redline | 14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe
Size

934KB
MD5

dbf4acfacacd0e8aa1c6dc4129cca0cc
SHA1

1926bda614072d902345418681344cd797a956ee
SHA256

14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894
SHA512

62dc85016ac7ec8562f619f2189937815df9b073b37b755b78d5a2fdfec69bd0a70e44b30de420ac55bee90de6a25d6cb7885382d888d2864b01d3ee3511f480
SSDEEP

24576:YyDOF/X7QoNE/YhQzS3RB8yQ+EAuhde3BUxLZ3Aq:fDOFDhReyQX9hdeRUnQ

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2284-994-0x0000000009C90000-0x000000000A2A8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36703384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36703384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36703384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36703384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36703384.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	36703384.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3832	za264663.exe
3812	za029542.exe
3884	36703384.exe
2284	w30bV66.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	36703384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36703384.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za029542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za029542.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za264663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za264663.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
408	3884	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	36703384.exe
3884	36703384.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	36703384.exe
Token: SeDebugPrivilege	2284	w30bV66.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3832	1656	14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe	79
PID 1656 wrote to memory of 3832	1656	14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe	79
PID 1656 wrote to memory of 3832	1656	14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe	79
PID 3832 wrote to memory of 3812	3832	za264663.exe	80
PID 3832 wrote to memory of 3812	3832	za264663.exe	80
PID 3832 wrote to memory of 3812	3832	za264663.exe	80
PID 3812 wrote to memory of 3884	3812	za029542.exe	81
PID 3812 wrote to memory of 3884	3812	za029542.exe	81
PID 3812 wrote to memory of 3884	3812	za029542.exe	81
PID 3812 wrote to memory of 2284	3812	za029542.exe	90
PID 3812 wrote to memory of 2284	3812	za029542.exe	90
PID 3812 wrote to memory of 2284	3812	za029542.exe	90

C:\Users\Admin\AppData\Local\Temp\14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe
"C:\Users\Admin\AppData\Local\Temp\14c014a731fdd8a83dd94d9bea96ee4ec90110b61bf574ca0d85ea8a459dc894.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za264663.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za264663.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za029542.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za029542.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\36703384.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\36703384.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1084
        5⤵
        Program crash
        
        PID:408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30bV66.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30bV66.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3884 -ip 3884
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za264663.exe

Filesize
724KB

MD5
fab6a442657019ecea3664314936e8e9

SHA1
a5da078b0f7585901e724f20cc0f1eca31c99ccb

SHA256
fc3900c2ccbda9c7418d9548051f62ee765571cab9ab8679e131ef6779add500

SHA512
232fc1fd90cf9437060362082f59b2bbb01ed777392066fb8746b46fcfc60cd0d5919c97e503c72ad2c30897ce17f957ab286edc3bae5344adcfb89eccb28480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za264663.exe

Filesize
724KB

MD5
fab6a442657019ecea3664314936e8e9

SHA1
a5da078b0f7585901e724f20cc0f1eca31c99ccb

SHA256
fc3900c2ccbda9c7418d9548051f62ee765571cab9ab8679e131ef6779add500

SHA512
232fc1fd90cf9437060362082f59b2bbb01ed777392066fb8746b46fcfc60cd0d5919c97e503c72ad2c30897ce17f957ab286edc3bae5344adcfb89eccb28480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za029542.exe

Filesize
541KB

MD5
355bcec3757353c815a6f961b660a4e0

SHA1
ade54e30b2ae71618210b5ed4ef94a62bc80ddec

SHA256
74884e777674726a74a5f9061c9a01d3e4516a98ef0b75de4a77153bc31819b4

SHA512
642d96088be4964c23c0942262465ee8f65e804d8b1baecfc4ce8784d4e0ea2b84029ab5cd43ac42a889f2690251cb662f8e437f3172f0aecb6b1e25e5b38896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za029542.exe

Filesize
541KB

MD5
355bcec3757353c815a6f961b660a4e0

SHA1
ade54e30b2ae71618210b5ed4ef94a62bc80ddec

SHA256
74884e777674726a74a5f9061c9a01d3e4516a98ef0b75de4a77153bc31819b4

SHA512
642d96088be4964c23c0942262465ee8f65e804d8b1baecfc4ce8784d4e0ea2b84029ab5cd43ac42a889f2690251cb662f8e437f3172f0aecb6b1e25e5b38896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\36703384.exe

Filesize
258KB

MD5
d44dfa01de18ab6572818f6151ee017b

SHA1
e7ab692485dee0ce27579420d2ff97a61360e8e3

SHA256
684f90be7d17abc59c57fb22a31b1614907b107deb44fc9ea57252fc4debbb21

SHA512
85444dafb11a80e558115bc8f4f7cda0ad303bde8ab5e36f1a764a72aff627281cac8836ddda36b1d7b0ba5f2b90a712130f02113820c13ef4067ae224b7fa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\36703384.exe

Filesize
258KB

MD5
d44dfa01de18ab6572818f6151ee017b

SHA1
e7ab692485dee0ce27579420d2ff97a61360e8e3

SHA256
684f90be7d17abc59c57fb22a31b1614907b107deb44fc9ea57252fc4debbb21

SHA512
85444dafb11a80e558115bc8f4f7cda0ad303bde8ab5e36f1a764a72aff627281cac8836ddda36b1d7b0ba5f2b90a712130f02113820c13ef4067ae224b7fa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30bV66.exe

Filesize
340KB

MD5
0569136335e389f62f451edbfd5af910

SHA1
05a64e53ceade81474587198edb1741b16e2c4e9

SHA256
0cc620a683c41b52a7a7cb720823f718dac02a0c91ac74d8b82253ed74db9a67

SHA512
f0edc84c591ce53dfcee6a0a7dd3cb6ba91c034aadbce4f255a67b096bf86ebb465c7dc80a4cd79fe76dfee026213c1bcafba21534b0da366da6ecc8bd0a7030

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w30bV66.exe

Filesize
340KB

MD5
0569136335e389f62f451edbfd5af910

SHA1
05a64e53ceade81474587198edb1741b16e2c4e9

SHA256
0cc620a683c41b52a7a7cb720823f718dac02a0c91ac74d8b82253ed74db9a67

SHA512
f0edc84c591ce53dfcee6a0a7dd3cb6ba91c034aadbce4f255a67b096bf86ebb465c7dc80a4cd79fe76dfee026213c1bcafba21534b0da366da6ecc8bd0a7030

Download Submit
memory/2284-224-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-228-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-1003-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-1002-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-1001-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-1000-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-998-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-997-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/2284-996-0x000000000A320000-0x000000000A42A000-memory.dmp

Filesize
1.0MB

Download
memory/2284-995-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2284-994-0x0000000009C90000-0x000000000A2A8000-memory.dmp

Filesize
6.1MB

Download
memory/2284-322-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-319-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-320-0x0000000007350000-0x0000000007360000-memory.dmp

Filesize
64KB

Download
memory/2284-232-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-230-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-226-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-220-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-222-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-218-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-216-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-214-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-210-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-212-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-208-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-198-0x00000000046D0000-0x0000000004716000-memory.dmp

Filesize
280KB

Download
memory/2284-199-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-200-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-202-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-206-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2284-204-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3884-184-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-166-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-193-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3884-192-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3884-190-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3884-191-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3884-188-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3884-187-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3884-186-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3884-155-0x0000000002BE0000-0x0000000002C0D000-memory.dmp

Filesize
180KB

Download
memory/3884-158-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-185-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3884-160-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-180-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-156-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/3884-172-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-174-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-176-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-178-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-170-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-168-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-182-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-164-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-162-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download
memory/3884-157-0x00000000049F0000-0x0000000004A03000-memory.dmp

Filesize
76KB

Download