debfcf81877e3711270782ded98838cc

SHA512
a879761607c61929365cc2ddcc5632ae2395edb8dfa7622020a789f8888da140e116acf66883e75938d4dc88083f993d7a6980fe2f0cfcaae641e8a85841f9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\08512672.exe

Filesize
257KB

MD5
f061c2735ec563a0420ee464f4f25d4d

SHA1
5ea73d13199959a8b136a2a7fb6d395b621a1d01

SHA256
173f7030d2196d372e4431d358ba2200debfcf81877e3711270782ded98838cc

SHA512
a879761607c61929365cc2ddcc5632ae2395edb8dfa7622020a789f8888da140e116acf66883e75938d4dc88083f993d7a6980fe2f0cfcaae641e8a85841f9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk073402.exe

Filesize
340KB

MD5
b136feffa3fb5dcd281971ac4d965071

SHA1
5c92f588f218924fd6ca2e35a2d9116735d4077e

SHA256
250686c5e4f5cb357758182a6e74d70bc7f03f2d450fdf872338009d052adf36

SHA512
3d80adcab8ce9fb73fe8af5495dfef5c6e568840f5ec77eb5c51ceb1b7859482c62411de8fc02bdebcfe86360e41628df7374190c312a90ae2ddd3870162a882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk073402.exe

Filesize
340KB

MD5
b136feffa3fb5dcd281971ac4d965071

SHA1
5c92f588f218924fd6ca2e35a2d9116735d4077e

SHA256
250686c5e4f5cb357758182a6e74d70bc7f03f2d450fdf872338009d052adf36

SHA512
3d80adcab8ce9fb73fe8af5495dfef5c6e568840f5ec77eb5c51ceb1b7859482c62411de8fc02bdebcfe86360e41628df7374190c312a90ae2ddd3870162a882

Download Submit
memory/904-148-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/904-149-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/904-150-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/904-151-0x00000000072C0000-0x0000000007864000-memory.dmp

Filesize
5.6MB

Download
memory/904-152-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-153-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-155-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-157-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-159-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-163-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-161-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-165-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-167-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-169-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-171-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-173-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-175-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-177-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-179-0x0000000007110000-0x0000000007123000-memory.dmp

Filesize
76KB

Download
memory/904-180-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/904-182-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2056-187-0x0000000002C90000-0x0000000002CD6000-memory.dmp

Filesize
280KB

Download
memory/2056-188-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-189-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-191-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-190-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-192-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-194-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-196-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-198-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-200-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-202-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-204-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-206-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-208-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-210-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-212-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-214-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-216-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-218-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-220-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-222-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-224-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/2056-983-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/2056-984-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2056-985-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/2056-986-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/2056-987-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-989-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-990-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-991-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/2056-992-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download