redline | 4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08/03/2023, 01:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe
Size

579KB
MD5

75c90fc6da299e7aa0f6ead3e042e07e
SHA1

807416d16567805c4ced6df71aafe50e33df0f5c
SHA256

4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b
SHA512

f38aa49c3dd2746dfecfbd0d57d846da5e42b893a0de52b21fb33a51349e7d8476cab7f6d929e1aa586c04db0c6d8510c3e55bb726a9fcd8dce2462e3b247d19
SSDEEP

12288:7Mrxy90TdBLaeVFjaaSPMuJAfsTOO+kbu1dV/TKiGXJQr:qy6dBGeVViJAfsi3euR2iG5G

Score

10^/10

redline fud discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fud

193.233.20.27:4123

Attributes

auth_value
cddc991efd6918ad5321d80dac884b40

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r1994Pl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r1994Pl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r1994Pl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r1994Pl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r1994Pl.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4460-171-0x00000000024A0000-0x00000000024E6000-memory.dmp	family_redline
behavioral1/memory/4460-172-0x0000000004FD0000-0x0000000005014000-memory.dmp	family_redline
behavioral1/memory/4460-173-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-174-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-176-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-182-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-180-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-184-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-186-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-190-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-188-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-178-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-192-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-194-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-196-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-198-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-205-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-210-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-208-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline
behavioral1/memory/4460-201-0x0000000004FD0000-0x000000000500E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3280	r1994Pl.exe
4460	w26eI82.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r1994Pl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r1994Pl.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3280	r1994Pl.exe
3280	r1994Pl.exe
4460	w26eI82.exe
4460	w26eI82.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	r1994Pl.exe
Token: SeDebugPrivilege	4460	w26eI82.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3280	3128	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe	66
PID 3128 wrote to memory of 3280	3128	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe	66
PID 3128 wrote to memory of 3280	3128	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe	66
PID 3128 wrote to memory of 4460	3128	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe	67
PID 3128 wrote to memory of 4460	3128	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe	67
PID 3128 wrote to memory of 4460	3128	4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe	67

C:\Users\Admin\AppData\Local\Temp\4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe
"C:\Users\Admin\AppData\Local\Temp\4b769b8c78ea3519af383642de23308cbc0dd4edd4a862d6fc789c1f4a40ca7b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r1994Pl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r1994Pl.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w26eI82.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w26eI82.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r1994Pl.exe

Filesize
363KB

MD5
5f9106c1a4ae0150887ac3eadc521f31

SHA1
b7c59f033e09829e70ebf380ef9c33aff98d2bf4

SHA256
ddda2d12c18f4944b44af8c6bb030ae608060d087483c423acf217c4c4ed5411

SHA512
80ab71ecb332f2316abf7cb73c4811bf2162c2e95fc0670fcd8d26370158e2b2f342328ece12e9edeed90a7568d24d0048bdb9ee3ea928fd80d1499851c5caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r1994Pl.exe

Filesize
363KB

MD5
5f9106c1a4ae0150887ac3eadc521f31

SHA1
b7c59f033e09829e70ebf380ef9c33aff98d2bf4

SHA256
ddda2d12c18f4944b44af8c6bb030ae608060d087483c423acf217c4c4ed5411

SHA512
80ab71ecb332f2316abf7cb73c4811bf2162c2e95fc0670fcd8d26370158e2b2f342328ece12e9edeed90a7568d24d0048bdb9ee3ea928fd80d1499851c5caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w26eI82.exe

Filesize
379KB

MD5
078594e2ec8f1b2481d493ca8b67af44

SHA1
d961fe2be92902c074b04272f277320fa994490a

SHA256
8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e

SHA512
0d6610de14191c8f5491a80cc8f50fc70011636e35b6b30295abcba780879b882e70dbb9ca33be81ad697bf1cdee7b68a1474b20968db6fc1d71e2e8cce227c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w26eI82.exe

Filesize
379KB

MD5
078594e2ec8f1b2481d493ca8b67af44

SHA1
d961fe2be92902c074b04272f277320fa994490a

SHA256
8bb2f1b6ab119fe6fc0293fa4e325c01dbdd79a5dcb2b73db5d151217dba7c0e

SHA512
0d6610de14191c8f5491a80cc8f50fc70011636e35b6b30295abcba780879b882e70dbb9ca33be81ad697bf1cdee7b68a1474b20968db6fc1d71e2e8cce227c6

Download Submit
memory/3280-129-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3280-130-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3280-131-0x0000000004740000-0x000000000475A000-memory.dmp

Filesize
104KB

Download
memory/3280-132-0x00000000071A0000-0x000000000769E000-memory.dmp

Filesize
5.0MB

Download
memory/3280-133-0x0000000004A00000-0x0000000004A18000-memory.dmp

Filesize
96KB

Download
memory/3280-134-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3280-135-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3280-136-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-137-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-139-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-141-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-143-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-147-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-145-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-149-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-151-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-159-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-161-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-157-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-163-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-155-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-153-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/3280-164-0x0000000000400000-0x0000000002BC9000-memory.dmp

Filesize
39.8MB

Download
memory/3280-166-0x0000000000400000-0x0000000002BC9000-memory.dmp

Filesize
39.8MB

Download
memory/4460-171-0x00000000024A0000-0x00000000024E6000-memory.dmp

Filesize
280KB

Download
memory/4460-172-0x0000000004FD0000-0x0000000005014000-memory.dmp

Filesize
272KB

Download
memory/4460-173-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-174-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-176-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-182-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-180-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-184-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-186-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-190-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-188-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-178-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-192-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-194-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-196-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-198-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-200-0x00000000004F0000-0x000000000053B000-memory.dmp

Filesize
300KB

Download
memory/4460-202-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4460-205-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-204-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4460-206-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4460-210-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-208-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-201-0x0000000004FD0000-0x000000000500E000-memory.dmp

Filesize
248KB

Download
memory/4460-1083-0x0000000005010000-0x0000000005616000-memory.dmp

Filesize
6.0MB

Download
memory/4460-1084-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-1085-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/4460-1086-0x00000000057F0000-0x000000000582E000-memory.dmp

Filesize
248KB

Download
memory/4460-1087-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4460-1088-0x0000000005940000-0x000000000598B000-memory.dmp

Filesize
300KB

Download
memory/4460-1090-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4460-1091-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4460-1092-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/4460-1093-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/4460-1094-0x0000000006280000-0x0000000006442000-memory.dmp

Filesize
1.8MB

Download
memory/4460-1095-0x0000000006450000-0x000000000697C000-memory.dmp

Filesize
5.2MB

Download
memory/4460-1096-0x0000000006BC0000-0x0000000006C36000-memory.dmp

Filesize
472KB

Download
memory/4460-1097-0x0000000006C40000-0x0000000006C90000-memory.dmp

Filesize
320KB

Download
memory/4460-1098-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download