redline | 1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe
Size

953KB
MD5

1ac40e0d36dc7065321c4d70e7eab611
SHA1

eaddc404b94d1e70eaf406a2926737bc954e8f18
SHA256

1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83
SHA512

ed60f4e92925e54613c94be59c71d47f7292c19cfeca43d2c3779bda32a565c9bba5700daf346aa893352f0fcf017d5b1d95c8c74b1a9ceaf2014d9e7de43524
SSDEEP

24576:uyXoPQviI+0RlWjw2M6as84MzCZAwIe1XkLCIeB:9Xz+0RQjw1sawIeUCI

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2516-994-0x0000000009CF0000-0x000000000A308000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v6745zE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v6745zE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v6745zE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v6745zE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v6745zE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v6745zE.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3832	za186811.exe
536	za290863.exe
392	v6745zE.exe
2516	w32gQ36.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v6745zE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v6745zE.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za290863.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za186811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za186811.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za290863.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
864	392	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
392	v6745zE.exe
392	v6745zE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	v6745zE.exe
Token: SeDebugPrivilege	2516	w32gQ36.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3832	3848	1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe	79
PID 3848 wrote to memory of 3832	3848	1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe	79
PID 3848 wrote to memory of 3832	3848	1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe	79
PID 3832 wrote to memory of 536	3832	za186811.exe	80
PID 3832 wrote to memory of 536	3832	za186811.exe	80
PID 3832 wrote to memory of 536	3832	za186811.exe	80
PID 536 wrote to memory of 392	536	za290863.exe	81
PID 536 wrote to memory of 392	536	za290863.exe	81
PID 536 wrote to memory of 392	536	za290863.exe	81
PID 536 wrote to memory of 2516	536	za290863.exe	90
PID 536 wrote to memory of 2516	536	za290863.exe	90
PID 536 wrote to memory of 2516	536	za290863.exe	90

C:\Users\Admin\AppData\Local\Temp\1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe
"C:\Users\Admin\AppData\Local\Temp\1878c5846243e1c022e9573f86b201075f754485ca088cafe82c68e5cb0d0a83.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za186811.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za186811.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za290863.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za290863.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6745zE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6745zE.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1084
        5⤵
        Program crash
        
        PID:864
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w32gQ36.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w32gQ36.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 392 -ip 392
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za186811.exe

Filesize
732KB

MD5
063f8163d3c057628ffb5ac79050f305

SHA1
05c50fc9969d6c5efd20a2ec981c3fd2f4d807b6

SHA256
eb6e5addd46fe16b1f036f06feeec4c61bdd29add3abad14d3e4204fa9ddd4dc

SHA512
2cfaf914099cd2cc39783689a67e566aa836546182f177cda291362d8ce142f302c1a1b57179efffd9cc2198544ac4ea8b1f43148153654e7bc8dbfd41ed4bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za186811.exe

Filesize
732KB

MD5
063f8163d3c057628ffb5ac79050f305

SHA1
05c50fc9969d6c5efd20a2ec981c3fd2f4d807b6

SHA256
eb6e5addd46fe16b1f036f06feeec4c61bdd29add3abad14d3e4204fa9ddd4dc

SHA512
2cfaf914099cd2cc39783689a67e566aa836546182f177cda291362d8ce142f302c1a1b57179efffd9cc2198544ac4ea8b1f43148153654e7bc8dbfd41ed4bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za290863.exe

Filesize
550KB

MD5
2bfa7c23a3766e21ff06910e00e6fdfb

SHA1
f2ed149cc5e460cdffd749a8cb361c2f8afe92de

SHA256
57fef41914e6262fa1c5641de0d89eac1973c4c3b0d0f8582932434795dd1e51

SHA512
74e3d3dd7c0356f6ae906e654643ed5fd62c0781a2acc26d76657ac0864581be149a183053d90e34bde1f0c31ba38756902cbf194ad13273dd8f1bf0f5cb8c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za290863.exe

Filesize
550KB

MD5
2bfa7c23a3766e21ff06910e00e6fdfb

SHA1
f2ed149cc5e460cdffd749a8cb361c2f8afe92de

SHA256
57fef41914e6262fa1c5641de0d89eac1973c4c3b0d0f8582932434795dd1e51

SHA512
74e3d3dd7c0356f6ae906e654643ed5fd62c0781a2acc26d76657ac0864581be149a183053d90e34bde1f0c31ba38756902cbf194ad13273dd8f1bf0f5cb8c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6745zE.exe

Filesize
278KB

MD5
4df8915919be80bf5568575d2848da9a

SHA1
3c30784d303de10c8dcdf6b7d7086d3c0ac2c925

SHA256
b5727071b04ca7f2fdbbcf54ffa7c039a5745fd458dfae95cd3b18bb9d214001

SHA512
e3474fb441811662d927e8cbb805a532de4c557f9dc8362e7285ec0998f26da6c236114e23417a263e4fe4d062f41b64f774335b5cc5665ea2d929d76ff1d1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6745zE.exe

Filesize
278KB

MD5
4df8915919be80bf5568575d2848da9a

SHA1
3c30784d303de10c8dcdf6b7d7086d3c0ac2c925

SHA256
b5727071b04ca7f2fdbbcf54ffa7c039a5745fd458dfae95cd3b18bb9d214001

SHA512
e3474fb441811662d927e8cbb805a532de4c557f9dc8362e7285ec0998f26da6c236114e23417a263e4fe4d062f41b64f774335b5cc5665ea2d929d76ff1d1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w32gQ36.exe

Filesize
361KB

MD5
5aa9b2adb31bfa6b41f4e56648ba4612

SHA1
f4cb22a4d43a428cb0dd51ecee4ac800873e0183

SHA256
8718e5a496f663072e934264058d277872f10f7acc3f40ca87dbc6dc8cb5d5f7

SHA512
de16e045e1ce27dfc68d146b0b24f28d19e49d1309fbf7df31bac4a48e96322e1d0bfc641a7865a00e26a04be509579f2eb446960a5c1c02fcfb55f9bf36b1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w32gQ36.exe

Filesize
361KB

MD5
5aa9b2adb31bfa6b41f4e56648ba4612

SHA1
f4cb22a4d43a428cb0dd51ecee4ac800873e0183

SHA256
8718e5a496f663072e934264058d277872f10f7acc3f40ca87dbc6dc8cb5d5f7

SHA512
de16e045e1ce27dfc68d146b0b24f28d19e49d1309fbf7df31bac4a48e96322e1d0bfc641a7865a00e26a04be509579f2eb446960a5c1c02fcfb55f9bf36b1f4

Download Submit
memory/392-171-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-159-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-158-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-161-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-163-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-165-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-167-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-169-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-157-0x0000000007450000-0x00000000079F4000-memory.dmp

Filesize
5.6MB

Download
memory/392-173-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-175-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-179-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-177-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-181-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-183-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-185-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/392-186-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/392-187-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/392-188-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/392-189-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/392-191-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/392-192-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/392-193-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/392-156-0x0000000007440000-0x0000000007450000-memory.dmp

Filesize
64KB

Download
memory/392-155-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/2516-201-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-224-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-199-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-203-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-205-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-207-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-209-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-211-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-213-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-215-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-217-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-220-0x0000000002BD0000-0x0000000002C16000-memory.dmp

Filesize
280KB

Download
memory/2516-219-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-223-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-222-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-198-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-226-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-231-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-229-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-227-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-233-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-235-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2516-994-0x0000000009CF0000-0x000000000A308000-memory.dmp

Filesize
6.1MB

Download
memory/2516-995-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/2516-996-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/2516-997-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/2516-998-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-1000-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-1001-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-1002-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/2516-1003-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download