redline | 8611a9dca789986cf828bf4447048ba6d1abf0ac1c66c04d2f1bdb69614e7ac3

Analysis

max time kernel
42s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
14/02/2023, 20:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e27e86acfe902271ed5638e04446150.exe
Size

536KB
MD5

8e27e86acfe902271ed5638e04446150
SHA1

03907adb653f6826e977535fcb73e56394134672
SHA256

8611a9dca789986cf828bf4447048ba6d1abf0ac1c66c04d2f1bdb69614e7ac3
SHA512

2ba788ed046599d063aad1c3da246db47b70969c0d61f56f178aa402a50294ad092420d7f72e49e3ff6e8880dbe722b2010a568193f1926edf0d7db2080effee
SSDEEP

12288:DMrry90OPms5Vq/fkznpb/VldDXR0TNlXonW88TX2:0y3PTVqMpdTCPXonWr6

Score

10^/10

redline dubka ruma discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

ruma

193.233.20.13:4136

Attributes

auth_value
647d00dfaba082a4a30f383bca5d1a2a

Extracted

Family

redline

Botnet

dubka

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	stF74.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	stF74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	stF74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	stF74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	stF74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	stF74.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1920-68-0x0000000002330000-0x0000000002376000-memory.dmp	family_redline
behavioral1/memory/1920-72-0x00000000025C0000-0x0000000002604000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1432	vKl01.exe
1920	dYr93.exe
672	nrb15QO.exe
1208	stF74.exe

Loads dropped DLL 8 IoCs

pid	Process
1544	8e27e86acfe902271ed5638e04446150.exe
1432	vKl01.exe
1432	vKl01.exe
1432	vKl01.exe
1920	dYr93.exe
1432	vKl01.exe
672	nrb15QO.exe
1544	8e27e86acfe902271ed5638e04446150.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	stF74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	stF74.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vKl01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vKl01.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8e27e86acfe902271ed5638e04446150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e27e86acfe902271ed5638e04446150.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1920	dYr93.exe
1920	dYr93.exe
672	nrb15QO.exe
672	nrb15QO.exe
1208	stF74.exe
1208	stF74.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	dYr93.exe
Token: SeDebugPrivilege	672	nrb15QO.exe
Token: SeDebugPrivilege	1208	stF74.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1544 wrote to memory of 1432	1544	8e27e86acfe902271ed5638e04446150.exe	27
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 1920	1432	vKl01.exe	28
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1432 wrote to memory of 672	1432	vKl01.exe	30
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31
PID 1544 wrote to memory of 1208	1544	8e27e86acfe902271ed5638e04446150.exe	31

C:\Users\Admin\AppData\Local\Temp\8e27e86acfe902271ed5638e04446150.exe
"C:\Users\Admin\AppData\Local\Temp\8e27e86acfe902271ed5638e04446150.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKl01.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKl01.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nrb15QO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nrb15QO.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stF74.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stF74.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stF74.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stF74.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKl01.exe

Filesize
432KB

MD5
c360dbfc30d94a1a495a8c56ebc8476e

SHA1
64143fc21dbfb626d5a2836314841c3b48017f65

SHA256
7dc2883b840808456a2b0472bf501ef6e41e33af225c61bc56b71218dd64e6d9

SHA512
2cf8895eb28d3c8ca5e1eb22e62d7367f6b0a50d119f1ef7b1bf4c61c7b41a01466d3f2ec5fb9ac1adb7fbc7eed2229e7bb1cac3d6f471f2626371410c33c578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKl01.exe

Filesize
432KB

MD5
c360dbfc30d94a1a495a8c56ebc8476e

SHA1
64143fc21dbfb626d5a2836314841c3b48017f65

SHA256
7dc2883b840808456a2b0472bf501ef6e41e33af225c61bc56b71218dd64e6d9

SHA512
2cf8895eb28d3c8ca5e1eb22e62d7367f6b0a50d119f1ef7b1bf4c61c7b41a01466d3f2ec5fb9ac1adb7fbc7eed2229e7bb1cac3d6f471f2626371410c33c578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe

Filesize
293KB

MD5
7cf461732cf9d151aed5ca9f15c9d689

SHA1
16308873863f9231638b81abe04b80afd0b98c18

SHA256
971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f

SHA512
1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe

Filesize
293KB

MD5
7cf461732cf9d151aed5ca9f15c9d689

SHA1
16308873863f9231638b81abe04b80afd0b98c18

SHA256
971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f

SHA512
1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nrb15QO.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nrb15QO.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\stF74.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKl01.exe

Filesize
432KB

MD5
c360dbfc30d94a1a495a8c56ebc8476e

SHA1
64143fc21dbfb626d5a2836314841c3b48017f65

SHA256
7dc2883b840808456a2b0472bf501ef6e41e33af225c61bc56b71218dd64e6d9

SHA512
2cf8895eb28d3c8ca5e1eb22e62d7367f6b0a50d119f1ef7b1bf4c61c7b41a01466d3f2ec5fb9ac1adb7fbc7eed2229e7bb1cac3d6f471f2626371410c33c578

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\vKl01.exe

Filesize
432KB

MD5
c360dbfc30d94a1a495a8c56ebc8476e

SHA1
64143fc21dbfb626d5a2836314841c3b48017f65

SHA256
7dc2883b840808456a2b0472bf501ef6e41e33af225c61bc56b71218dd64e6d9

SHA512
2cf8895eb28d3c8ca5e1eb22e62d7367f6b0a50d119f1ef7b1bf4c61c7b41a01466d3f2ec5fb9ac1adb7fbc7eed2229e7bb1cac3d6f471f2626371410c33c578

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe

Filesize
293KB

MD5
7cf461732cf9d151aed5ca9f15c9d689

SHA1
16308873863f9231638b81abe04b80afd0b98c18

SHA256
971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f

SHA512
1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe

Filesize
293KB

MD5
7cf461732cf9d151aed5ca9f15c9d689

SHA1
16308873863f9231638b81abe04b80afd0b98c18

SHA256
971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f

SHA512
1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\dYr93.exe

Filesize
293KB

MD5
7cf461732cf9d151aed5ca9f15c9d689

SHA1
16308873863f9231638b81abe04b80afd0b98c18

SHA256
971b14529405a8774ceb5552f3f12fcf455f530e567b71ae043ef166f4ff9d4f

SHA512
1b27323c2386aa46b28ebd2b8a127dfa86ccefee0a104c73d0ec2fd56b7f72c65a46d0529716def211c747e386d101aa38cc7d2143839927971ba7788e381e75

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\nrb15QO.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\nrb15QO.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
memory/672-81-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/1208-86-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/1544-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1920-74-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1920-73-0x00000000008FF000-0x000000000092E000-memory.dmp

Filesize
188KB

Download
memory/1920-72-0x00000000025C0000-0x0000000002604000-memory.dmp

Filesize
272KB

Download
memory/1920-71-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1920-70-0x00000000002B0000-0x00000000002FB000-memory.dmp

Filesize
300KB

Download
memory/1920-69-0x00000000008FF000-0x000000000092E000-memory.dmp

Filesize
188KB

Download
memory/1920-68-0x0000000002330000-0x0000000002376000-memory.dmp

Filesize
280KB

Download