redline | 3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf

Analysis

max time kernel
145s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
Size

747KB
MD5

72a896d421d41c5913d3a2e42fda4717
SHA1

e0bd15b47be605a799862d960a4c31cd0cf953ae
SHA256

3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf
SHA512

2bfba1e787411ce37b2cc0ffea1372d9f05e5733bb3babfa7b72730eda8d2ab36005a35514b87767fd02dd42ccb2e9984f963814e63c267150762cab9a3c15af
SSDEEP

12288:+y90foOt5rdmHdqt0UWffvUa5qTpTCSp7Dd3RqUiLW/f2dmFcVvPkwJOB:+yeoOt5JmHYtTWfXUa5qTcYp3tCwGm6q

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2668-990-0x00000000078E0000-0x0000000007EF8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	11649037.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	11649037.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4324	un828097.exe
3880	11649037.exe
2668	rk895948.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	11649037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	11649037.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un828097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un828097.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4368	3880	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	11649037.exe
3880	11649037.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	11649037.exe
Token: SeDebugPrivilege	2668	rk895948.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4324	4088	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	84
PID 4088 wrote to memory of 4324	4088	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	84
PID 4088 wrote to memory of 4324	4088	3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe	84
PID 4324 wrote to memory of 3880	4324	un828097.exe	85
PID 4324 wrote to memory of 3880	4324	un828097.exe	85
PID 4324 wrote to memory of 3880	4324	un828097.exe	85
PID 4324 wrote to memory of 2668	4324	un828097.exe	89
PID 4324 wrote to memory of 2668	4324	un828097.exe	89
PID 4324 wrote to memory of 2668	4324	un828097.exe	89

C:\Users\Admin\AppData\Local\Temp\3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe
"C:\Users\Admin\AppData\Local\Temp\3211e374b732c8d73f42b7ae20317bc134a05dfead28e6dd8da425df5bd479cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1092
      4⤵
      Program crash
      PID:4368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3880 -ip 3880
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe

Filesize
593KB

MD5
1e7264a9bd5729ba621602292d228771

SHA1
a2a5c96ae0e46a9bb67e51fa3e41ba82f63e7cb9

SHA256
e84473804cc3078208f3470ceee0d2c6bf7a0282cbab723bd67ad5565bc733cd

SHA512
228202418f909fe124f587565cadd2783d5c60f7a5b7ade194ec0b9985d391bd4c6522feebff6b2f185bf7109df2df7e30ad6e5488d1b8b954d6ed216e6331bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828097.exe

Filesize
593KB

MD5
1e7264a9bd5729ba621602292d228771

SHA1
a2a5c96ae0e46a9bb67e51fa3e41ba82f63e7cb9

SHA256
e84473804cc3078208f3470ceee0d2c6bf7a0282cbab723bd67ad5565bc733cd

SHA512
228202418f909fe124f587565cadd2783d5c60f7a5b7ade194ec0b9985d391bd4c6522feebff6b2f185bf7109df2df7e30ad6e5488d1b8b954d6ed216e6331bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11649037.exe

Filesize
378KB

MD5
735f099981cdec9fcdf3dfc609cadd22

SHA1
2159c822a0501e44669ad1f29b3a9040e99f9d8f

SHA256
65c7572c4e22405c9f5350a7bfb53ef7c12563cfbb50f97d863bf2245e7b89a2

SHA512
8727cf63c86af4cfb5bf1c18bafa459547ce8b9cb704804f2e964fe30811b7bc11d4b8f254fe0f7192cb08eb2cdb2442b21ea820de234074a0c31184485a5306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk895948.exe

Filesize
460KB

MD5
afba15ef8e8b2beeef56858a688af452

SHA1
ede5dfa71e16791fade92bffd63a3a894e26c098

SHA256
e615d124c01b3baf40cf50cb6f7af2b1ae57a4b6870a22f2899e5fd80174efef

SHA512
7ce361ddb29bd5bfa77f8ff901dbab6b762e57166f68affd3c34b08fa1468f42491ec143af53ae517bcca5a82ad7ddab784e89f1ffa30f25a9620986e983f540

Download Submit
memory/2668-221-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-387-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-999-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-998-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-997-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-996-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-994-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2668-197-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-992-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/2668-199-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-991-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2668-990-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/2668-388-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-385-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-195-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-201-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-384-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/2668-223-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-219-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-217-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-215-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-213-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-211-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-209-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-207-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-194-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-205-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/2668-993-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2668-203-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/3880-177-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-167-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-151-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-149-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download
memory/3880-150-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-187-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/3880-184-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3880-183-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3880-182-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3880-181-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/3880-148-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3880-179-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3880-180-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3880-178-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3880-175-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-173-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-171-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-169-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-165-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-163-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-161-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-159-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-155-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-157-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/3880-153-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download