redline | 7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5

General

Target

7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
Size

469KB
MD5

fef3d12a1fe20fced05419512b510cbb
SHA1

269939fd78d1d8878ce10dc36c7920a4174cba8d
SHA256

7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5
SHA512

cd14a90731676b3ac9ba9028bb61f499c61984e193898bdcb4245e7185edbf58a7efd5f275ef07045a815b279c7f940878a4dceaefadbbdf9a60117884b125a6
SSDEEP

12288:dMrky90oZ78lEyTm+95+gWZr7Vi3Sgvq9qRnXQ:xy/1y/sgWjvOSqRnXQ

Score

10^/10

redline cr10n fukia discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

redline

Botnet

cr10n

C2

176.113.115.17:4132

Attributes

auth_value
6016c19179aa1044c369adb0ec1f363b

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dSo61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dSo61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dSo61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dSo61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dSo61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dSo61.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2792	nNt12.exe
3868	bfe83.exe
4480	cPy79vk.exe
4700	dSo61.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dSo61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dSo61.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nNt12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nNt12.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3816	4700	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3868	bfe83.exe
3868	bfe83.exe
4480	cPy79vk.exe
4480	cPy79vk.exe
4700	dSo61.exe
4700	dSo61.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	bfe83.exe
Token: SeDebugPrivilege	4480	cPy79vk.exe
Token: SeDebugPrivilege	4700	dSo61.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2792	4880	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	81
PID 4880 wrote to memory of 2792	4880	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	81
PID 4880 wrote to memory of 2792	4880	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	81
PID 2792 wrote to memory of 3868	2792	nNt12.exe	82
PID 2792 wrote to memory of 3868	2792	nNt12.exe	82
PID 2792 wrote to memory of 3868	2792	nNt12.exe	82
PID 2792 wrote to memory of 4480	2792	nNt12.exe	83
PID 2792 wrote to memory of 4480	2792	nNt12.exe	83
PID 2792 wrote to memory of 4480	2792	nNt12.exe	83
PID 4880 wrote to memory of 4700	4880	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	84
PID 4880 wrote to memory of 4700	4880	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	84
PID 4880 wrote to memory of 4700	4880	7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe	84

C:\Users\Admin\AppData\Local\Temp\7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe
"C:\Users\Admin\AppData\Local\Temp\7a023534e2ea54a80b0ea8f51ea6d053ff27a353ff153aaccd85568f67a32aa5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cPy79vk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cPy79vk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dSo61.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dSo61.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1080
    3⤵
    - Program crash
    PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4700 -ip 4700
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dSo61.exe

Filesize
221KB

MD5
4feb45b0494ebda3a75baf46d9a6ace6

SHA1
412a2e08c2def6996742c6e8fc20cfc982d30cd9

SHA256
3e361b1e9b10cdc0c9f294148c6f4b4bc0d93a4562a6b8dda641e870e1432f77

SHA512
d408c826beba95df794cd648f8ccb87d871c35368038bea9105c550b5b5f054241c75d73d46056a313aa045ff02a5322bac2e754d542bd7d469f9bd69cc87125

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dSo61.exe

Filesize
221KB

MD5
4feb45b0494ebda3a75baf46d9a6ace6

SHA1
412a2e08c2def6996742c6e8fc20cfc982d30cd9

SHA256
3e361b1e9b10cdc0c9f294148c6f4b4bc0d93a4562a6b8dda641e870e1432f77

SHA512
d408c826beba95df794cd648f8ccb87d871c35368038bea9105c550b5b5f054241c75d73d46056a313aa045ff02a5322bac2e754d542bd7d469f9bd69cc87125

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe

Filesize
202KB

MD5
18b1cdf6eaf473705d5000e53498dfb2

SHA1
6f83716fce0220d269945e82e078204a175992c5

SHA256
dea78dc80a8dcc645701763858eeee0ce38bcc16641a0bbfd4e104b06adafb5d

SHA512
c39ea7b3e3535b4d2c2ce281a0af21b338cbe0d06bb4a144ab43a6eab93777c97994b5dbb1c97a838e9d2bfb8f83f17bddcf5a6aca0aa65d5d9f7e6a1ec79d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nNt12.exe

Filesize
202KB

MD5
18b1cdf6eaf473705d5000e53498dfb2

SHA1
6f83716fce0220d269945e82e078204a175992c5

SHA256
dea78dc80a8dcc645701763858eeee0ce38bcc16641a0bbfd4e104b06adafb5d

SHA512
c39ea7b3e3535b4d2c2ce281a0af21b338cbe0d06bb4a144ab43a6eab93777c97994b5dbb1c97a838e9d2bfb8f83f17bddcf5a6aca0aa65d5d9f7e6a1ec79d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bfe83.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cPy79vk.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cPy79vk.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
memory/3868-146-0x0000000006890000-0x0000000006A52000-memory.dmp

Filesize
1.8MB

Download
memory/3868-139-0x0000000005540000-0x0000000005B58000-memory.dmp

Filesize
6.1MB

Download
memory/3868-143-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/3868-144-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/3868-145-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/3868-141-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/3868-147-0x0000000006F90000-0x00000000074BC000-memory.dmp

Filesize
5.2MB

Download
memory/3868-148-0x0000000006A60000-0x0000000006AD6000-memory.dmp

Filesize
472KB

Download
memory/3868-149-0x0000000006820000-0x0000000006870000-memory.dmp

Filesize
320KB

Download
memory/3868-140-0x00000000050C0000-0x00000000051CA000-memory.dmp

Filesize
1.0MB

Download
memory/3868-142-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/3868-138-0x0000000000760000-0x0000000000792000-memory.dmp

Filesize
200KB

Download
memory/4480-153-0x0000000000AD0000-0x0000000000B02000-memory.dmp

Filesize
200KB

Download
memory/4700-157-0x0000000000804000-0x0000000000824000-memory.dmp

Filesize
128KB

Download
memory/4700-158-0x00000000023E0000-0x000000000240D000-memory.dmp

Filesize
180KB

Download
memory/4700-159-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4700-160-0x0000000000804000-0x0000000000824000-memory.dmp

Filesize
128KB

Download
memory/4700-161-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads