redline | 1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a

Analysis

max time kernel
156s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe
Size

1.2MB
MD5

bc87d468235fa165c29ce7e4ecdc1cab
SHA1

662a53f5b83f33ef4765fc607e3a18a3c319a020
SHA256

1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a
SHA512

6343747ab62c9737cf765c3a9e99b8165f3b5e8d3b7e68e71343893e20b2b0775b772f6251356de62fa4215a86436f6a145705455bdfe55bc55bb28dff442f70
SSDEEP

24576:IYAVCfN05jEKvD1eqB6QLUIHZinS07gPUSko5622+s:IY1NsVN654ZiE1ko5Q+

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3564-1000-0x00000000079A0000-0x0000000007FB8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	108042834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	108042834.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4748	kM904164.exe
4324	VJ798040.exe
2096	108042834.exe
3564	280070123.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	108042834.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VJ798040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VJ798040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kM904164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kM904164.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	2096	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	108042834.exe
2096	108042834.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	108042834.exe
Token: SeDebugPrivilege	3564	280070123.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4748	4732	1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe	83
PID 4732 wrote to memory of 4748	4732	1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe	83
PID 4732 wrote to memory of 4748	4732	1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe	83
PID 4748 wrote to memory of 4324	4748	kM904164.exe	84
PID 4748 wrote to memory of 4324	4748	kM904164.exe	84
PID 4748 wrote to memory of 4324	4748	kM904164.exe	84
PID 4324 wrote to memory of 2096	4324	VJ798040.exe	85
PID 4324 wrote to memory of 2096	4324	VJ798040.exe	85
PID 4324 wrote to memory of 2096	4324	VJ798040.exe	85
PID 4324 wrote to memory of 3564	4324	VJ798040.exe	90
PID 4324 wrote to memory of 3564	4324	VJ798040.exe	90
PID 4324 wrote to memory of 3564	4324	VJ798040.exe	90

C:\Users\Admin\AppData\Local\Temp\1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe
"C:\Users\Admin\AppData\Local\Temp\1512f2677c3a00978fcc4fb732ce657b364f8121642f66e238c1f2e280b2b65a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1080
        5⤵
        Program crash
        
        PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2096 -ip 2096
1⤵
PID:4232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe

Filesize
770KB

MD5
392d34a4d3a736bccc6091e3839a6fce

SHA1
ec072e2b2e599bd3b7abc27a1254f4176cefbe6c

SHA256
e653e474a8d9fbfc811c2b091216d42aac7fbed5e5c3b1191c93060663084865

SHA512
e65dbb131c1f719606a44d6e76d78b9106fe25fb539396d8da759ead27bd437e76f6b6198bd4c6b9979b7676ef3247eca11eccc07a0b24732f503836825207f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe

Filesize
770KB

MD5
392d34a4d3a736bccc6091e3839a6fce

SHA1
ec072e2b2e599bd3b7abc27a1254f4176cefbe6c

SHA256
e653e474a8d9fbfc811c2b091216d42aac7fbed5e5c3b1191c93060663084865

SHA512
e65dbb131c1f719606a44d6e76d78b9106fe25fb539396d8da759ead27bd437e76f6b6198bd4c6b9979b7676ef3247eca11eccc07a0b24732f503836825207f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe

Filesize
599KB

MD5
9693154f9e43acf85dc6444f65286c02

SHA1
9c70122819655c156fd116cd68c82956778fb036

SHA256
a33ce1ef82f0eeab1079ad1d0b8ee6b0502df369e83bd8d396cc613e50c0d3c7

SHA512
ff4c434440972afaa5d3e257da5cde9427f9993457da2bf59331d68235f78d019b3d25f5598c585916e949f3828a6603ecf778b933976364be4727f7753fcf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe

Filesize
599KB

MD5
9693154f9e43acf85dc6444f65286c02

SHA1
9c70122819655c156fd116cd68c82956778fb036

SHA256
a33ce1ef82f0eeab1079ad1d0b8ee6b0502df369e83bd8d396cc613e50c0d3c7

SHA512
ff4c434440972afaa5d3e257da5cde9427f9993457da2bf59331d68235f78d019b3d25f5598c585916e949f3828a6603ecf778b933976364be4727f7753fcf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe

Filesize
396KB

MD5
5b1333c144f250b941047b543caee016

SHA1
ba2e842670998d0ebe45dd93f82993af4f4353f9

SHA256
f7c8b4d2fb6998fd65b37ab652e736ac8cd06fb434dcbc9f18242dd766cab20a

SHA512
890d85988c79957ab8743a6b53bb00b0510375b404ed439d7885d6a7bf613f8c44fa012362b9c5afca931e489cccb7fc6d1a1ed497e000c37470b12606936dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe

Filesize
396KB

MD5
5b1333c144f250b941047b543caee016

SHA1
ba2e842670998d0ebe45dd93f82993af4f4353f9

SHA256
f7c8b4d2fb6998fd65b37ab652e736ac8cd06fb434dcbc9f18242dd766cab20a

SHA512
890d85988c79957ab8743a6b53bb00b0510375b404ed439d7885d6a7bf613f8c44fa012362b9c5afca931e489cccb7fc6d1a1ed497e000c37470b12606936dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe

Filesize
478KB

MD5
753e8fdb43c01050b6df9d07136cb46b

SHA1
a8f6a4d318b991785bbd444d0f691b345ddde226

SHA256
257da5b41af249faa681721127bb9ff0bfd9ae9dceaf09d9be50904296cd2f22

SHA512
f9065a7b7aa0c04ca8cbd4d522f3e1aa7280f00afc80405900207d03dbd710f7566ed30bfa8bfe2a56fcba8613144d384c2c4406eb239f80bb75d34bd14071d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe

Filesize
478KB

MD5
753e8fdb43c01050b6df9d07136cb46b

SHA1
a8f6a4d318b991785bbd444d0f691b345ddde226

SHA256
257da5b41af249faa681721127bb9ff0bfd9ae9dceaf09d9be50904296cd2f22

SHA512
f9065a7b7aa0c04ca8cbd4d522f3e1aa7280f00afc80405900207d03dbd710f7566ed30bfa8bfe2a56fcba8613144d384c2c4406eb239f80bb75d34bd14071d5

Download Submit
memory/2096-195-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2096-159-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/2096-160-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/2096-162-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-161-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-164-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-166-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-168-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-170-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-172-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-174-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-176-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-178-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-180-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-182-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-184-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-186-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-188-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download
memory/2096-189-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2096-191-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/2096-193-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2096-194-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2096-157-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/2096-197-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/3564-209-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-378-0x0000000002440000-0x0000000002486000-memory.dmp

Filesize
280KB

Download
memory/3564-207-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-204-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-211-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-213-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-215-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-217-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-219-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-221-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-223-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-225-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-227-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-229-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-231-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-205-0x0000000002860000-0x0000000002895000-memory.dmp

Filesize
212KB

Download
memory/3564-380-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-382-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-384-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-1000-0x00000000079A0000-0x0000000007FB8000-memory.dmp

Filesize
6.1MB

Download
memory/3564-1001-0x0000000005010000-0x0000000005022000-memory.dmp

Filesize
72KB

Download
memory/3564-1002-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/3564-1003-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3564-1004-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-1007-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-1008-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-1009-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3564-1010-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4732-148-0x0000000002940000-0x0000000002A39000-memory.dmp

Filesize
996KB

Download
memory/4732-158-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download