redline | a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d

Analysis

max time kernel
112s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe
Size

851KB
MD5

28d9607d117a0ac4df8c3ed3991f5b80
SHA1

e1a7474f758034c54463a4db66e0dde88cbd65a2
SHA256

a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d
SHA512

8d4c2ed9cc471cdfae98c4e6efd9a439cb0994b7201e26d5d95bc4ee62bf926df7f3d26aca8fd7644672671a4b023a5940c63f8fe75bbd0028ed3707e6152e34
SSDEEP

12288:iMrwy90Ej7zIOKknh1SNeP9aEY9xpsFQriZZs6Eo0xHZmI+s2En+ZtB:mytfKkhkEl9Y9xpsK63EJHZks2ESn

Score

10^/10

redline cr10n dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Extracted

Family

redline

Botnet

cr10n

176.113.115.17:4132

Attributes

auth_value
6016c19179aa1044c369adb0ec1f363b

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mhb47ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	mhb47ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mhb47ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mhb47ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mhb47ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mhb47ec.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1156	dqs6520.exe
2208	dgA1297.exe
2672	mhb47ec.exe
32	nbl02QX.exe
1328	ots08Tp.exe
2128	pei67wL.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	mhb47ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	mhb47ec.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dqs6520.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dqs6520.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dgA1297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dgA1297.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3620	2672	WerFault.exe	84
788	1328	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2672	mhb47ec.exe
2672	mhb47ec.exe
32	nbl02QX.exe
32	nbl02QX.exe
1328	ots08Tp.exe
1328	ots08Tp.exe
2128	pei67wL.exe
2128	pei67wL.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	mhb47ec.exe
Token: SeDebugPrivilege	32	nbl02QX.exe
Token: SeDebugPrivilege	1328	ots08Tp.exe
Token: SeDebugPrivilege	2128	pei67wL.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1156	792	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe	82
PID 792 wrote to memory of 1156	792	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe	82
PID 792 wrote to memory of 1156	792	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe	82
PID 1156 wrote to memory of 2208	1156	dqs6520.exe	83
PID 1156 wrote to memory of 2208	1156	dqs6520.exe	83
PID 1156 wrote to memory of 2208	1156	dqs6520.exe	83
PID 2208 wrote to memory of 2672	2208	dgA1297.exe	84
PID 2208 wrote to memory of 2672	2208	dgA1297.exe	84
PID 2208 wrote to memory of 2672	2208	dgA1297.exe	84
PID 2208 wrote to memory of 32	2208	dgA1297.exe	92
PID 2208 wrote to memory of 32	2208	dgA1297.exe	92
PID 2208 wrote to memory of 32	2208	dgA1297.exe	92
PID 1156 wrote to memory of 1328	1156	dqs6520.exe	95
PID 1156 wrote to memory of 1328	1156	dqs6520.exe	95
PID 1156 wrote to memory of 1328	1156	dqs6520.exe	95
PID 792 wrote to memory of 2128	792	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe	99
PID 792 wrote to memory of 2128	792	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe	99
PID 792 wrote to memory of 2128	792	a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe	99

C:\Users\Admin\AppData\Local\Temp\a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe
"C:\Users\Admin\AppData\Local\Temp\a5bcce65108785b3eb9828f0745e1a9613ae2066985b50ff36ef093815ac291d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqs6520.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqs6520.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgA1297.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgA1297.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mhb47ec.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mhb47ec.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1080
        5⤵
        Program crash
        
        PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nbl02QX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nbl02QX.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:32
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ots08Tp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ots08Tp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1636
      4⤵
      Program crash
      PID:788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pei67wL.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pei67wL.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2672 -ip 2672
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1328 -ip 1328
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqs6520.exe

Filesize
706KB

MD5
a3476c822c876373b68e5f10987610dc

SHA1
cfaed453ef15a65456025559fd7bb91131adad95

SHA256
9f7ae90b4cfcafc0bb43e6462f7a85ebde833fb7c0eca3c9c0ba2dd8a50216c3

SHA512
f8a7d4a610e334d927f8e2c67b174d47fb3604e045bd12ca3ab18b24dd8d94aea49033633b33105b9992d9684d7fb25123c85ad22490e740f0e450d02683d807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dqs6520.exe

Filesize
706KB

MD5
a3476c822c876373b68e5f10987610dc

SHA1
cfaed453ef15a65456025559fd7bb91131adad95

SHA256
9f7ae90b4cfcafc0bb43e6462f7a85ebde833fb7c0eca3c9c0ba2dd8a50216c3

SHA512
f8a7d4a610e334d927f8e2c67b174d47fb3604e045bd12ca3ab18b24dd8d94aea49033633b33105b9992d9684d7fb25123c85ad22490e740f0e450d02683d807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pei67wL.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pei67wL.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgA1297.exe

Filesize
374KB

MD5
31daffdc2afc53e821eb09d6376bde97

SHA1
06f400aeff6d29f9d80d3b9e9e0838fbd18e1097

SHA256
e618c12034ba8a59f08fdc25884104827cf07aa3cdbac9db692e763e4301e5d0

SHA512
84b8b739c78cf4e8d6afc6f7cde961ed90355249530de23166fe15f25b817811d5ed5ed29a2f21d84cd3c1694983fa7ea86144c727c10498a93b1defc4e09afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgA1297.exe

Filesize
374KB

MD5
31daffdc2afc53e821eb09d6376bde97

SHA1
06f400aeff6d29f9d80d3b9e9e0838fbd18e1097

SHA256
e618c12034ba8a59f08fdc25884104827cf07aa3cdbac9db692e763e4301e5d0

SHA512
84b8b739c78cf4e8d6afc6f7cde961ed90355249530de23166fe15f25b817811d5ed5ed29a2f21d84cd3c1694983fa7ea86144c727c10498a93b1defc4e09afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ots08Tp.exe

Filesize
293KB

MD5
ec0c7c2ce156617357b27c12c55df977

SHA1
ee3e38afc5679a67c96eef302f7dd62ffc5b2aff

SHA256
a8fb13aef5dafccbee2d454155197e472fa8b7f31a2a9fde7038e65785d603ea

SHA512
88a1d0f87318cd396b2483b5c679bfc34cdd1ab028ec0cd4098940cf03fff7e484e367b47cbe05e599e9ec5267f628dadbc0bb067af8fd9cf698501214acfd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ots08Tp.exe

Filesize
293KB

MD5
ec0c7c2ce156617357b27c12c55df977

SHA1
ee3e38afc5679a67c96eef302f7dd62ffc5b2aff

SHA256
a8fb13aef5dafccbee2d454155197e472fa8b7f31a2a9fde7038e65785d603ea

SHA512
88a1d0f87318cd396b2483b5c679bfc34cdd1ab028ec0cd4098940cf03fff7e484e367b47cbe05e599e9ec5267f628dadbc0bb067af8fd9cf698501214acfd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mhb47ec.exe

Filesize
235KB

MD5
a83f871ff3ff4702c68b94e0ba9ed0da

SHA1
6a7ceb6521559ec069e0067036d6d2de3a8294b4

SHA256
a7804907253a51461b3a23f3f54f59060707f4672c38f9b09d9cbb16b00e8fe8

SHA512
91d7e6c48afc6f334338aff3f0253f4593c03ab3d2657aa659fc67fb6288113e97211a89f58dd1c7906f662af14ca9dcd2d76c205ba5c121baf4e21fecfc8f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mhb47ec.exe

Filesize
235KB

MD5
a83f871ff3ff4702c68b94e0ba9ed0da

SHA1
6a7ceb6521559ec069e0067036d6d2de3a8294b4

SHA256
a7804907253a51461b3a23f3f54f59060707f4672c38f9b09d9cbb16b00e8fe8

SHA512
91d7e6c48afc6f334338aff3f0253f4593c03ab3d2657aa659fc67fb6288113e97211a89f58dd1c7906f662af14ca9dcd2d76c205ba5c121baf4e21fecfc8f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nbl02QX.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nbl02QX.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
memory/32-161-0x00000000072B0000-0x00000000077DC000-memory.dmp

Filesize
5.2MB

Download
memory/32-160-0x0000000006BB0000-0x0000000006D72000-memory.dmp

Filesize
1.8MB

Download
memory/32-159-0x0000000006140000-0x0000000006190000-memory.dmp

Filesize
320KB

Download
memory/32-158-0x0000000006080000-0x00000000060F6000-memory.dmp

Filesize
472KB

Download
memory/32-157-0x0000000005F60000-0x0000000005FF2000-memory.dmp

Filesize
584KB

Download
memory/32-151-0x0000000000770000-0x00000000007A2000-memory.dmp

Filesize
200KB

Download
memory/32-152-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/32-153-0x00000000050D0000-0x00000000051DA000-memory.dmp

Filesize
1.0MB

Download
memory/32-154-0x0000000005000000-0x0000000005012000-memory.dmp

Filesize
72KB

Download
memory/32-155-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/32-156-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/1328-170-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1328-169-0x00000000008F3000-0x0000000000921000-memory.dmp

Filesize
184KB

Download
memory/1328-168-0x00000000008F3000-0x0000000000921000-memory.dmp

Filesize
184KB

Download
memory/1328-167-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/1328-165-0x00000000008F3000-0x0000000000921000-memory.dmp

Filesize
184KB

Download
memory/1328-166-0x00000000023B0000-0x00000000023FB000-memory.dmp

Filesize
300KB

Download
memory/2128-174-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/2672-141-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/2672-142-0x0000000000803000-0x0000000000823000-memory.dmp

Filesize
128KB

Download
memory/2672-143-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2672-144-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/2672-145-0x0000000000803000-0x0000000000823000-memory.dmp

Filesize
128KB

Download
memory/2672-146-0x0000000000803000-0x0000000000823000-memory.dmp

Filesize
128KB

Download
memory/2672-147-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download