redline | 33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
Size

701KB
MD5

243456c830cbe264025309d40192fdfd
SHA1

0211a08db62e814a81ae6000e6d106e93371335e
SHA256

33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a
SHA512

5303d2d6629704b9eea961b43ce92a2da3a191055d510dc93fcba251dabf461b71c6f8383f01cf81fd25e666774aa3046545d84cfee3c53980dd2ca0fa9ebaa6
SSDEEP

12288:iy909Vl56+rkrV/jriBpr3FDDjiDD+m5boAwXthlGiArHzPRiBCf5sPY:iyiTdgVuBpZDuDD+m5EAwoJzPRiBCRsg

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2668-985-0x0000000009C60000-0x000000000A278000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	31151928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	31151928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	31151928.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2808	un611357.exe
4928	31151928.exe
2668	rk613042.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	31151928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	31151928.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un611357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un611357.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3204	4928	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4928	31151928.exe
4928	31151928.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	31151928.exe
Token: SeDebugPrivilege	2668	rk613042.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2808	2548	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	86
PID 2548 wrote to memory of 2808	2548	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	86
PID 2548 wrote to memory of 2808	2548	33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe	86
PID 2808 wrote to memory of 4928	2808	un611357.exe	87
PID 2808 wrote to memory of 4928	2808	un611357.exe	87
PID 2808 wrote to memory of 4928	2808	un611357.exe	87
PID 2808 wrote to memory of 2668	2808	un611357.exe	97
PID 2808 wrote to memory of 2668	2808	un611357.exe	97
PID 2808 wrote to memory of 2668	2808	un611357.exe	97

C:\Users\Admin\AppData\Local\Temp\33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe
"C:\Users\Admin\AppData\Local\Temp\33f38a17cb2bca07f67cdabed30c8ef264bfbf5a73e5c7ead9882de42c2e489a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1084
      4⤵
      Program crash
      PID:3204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4928 -ip 4928
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe

Filesize
547KB

MD5
8dc485b769c5e0680d72419d2b568f19

SHA1
2c51522b756d0f4a5a93427c4701314682d34a34

SHA256
3342ad3abb0a858f8edeed019594bb3b05d6829439b4e9ecf8e3567c51629e87

SHA512
0d600949ff6a02c51d48e0b5ce02dfca66c3cfeeb11575987be3461bde682a01dce7d8a2f62b2618fc6b1683fae4d08cc82bc909f3c0d1a05147a5553a00f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un611357.exe

Filesize
547KB

MD5
8dc485b769c5e0680d72419d2b568f19

SHA1
2c51522b756d0f4a5a93427c4701314682d34a34

SHA256
3342ad3abb0a858f8edeed019594bb3b05d6829439b4e9ecf8e3567c51629e87

SHA512
0d600949ff6a02c51d48e0b5ce02dfca66c3cfeeb11575987be3461bde682a01dce7d8a2f62b2618fc6b1683fae4d08cc82bc909f3c0d1a05147a5553a00f5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\31151928.exe

Filesize
269KB

MD5
1654ae14cb472a918c89e1501fa4fff6

SHA1
2b0a6dbee5fc721b601428f45820c9dbb04b583d

SHA256
76dbce94cd332414cb9f7acd36ad001fd73f630bdcc52705ee1c31d80ec4ecbb

SHA512
65d00d17ca4249cca70ac64e3861817a6970fd2aec11180f57bc2cf09f0f4848d967d56e25f74b289099393978d2cbe92b00fbeb84d1951af13fa50bb9c60674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk613042.exe

Filesize
353KB

MD5
c8aa4148478bd90aa2efd94ac27b46be

SHA1
bc4f4ed76b9500261e46244f3f530480c8e172c1

SHA256
cf6fcc0f32a9ea206c72a17a98a9c6b3835090dd35c65b9755c7d863473cb05b

SHA512
da54b393a687c43829c847040fa17284c39b5e4dfca8f4062bfa2a2dc5870cffdb9201fee67c03ff7b630e04fca5894bae4f5625815c649bb85e14f21bbc1cc2

Download Submit
memory/2668-216-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-222-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-994-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-993-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-992-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-991-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-989-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-195-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-987-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/2668-197-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-986-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/2668-985-0x0000000009C60000-0x000000000A278000-memory.dmp

Filesize
6.1MB

Download
memory/2668-226-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-224-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-193-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-201-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-220-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-218-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-214-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-212-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-210-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-209-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-207-0x0000000002CE0000-0x0000000002D26000-memory.dmp

Filesize
280KB

Download
memory/2668-208-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2668-190-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-191-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-205-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-988-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/2668-203-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2668-199-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/4928-175-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-167-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-148-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/4928-149-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4928-151-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4928-185-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/4928-183-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4928-182-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4928-181-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4928-150-0x00000000072C0000-0x0000000007864000-memory.dmp

Filesize
5.6MB

Download
memory/4928-180-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/4928-171-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-173-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-179-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-177-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-169-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-161-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-163-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-165-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-159-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-157-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-155-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-152-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4928-153-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download