redline | 1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9

General

Target

1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe
Size

479KB
MD5

0bf9633fe4699fab685c096a13b64469
SHA1

c747ab729af36f006b7a655ef177f0b0267569f7
SHA256

1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9
SHA512

34bf6e103381301b24d210ad04a88e8618fd3c75a8e33f2e27ad11176d9213bc8d21b7c308bddd844f3044594a4db3a01a09f86a62fa469b99ed7d6d6abd36b3
SSDEEP

12288:IMrYy90bXlYVOMy2e6I0snSbtDKwDMwEG:Qynq907bZKwD5

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3052-184-0x0000000007560000-0x0000000007B78000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9129989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9129989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9129989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9129989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9129989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k9129989.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3800	y1449400.exe
4340	k9129989.exe
3052	l5746999.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k9129989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9129989.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1449400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1449400.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4340	k9129989.exe
4340	k9129989.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	k9129989.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 3800	1248	1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe	85
PID 1248 wrote to memory of 3800	1248	1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe	85
PID 1248 wrote to memory of 3800	1248	1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe	85
PID 3800 wrote to memory of 4340	3800	y1449400.exe	86
PID 3800 wrote to memory of 4340	3800	y1449400.exe	86
PID 3800 wrote to memory of 4340	3800	y1449400.exe	86
PID 3800 wrote to memory of 3052	3800	y1449400.exe	87
PID 3800 wrote to memory of 3052	3800	y1449400.exe	87
PID 3800 wrote to memory of 3052	3800	y1449400.exe	87

C:\Users\Admin\AppData\Local\Temp\1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe
"C:\Users\Admin\AppData\Local\Temp\1a01b86226a33ca6502a9ef2c6b467c11549055e1e6572b8d7616f6f7ed8ebe9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1449400.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1449400.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9129989.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9129989.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5746999.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5746999.exe
    3⤵
    - Executes dropped EXE
    PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1449400.exe

Filesize
307KB

MD5
40992800b7e61dcfcd1f667b87015990

SHA1
248e01f7783f661e768e00be6292e4602559787f

SHA256
ae1647388a4eb08248a3af3a164a875915db27cc33edbf241a4e13539d8b3120

SHA512
52f5e224aef912523c2a4cb020032ac79c771ce91b2165e694fb5cf7ddbe210363b2cb879d772b2dc870a7af5803fbea6491cffe5ba7c3d50175667368aaf57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1449400.exe

Filesize
307KB

MD5
40992800b7e61dcfcd1f667b87015990

SHA1
248e01f7783f661e768e00be6292e4602559787f

SHA256
ae1647388a4eb08248a3af3a164a875915db27cc33edbf241a4e13539d8b3120

SHA512
52f5e224aef912523c2a4cb020032ac79c771ce91b2165e694fb5cf7ddbe210363b2cb879d772b2dc870a7af5803fbea6491cffe5ba7c3d50175667368aaf57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9129989.exe

Filesize
175KB

MD5
f4e3132283fcd34ed6e7f21bf5e641b9

SHA1
80ea2447ee16e6c7326fb0f67388919c0e329c47

SHA256
08e70c5a08fece90f52519e77d9421e91142a857d1544a9aad8eb4b989130486

SHA512
b2490422edf470c78087f069b0375420725f4598ca47a56d6dc70b5b59612bce794c62a8dda9f4911583d7e69c3e3a947f8bc8cc46d659993f25c5307563f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9129989.exe

Filesize
175KB

MD5
f4e3132283fcd34ed6e7f21bf5e641b9

SHA1
80ea2447ee16e6c7326fb0f67388919c0e329c47

SHA256
08e70c5a08fece90f52519e77d9421e91142a857d1544a9aad8eb4b989130486

SHA512
b2490422edf470c78087f069b0375420725f4598ca47a56d6dc70b5b59612bce794c62a8dda9f4911583d7e69c3e3a947f8bc8cc46d659993f25c5307563f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5746999.exe

Filesize
136KB

MD5
585fd3da28d25dff65873210715afc82

SHA1
5f3f0c24ddafa8000d24d1dad504bf66f478e9b8

SHA256
ae960adfd49163ec6518c780127144d33d08bb9edc209adcafdaf09acc568eea

SHA512
118aae36c3bb0866ff139f0079f56acb80c391fa9e44ba25f74da3418ff8d3b4b5e4f1e40584c2c147e30b71d92759005f154ce6a8078effbcadee80d238c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5746999.exe

Filesize
136KB

MD5
585fd3da28d25dff65873210715afc82

SHA1
5f3f0c24ddafa8000d24d1dad504bf66f478e9b8

SHA256
ae960adfd49163ec6518c780127144d33d08bb9edc209adcafdaf09acc568eea

SHA512
118aae36c3bb0866ff139f0079f56acb80c391fa9e44ba25f74da3418ff8d3b4b5e4f1e40584c2c147e30b71d92759005f154ce6a8078effbcadee80d238c65c

Download Submit
memory/3052-187-0x0000000007050000-0x000000000708C000-memory.dmp

Filesize
240KB

Download
memory/3052-186-0x0000000007120000-0x000000000722A000-memory.dmp

Filesize
1.0MB

Download
memory/3052-188-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/3052-185-0x0000000006FF0000-0x0000000007002000-memory.dmp

Filesize
72KB

Download
memory/3052-184-0x0000000007560000-0x0000000007B78000-memory.dmp

Filesize
6.1MB

Download
memory/3052-183-0x00000000002C0000-0x00000000002E8000-memory.dmp

Filesize
160KB

Download
memory/3052-189-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/4340-158-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-178-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4340-166-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-170-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-172-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-174-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-176-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-177-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/4340-164-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-162-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-160-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-149-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-150-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-152-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-154-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-156-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/4340-148-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/4340-147-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads