redline | 21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
Size

618KB
MD5

f4e2a3ad55df1a84fa32f2a3a396f75e
SHA1

9e1c4f29d65a68c93599688c0b83de1fefade2b4
SHA256

21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84
SHA512

d1667915ee72608e84f21afa33d829c274510e52ea656b75f17ecff70d6ca270083a87bfba90f1b705309a8e4763840ae1b022cac910c06ada3a309744840bee
SSDEEP

12288:Qy90o5UfrRk63dq6vJI7FYfAPYRKhsVPTs2FQe6/qr9wl:QyR5qmCzvO5QKYYhsVPTs2y3

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1592-948-0x0000000007960000-0x0000000007F78000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	15968789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	15968789.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4836	st935675.exe
1152	15968789.exe
1592	kp167459.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	15968789.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st935675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st935675.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	15968789.exe
1152	15968789.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	15968789.exe
Token: SeDebugPrivilege	1592	kp167459.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4836	1564	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	86
PID 1564 wrote to memory of 4836	1564	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	86
PID 1564 wrote to memory of 4836	1564	21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe	86
PID 4836 wrote to memory of 1152	4836	st935675.exe	87
PID 4836 wrote to memory of 1152	4836	st935675.exe	87
PID 4836 wrote to memory of 1592	4836	st935675.exe	90
PID 4836 wrote to memory of 1592	4836	st935675.exe	90
PID 4836 wrote to memory of 1592	4836	st935675.exe	90

C:\Users\Admin\AppData\Local\Temp\21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe
"C:\Users\Admin\AppData\Local\Temp\21a0d9848733e2ff99df508be706d562932695da05186fd52d832e2dc1fb1e84.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe

Filesize
464KB

MD5
cf80f6dde7471fa66217e09531b0408f

SHA1
2bff57f4a56eb362fd7f85ffdf6ff0630fbee293

SHA256
c92ea110db222121e3a056248d7879de458193374766c1c2c64b54ce5e2e86ad

SHA512
e0102854c4247aedc747fcd6ad7565af4d836357b6e3cd656030c49ff92142986c6859fdd31c06256f11eacd162e88632a9279784e9301f83a95cf247cad86fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st935675.exe

Filesize
464KB

MD5
cf80f6dde7471fa66217e09531b0408f

SHA1
2bff57f4a56eb362fd7f85ffdf6ff0630fbee293

SHA256
c92ea110db222121e3a056248d7879de458193374766c1c2c64b54ce5e2e86ad

SHA512
e0102854c4247aedc747fcd6ad7565af4d836357b6e3cd656030c49ff92142986c6859fdd31c06256f11eacd162e88632a9279784e9301f83a95cf247cad86fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\15968789.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp167459.exe

Filesize
478KB

MD5
53a550c71434300c3c799600c3a90aa0

SHA1
7d3228855e56364adaf0f56c47e2418d3e6b868e

SHA256
8bd1e953ea28869fa796e95ffc8b17b539f97efc87f1cbbbe0843c912b1c23b3

SHA512
aef59bfc54e250bd05541eb1e5aae6e9d02f5d7ec254a1022ea6a869d5e71a9a4d686d25892a4d69e5a36cbbb31d756a498534de06427ee1b9de1475bb08635f

Download Submit
memory/1152-147-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/1592-153-0x00000000009A0000-0x00000000009E6000-memory.dmp

Filesize
280KB

Download
memory/1592-154-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1592-155-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/1592-156-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-157-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-159-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-161-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-163-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-165-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-167-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-169-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-171-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-173-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-175-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-177-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-179-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-181-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-183-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-185-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-187-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-189-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-191-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-193-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-195-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-197-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-199-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-201-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-203-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-205-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-207-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-209-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-211-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-213-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-215-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-217-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-219-0x0000000002890000-0x00000000028C5000-memory.dmp

Filesize
212KB

Download
memory/1592-948-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/1592-949-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/1592-950-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/1592-951-0x00000000080F0000-0x000000000812C000-memory.dmp

Filesize
240KB

Download
memory/1592-952-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1592-954-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1592-955-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1592-956-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download