redline | 269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232

General

Target

269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
Size

479KB
MD5

2dd3dcc10f7006763fb2751b0fa6f454
SHA1

484bfeb780722165db13052795e2f4422f828707
SHA256

269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232
SHA512

79a78376652972730c83e57444a167953a45d749a1ddb141d4e68ad043fff56f5e1e633d7592c4a4280ce540706059cd007812434a1d50afea1ef9564785da3a
SSDEEP

6144:Kzy+bnr+rp0yN90QETpsOMm2Vn+UwCj0FOUEjCgnbEQ/PIz2QUJ9tVVv3SJV:VMrry90bpMMC0OAgnbE01Qu9rVvAV

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4164-187-0x0000000007900000-0x0000000007F18000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0859051.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0859051.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
3052	v7184437.exe
1484	a0859051.exe
4164	b8913035.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0859051.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0859051.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7184437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7184437.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	a0859051.exe
1484	a0859051.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	a0859051.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3052	636	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	84
PID 636 wrote to memory of 3052	636	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	84
PID 636 wrote to memory of 3052	636	269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe	84
PID 3052 wrote to memory of 1484	3052	v7184437.exe	85
PID 3052 wrote to memory of 1484	3052	v7184437.exe	85
PID 3052 wrote to memory of 1484	3052	v7184437.exe	85
PID 3052 wrote to memory of 4164	3052	v7184437.exe	90
PID 3052 wrote to memory of 4164	3052	v7184437.exe	90
PID 3052 wrote to memory of 4164	3052	v7184437.exe	90

C:\Users\Admin\AppData\Local\Temp\269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe
"C:\Users\Admin\AppData\Local\Temp\269abe57e67654fa1a97d65396fa841de0481432bb7f18037db3862b4458e232.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe
    3⤵
    - Executes dropped EXE
    PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe

Filesize
307KB

MD5
25d205eb0b4d50be87dea2d3043ee936

SHA1
9d8d1271e22b8f12614db71e18a43ed1a6918b4b

SHA256
2a7ea5826deab8afb1383512f6ee928d5eb7bcf7ce8e0a660816f2b474fac726

SHA512
f14082b9a6ddcc6cedb524cdb4f64feebc97a90fffc8f844932d376324964b7ee3dd8180430221a7bceb1619282e512e564bd8bed41a9f5e5101b2e56e4c3c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7184437.exe

Filesize
307KB

MD5
25d205eb0b4d50be87dea2d3043ee936

SHA1
9d8d1271e22b8f12614db71e18a43ed1a6918b4b

SHA256
2a7ea5826deab8afb1383512f6ee928d5eb7bcf7ce8e0a660816f2b474fac726

SHA512
f14082b9a6ddcc6cedb524cdb4f64feebc97a90fffc8f844932d376324964b7ee3dd8180430221a7bceb1619282e512e564bd8bed41a9f5e5101b2e56e4c3c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe

Filesize
175KB

MD5
d59b989253d9bd505567328d127ce588

SHA1
7f2bc6f370f00d2364c50ed6037eff706f64d5c5

SHA256
b5a92e6994f0db8057eaa987df7bf5e1dace2f834d26672ef78b70620f6812cc

SHA512
bcc947bbc66c63da11439aec57b08e7aa6e92c9278d83d523d41a0a13129711d9e609a195526e69b504a9079af880a90cfa4ed01aa920d9295851d8f7ad2d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a0859051.exe

Filesize
175KB

MD5
d59b989253d9bd505567328d127ce588

SHA1
7f2bc6f370f00d2364c50ed6037eff706f64d5c5

SHA256
b5a92e6994f0db8057eaa987df7bf5e1dace2f834d26672ef78b70620f6812cc

SHA512
bcc947bbc66c63da11439aec57b08e7aa6e92c9278d83d523d41a0a13129711d9e609a195526e69b504a9079af880a90cfa4ed01aa920d9295851d8f7ad2d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe

Filesize
136KB

MD5
31fc937fffe039390eec038ac8e953d7

SHA1
bad83a487f89adf0daf13140d0f7956e26d81a83

SHA256
da0047fc3c24596e35d37015285c4c6467ab25a7fa17b5d7663e2f8c3b4d7087

SHA512
b4137c7aeb7067d62002ac8dca0ff647a7f25c6f57457ed1a9971b855400718b9388b6a69fd2fecf22cdcb3ebe28ea1fe4da98f848bcc230fa196c8363f42fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8913035.exe

Filesize
136KB

MD5
31fc937fffe039390eec038ac8e953d7

SHA1
bad83a487f89adf0daf13140d0f7956e26d81a83

SHA256
da0047fc3c24596e35d37015285c4c6467ab25a7fa17b5d7663e2f8c3b4d7087

SHA512
b4137c7aeb7067d62002ac8dca0ff647a7f25c6f57457ed1a9971b855400718b9388b6a69fd2fecf22cdcb3ebe28ea1fe4da98f848bcc230fa196c8363f42fd3

Download Submit
memory/1484-166-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-176-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-151-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-152-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-154-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-156-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-158-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-160-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-162-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-164-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-149-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1484-168-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-170-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-172-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-174-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-150-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1484-178-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1484-179-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1484-180-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1484-181-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1484-148-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1484-147-0x0000000004970000-0x0000000004F14000-memory.dmp

Filesize
5.6MB

Download
memory/4164-186-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/4164-187-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/4164-188-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/4164-189-0x00000000074B0000-0x00000000075BA000-memory.dmp

Filesize
1.0MB

Download
memory/4164-190-0x00000000073E0000-0x000000000741C000-memory.dmp

Filesize
240KB

Download
memory/4164-191-0x0000000007770000-0x0000000007780000-memory.dmp

Filesize
64KB

Download
memory/4164-192-0x0000000007770000-0x0000000007780000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads