redline | af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e

Analysis

max time kernel
91s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 09:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe
Size

738KB
MD5

f580f303e42f3499d154e50c5396d13b
SHA1

6da146a886f5ddea96ad0958c6ff1bafdda83f49
SHA256

af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e
SHA512

4a2ed50a4af9ba4628f2c5411ae0248e1d9cf5be6fbcdcde43901b4e8433081cf028890518f5b66a083dcd46f5f904ece39a33e176eb7d3962c42b9b1d982517
SSDEEP

12288:eMrry90hPDDzsV92MN8cF9YfIz6nMMmbPqlN8O431T9cKhB5Lj6bpP06J7:Ny64V9W0XWMnPqlN8J31hPhrLwpp

Score

10^/10

redline cr10 dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cr10

176.113.115.17:4132

Attributes

auth_value
0a52a09c70a98bb6612362e5eb8b1d02

Extracted

Family

redline

Botnet

dubka

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	spI81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	spI81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	spI81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	spI81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	spI81.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	spI81.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4752	vVY44.exe
4860	vKu28.exe
4968	diN62.exe
2396	ldX54.exe
3328	ndj56.exe
5076	spI81.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	spI81.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vKu28.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vVY44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vVY44.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vKu28.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 4240	2396	ldX54.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	4968	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4968	diN62.exe
4968	diN62.exe
4240	AppLaunch.exe
3328	ndj56.exe
3328	ndj56.exe
4240	AppLaunch.exe
5076	spI81.exe
5076	spI81.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	diN62.exe
Token: SeDebugPrivilege	4240	AppLaunch.exe
Token: SeDebugPrivilege	3328	ndj56.exe
Token: SeDebugPrivilege	5076	spI81.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4752	4072	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe	81
PID 4072 wrote to memory of 4752	4072	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe	81
PID 4072 wrote to memory of 4752	4072	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe	81
PID 4752 wrote to memory of 4860	4752	vVY44.exe	82
PID 4752 wrote to memory of 4860	4752	vVY44.exe	82
PID 4752 wrote to memory of 4860	4752	vVY44.exe	82
PID 4860 wrote to memory of 4968	4860	vKu28.exe	83
PID 4860 wrote to memory of 4968	4860	vKu28.exe	83
PID 4860 wrote to memory of 4968	4860	vKu28.exe	83
PID 4860 wrote to memory of 2396	4860	vKu28.exe	86
PID 4860 wrote to memory of 2396	4860	vKu28.exe	86
PID 4860 wrote to memory of 2396	4860	vKu28.exe	86
PID 2396 wrote to memory of 4240	2396	ldX54.exe	88
PID 2396 wrote to memory of 4240	2396	ldX54.exe	88
PID 2396 wrote to memory of 4240	2396	ldX54.exe	88
PID 2396 wrote to memory of 4240	2396	ldX54.exe	88
PID 2396 wrote to memory of 4240	2396	ldX54.exe	88
PID 4752 wrote to memory of 3328	4752	vVY44.exe	89
PID 4752 wrote to memory of 3328	4752	vVY44.exe	89
PID 4752 wrote to memory of 3328	4752	vVY44.exe	89
PID 4072 wrote to memory of 5076	4072	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe	90
PID 4072 wrote to memory of 5076	4072	af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe	90

C:\Users\Admin\AppData\Local\Temp\af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe
"C:\Users\Admin\AppData\Local\Temp\af93831b036b9986dfec722c03c1b700dfc5241d8275c3bda3c5b1ffcc1f983e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVY44.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVY44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vKu28.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vKu28.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\diN62.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\diN62.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1848
        5⤵
        Program crash
        
        PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ldX54.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ldX54.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ndj56.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ndj56.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spI81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spI81.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4968 -ip 4968
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spI81.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spI81.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVY44.exe

Filesize
635KB

MD5
77f7a3cf02c1903c17cae3048ffd134b

SHA1
1907478464fcb7c5cc2bf458ad1ba7b94e4b95e0

SHA256
e9120cc34f3c2fa2f800d4873c13edda64548a9204afcb8f55de98884ffc7185

SHA512
2a196553a1dedccec7b010c87e4971f49b2b8144cbac592cb7ed0a1d42c2bbe3d55837f55c919bddfc46ebc0f495e066bf3967d0c8f7a1e1ad85588e5b06dcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVY44.exe

Filesize
635KB

MD5
77f7a3cf02c1903c17cae3048ffd134b

SHA1
1907478464fcb7c5cc2bf458ad1ba7b94e4b95e0

SHA256
e9120cc34f3c2fa2f800d4873c13edda64548a9204afcb8f55de98884ffc7185

SHA512
2a196553a1dedccec7b010c87e4971f49b2b8144cbac592cb7ed0a1d42c2bbe3d55837f55c919bddfc46ebc0f495e066bf3967d0c8f7a1e1ad85588e5b06dcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ndj56.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ndj56.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vKu28.exe

Filesize
490KB

MD5
75f641dc9d86d7ce4393bebeef0b386a

SHA1
65f777a0b74c2a57c0dd245e3bf1ef2b659f681c

SHA256
2e196a1a30f049c214b1d75ef4dcaed1791b08d1c4b96d700677a02bf991cee7

SHA512
c1e84b1e3c24e2b57cd8c7777ea68848a672f2a8a957f6b5ae033275350af246ef011c4c8caf2f0b592bde22612da23acd745b6f4287c2f3403ffd3344d4e1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vKu28.exe

Filesize
490KB

MD5
75f641dc9d86d7ce4393bebeef0b386a

SHA1
65f777a0b74c2a57c0dd245e3bf1ef2b659f681c

SHA256
2e196a1a30f049c214b1d75ef4dcaed1791b08d1c4b96d700677a02bf991cee7

SHA512
c1e84b1e3c24e2b57cd8c7777ea68848a672f2a8a957f6b5ae033275350af246ef011c4c8caf2f0b592bde22612da23acd745b6f4287c2f3403ffd3344d4e1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\diN62.exe

Filesize
278KB

MD5
8052d925dcd515d349e252a0d434e27c

SHA1
9a78f5daa0001a5d4f2c1e9439f4ce80f4ef15db

SHA256
bd229d944fbb7266329eda429de3ac07f2a89729ee91d1f9dfda73ea3b6691cc

SHA512
ed29c5bfa0123e5e0ee16afe72d2279139149eebe82b5aae572d714d1f1e1426c2d5484066c7b637f70732524733c27d3d0dda7cfda8a60c918c783a33f124de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\diN62.exe

Filesize
278KB

MD5
8052d925dcd515d349e252a0d434e27c

SHA1
9a78f5daa0001a5d4f2c1e9439f4ce80f4ef15db

SHA256
bd229d944fbb7266329eda429de3ac07f2a89729ee91d1f9dfda73ea3b6691cc

SHA512
ed29c5bfa0123e5e0ee16afe72d2279139149eebe82b5aae572d714d1f1e1426c2d5484066c7b637f70732524733c27d3d0dda7cfda8a60c918c783a33f124de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ldX54.exe

Filesize
265KB

MD5
b9eedd1c8b16c4481c3cadbe6ed97280

SHA1
6d44e5ced475bda87d1282b30ebc84bd25595e1f

SHA256
ceb59e6ddd127fcc56e7dca136002b8552290a954c92dd565706c4dc472bad17

SHA512
335b334750f8de4e366c7eb3ddc854a46b0d8cbd4d5479671131c9ce9a93fe679ae728b970b6ce3489a6863472bd2172870c6c8e4f1271234b23717a6dc957f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ldX54.exe

Filesize
265KB

MD5
b9eedd1c8b16c4481c3cadbe6ed97280

SHA1
6d44e5ced475bda87d1282b30ebc84bd25595e1f

SHA256
ceb59e6ddd127fcc56e7dca136002b8552290a954c92dd565706c4dc472bad17

SHA512
335b334750f8de4e366c7eb3ddc854a46b0d8cbd4d5479671131c9ce9a93fe679ae728b970b6ce3489a6863472bd2172870c6c8e4f1271234b23717a6dc957f1

Download Submit
memory/3328-169-0x0000000000210000-0x0000000000242000-memory.dmp

Filesize
200KB

Download
memory/4240-161-0x0000000000380000-0x00000000003B2000-memory.dmp

Filesize
200KB

Download
memory/4968-142-0x00000000008C0000-0x000000000090B000-memory.dmp

Filesize
300KB

Download
memory/4968-146-0x0000000005B40000-0x0000000005C4A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-153-0x0000000006F90000-0x0000000007006000-memory.dmp

Filesize
472KB

Download
memory/4968-154-0x0000000007010000-0x0000000007060000-memory.dmp

Filesize
320KB

Download
memory/4968-155-0x0000000000964000-0x0000000000992000-memory.dmp

Filesize
184KB

Download
memory/4968-156-0x0000000000400000-0x0000000000763000-memory.dmp

Filesize
3.4MB

Download
memory/4968-151-0x0000000006750000-0x0000000006912000-memory.dmp

Filesize
1.8MB

Download
memory/4968-150-0x0000000006640000-0x00000000066D2000-memory.dmp

Filesize
584KB

Download
memory/4968-149-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4968-148-0x0000000005CA0000-0x0000000005CDC000-memory.dmp

Filesize
240KB

Download
memory/4968-147-0x0000000005C80000-0x0000000005C92000-memory.dmp

Filesize
72KB

Download
memory/4968-152-0x0000000006920000-0x0000000006E4C000-memory.dmp

Filesize
5.2MB

Download
memory/4968-145-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/4968-144-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/4968-143-0x0000000000400000-0x0000000000763000-memory.dmp

Filesize
3.4MB

Download
memory/4968-141-0x0000000000964000-0x0000000000992000-memory.dmp

Filesize
184KB

Download
memory/5076-173-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/5076-174-0x00007FFC5D4A0000-0x00007FFC5DF61000-memory.dmp

Filesize
10.8MB

Download
memory/5076-175-0x00007FFC5D4A0000-0x00007FFC5DF61000-memory.dmp

Filesize
10.8MB

Download