redline | 00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
Size

543KB
MD5

66541493e865ecb4987cd03ace809213
SHA1

72db71fda9f0ce821c17e4039b76a32a94224e22
SHA256

00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce
SHA512

87ba635fbf3a538e2db296f90c266972c1dc63e6f9e1e8577bcffa6ea3fe78a389b666140bc9cf75c7dfa54ed6a62fa9aab65850f8b2b19d32ce6aebd2d81b2b
SSDEEP

12288:xMrey9025UmNm/TsBWwoxHUL8n7rfllLAekOWr0C7f4T9KM:LyP5UgB5oOYnllLA8WolR

Score

10^/10

redline rumfa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sw02au24Pm95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sw02au24Pm95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sw02au24Pm95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sw02au24Pm95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sw02au24Pm95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sw02au24Pm95.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral2/memory/928-155-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-156-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-158-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-160-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-162-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-164-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-166-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-168-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-170-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-172-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-174-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-176-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-180-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-178-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-182-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-184-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-186-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-189-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-188-0x0000000007180000-0x0000000007190000-memory.dmp	family_redline
behavioral2/memory/928-193-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-195-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-197-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-199-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-201-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-203-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-205-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-209-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-207-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-211-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-213-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-215-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-217-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-219-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-221-0x0000000007740000-0x000000000777E000-memory.dmp	family_redline
behavioral2/memory/928-1071-0x0000000007180000-0x0000000007190000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3748	vXU3653uW.exe
3424	sw02au24Pm95.exe
928	tAa98gm10.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sw02au24Pm95.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vXU3653uW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vXU3653uW.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3424	sw02au24Pm95.exe
3424	sw02au24Pm95.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	sw02au24Pm95.exe
Token: SeDebugPrivilege	928	tAa98gm10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 3748	3964	00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe	86
PID 3964 wrote to memory of 3748	3964	00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe	86
PID 3964 wrote to memory of 3748	3964	00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe	86
PID 3748 wrote to memory of 3424	3748	vXU3653uW.exe	87
PID 3748 wrote to memory of 3424	3748	vXU3653uW.exe	87
PID 3748 wrote to memory of 928	3748	vXU3653uW.exe	88
PID 3748 wrote to memory of 928	3748	vXU3653uW.exe	88
PID 3748 wrote to memory of 928	3748	vXU3653uW.exe	88

C:\Users\Admin\AppData\Local\Temp\00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe
"C:\Users\Admin\AppData\Local\Temp\00979437b4cc7205495e3c756ee055d647617c0945a0a157ab5b7dde635eccce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXU3653uW.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXU3653uW.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw02au24Pm95.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw02au24Pm95.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tAa98gm10.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tAa98gm10.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXU3653uW.exe

Filesize
399KB

MD5
50bc7efd4a38f37c52900a65cfce76c7

SHA1
0c2fc47376b5ce8c44eddbcf19ccacfc809ca213

SHA256
e639ce2395316cd29730de3e41d3ee0b71c37ed4ea51b15c9b3fa07defc1b457

SHA512
a1d526fa58bcd0d2248b8d1aee6b064f988d1fa96295fc294daadbcaece7dac18aee77db764289034a669827c602378b6b48e6554c398de6f5d708445c186faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vXU3653uW.exe

Filesize
399KB

MD5
50bc7efd4a38f37c52900a65cfce76c7

SHA1
0c2fc47376b5ce8c44eddbcf19ccacfc809ca213

SHA256
e639ce2395316cd29730de3e41d3ee0b71c37ed4ea51b15c9b3fa07defc1b457

SHA512
a1d526fa58bcd0d2248b8d1aee6b064f988d1fa96295fc294daadbcaece7dac18aee77db764289034a669827c602378b6b48e6554c398de6f5d708445c186faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw02au24Pm95.exe

Filesize
13KB

MD5
686416842f14ee97e8415b3567bc3ab3

SHA1
220e60b932739148814a1c76d9ca59de3d7a4c81

SHA256
dbade68c39972522578365edf7ab175aabca2c057beb78057b8b63226b61af71

SHA512
2539532e5bebee1bd80d38ebe5271c443a2cd5d39598572d1dcd3de0f2b1b269bfcf6a88d089cf7aa4f57422cc621cb77903d17213d38169975a23fca3c12a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw02au24Pm95.exe

Filesize
13KB

MD5
686416842f14ee97e8415b3567bc3ab3

SHA1
220e60b932739148814a1c76d9ca59de3d7a4c81

SHA256
dbade68c39972522578365edf7ab175aabca2c057beb78057b8b63226b61af71

SHA512
2539532e5bebee1bd80d38ebe5271c443a2cd5d39598572d1dcd3de0f2b1b269bfcf6a88d089cf7aa4f57422cc621cb77903d17213d38169975a23fca3c12a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tAa98gm10.exe

Filesize
374KB

MD5
049b7e9c3b3777fd130ad01127cd8268

SHA1
7f56ea5b4e7029a2da226d899ddfce99ff960e0f

SHA256
aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68

SHA512
d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tAa98gm10.exe

Filesize
374KB

MD5
049b7e9c3b3777fd130ad01127cd8268

SHA1
7f56ea5b4e7029a2da226d899ddfce99ff960e0f

SHA256
aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68

SHA512
d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1

Download Submit
memory/928-153-0x0000000002E70000-0x0000000002EBB000-memory.dmp

Filesize
300KB

Download
memory/928-154-0x0000000007190000-0x0000000007734000-memory.dmp

Filesize
5.6MB

Download
memory/928-155-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-156-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-158-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-160-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-162-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-164-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-166-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-168-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-170-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-172-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-174-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-176-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-180-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-178-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-182-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-184-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-186-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-189-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-190-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-192-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-188-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-193-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-195-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-197-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-199-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-201-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-203-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-205-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-209-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-207-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-211-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-213-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-215-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-217-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-219-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-221-0x0000000007740000-0x000000000777E000-memory.dmp

Filesize
248KB

Download
memory/928-1064-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/928-1065-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/928-1066-0x00000000080F0000-0x0000000008102000-memory.dmp

Filesize
72KB

Download
memory/928-1067-0x0000000008110000-0x000000000814C000-memory.dmp

Filesize
240KB

Download
memory/928-1068-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-1070-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-1071-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-1072-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/928-1073-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/3424-147-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download