redline | 2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb

Analysis

max time kernel
148s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe
Size

1.2MB
MD5

0919b075f58b74f80db1b31fff072dec
SHA1

185a81f97cfbbea7160487998203264343dc2c42
SHA256

2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb
SHA512

2c14a6ff1e5779a6d6dc52b4c1be00439690b39ffbacf023ca9282306b955deb06f969124f6b54ecf1fbfceb55e5648bacca7ccdee05153c770d416e5d74cf78
SSDEEP

24576:/YAVCfN05jEKvD1eqB6QLUIHZinS07gPUSko5622+s:/Y1NsVN654ZiE1ko5Q+

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/752-1001-0x0000000007990000-0x0000000007FA8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	108042834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	108042834.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2336	kM904164.exe
3940	VJ798040.exe
684	108042834.exe
752	280070123.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	108042834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	108042834.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kM904164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kM904164.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VJ798040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VJ798040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3864	684	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
684	108042834.exe
684	108042834.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	108042834.exe
Token: SeDebugPrivilege	752	280070123.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 2336	3364	2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe	85
PID 3364 wrote to memory of 2336	3364	2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe	85
PID 3364 wrote to memory of 2336	3364	2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe	85
PID 2336 wrote to memory of 3940	2336	kM904164.exe	86
PID 2336 wrote to memory of 3940	2336	kM904164.exe	86
PID 2336 wrote to memory of 3940	2336	kM904164.exe	86
PID 3940 wrote to memory of 684	3940	VJ798040.exe	87
PID 3940 wrote to memory of 684	3940	VJ798040.exe	87
PID 3940 wrote to memory of 684	3940	VJ798040.exe	87
PID 3940 wrote to memory of 752	3940	VJ798040.exe	91
PID 3940 wrote to memory of 752	3940	VJ798040.exe	91
PID 3940 wrote to memory of 752	3940	VJ798040.exe	91

C:\Users\Admin\AppData\Local\Temp\2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe
"C:\Users\Admin\AppData\Local\Temp\2118ba87b19ce14dcf1a7a155dbbf11b4ba321599e9161c97ff58e9fc4dcb6cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1080
        5⤵
        Program crash
        
        PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 684 -ip 684
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe

Filesize
770KB

MD5
392d34a4d3a736bccc6091e3839a6fce

SHA1
ec072e2b2e599bd3b7abc27a1254f4176cefbe6c

SHA256
e653e474a8d9fbfc811c2b091216d42aac7fbed5e5c3b1191c93060663084865

SHA512
e65dbb131c1f719606a44d6e76d78b9106fe25fb539396d8da759ead27bd437e76f6b6198bd4c6b9979b7676ef3247eca11eccc07a0b24732f503836825207f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kM904164.exe

Filesize
770KB

MD5
392d34a4d3a736bccc6091e3839a6fce

SHA1
ec072e2b2e599bd3b7abc27a1254f4176cefbe6c

SHA256
e653e474a8d9fbfc811c2b091216d42aac7fbed5e5c3b1191c93060663084865

SHA512
e65dbb131c1f719606a44d6e76d78b9106fe25fb539396d8da759ead27bd437e76f6b6198bd4c6b9979b7676ef3247eca11eccc07a0b24732f503836825207f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe

Filesize
599KB

MD5
9693154f9e43acf85dc6444f65286c02

SHA1
9c70122819655c156fd116cd68c82956778fb036

SHA256
a33ce1ef82f0eeab1079ad1d0b8ee6b0502df369e83bd8d396cc613e50c0d3c7

SHA512
ff4c434440972afaa5d3e257da5cde9427f9993457da2bf59331d68235f78d019b3d25f5598c585916e949f3828a6603ecf778b933976364be4727f7753fcf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VJ798040.exe

Filesize
599KB

MD5
9693154f9e43acf85dc6444f65286c02

SHA1
9c70122819655c156fd116cd68c82956778fb036

SHA256
a33ce1ef82f0eeab1079ad1d0b8ee6b0502df369e83bd8d396cc613e50c0d3c7

SHA512
ff4c434440972afaa5d3e257da5cde9427f9993457da2bf59331d68235f78d019b3d25f5598c585916e949f3828a6603ecf778b933976364be4727f7753fcf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe

Filesize
396KB

MD5
5b1333c144f250b941047b543caee016

SHA1
ba2e842670998d0ebe45dd93f82993af4f4353f9

SHA256
f7c8b4d2fb6998fd65b37ab652e736ac8cd06fb434dcbc9f18242dd766cab20a

SHA512
890d85988c79957ab8743a6b53bb00b0510375b404ed439d7885d6a7bf613f8c44fa012362b9c5afca931e489cccb7fc6d1a1ed497e000c37470b12606936dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\108042834.exe

Filesize
396KB

MD5
5b1333c144f250b941047b543caee016

SHA1
ba2e842670998d0ebe45dd93f82993af4f4353f9

SHA256
f7c8b4d2fb6998fd65b37ab652e736ac8cd06fb434dcbc9f18242dd766cab20a

SHA512
890d85988c79957ab8743a6b53bb00b0510375b404ed439d7885d6a7bf613f8c44fa012362b9c5afca931e489cccb7fc6d1a1ed497e000c37470b12606936dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe

Filesize
478KB

MD5
753e8fdb43c01050b6df9d07136cb46b

SHA1
a8f6a4d318b991785bbd444d0f691b345ddde226

SHA256
257da5b41af249faa681721127bb9ff0bfd9ae9dceaf09d9be50904296cd2f22

SHA512
f9065a7b7aa0c04ca8cbd4d522f3e1aa7280f00afc80405900207d03dbd710f7566ed30bfa8bfe2a56fcba8613144d384c2c4406eb239f80bb75d34bd14071d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\280070123.exe

Filesize
478KB

MD5
753e8fdb43c01050b6df9d07136cb46b

SHA1
a8f6a4d318b991785bbd444d0f691b345ddde226

SHA256
257da5b41af249faa681721127bb9ff0bfd9ae9dceaf09d9be50904296cd2f22

SHA512
f9065a7b7aa0c04ca8cbd4d522f3e1aa7280f00afc80405900207d03dbd710f7566ed30bfa8bfe2a56fcba8613144d384c2c4406eb239f80bb75d34bd14071d5

Download Submit
memory/684-192-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/684-162-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/684-161-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/684-163-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-168-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-166-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-164-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-170-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-172-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-174-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-182-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-180-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-178-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-176-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-184-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-186-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-188-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-190-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/684-160-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/684-195-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/684-196-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/684-197-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/684-198-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/684-159-0x0000000000980000-0x00000000009AD000-memory.dmp

Filesize
180KB

Download
memory/684-158-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download
memory/752-218-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-230-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-1010-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-205-0x0000000000990000-0x00000000009D6000-memory.dmp

Filesize
280KB

Download
memory/752-210-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-208-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-212-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-214-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-216-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-209-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-220-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-222-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-224-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-226-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-228-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-206-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-232-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-234-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-236-0x0000000004DD0000-0x0000000004E05000-memory.dmp

Filesize
212KB

Download
memory/752-1001-0x0000000007990000-0x0000000007FA8000-memory.dmp

Filesize
6.1MB

Download
memory/752-1002-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/752-1003-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/752-1005-0x00000000080C0000-0x00000000080FC000-memory.dmp

Filesize
240KB

Download
memory/752-1006-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-1008-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-1009-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-207-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/752-1012-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3364-134-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/3364-139-0x00000000027F0000-0x00000000028E9000-memory.dmp

Filesize
996KB

Download
memory/3364-191-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download