redline | 10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe
Size

861KB
MD5

c6bbd64cc1d1cdf76b328d7f05ac66c9
SHA1

4e40fe4e6eddb6ba45fd4060b8c8a27526cd0292
SHA256

10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c
SHA512

62603c36420524430a016f05023b12151f97152fac4d17d4b34f27b5bcfa1728a6a3f6d48b023e39e8d6c99d207de6aed4b70dd1e1165d8c40c7189cc4af4ea7
SSDEEP

24576:SybC7HD9R6fDwZLyc0b6mJfaVqe+HJTF:50DxNq6qfgJU

Score

10^/10

redline cr10n dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Extracted

Family

redline

Botnet

cr10n

176.113.115.17:4132

Attributes

auth_value
6016c19179aa1044c369adb0ec1f363b

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	mLV41Kw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mLV41Kw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mLV41Kw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mLV41Kw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mLV41Kw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mLV41Kw.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3592	dvs2439.exe
3924	dAH3416.exe
1596	mLV41Kw.exe
2248	nrA19Rf.exe
208	oez12eX.exe
2808	pRJ30DP.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	mLV41Kw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	mLV41Kw.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dAH3416.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dAH3416.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dvs2439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dvs2439.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1728	1596	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1596	mLV41Kw.exe
1596	mLV41Kw.exe
2248	nrA19Rf.exe
2248	nrA19Rf.exe
208	oez12eX.exe
208	oez12eX.exe
2808	pRJ30DP.exe
2808	pRJ30DP.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	mLV41Kw.exe
Token: SeDebugPrivilege	2248	nrA19Rf.exe
Token: SeDebugPrivilege	208	oez12eX.exe
Token: SeDebugPrivilege	2808	pRJ30DP.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3592	4800	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe	79
PID 4800 wrote to memory of 3592	4800	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe	79
PID 4800 wrote to memory of 3592	4800	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe	79
PID 3592 wrote to memory of 3924	3592	dvs2439.exe	80
PID 3592 wrote to memory of 3924	3592	dvs2439.exe	80
PID 3592 wrote to memory of 3924	3592	dvs2439.exe	80
PID 3924 wrote to memory of 1596	3924	dAH3416.exe	81
PID 3924 wrote to memory of 1596	3924	dAH3416.exe	81
PID 3924 wrote to memory of 1596	3924	dAH3416.exe	81
PID 3924 wrote to memory of 2248	3924	dAH3416.exe	85
PID 3924 wrote to memory of 2248	3924	dAH3416.exe	85
PID 3924 wrote to memory of 2248	3924	dAH3416.exe	85
PID 3592 wrote to memory of 208	3592	dvs2439.exe	87
PID 3592 wrote to memory of 208	3592	dvs2439.exe	87
PID 3592 wrote to memory of 208	3592	dvs2439.exe	87
PID 4800 wrote to memory of 2808	4800	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe	88
PID 4800 wrote to memory of 2808	4800	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe	88
PID 4800 wrote to memory of 2808	4800	10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe	88

C:\Users\Admin\AppData\Local\Temp\10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe
"C:\Users\Admin\AppData\Local\Temp\10b09889f08b7b8c55c644c15f22c792831615a38ff18f5709de1b11ed7b131c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dvs2439.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dvs2439.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAH3416.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAH3416.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mLV41Kw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mLV41Kw.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1072
        5⤵
        Program crash
        
        PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nrA19Rf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nrA19Rf.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oez12eX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oez12eX.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pRJ30DP.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pRJ30DP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1596 -ip 1596
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dvs2439.exe

Filesize
717KB

MD5
f99bf0368c28b67d89973521d6c26739

SHA1
47a8a0e35f223ddd73592d45c373d09531f18421

SHA256
ba76f61d3ca3d6c12f7ad1c3c62954d3130f0c0ddc21569647288f1b2d9abd07

SHA512
3847770ad9b3d0de7b4953e7cbdfb8cd8bdc22d8b1e21a9a9a660d0a7b6eab12c6efd68483e925974a9b1d3097eff43eee9d93700968c55d5edfe1b2dd713d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dvs2439.exe

Filesize
717KB

MD5
f99bf0368c28b67d89973521d6c26739

SHA1
47a8a0e35f223ddd73592d45c373d09531f18421

SHA256
ba76f61d3ca3d6c12f7ad1c3c62954d3130f0c0ddc21569647288f1b2d9abd07

SHA512
3847770ad9b3d0de7b4953e7cbdfb8cd8bdc22d8b1e21a9a9a660d0a7b6eab12c6efd68483e925974a9b1d3097eff43eee9d93700968c55d5edfe1b2dd713d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pRJ30DP.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pRJ30DP.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAH3416.exe

Filesize
379KB

MD5
866052c70fd7da4931146e6ebe9d17f4

SHA1
8009e850fe3d4b558ee3136c78a4eae3a1418f8a

SHA256
8425387fece82da4dc084a1d83fab3763258f9909d5ee0ece22d2a158d4d56e5

SHA512
7abfd8ac9b69ebddc5e41404c8d29b1951fd22ded5b6a80ee166e6cb2d47566cd21e9667ef0c67bc6121fbfcb4cd3a414dd33ebeea2ffccd0f2d27c9a6a441b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dAH3416.exe

Filesize
379KB

MD5
866052c70fd7da4931146e6ebe9d17f4

SHA1
8009e850fe3d4b558ee3136c78a4eae3a1418f8a

SHA256
8425387fece82da4dc084a1d83fab3763258f9909d5ee0ece22d2a158d4d56e5

SHA512
7abfd8ac9b69ebddc5e41404c8d29b1951fd22ded5b6a80ee166e6cb2d47566cd21e9667ef0c67bc6121fbfcb4cd3a414dd33ebeea2ffccd0f2d27c9a6a441b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oez12eX.exe

Filesize
306KB

MD5
0bdf7901be49e053cb6b88e9e1d4a805

SHA1
80bb92261e5405f2a100740673d365251e70f9a6

SHA256
ceae18ce869f741fb9f5cf755cc5e79c0b2d509aef739236ff5bc24662a74a9a

SHA512
8fed6f65db29f0c1ab4cb36e83f003c241ed601a67fd8c520f3e7a13c6192a778e461dc827df6ec91454f562f7d70e4bf00dc945cf214fb22aa5acffb8813428

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oez12eX.exe

Filesize
306KB

MD5
0bdf7901be49e053cb6b88e9e1d4a805

SHA1
80bb92261e5405f2a100740673d365251e70f9a6

SHA256
ceae18ce869f741fb9f5cf755cc5e79c0b2d509aef739236ff5bc24662a74a9a

SHA512
8fed6f65db29f0c1ab4cb36e83f003c241ed601a67fd8c520f3e7a13c6192a778e461dc827df6ec91454f562f7d70e4bf00dc945cf214fb22aa5acffb8813428

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mLV41Kw.exe

Filesize
248KB

MD5
9821f24e5aa2c1312d1b025f18ed5e03

SHA1
63bf2524ee14b19cd323e77f9e2d96e10d949fb6

SHA256
87be77c0612d5ffaf2f74cbc1296e40ebd131d775b3693531bcea88d9c6ee8b4

SHA512
5c0ed2cbc1373916c8ebf7bbf2c7d07c409247fd8ca1a410f76596b3a0a0a75e6a59e2eb4407f4836e42416a30699608d8b752fb2538df861ac42510e969efca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mLV41Kw.exe

Filesize
248KB

MD5
9821f24e5aa2c1312d1b025f18ed5e03

SHA1
63bf2524ee14b19cd323e77f9e2d96e10d949fb6

SHA256
87be77c0612d5ffaf2f74cbc1296e40ebd131d775b3693531bcea88d9c6ee8b4

SHA512
5c0ed2cbc1373916c8ebf7bbf2c7d07c409247fd8ca1a410f76596b3a0a0a75e6a59e2eb4407f4836e42416a30699608d8b752fb2538df861ac42510e969efca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nrA19Rf.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nrA19Rf.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
memory/208-166-0x0000000000650000-0x000000000069B000-memory.dmp

Filesize
300KB

Download
memory/208-165-0x0000000000861000-0x000000000088F000-memory.dmp

Filesize
184KB

Download
memory/208-167-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/208-168-0x0000000000861000-0x000000000088F000-memory.dmp

Filesize
184KB

Download
memory/208-169-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1596-142-0x00000000006F1000-0x0000000000711000-memory.dmp

Filesize
128KB

Download
memory/1596-147-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/1596-141-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/1596-143-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/1596-144-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/1596-145-0x00000000006F1000-0x0000000000711000-memory.dmp

Filesize
128KB

Download
memory/1596-146-0x00000000006F1000-0x0000000000711000-memory.dmp

Filesize
128KB

Download
memory/2248-156-0x0000000004EA0000-0x0000000004F06000-memory.dmp

Filesize
408KB

Download
memory/2248-151-0x00000000002A0000-0x00000000002D2000-memory.dmp

Filesize
200KB

Download
memory/2248-160-0x0000000005DC0000-0x0000000005E36000-memory.dmp

Filesize
472KB

Download
memory/2248-161-0x0000000005E40000-0x0000000005E90000-memory.dmp

Filesize
320KB

Download
memory/2248-158-0x0000000006570000-0x0000000006732000-memory.dmp

Filesize
1.8MB

Download
memory/2248-157-0x0000000005AB0000-0x0000000005B42000-memory.dmp

Filesize
584KB

Download
memory/2248-159-0x0000000006C70000-0x000000000719C000-memory.dmp

Filesize
5.2MB

Download
memory/2248-155-0x0000000004BC0000-0x0000000004BFC000-memory.dmp

Filesize
240KB

Download
memory/2248-154-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/2248-152-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/2248-153-0x0000000004C00000-0x0000000004D0A000-memory.dmp

Filesize
1.0MB

Download
memory/2808-173-0x0000000000E50000-0x0000000000E82000-memory.dmp

Filesize
200KB

Download