redline | 185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000

Analysis

max time kernel
147s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe
Size

990KB
MD5

43d24568da0796b45cf85ce131bfaca1
SHA1

70d5941d35f9b38c61047f95d65b47e7fa7c2c2b
SHA256

185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000
SHA512

58163f9b5c83d924eb040a54fbb47353787cb5305523c57f9c59ed28ef5a000a75f4d8c3f812aee0de665f3db526c9f9eb466c2b687dfe3276a61f22eb423c8c
SSDEEP

24576:5nUoY7pfy8Yg7Q7TsRZcKeD2Mzlnk+IY8Mlf:M7By87STskKefd5

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3064-1002-0x0000000009CB0000-0x000000000A2C8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	156413437.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	156413437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	156413437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	156413437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	156413437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	156413437.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4800	ws707062.exe
3596	UP235332.exe
4396	156413437.exe
3064	210661960.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	156413437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	156413437.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ws707062.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	UP235332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	UP235332.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ws707062.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	4396	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4396	156413437.exe
4396	156413437.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	156413437.exe
Token: SeDebugPrivilege	3064	210661960.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4800	2116	185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe	81
PID 2116 wrote to memory of 4800	2116	185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe	81
PID 2116 wrote to memory of 4800	2116	185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe	81
PID 4800 wrote to memory of 3596	4800	ws707062.exe	82
PID 4800 wrote to memory of 3596	4800	ws707062.exe	82
PID 4800 wrote to memory of 3596	4800	ws707062.exe	82
PID 3596 wrote to memory of 4396	3596	UP235332.exe	83
PID 3596 wrote to memory of 4396	3596	UP235332.exe	83
PID 3596 wrote to memory of 4396	3596	UP235332.exe	83
PID 3596 wrote to memory of 3064	3596	UP235332.exe	93
PID 3596 wrote to memory of 3064	3596	UP235332.exe	93
PID 3596 wrote to memory of 3064	3596	UP235332.exe	93

C:\Users\Admin\AppData\Local\Temp\185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe
"C:\Users\Admin\AppData\Local\Temp\185120ad49807c35f915dcf431450a50098210c6f46a671dcad18ec3469f8000.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1004
        5⤵
        Program crash
        
        PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4396 -ip 4396
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

Filesize
717KB

MD5
fa00be7caa8c76ecf693086a43a6fa72

SHA1
5a824c7908f9a759b12be9aa2c5d758e003f36eb

SHA256
47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1

SHA512
cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ws707062.exe

Filesize
717KB

MD5
fa00be7caa8c76ecf693086a43a6fa72

SHA1
5a824c7908f9a759b12be9aa2c5d758e003f36eb

SHA256
47ad2bf46a37ecfa35b25a2a5e59bda6d82e8768361fc9726e2a84d84a85a4b1

SHA512
cd1f0cc4dfa573648f8979cdc448f45b4ab07ae5e760541725d6a0dba1fa398208b534bb224e5fff79c9953a3ac89bcd3e5aca2c518143bce9dc68a55e4c62ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

Filesize
545KB

MD5
200afa6d30b530e30060f4732a7d7ad8

SHA1
cada950005d7c663e2076e0d8a8147e49b9fbdd2

SHA256
d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be

SHA512
d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UP235332.exe

Filesize
545KB

MD5
200afa6d30b530e30060f4732a7d7ad8

SHA1
cada950005d7c663e2076e0d8a8147e49b9fbdd2

SHA256
d4a96660a52626abf454197b499e0c0ab26ed25462b08bbd8b0c14cca16620be

SHA512
d91886c594ff70176cd81f319f63092058729fba82789bae3173f711d32eac6ae189d8b930178338dfac441ec2e8b5d28f18e20f3d58e4f1a26ca86fd49eae2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

Filesize
269KB

MD5
4d86b1f078cf5b393a3c4c1977338041

SHA1
08ffce6e13ae74e83023e643ea97b0d9960e6e24

SHA256
a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b

SHA512
f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\156413437.exe

Filesize
269KB

MD5
4d86b1f078cf5b393a3c4c1977338041

SHA1
08ffce6e13ae74e83023e643ea97b0d9960e6e24

SHA256
a27c02ac2161eee8c4887a42c42af559a1be457c6b46d368c46eafeb3b878e1b

SHA512
f1a4aa45b0a55467d479dc23502556c8766a7551ad3f688fd3092c713f41775373d1a7d3e5c3193ee4d0d8c786bad6dfd0aa20a8702460632612dd992e4e07b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

Filesize
353KB

MD5
a57403199ddf1fad6096938e90ccc21e

SHA1
45bcfc93e33259f76bfb8a68b19b4b43dd28678e

SHA256
eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e

SHA512
eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\210661960.exe

Filesize
353KB

MD5
a57403199ddf1fad6096938e90ccc21e

SHA1
45bcfc93e33259f76bfb8a68b19b4b43dd28678e

SHA256
eb0fb8fabb95798d507af3ed1999ab280efb55d61f62222aad3fc59be9551c3e

SHA512
eeeba09adb6171e9a56481e4b68b53359a0d94c16716e0783d7cfd69d61c923f627d41c1e47f0164a705445bf182cbf912347577bb45418fbe44c242bdba4bb7

Download Submit
memory/2116-156-0x0000000004AC0000-0x0000000004B9D000-memory.dmp

Filesize
884KB

Download
memory/2116-191-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/3064-1010-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-227-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-1005-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/3064-1004-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/3064-1003-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/3064-1009-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-1002-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

Filesize
6.1MB

Download
memory/3064-235-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-237-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-233-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-231-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-229-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-228-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-1006-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-225-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-224-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-223-0x0000000002DF0000-0x0000000002E36000-memory.dmp

Filesize
280KB

Download
memory/3064-211-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-221-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-219-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-217-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-215-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-213-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-1011-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-1012-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/3064-206-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-207-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/3064-209-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/4396-168-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-198-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/4396-195-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/4396-194-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/4396-193-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/4396-192-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/4396-190-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-188-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-186-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-184-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-182-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-180-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-178-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-176-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-174-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-172-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-170-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-166-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-164-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-163-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4396-162-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/4396-160-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/4396-161-0x0000000004760000-0x0000000004770000-memory.dmp

Filesize
64KB

Download
memory/4396-159-0x0000000007240000-0x00000000077E4000-memory.dmp

Filesize
5.6MB

Download
memory/4396-158-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download