redline | cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8

Resubmissions

29-10-2024 14:07

241029-re6ygswcmh 10

07-05-2023 06:53

230507-hnxazach5w 10

Analysis

max time kernel
183s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe
Size

1.5MB
MD5

ad39b7a2270e3b6fbf5a6dd50f48a487
SHA1

c1491b19e448b7afcada102b6e447989b3ea32ca
SHA256

cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8
SHA512

acb9dc0bd603c8fe3062fb2eacaad0321625c56c1fc23482e8f174daf7654591c2ce21fae04a4db82c317c376602ffc372c9e85615380c7af1dd0c6faf7661eb
SSDEEP

49152:IyHUdnAePtIm60ohZseZBMRH5G6V7OQniE:xHUdn3Gm60ZmBMpg6VC8iE

Score

10^/10

redline evasion infostealer persistence stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4472-215-0x0000000007680000-0x0000000007C98000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6858310.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6858310.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6858310.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6858310.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6858310.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6858310.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3696	v4325562.exe
4372	v5487393.exe
3064	v7306110.exe
3212	v5892967.exe
1704	a6858310.exe
4472	b3172754.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6858310.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6858310.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4325562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4325562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5892967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5892967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5487393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5487393.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7306110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7306110.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2400	1704	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	a6858310.exe
1704	a6858310.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	a6858310.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3696	3656	cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe	84
PID 3656 wrote to memory of 3696	3656	cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe	84
PID 3656 wrote to memory of 3696	3656	cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe	84
PID 3696 wrote to memory of 4372	3696	v4325562.exe	85
PID 3696 wrote to memory of 4372	3696	v4325562.exe	85
PID 3696 wrote to memory of 4372	3696	v4325562.exe	85
PID 4372 wrote to memory of 3064	4372	v5487393.exe	86
PID 4372 wrote to memory of 3064	4372	v5487393.exe	86
PID 4372 wrote to memory of 3064	4372	v5487393.exe	86
PID 3064 wrote to memory of 3212	3064	v7306110.exe	87
PID 3064 wrote to memory of 3212	3064	v7306110.exe	87
PID 3064 wrote to memory of 3212	3064	v7306110.exe	87
PID 3212 wrote to memory of 1704	3212	v5892967.exe	88
PID 3212 wrote to memory of 1704	3212	v5892967.exe	88
PID 3212 wrote to memory of 1704	3212	v5892967.exe	88
PID 3212 wrote to memory of 4472	3212	v5892967.exe	91
PID 3212 wrote to memory of 4472	3212	v5892967.exe	91
PID 3212 wrote to memory of 4472	3212	v5892967.exe	91

C:\Users\Admin\AppData\Local\Temp\cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe
"C:\Users\Admin\AppData\Local\Temp\cbb377550aa4560e976bc8efd8f39309ee69594bf3823efa2d21d821fee3efe8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4325562.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4325562.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487393.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487393.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7306110.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7306110.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5892967.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5892967.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6858310.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6858310.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1108
        7⤵
        Program crash
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3172754.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3172754.exe
        6⤵
        Executes dropped EXE
        
        PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1704 -ip 1704
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4325562.exe

Filesize
1.4MB

MD5
9b2a9a5e0f9e597cac6bf4b5a68f3f9c

SHA1
fd4ccaff09ccd2a7e440c3fd55434646bd2f74a7

SHA256
8310d75e1c6689a515b291753d2fb45ab32cbad516bef61f6c37682f737390f2

SHA512
10c8cf431d4748ae5c21650b794f947fa937bae0e9966d6283cb7890f628e448a5545a79abbff8d853631eaf77152a8bed1ebd7617d537f01f2db28948a2e15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4325562.exe

Filesize
1.4MB

MD5
9b2a9a5e0f9e597cac6bf4b5a68f3f9c

SHA1
fd4ccaff09ccd2a7e440c3fd55434646bd2f74a7

SHA256
8310d75e1c6689a515b291753d2fb45ab32cbad516bef61f6c37682f737390f2

SHA512
10c8cf431d4748ae5c21650b794f947fa937bae0e9966d6283cb7890f628e448a5545a79abbff8d853631eaf77152a8bed1ebd7617d537f01f2db28948a2e15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487393.exe

Filesize
914KB

MD5
4bbd13d3ce889603424772a003ee81ef

SHA1
47d9a144d5b2ca10c071ef81cc1d056e1430edfc

SHA256
7cc9b56f44dd575fdb8f82b440e9c6541b083ea07f91bbb55351071b788c7cdd

SHA512
89af134aecdc8d6ee80dc2a54dcedae375138da9050e482819a96db4a63fba5a9edf9635de24315112d8211b6ab61c3ba2d5d1bddeb827edf8ed153c412995c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5487393.exe

Filesize
914KB

MD5
4bbd13d3ce889603424772a003ee81ef

SHA1
47d9a144d5b2ca10c071ef81cc1d056e1430edfc

SHA256
7cc9b56f44dd575fdb8f82b440e9c6541b083ea07f91bbb55351071b788c7cdd

SHA512
89af134aecdc8d6ee80dc2a54dcedae375138da9050e482819a96db4a63fba5a9edf9635de24315112d8211b6ab61c3ba2d5d1bddeb827edf8ed153c412995c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7306110.exe

Filesize
709KB

MD5
59838f92445d5f84746d7473dd679ef1

SHA1
172e58b7f6abffa7a11de1166ee6d4ffaf9ad0a7

SHA256
07fdd3b3b419e015b8b3e2cc4d0c2fcda672d7010e0156453ad04f2146177ecd

SHA512
9e8771e52cac4ad49dfbdfe209f1d04aa29ba9e07cf2611fc49a50cce0de22d516d6625fcba93b1a13e428533f4f8865212128f6ea799a02d7c050451181781f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7306110.exe

Filesize
709KB

MD5
59838f92445d5f84746d7473dd679ef1

SHA1
172e58b7f6abffa7a11de1166ee6d4ffaf9ad0a7

SHA256
07fdd3b3b419e015b8b3e2cc4d0c2fcda672d7010e0156453ad04f2146177ecd

SHA512
9e8771e52cac4ad49dfbdfe209f1d04aa29ba9e07cf2611fc49a50cce0de22d516d6625fcba93b1a13e428533f4f8865212128f6ea799a02d7c050451181781f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5892967.exe

Filesize
418KB

MD5
0e00347fca26467fd8d0a547d0378c94

SHA1
eae68932673ffa58c971f953889a08c41883c5dd

SHA256
d4cee2575181205f932379f2b2a092ce76678903a30191d33f157f006ae6b45a

SHA512
6ca870c8df835304b9b6409878da84dad5d800ff4b558ffaa5d48e45018ecb1e41ef44d541bfb322a66848f951c893b101bd8e53ecdf7b1537349a429d8d5300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5892967.exe

Filesize
418KB

MD5
0e00347fca26467fd8d0a547d0378c94

SHA1
eae68932673ffa58c971f953889a08c41883c5dd

SHA256
d4cee2575181205f932379f2b2a092ce76678903a30191d33f157f006ae6b45a

SHA512
6ca870c8df835304b9b6409878da84dad5d800ff4b558ffaa5d48e45018ecb1e41ef44d541bfb322a66848f951c893b101bd8e53ecdf7b1537349a429d8d5300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6858310.exe

Filesize
361KB

MD5
2c281c3a5742433d6f6fbd07c9ce45b2

SHA1
719b1ac20c7b1d0e65b0f76bd4b9b1821f3ffbd5

SHA256
674991960e478586ea0e286dc767e1013cba5361480e296a31a33e4d4edb32c1

SHA512
d1e3029b48b1312265e5e5af5df7b7c1d07f21f2e6488189307142361c3efb22be6093c922aafdde13b5ffd89eb4db46a32a40422833c5ef8770f5d310115ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6858310.exe

Filesize
361KB

MD5
2c281c3a5742433d6f6fbd07c9ce45b2

SHA1
719b1ac20c7b1d0e65b0f76bd4b9b1821f3ffbd5

SHA256
674991960e478586ea0e286dc767e1013cba5361480e296a31a33e4d4edb32c1

SHA512
d1e3029b48b1312265e5e5af5df7b7c1d07f21f2e6488189307142361c3efb22be6093c922aafdde13b5ffd89eb4db46a32a40422833c5ef8770f5d310115ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3172754.exe

Filesize
136KB

MD5
9c7ca9b893663b04a6871d61fe63b3c4

SHA1
e7174f00df6496a5787e2c250df3a1aa46fbfbc3

SHA256
9c1930f3e31da99b54fb5fdd523e7c8b3ef19a1f8fa7ca29795b8ef8d1384c89

SHA512
c61dbfd6f2463ba7f6571eda17654524ebed952c21e1d53b8f85e2da6074ea266f828be47d473d30a08a3f7aadf9c0b3ca863eb4bf6e96f8f29f7784479ce187

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3172754.exe

Filesize
136KB

MD5
9c7ca9b893663b04a6871d61fe63b3c4

SHA1
e7174f00df6496a5787e2c250df3a1aa46fbfbc3

SHA256
9c1930f3e31da99b54fb5fdd523e7c8b3ef19a1f8fa7ca29795b8ef8d1384c89

SHA512
c61dbfd6f2463ba7f6571eda17654524ebed952c21e1d53b8f85e2da6074ea266f828be47d473d30a08a3f7aadf9c0b3ca863eb4bf6e96f8f29f7784479ce187

Download Submit
memory/1704-187-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-197-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-173-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1704-174-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-175-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-177-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-179-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-181-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-183-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-185-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-171-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1704-189-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-191-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-193-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-195-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-172-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1704-199-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-201-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/1704-202-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1704-203-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1704-204-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1704-205-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1704-209-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1704-170-0x0000000000780000-0x00000000007AD000-memory.dmp

Filesize
180KB

Download
memory/1704-169-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/4472-214-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/4472-215-0x0000000007680000-0x0000000007C98000-memory.dmp

Filesize
6.1MB

Download
memory/4472-216-0x0000000007120000-0x0000000007132000-memory.dmp

Filesize
72KB

Download
memory/4472-217-0x0000000007250000-0x000000000735A000-memory.dmp

Filesize
1.0MB

Download
memory/4472-218-0x0000000007180000-0x00000000071BC000-memory.dmp

Filesize
240KB

Download
memory/4472-219-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4472-220-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download