redline | 275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648

Analysis

max time kernel
90s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe
Size

580KB
MD5

b54a14ce7774a7cd6b6bdd7c49c28e7f
SHA1

f53bdb3899ac62a2364e79edada2d65dc078900b
SHA256

275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648
SHA512

8f0943c80f6e54744a221a88ce836f2e1fcd7ac45313bdfa4245bf1dea5c206b2cc3a1b055e231ca19b51f7551d266b9a7f7ec668b7deea16adb61eba6add192
SSDEEP

12288:aMrhy90YZXgtVelIPsfXanZmwNE0W0ZI/FC/UXkUmGas6za99Q:HyzZXoVDPsvanZm70tGOikUmJl

Score

10^/10

redline cr10n fukia discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fukia

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

redline

Botnet

cr10n

176.113.115.17:4132

Attributes

auth_value
6016c19179aa1044c369adb0ec1f363b

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ljT27Mc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ljT27Mc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ljT27Mc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ljT27Mc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dfY04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ljT27Mc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ljT27Mc.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
756	nFM18DH.exe
3988	nfc17qG.exe
4172	bVj86.exe
216	cAT43EH.exe
364	dfY04.exe
432	ljT27Mc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dfY04.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ljT27Mc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nfc17qG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nfc17qG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nFM18DH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nFM18DH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2388	364	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4172	bVj86.exe
4172	bVj86.exe
216	cAT43EH.exe
216	cAT43EH.exe
364	dfY04.exe
364	dfY04.exe
432	ljT27Mc.exe
432	ljT27Mc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	bVj86.exe
Token: SeDebugPrivilege	216	cAT43EH.exe
Token: SeDebugPrivilege	364	dfY04.exe
Token: SeDebugPrivilege	432	ljT27Mc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 756	2912	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe	82
PID 2912 wrote to memory of 756	2912	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe	82
PID 2912 wrote to memory of 756	2912	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe	82
PID 756 wrote to memory of 3988	756	nFM18DH.exe	83
PID 756 wrote to memory of 3988	756	nFM18DH.exe	83
PID 756 wrote to memory of 3988	756	nFM18DH.exe	83
PID 3988 wrote to memory of 4172	3988	nfc17qG.exe	84
PID 3988 wrote to memory of 4172	3988	nfc17qG.exe	84
PID 3988 wrote to memory of 4172	3988	nfc17qG.exe	84
PID 3988 wrote to memory of 216	3988	nfc17qG.exe	85
PID 3988 wrote to memory of 216	3988	nfc17qG.exe	85
PID 3988 wrote to memory of 216	3988	nfc17qG.exe	85
PID 756 wrote to memory of 364	756	nFM18DH.exe	86
PID 756 wrote to memory of 364	756	nFM18DH.exe	86
PID 756 wrote to memory of 364	756	nFM18DH.exe	86
PID 2912 wrote to memory of 432	2912	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe	90
PID 2912 wrote to memory of 432	2912	275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe	90

C:\Users\Admin\AppData\Local\Temp\275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe
"C:\Users\Admin\AppData\Local\Temp\275db2bbbd631acf176a14e1830ef2c2bd6037b888b17a291aeb38d4810b0648.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nFM18DH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nFM18DH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nfc17qG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nfc17qG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bVj86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bVj86.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cAT43EH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cAT43EH.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfY04.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfY04.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1088
      4⤵
      Program crash
      PID:2388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljT27Mc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljT27Mc.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 364 -ip 364
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljT27Mc.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljT27Mc.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nFM18DH.exe

Filesize
476KB

MD5
ba07c0536458c0bfa18729fdb7f9e416

SHA1
1cc8ca367b8ff63aca311daeb03325ad3e54f767

SHA256
1a3c36691ed8655213d6e8633d88051f5dc24a6269b4694b84b1dc67ed571041

SHA512
134f6694f5586273dde825176d10ebb6234720165097a65f4fc3cc00391d0991ea4ac9901f129868e6db37f4868a3948d371c6e1e3e54fb6184d62c0ce92fe74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nFM18DH.exe

Filesize
476KB

MD5
ba07c0536458c0bfa18729fdb7f9e416

SHA1
1cc8ca367b8ff63aca311daeb03325ad3e54f767

SHA256
1a3c36691ed8655213d6e8633d88051f5dc24a6269b4694b84b1dc67ed571041

SHA512
134f6694f5586273dde825176d10ebb6234720165097a65f4fc3cc00391d0991ea4ac9901f129868e6db37f4868a3948d371c6e1e3e54fb6184d62c0ce92fe74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfY04.exe

Filesize
234KB

MD5
353c989b6b901edf860a132aa278144c

SHA1
b900aeb6427096ba11bc80552d71b8de14a3f921

SHA256
13f7ba7f9d4ef700b504fb077fc13b1d0fd008456d3fca56c5df3a4306db7a87

SHA512
2f3a3eb6508f5f3ab2308e76481155d6336a606011c1276e24d5fb8925a622ff0ea06ff7a7932753f844d578353c9a1cc9eb5d99378d65b09352d93f01deb6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfY04.exe

Filesize
234KB

MD5
353c989b6b901edf860a132aa278144c

SHA1
b900aeb6427096ba11bc80552d71b8de14a3f921

SHA256
13f7ba7f9d4ef700b504fb077fc13b1d0fd008456d3fca56c5df3a4306db7a87

SHA512
2f3a3eb6508f5f3ab2308e76481155d6336a606011c1276e24d5fb8925a622ff0ea06ff7a7932753f844d578353c9a1cc9eb5d99378d65b09352d93f01deb6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nfc17qG.exe

Filesize
202KB

MD5
f08eb5b9d5b553c4bbb3fdae475eb493

SHA1
05fb6e88642412abc81e5b569882fac6847da7f0

SHA256
0926deb47ebed039a67ae1cd4e8e4c3f59485bc5b414993df26e65054eeb1c25

SHA512
06b276d4645d5a0fa167ec04e9270db1631ffb274b73657c8944e7b742477dfd7faa7f066e7779f22bbd9b3af16f635cbf8d6761c3d515e98252d045fba46827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nfc17qG.exe

Filesize
202KB

MD5
f08eb5b9d5b553c4bbb3fdae475eb493

SHA1
05fb6e88642412abc81e5b569882fac6847da7f0

SHA256
0926deb47ebed039a67ae1cd4e8e4c3f59485bc5b414993df26e65054eeb1c25

SHA512
06b276d4645d5a0fa167ec04e9270db1631ffb274b73657c8944e7b742477dfd7faa7f066e7779f22bbd9b3af16f635cbf8d6761c3d515e98252d045fba46827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bVj86.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bVj86.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cAT43EH.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cAT43EH.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
memory/216-153-0x0000000000000000-mapping.dmp

Download
memory/216-156-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/364-160-0x0000000000A74000-0x0000000000A94000-memory.dmp

Filesize
128KB

Download
memory/364-163-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/364-162-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/364-161-0x0000000000A00000-0x0000000000A2D000-memory.dmp

Filesize
180KB

Download
memory/364-157-0x0000000000000000-mapping.dmp

Download
memory/432-164-0x0000000000000000-mapping.dmp

Download
memory/432-167-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/432-168-0x00007FFF4B4C0000-0x00007FFF4BF81000-memory.dmp

Filesize
10.8MB

Download
memory/432-169-0x00007FFF4B4C0000-0x00007FFF4BF81000-memory.dmp

Filesize
10.8MB

Download
memory/756-132-0x0000000000000000-mapping.dmp

Download
memory/3988-135-0x0000000000000000-mapping.dmp

Download
memory/4172-141-0x0000000000AE0000-0x0000000000B12000-memory.dmp

Filesize
200KB

Download
memory/4172-152-0x00000000086E0000-0x0000000008C0C000-memory.dmp

Filesize
5.2MB

Download
memory/4172-151-0x0000000007FE0000-0x00000000081A2000-memory.dmp

Filesize
1.8MB

Download
memory/4172-150-0x0000000006710000-0x0000000006760000-memory.dmp

Filesize
320KB

Download
memory/4172-149-0x0000000006690000-0x0000000006706000-memory.dmp

Filesize
472KB

Download
memory/4172-148-0x0000000006A30000-0x0000000006FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4172-147-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/4172-146-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/4172-145-0x0000000005510000-0x000000000554C000-memory.dmp

Filesize
240KB

Download
memory/4172-144-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/4172-143-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/4172-142-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/4172-138-0x0000000000000000-mapping.dmp

Download