redline | 1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe
Size

746KB
MD5

02e1cb33332415eb905b0da1f3640f72
SHA1

c567fbb67706b0b199d2d1ea16d7cc182c88a81f
SHA256

1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356
SHA512

f6437418c1f184f002077a3c4f6ab7a157090ade7da22fe150628aa8bda15d8a6be4488c912ddfb195afec1f01f7daf9c8aedbe9868e1312f89f939e630636e0
SSDEEP

12288:ry90I5/FRXJsMf1iurKktFYxMfKOY5GzbE4tKQgLIHbdXfSLYrJp5zEvjIsvZa:ryV5/FHsM1hPtOxMa5lLIpXffFmEEZa

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/736-988-0x00000000079C0000-0x0000000007FD8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	12151546.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	12151546.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	12151546.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	12151546.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	12151546.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	12151546.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4672	un995386.exe
4556	12151546.exe
736	rk911277.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	12151546.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	12151546.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un995386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un995386.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1260	4556	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	12151546.exe
4556	12151546.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	12151546.exe
Token: SeDebugPrivilege	736	rk911277.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4672	224	1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe	84
PID 224 wrote to memory of 4672	224	1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe	84
PID 224 wrote to memory of 4672	224	1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe	84
PID 4672 wrote to memory of 4556	4672	un995386.exe	85
PID 4672 wrote to memory of 4556	4672	un995386.exe	85
PID 4672 wrote to memory of 4556	4672	un995386.exe	85
PID 4672 wrote to memory of 736	4672	un995386.exe	90
PID 4672 wrote to memory of 736	4672	un995386.exe	90
PID 4672 wrote to memory of 736	4672	un995386.exe	90

C:\Users\Admin\AppData\Local\Temp\1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe
"C:\Users\Admin\AppData\Local\Temp\1b8d35dd2196d21679f0caa83a81d0c4d32ccd60b0e3a3e14ff5f97bfd603356.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un995386.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un995386.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12151546.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12151546.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1088
      4⤵
      Program crash
      PID:1260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk911277.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk911277.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4556 -ip 4556
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un995386.exe

Filesize
591KB

MD5
eb3ae7be9be70f18d17f2a1a0db3864c

SHA1
3d662b9d3f6aa09d8065f50ac87b662d16d9a183

SHA256
b2f9eb07b891ee9f3d35dd816ed258536656e0166040e4019ea960a303418649

SHA512
87f685eb2c6844469afb71eec7d3bedad29af26f0031651fc694e30f55fe68546dfffe941541c83c2b5f6ec41a451d7d558b86d6fa6ebfadfbca1f1a6fbc67f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un995386.exe

Filesize
591KB

MD5
eb3ae7be9be70f18d17f2a1a0db3864c

SHA1
3d662b9d3f6aa09d8065f50ac87b662d16d9a183

SHA256
b2f9eb07b891ee9f3d35dd816ed258536656e0166040e4019ea960a303418649

SHA512
87f685eb2c6844469afb71eec7d3bedad29af26f0031651fc694e30f55fe68546dfffe941541c83c2b5f6ec41a451d7d558b86d6fa6ebfadfbca1f1a6fbc67f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12151546.exe

Filesize
376KB

MD5
591bb0c7cf517abc2ba56c66b55f6aa7

SHA1
46c8d6480904572434f90fc141e9158e1ff0c820

SHA256
9e33e8249ed4c1cec5ae255a4e4a2b34acc8fb97fd76477a2ec1eb033d192ea9

SHA512
e82dd4693c2c9b1d36f8e8a147ea4c79e9bf21f9402419a646d1600a9401eb5f2b01c17b23c8f43bd1a1642c209665f3966e7e55b8c7b0cd4a0e3b3f398d34f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12151546.exe

Filesize
376KB

MD5
591bb0c7cf517abc2ba56c66b55f6aa7

SHA1
46c8d6480904572434f90fc141e9158e1ff0c820

SHA256
9e33e8249ed4c1cec5ae255a4e4a2b34acc8fb97fd76477a2ec1eb033d192ea9

SHA512
e82dd4693c2c9b1d36f8e8a147ea4c79e9bf21f9402419a646d1600a9401eb5f2b01c17b23c8f43bd1a1642c209665f3966e7e55b8c7b0cd4a0e3b3f398d34f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk911277.exe

Filesize
459KB

MD5
de50dd60c0eeebf33216f23ffdda04ac

SHA1
1e78dcf56de08274d2fd258ed83400d30b8fc761

SHA256
597e6c76240682e8b2f9b3d1b2a68c589a29213aaff1a490b1c9107914028a62

SHA512
1c81b3c625ad21775bbb292eb7ae7ca44b790011506bb2e3c7bedd80fd063bb7425e54e75cc7491d38e702ef74dcf8d60f063134b89e5fcde026f1f573ee6712

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk911277.exe

Filesize
459KB

MD5
de50dd60c0eeebf33216f23ffdda04ac

SHA1
1e78dcf56de08274d2fd258ed83400d30b8fc761

SHA256
597e6c76240682e8b2f9b3d1b2a68c589a29213aaff1a490b1c9107914028a62

SHA512
1c81b3c625ad21775bbb292eb7ae7ca44b790011506bb2e3c7bedd80fd063bb7425e54e75cc7491d38e702ef74dcf8d60f063134b89e5fcde026f1f573ee6712

Download Submit
memory/736-217-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-223-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-997-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-996-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-995-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-994-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-992-0x0000000004F40000-0x0000000004F7C000-memory.dmp

Filesize
240KB

Download
memory/736-197-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-990-0x0000000007FE0000-0x00000000080EA000-memory.dmp

Filesize
1.0MB

Download
memory/736-199-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-989-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-988-0x00000000079C0000-0x0000000007FD8000-memory.dmp

Filesize
6.1MB

Download
memory/736-227-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-225-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-195-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-203-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-221-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-219-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-215-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-213-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-211-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-207-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-209-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-208-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-192-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-193-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/736-206-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-991-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/736-204-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/736-201-0x0000000002980000-0x00000000029B5000-memory.dmp

Filesize
212KB

Download
memory/4556-178-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-166-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-151-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-149-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4556-150-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/4556-187-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4556-183-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4556-182-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4556-181-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4556-148-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4556-180-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4556-179-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4556-176-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-174-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-172-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-170-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-168-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-164-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-162-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-160-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-158-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-156-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-152-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4556-154-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download