redline | bff73ef26c410d89b352b6f6a33897fce077d951db59735155ff6e7a0e71209c

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/02/2023, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7384ad4b89310f0e5ce7a561d7173bad.exe
Size

480KB
MD5

7384ad4b89310f0e5ce7a561d7173bad
SHA1

ec9f9990704595941aa89cb7560ac74a0c71f3a2
SHA256

bff73ef26c410d89b352b6f6a33897fce077d951db59735155ff6e7a0e71209c
SHA512

12c8bb7b5729adad551fe2246fe1733f2a0d898e6f0ca3555f7ab909feca4e25cd9e5b5bd293d29bab688a6f3d1292e615c07925bb2909bdbfbaa0f87a757310
SSDEEP

12288:gMrty90wu1GLaabMMpSYHAnd2SFiLCoRagTZe:9yDuEfeQS0Cost

Score

10^/10

redline crnn fukia discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fukia

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

redline

Botnet

crnn

176.113.115.17:4132

Attributes

auth_value
6dfbf5eac3db7046d55dfd3f6608be3f

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dkI58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dkI58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dkI58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dkI58.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	dkI58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dkI58.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2004	nrV73.exe
948	byh16.exe
1900	cFX70sA.exe
1476	dkI58.exe

Loads dropped DLL 9 IoCs

pid	Process
1356	7384ad4b89310f0e5ce7a561d7173bad.exe
2004	nrV73.exe
2004	nrV73.exe
948	byh16.exe
2004	nrV73.exe
1900	cFX70sA.exe
1356	7384ad4b89310f0e5ce7a561d7173bad.exe
1356	7384ad4b89310f0e5ce7a561d7173bad.exe
1476	dkI58.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	dkI58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dkI58.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nrV73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nrV73.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7384ad4b89310f0e5ce7a561d7173bad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7384ad4b89310f0e5ce7a561d7173bad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
948	byh16.exe
948	byh16.exe
1900	cFX70sA.exe
1900	cFX70sA.exe
1476	dkI58.exe
1476	dkI58.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	byh16.exe
Token: SeDebugPrivilege	1900	cFX70sA.exe
Token: SeDebugPrivilege	1476	dkI58.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 1356 wrote to memory of 2004	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	28
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 948	2004	nrV73.exe	29
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 2004 wrote to memory of 1900	2004	nrV73.exe	31
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32
PID 1356 wrote to memory of 1476	1356	7384ad4b89310f0e5ce7a561d7173bad.exe	32

C:\Users\Admin\AppData\Local\Temp\7384ad4b89310f0e5ce7a561d7173bad.exe
"C:\Users\Admin\AppData\Local\Temp\7384ad4b89310f0e5ce7a561d7173bad.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe

Filesize
247KB

MD5
0ef0dfd14f4136e407d971cfb57adf3f

SHA1
f7225981e833c73276fcb3569357f5c60312843a

SHA256
75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

SHA512
bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe

Filesize
247KB

MD5
0ef0dfd14f4136e407d971cfb57adf3f

SHA1
f7225981e833c73276fcb3569357f5c60312843a

SHA256
75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

SHA512
bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe

Filesize
202KB

MD5
c061012bed5bd45e89402b59eb1dc6c4

SHA1
79c55149fea496bf61cba88544650b641b9b8051

SHA256
43035d7ab2c5376cc32d33b94e513e6e70e52767095451a0ed557e644dcfbda0

SHA512
675096d0d8ed047e7346bdc9d4d5d593694332464257bf951b60533326152fe6c1a25b8612561b5b3050e7e2595911615bc990f1e4bd470abc2bd69d412f614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe

Filesize
202KB

MD5
c061012bed5bd45e89402b59eb1dc6c4

SHA1
79c55149fea496bf61cba88544650b641b9b8051

SHA256
43035d7ab2c5376cc32d33b94e513e6e70e52767095451a0ed557e644dcfbda0

SHA512
675096d0d8ed047e7346bdc9d4d5d593694332464257bf951b60533326152fe6c1a25b8612561b5b3050e7e2595911615bc990f1e4bd470abc2bd69d412f614f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe

Filesize
175KB

MD5
062a3c73b1aaf076abefd71633b66de5

SHA1
e4b7e004c32d673fd61b1669c797dc4b207d8445

SHA256
f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

SHA512
6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe

Filesize
175KB

MD5
062a3c73b1aaf076abefd71633b66de5

SHA1
e4b7e004c32d673fd61b1669c797dc4b207d8445

SHA256
f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

SHA512
6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe

Filesize
247KB

MD5
0ef0dfd14f4136e407d971cfb57adf3f

SHA1
f7225981e833c73276fcb3569357f5c60312843a

SHA256
75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

SHA512
bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe

Filesize
247KB

MD5
0ef0dfd14f4136e407d971cfb57adf3f

SHA1
f7225981e833c73276fcb3569357f5c60312843a

SHA256
75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

SHA512
bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dkI58.exe

Filesize
247KB

MD5
0ef0dfd14f4136e407d971cfb57adf3f

SHA1
f7225981e833c73276fcb3569357f5c60312843a

SHA256
75b453b18104f8df29c0c668319eee3dc13a162a9d9054135a69b28f0803ae49

SHA512
bc06e461f8ff784b31cc98570e1e62c881c8eb20b4883e9ebf59207d0ef34fef982bbdbdb04ba7521c29cabda874274f71658dc6f7ae9cf01ae14bf9392bd281

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe

Filesize
202KB

MD5
c061012bed5bd45e89402b59eb1dc6c4

SHA1
79c55149fea496bf61cba88544650b641b9b8051

SHA256
43035d7ab2c5376cc32d33b94e513e6e70e52767095451a0ed557e644dcfbda0

SHA512
675096d0d8ed047e7346bdc9d4d5d593694332464257bf951b60533326152fe6c1a25b8612561b5b3050e7e2595911615bc990f1e4bd470abc2bd69d412f614f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\nrV73.exe

Filesize
202KB

MD5
c061012bed5bd45e89402b59eb1dc6c4

SHA1
79c55149fea496bf61cba88544650b641b9b8051

SHA256
43035d7ab2c5376cc32d33b94e513e6e70e52767095451a0ed557e644dcfbda0

SHA512
675096d0d8ed047e7346bdc9d4d5d593694332464257bf951b60533326152fe6c1a25b8612561b5b3050e7e2595911615bc990f1e4bd470abc2bd69d412f614f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\byh16.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe

Filesize
175KB

MD5
062a3c73b1aaf076abefd71633b66de5

SHA1
e4b7e004c32d673fd61b1669c797dc4b207d8445

SHA256
f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

SHA512
6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\cFX70sA.exe

Filesize
175KB

MD5
062a3c73b1aaf076abefd71633b66de5

SHA1
e4b7e004c32d673fd61b1669c797dc4b207d8445

SHA256
f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

SHA512
6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

Download Submit
memory/948-67-0x00000000013D0000-0x0000000001402000-memory.dmp

Filesize
200KB

Download
memory/1356-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1476-83-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/1476-82-0x0000000000650000-0x000000000066A000-memory.dmp

Filesize
104KB

Download
memory/1476-85-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1476-84-0x00000000006DF000-0x00000000006FF000-memory.dmp

Filesize
128KB

Download
memory/1476-86-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-87-0x00000000006DF000-0x00000000006FF000-memory.dmp

Filesize
128KB

Download
memory/1476-88-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-74-0x00000000008D0000-0x0000000000902000-memory.dmp

Filesize
200KB

Download