redline | 22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3

Analysis

max time kernel
148s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe
Size

694KB
MD5

541e9af617ffc11d4ea2d5840b3b12fe
SHA1

b05e648957a8aa2b40625f50e4f44a4a7178a13a
SHA256

22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3
SHA512

8a406990757de8c87f8d9ebc442d1728428aab0dfdf6db94cab230c5c4349e87790f267df19265b8c78a389edf0284d4379be905c18c9f9eeb82b2ef82b2692e
SSDEEP

12288:Ey90Rxq9+6T+B1Bs0oXi4Gh9WBxcfp95avxDH1X5VN97n/eqbZ:EyixW+Bs0oy42wGHabfN97nmql

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2084-995-0x0000000009C60000-0x000000000A278000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	64815260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	64815260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	64815260.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	64815260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	64815260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	64815260.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4916	un292855.exe
2412	64815260.exe
2084	rk008943.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	64815260.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	64815260.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un292855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un292855.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4580	2412	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	64815260.exe
2412	64815260.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	64815260.exe
Token: SeDebugPrivilege	2084	rk008943.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 4916	64	22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe	83
PID 64 wrote to memory of 4916	64	22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe	83
PID 64 wrote to memory of 4916	64	22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe	83
PID 4916 wrote to memory of 2412	4916	un292855.exe	84
PID 4916 wrote to memory of 2412	4916	un292855.exe	84
PID 4916 wrote to memory of 2412	4916	un292855.exe	84
PID 4916 wrote to memory of 2084	4916	un292855.exe	88
PID 4916 wrote to memory of 2084	4916	un292855.exe	88
PID 4916 wrote to memory of 2084	4916	un292855.exe	88

C:\Users\Admin\AppData\Local\Temp\22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe
"C:\Users\Admin\AppData\Local\Temp\22743f2dcb465fc320cf0972d158bfde65251879730fe00f0c293e0c6fb173d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un292855.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un292855.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\64815260.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\64815260.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1088
      4⤵
      Program crash
      PID:4580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008943.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008943.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2412 -ip 2412
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un292855.exe

Filesize
541KB

MD5
78431b8c837c46ebfa488656e202d098

SHA1
7e6489188c71f16e73e3226c042bd1d8e7d42cc4

SHA256
c3205aabbc3928fc076d41ac76a0f5385d66f65d9c5ac284196a3068cb53a7c6

SHA512
c12d1e2bd80823dd05c2f879443d286addd7a39d430b585f1dcf1e3aa83522a91f21ebad6efd2553ea76bc322a6ff36828f378e978421c7be732d8ae46cabc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un292855.exe

Filesize
541KB

MD5
78431b8c837c46ebfa488656e202d098

SHA1
7e6489188c71f16e73e3226c042bd1d8e7d42cc4

SHA256
c3205aabbc3928fc076d41ac76a0f5385d66f65d9c5ac284196a3068cb53a7c6

SHA512
c12d1e2bd80823dd05c2f879443d286addd7a39d430b585f1dcf1e3aa83522a91f21ebad6efd2553ea76bc322a6ff36828f378e978421c7be732d8ae46cabc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\64815260.exe

Filesize
258KB

MD5
9b0d36b6cc1096426aff27c39a09a231

SHA1
b044fa7e607b03968dd5343bef2ea065a940c08e

SHA256
9cf94eca19920cfadc860e23dd9518fd8eedded1e98254e617726c0ceddb97c2

SHA512
411fc4b1c7e0e9a06af3a40f3c2b971facadad33cd82b50a8e0b0f49f486f25f750795c2e7ec82124146bb8213c07f56ba5c6179e641377bbbb53b8aa2661502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\64815260.exe

Filesize
258KB

MD5
9b0d36b6cc1096426aff27c39a09a231

SHA1
b044fa7e607b03968dd5343bef2ea065a940c08e

SHA256
9cf94eca19920cfadc860e23dd9518fd8eedded1e98254e617726c0ceddb97c2

SHA512
411fc4b1c7e0e9a06af3a40f3c2b971facadad33cd82b50a8e0b0f49f486f25f750795c2e7ec82124146bb8213c07f56ba5c6179e641377bbbb53b8aa2661502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008943.exe

Filesize
341KB

MD5
4855a0b624baab2cf1e3bd026d4818a5

SHA1
95722020b9a25fc034b3c70126fe8f188fdccf06

SHA256
4aef7c7b8d9c4bef9ae8edc41c76dec73b20156f3b2587116a8f0c9ebc8155eb

SHA512
1b7ab3aa0ed0355a2aefba25bfe6d24092f67e6ffba1bc1991061e6e9228173c2531c3372eb8ac5e9b4319e862c8fae928b310613d5706b7b9833da9b60202af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk008943.exe

Filesize
341KB

MD5
4855a0b624baab2cf1e3bd026d4818a5

SHA1
95722020b9a25fc034b3c70126fe8f188fdccf06

SHA256
4aef7c7b8d9c4bef9ae8edc41c76dec73b20156f3b2587116a8f0c9ebc8155eb

SHA512
1b7ab3aa0ed0355a2aefba25bfe6d24092f67e6ffba1bc1991061e6e9228173c2531c3372eb8ac5e9b4319e862c8fae928b310613d5706b7b9833da9b60202af

Download Submit
memory/2084-221-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-272-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-1001-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-999-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-998-0x000000000A320000-0x000000000A35C000-memory.dmp

Filesize
240KB

Download
memory/2084-997-0x00000000077A0000-0x00000000078AA000-memory.dmp

Filesize
1.0MB

Download
memory/2084-996-0x000000000A300000-0x000000000A312000-memory.dmp

Filesize
72KB

Download
memory/2084-197-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-993-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-199-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-992-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-991-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-274-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-276-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2084-195-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-201-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-270-0x0000000002CC0000-0x0000000002D06000-memory.dmp

Filesize
280KB

Download
memory/2084-223-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-219-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-217-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-213-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-215-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-211-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-209-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-207-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-194-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-205-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2084-995-0x0000000009C60000-0x000000000A278000-memory.dmp

Filesize
6.1MB

Download
memory/2084-203-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2412-175-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-163-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-150-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2412-149-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2412-151-0x00000000074A0000-0x0000000007A44000-memory.dmp

Filesize
5.6MB

Download
memory/2412-188-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/2412-185-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2412-184-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2412-183-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2412-181-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-148-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/2412-179-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-177-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-173-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-171-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-169-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-167-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-165-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-161-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-159-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-157-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-155-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-154-0x0000000004CE0000-0x0000000004CF3000-memory.dmp

Filesize
76KB

Download
memory/2412-153-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2412-152-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download