redline | 00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe
Size

557KB
MD5

bc63870b1b471b7bf32fd377c1d7123a
SHA1

9a9413a17889bed90aaa66549bfa8f7764d3323a
SHA256

00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7
SHA512

6369c8140a410036df41e2fb456c9adfed95cf99592a6fc911cecefc85eab11b9b361a6598bfed72f472d3f7025c932b33e0dd3178483328eb84eaba2c5a6b3c
SSDEEP

12288:wMrDy90nBHUT8H1jleEOmthrDUVpTm+aBl4utVqS:jyWBTjleteHTx4utVb

Score

10^/10

redline fud evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

fud

193.233.20.27:4123

Attributes

auth_value
cddc991efd6918ad5321d80dac884b40

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sf78hI34mb07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sf78hI34mb07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sf78hI34mb07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sf78hI34mb07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sf78hI34mb07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sf78hI34mb07.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 32 IoCs

resource	yara_rule
behavioral2/memory/3324-159-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-160-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-162-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-164-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-166-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-168-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-170-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-172-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-174-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-176-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-178-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-180-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-183-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-185-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-187-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-189-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-191-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-193-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-195-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-197-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-199-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-201-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-203-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-205-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-207-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-209-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-211-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-213-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-215-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-217-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-219-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline
behavioral2/memory/3324-221-0x00000000072C0000-0x00000000072FE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
244	vhWd2757Rh.exe
4740	sf78hI34mb07.exe
3324	tf13EY48Ab19.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sf78hI34mb07.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vhWd2757Rh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vhWd2757Rh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	sf78hI34mb07.exe
4740	sf78hI34mb07.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	sf78hI34mb07.exe
Token: SeDebugPrivilege	3324	tf13EY48Ab19.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 244	2004	00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe	85
PID 2004 wrote to memory of 244	2004	00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe	85
PID 2004 wrote to memory of 244	2004	00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe	85
PID 244 wrote to memory of 4740	244	vhWd2757Rh.exe	86
PID 244 wrote to memory of 4740	244	vhWd2757Rh.exe	86
PID 244 wrote to memory of 3324	244	vhWd2757Rh.exe	88
PID 244 wrote to memory of 3324	244	vhWd2757Rh.exe	88
PID 244 wrote to memory of 3324	244	vhWd2757Rh.exe	88

C:\Users\Admin\AppData\Local\Temp\00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe
"C:\Users\Admin\AppData\Local\Temp\00a3187ffedd9cabd11767b07407b45d1bcff453a3cbe139e8b2ad5080835dc7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhWd2757Rh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhWd2757Rh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78hI34mb07.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78hI34mb07.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf13EY48Ab19.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf13EY48Ab19.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhWd2757Rh.exe

Filesize
412KB

MD5
39471fbd65737e3450ef9e47f54311a8

SHA1
834d17c2553ab89c323ce541de875649d2153856

SHA256
6e8377ed5a7a13d6079729d82ffbc3a52d178ff46cb5b81b8fea52fdc030d114

SHA512
df05455adb5b9cdc5344248bd2a44fe8abcec18ca200d05099d83695a3759ecd420e1dcb2ac1d7e6d508a3676005e8119d006907d45f9938d504fa4850c6ffd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhWd2757Rh.exe

Filesize
412KB

MD5
39471fbd65737e3450ef9e47f54311a8

SHA1
834d17c2553ab89c323ce541de875649d2153856

SHA256
6e8377ed5a7a13d6079729d82ffbc3a52d178ff46cb5b81b8fea52fdc030d114

SHA512
df05455adb5b9cdc5344248bd2a44fe8abcec18ca200d05099d83695a3759ecd420e1dcb2ac1d7e6d508a3676005e8119d006907d45f9938d504fa4850c6ffd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78hI34mb07.exe

Filesize
11KB

MD5
20093214719eff8ea5e487fc6e355e2f

SHA1
d28a6a912f5b54ef969763119c4a1bec3234deba

SHA256
340ec267276f0c7ce986f2d7341b3ed026472d6af0da81b256993b343616fd4f

SHA512
735ac07b662da46487223eaffd58d1056ed76c4400e40c67524f7b14f216380d68074f8648b04185df8341a53807687ac4db7aae9b44a199d5ae3440145f2907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf78hI34mb07.exe

Filesize
11KB

MD5
20093214719eff8ea5e487fc6e355e2f

SHA1
d28a6a912f5b54ef969763119c4a1bec3234deba

SHA256
340ec267276f0c7ce986f2d7341b3ed026472d6af0da81b256993b343616fd4f

SHA512
735ac07b662da46487223eaffd58d1056ed76c4400e40c67524f7b14f216380d68074f8648b04185df8341a53807687ac4db7aae9b44a199d5ae3440145f2907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf13EY48Ab19.exe

Filesize
409KB

MD5
931575b864d1b9cc3d4c75de1b8927be

SHA1
965ce099aae8d1a156fabb8f5a35966f94193141

SHA256
39b3bb1a3331fb51e5da43e373be13e1de7d448601059131407cfdbb19c68bca

SHA512
b7abd36d6720e85901547681a81ae8d4e2e036a6391a8f9aa744d74815a55f9a7590b5a9c01a33d9a328558949feb4b45549e6a278750feef842afad24489878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf13EY48Ab19.exe

Filesize
409KB

MD5
931575b864d1b9cc3d4c75de1b8927be

SHA1
965ce099aae8d1a156fabb8f5a35966f94193141

SHA256
39b3bb1a3331fb51e5da43e373be13e1de7d448601059131407cfdbb19c68bca

SHA512
b7abd36d6720e85901547681a81ae8d4e2e036a6391a8f9aa744d74815a55f9a7590b5a9c01a33d9a328558949feb4b45549e6a278750feef842afad24489878

Download Submit
memory/3324-153-0x0000000002DC0000-0x0000000002E0B000-memory.dmp

Filesize
300KB

Download
memory/3324-154-0x0000000000400000-0x0000000002BD4000-memory.dmp

Filesize
39.8MB

Download
memory/3324-155-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-156-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-157-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-158-0x0000000007400000-0x00000000079A4000-memory.dmp

Filesize
5.6MB

Download
memory/3324-159-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-160-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-162-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-164-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-166-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-168-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-170-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-172-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-174-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-176-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-178-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-180-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-183-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-185-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-187-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-189-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-191-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-193-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-195-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-197-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-199-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-201-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-203-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-205-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-207-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-209-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-211-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-213-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-215-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-217-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-219-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-221-0x00000000072C0000-0x00000000072FE000-memory.dmp

Filesize
248KB

Download
memory/3324-795-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-1067-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3324-1068-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/3324-1069-0x0000000008100000-0x0000000008112000-memory.dmp

Filesize
72KB

Download
memory/3324-1070-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-1071-0x0000000008120000-0x000000000815C000-memory.dmp

Filesize
240KB

Download
memory/3324-1072-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-1073-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3324-1075-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4740-147-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download