redline | 2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266

Analysis

max time kernel
149s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe
Size

707KB
MD5

c2b033fff954e57061a06eb7ae38ead8
SHA1

6afa16395c0cc95e6f183cfa9faa92d135bce6e9
SHA256

2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266
SHA512

8d7831d24b06f2a2b0244eae3d5b10a9bba655f4d060820f2419140bd0031e364bc73562c43a4e8b6d4147f126afef2133c8cdcf3079e1cf8751cd631cf89fe9
SSDEEP

12288:Gy90RwcqSU4MuOIv9Ek+P48pUe3/XnQTdnfsmPXuGAeva+d:GymwcJU4MuOYEk+P48pUu/Xn8ff+KS+d

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2260-989-0x0000000009CA0000-0x000000000A2B8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	78159387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	78159387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	78159387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	78159387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	78159387.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	78159387.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
5100	un909829.exe
3424	78159387.exe
2260	rk565461.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	78159387.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	78159387.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un909829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un909829.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2548	3424	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3424	78159387.exe
3424	78159387.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	78159387.exe
Token: SeDebugPrivilege	2260	rk565461.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 5100	3868	2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe	86
PID 3868 wrote to memory of 5100	3868	2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe	86
PID 3868 wrote to memory of 5100	3868	2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe	86
PID 5100 wrote to memory of 3424	5100	un909829.exe	87
PID 5100 wrote to memory of 3424	5100	un909829.exe	87
PID 5100 wrote to memory of 3424	5100	un909829.exe	87
PID 5100 wrote to memory of 2260	5100	un909829.exe	92
PID 5100 wrote to memory of 2260	5100	un909829.exe	92
PID 5100 wrote to memory of 2260	5100	un909829.exe	92

C:\Users\Admin\AppData\Local\Temp\2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe
"C:\Users\Admin\AppData\Local\Temp\2707f3bff6ab5ef89ca8b4df2d3cae768c42eb0c61228655569de035d9fb3266.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un909829.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un909829.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78159387.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78159387.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1028
      4⤵
      Program crash
      PID:2548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk565461.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk565461.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3424 -ip 3424
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un909829.exe

Filesize
553KB

MD5
93f608355df5536207b41691c39cf0d8

SHA1
2efc395b8025fef12dc2c7966e01f4670e6b6201

SHA256
fa59a28316f08648f77ac3bbb48c5be5230fd9a4cad2e209507546ed14b996f1

SHA512
45b3305f8b7d8f1896a38af0ebefd1d1add0839744cc6c305a91898b412d54f888d1f2e48a41df17e7a650b06a0f9b83e41b92ec14c6056850e132d7667bcd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un909829.exe

Filesize
553KB

MD5
93f608355df5536207b41691c39cf0d8

SHA1
2efc395b8025fef12dc2c7966e01f4670e6b6201

SHA256
fa59a28316f08648f77ac3bbb48c5be5230fd9a4cad2e209507546ed14b996f1

SHA512
45b3305f8b7d8f1896a38af0ebefd1d1add0839744cc6c305a91898b412d54f888d1f2e48a41df17e7a650b06a0f9b83e41b92ec14c6056850e132d7667bcd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78159387.exe

Filesize
258KB

MD5
44254e9fb092e7da5dbb88568a0e36cd

SHA1
1269f8a6453095ed30d1fe75a93c66c585ed2b36

SHA256
d7ff5bf6fe82db98bbafe378e8989ffa7c05dae5e015e75fcc2d26b9f4613c5b

SHA512
356ed9e7def52a7f4e82f258b0bf4b9dfa37e87138796c504500fdc8d92da6d4843d580d34608363f03406d5afa33d6d1a6059797a490402622454ac839ed93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\78159387.exe

Filesize
258KB

MD5
44254e9fb092e7da5dbb88568a0e36cd

SHA1
1269f8a6453095ed30d1fe75a93c66c585ed2b36

SHA256
d7ff5bf6fe82db98bbafe378e8989ffa7c05dae5e015e75fcc2d26b9f4613c5b

SHA512
356ed9e7def52a7f4e82f258b0bf4b9dfa37e87138796c504500fdc8d92da6d4843d580d34608363f03406d5afa33d6d1a6059797a490402622454ac839ed93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk565461.exe

Filesize
353KB

MD5
c219d1e502ab0d9c27e15c77e4344311

SHA1
44dce4de25104f6f42fe7c62b7ccd3589a4300b5

SHA256
36fb341150dce0b8a4d06f4e3ac5b6c2b2757788df8688156e0945f13fcec086

SHA512
50b486f23bb984f32bb75001b1b73cd67d2a275beb1bad64fb5888beadd1c38739e1fe53fc342a497cc02dea7f1beeef127d79663fe09316c949dbef143c4b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk565461.exe

Filesize
353KB

MD5
c219d1e502ab0d9c27e15c77e4344311

SHA1
44dce4de25104f6f42fe7c62b7ccd3589a4300b5

SHA256
36fb341150dce0b8a4d06f4e3ac5b6c2b2757788df8688156e0945f13fcec086

SHA512
50b486f23bb984f32bb75001b1b73cd67d2a275beb1bad64fb5888beadd1c38739e1fe53fc342a497cc02dea7f1beeef127d79663fe09316c949dbef143c4b32

Download Submit
memory/2260-224-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-214-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-992-0x000000000A450000-0x000000000A48C000-memory.dmp

Filesize
240KB

Download
memory/2260-991-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/2260-990-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/2260-989-0x0000000009CA0000-0x000000000A2B8000-memory.dmp

Filesize
6.1MB

Download
memory/2260-507-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/2260-509-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/2260-995-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/2260-222-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-196-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-220-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-218-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-993-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/2260-216-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-210-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-212-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-208-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-202-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-206-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-204-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-200-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-198-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/2260-996-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/2260-997-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/2260-194-0x0000000002BE0000-0x0000000002C26000-memory.dmp

Filesize
280KB

Download
memory/2260-195-0x00000000071A0000-0x00000000071D5000-memory.dmp

Filesize
212KB

Download
memory/3424-164-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-187-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3424-184-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3424-183-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3424-182-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3424-181-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/3424-180-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3424-179-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3424-178-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-176-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-174-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-172-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-170-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-168-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-166-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-162-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-160-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-158-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-156-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-154-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-152-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-151-0x00000000048F0000-0x0000000004903000-memory.dmp

Filesize
76KB

Download
memory/3424-150-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/3424-149-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/3424-148-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download