redline | 2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46

Analysis

max time kernel
150s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe
Size

747KB
MD5

60c58d962b09b00dce5028f2c31be740
SHA1

806737d4cba25e7a56e660227ccdf691cc6f7762
SHA256

2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46
SHA512

a0b18fcd898a1c15169fd3476be2549455aa0c4d6de4246e84be1e3871592bd7f4f2e0526d331c1d4d732369b38ac2ae797570551d595d2cdfe8b791deedd5aa
SSDEEP

12288:Oy901gJ/tuoC06phk1xRMZ6vmzSjyHxbUS65B5/HfRihWdedRm91DuOvXcCvgGT:Oy4Q/txClHk1IHzcyHdcvfR0HHmDtXcg

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4876-989-0x00000000079D0000-0x0000000007FE8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	81108454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	81108454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	81108454.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	81108454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	81108454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	81108454.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1144	un873475.exe
4304	81108454.exe
4876	rk600204.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	81108454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	81108454.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un873475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un873475.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3120	4304	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4304	81108454.exe
4304	81108454.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	81108454.exe
Token: SeDebugPrivilege	4876	rk600204.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1144	840	2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe	85
PID 840 wrote to memory of 1144	840	2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe	85
PID 840 wrote to memory of 1144	840	2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe	85
PID 1144 wrote to memory of 4304	1144	un873475.exe	86
PID 1144 wrote to memory of 4304	1144	un873475.exe	86
PID 1144 wrote to memory of 4304	1144	un873475.exe	86
PID 1144 wrote to memory of 4876	1144	un873475.exe	89
PID 1144 wrote to memory of 4876	1144	un873475.exe	89
PID 1144 wrote to memory of 4876	1144	un873475.exe	89

C:\Users\Admin\AppData\Local\Temp\2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe
"C:\Users\Admin\AppData\Local\Temp\2b3cd8cd7d635a951a431e9103148680f75dd0a97e633e3071104d7ac85bcd46.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un873475.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un873475.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81108454.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81108454.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1084
      4⤵
      Program crash
      PID:3120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600204.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600204.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4304 -ip 4304
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un873475.exe

Filesize
593KB

MD5
d0ef41b2789cdc96648febe145a22493

SHA1
de5874296cbe6faef007c2595d1340404335e7bf

SHA256
71471b48af43f0af63f41a66b056c3c98efd1ee3a91019d84dbca1a10c5927d6

SHA512
5f9e3d01a87d5d075623bf08b210fa4d76b2e9d661549393ef3a80943592dbd4d34e2e6d78ed56be220208e1c6e574a275dc78c145ff52da8d0a135fa4585c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un873475.exe

Filesize
593KB

MD5
d0ef41b2789cdc96648febe145a22493

SHA1
de5874296cbe6faef007c2595d1340404335e7bf

SHA256
71471b48af43f0af63f41a66b056c3c98efd1ee3a91019d84dbca1a10c5927d6

SHA512
5f9e3d01a87d5d075623bf08b210fa4d76b2e9d661549393ef3a80943592dbd4d34e2e6d78ed56be220208e1c6e574a275dc78c145ff52da8d0a135fa4585c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81108454.exe

Filesize
378KB

MD5
67995580b5320b89096e59f37dda5a83

SHA1
04fe88a5c238dc1aca63ff596eba398a8664c838

SHA256
e3671c5f94edaf17c8eaa227380481d5bcc5b9027d78a3a4d39dc040d31bac8b

SHA512
83a973e32657782b2b5f2f1f530a852de57fd8e682b2d48037d1c435d1425fcc03d6384745371069816c679f5289f35bc717d5bfbc416ca2e055ebb1c657d110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\81108454.exe

Filesize
378KB

MD5
67995580b5320b89096e59f37dda5a83

SHA1
04fe88a5c238dc1aca63ff596eba398a8664c838

SHA256
e3671c5f94edaf17c8eaa227380481d5bcc5b9027d78a3a4d39dc040d31bac8b

SHA512
83a973e32657782b2b5f2f1f530a852de57fd8e682b2d48037d1c435d1425fcc03d6384745371069816c679f5289f35bc717d5bfbc416ca2e055ebb1c657d110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600204.exe

Filesize
460KB

MD5
cf3f2ca9b47fb4b242c079983d6cbca6

SHA1
c72902ffcabf7ae75bfc82a0020b5f1e5631adb3

SHA256
2c946a7a92401ddd97b0427630bfd59f02e8a0b2ea97c79ca5f36e923193f7a8

SHA512
48b344184af622c29e58a7b9507726cc15d020f871391058cdecf52915c167a9207c934c66477f8d66f9ef3ad505cb3437af5404e0655a5ee8964f571184d155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk600204.exe

Filesize
460KB

MD5
cf3f2ca9b47fb4b242c079983d6cbca6

SHA1
c72902ffcabf7ae75bfc82a0020b5f1e5631adb3

SHA256
2c946a7a92401ddd97b0427630bfd59f02e8a0b2ea97c79ca5f36e923193f7a8

SHA512
48b344184af622c29e58a7b9507726cc15d020f871391058cdecf52915c167a9207c934c66477f8d66f9ef3ad505cb3437af5404e0655a5ee8964f571184d155

Download Submit
memory/4304-164-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-160-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-152-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4304-153-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-154-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-156-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-158-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-151-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4304-162-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-149-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4304-166-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-168-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-170-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-172-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-176-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-174-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-178-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-180-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/4304-181-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4304-182-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4304-183-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4304-184-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4304-186-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4304-150-0x0000000004F60000-0x0000000005504000-memory.dmp

Filesize
5.6MB

Download
memory/4304-148-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4876-218-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-228-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-989-0x00000000079D0000-0x0000000007FE8000-memory.dmp

Filesize
6.1MB

Download
memory/4876-194-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-197-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-198-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-200-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-202-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-204-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-206-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-208-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-210-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-212-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-193-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/4876-196-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-214-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-990-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/4876-216-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-224-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-226-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-222-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-195-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-220-0x0000000004E20000-0x0000000004E55000-memory.dmp

Filesize
212KB

Download
memory/4876-991-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/4876-992-0x0000000004F40000-0x0000000004F7C000-memory.dmp

Filesize
240KB

Download
memory/4876-993-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-995-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-996-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-997-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4876-998-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download