redline | 0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe
Size

561KB
MD5

83ec8c47401456f0671acc33a021b3d7
SHA1

5edfb84331bd873f5b75fb93ae7025632e92943a
SHA256

0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0
SHA512

4123d99bd7f32714bfb9bd8df13d80f5ed2d05239ce20629eb0bf31eb6d15c8db019e9ddfa2f0f58ea6293e5b1664c67aec3da186a9a97db989d7d60316a87ac
SSDEEP

12288:aMrVy90cZlcEMRxq+MKiKgb7QCD4y9b2Su4ebvT3a1fCCpmGYIVq:jyx+7Rxq+MKvgb7QCDL9b2J4urK1fCCe

Score

10^/10

redline fud evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

fud

193.233.20.27:4123

Attributes

auth_value
cddc991efd6918ad5321d80dac884b40

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sf26XU18Qi05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sf26XU18Qi05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sf26XU18Qi05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sf26XU18Qi05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sf26XU18Qi05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sf26XU18Qi05.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

resource	yara_rule
behavioral2/memory/4160-157-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-160-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-158-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-162-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-164-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-166-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-168-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-170-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-172-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-174-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-176-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-178-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-180-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-182-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-184-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-186-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-188-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-190-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-192-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-194-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-196-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-198-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-200-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-202-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-204-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-206-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-208-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-210-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-214-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-212-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-216-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-218-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline
behavioral2/memory/4160-220-0x00000000071C0000-0x00000000071FE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
660	vhYv4270eI.exe
2196	sf26XU18Qi05.exe
4160	tf16hJ43Gq51.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sf26XU18Qi05.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vhYv4270eI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vhYv4270eI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	sf26XU18Qi05.exe
2196	sf26XU18Qi05.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	sf26XU18Qi05.exe
Token: SeDebugPrivilege	4160	tf16hJ43Gq51.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 660	2364	0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe	85
PID 2364 wrote to memory of 660	2364	0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe	85
PID 2364 wrote to memory of 660	2364	0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe	85
PID 660 wrote to memory of 2196	660	vhYv4270eI.exe	86
PID 660 wrote to memory of 2196	660	vhYv4270eI.exe	86
PID 660 wrote to memory of 4160	660	vhYv4270eI.exe	87
PID 660 wrote to memory of 4160	660	vhYv4270eI.exe	87
PID 660 wrote to memory of 4160	660	vhYv4270eI.exe	87

C:\Users\Admin\AppData\Local\Temp\0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe
"C:\Users\Admin\AppData\Local\Temp\0029b23940e0cbbdacf0604c801d24624e82c96f9fbcf6d403a2c30f1b92deb0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhYv4270eI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhYv4270eI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf26XU18Qi05.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf26XU18Qi05.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf16hJ43Gq51.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf16hJ43Gq51.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhYv4270eI.exe

Filesize
417KB

MD5
63aa80e434ea0b85f540a8ad03389b3f

SHA1
f30f6d362fe8942ffd560aafb380fa6510ac004b

SHA256
22a721b379494c2c206830782d419b73049a571d9b6c237810ac6b086c605787

SHA512
ba53570d411303c00e9ab2b2bbce1e9d3b0a9e349aa225d90304aa9d0063e7544596e0d53a0ccfcc37fa70f225d1855780e9d17cee2dc417f8f4b285fedc867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhYv4270eI.exe

Filesize
417KB

MD5
63aa80e434ea0b85f540a8ad03389b3f

SHA1
f30f6d362fe8942ffd560aafb380fa6510ac004b

SHA256
22a721b379494c2c206830782d419b73049a571d9b6c237810ac6b086c605787

SHA512
ba53570d411303c00e9ab2b2bbce1e9d3b0a9e349aa225d90304aa9d0063e7544596e0d53a0ccfcc37fa70f225d1855780e9d17cee2dc417f8f4b285fedc867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf26XU18Qi05.exe

Filesize
11KB

MD5
97ac268fb02ea976d6c4045aa62edfe1

SHA1
f0734c5a446d420eccab629a61df860df59cba03

SHA256
e53c50f5300972cea9cb13404a80f3fd8f93ae5f01a5624c5541d3c7a34c8ee9

SHA512
ff1da3484c14825464c3f57dc07fb404af7a6ec517f86bc79d91fc568811ca8fea8443c451efe6e5fc791c5538c4252f163eae9dfe00f84e4ef1d0d141d97601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf26XU18Qi05.exe

Filesize
11KB

MD5
97ac268fb02ea976d6c4045aa62edfe1

SHA1
f0734c5a446d420eccab629a61df860df59cba03

SHA256
e53c50f5300972cea9cb13404a80f3fd8f93ae5f01a5624c5541d3c7a34c8ee9

SHA512
ff1da3484c14825464c3f57dc07fb404af7a6ec517f86bc79d91fc568811ca8fea8443c451efe6e5fc791c5538c4252f163eae9dfe00f84e4ef1d0d141d97601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf16hJ43Gq51.exe

Filesize
416KB

MD5
3298bce398b0b8db15538825fc22ec70

SHA1
97382a7c1ec70bd6549554c69ae3a8b18daddc9c

SHA256
c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd

SHA512
4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf16hJ43Gq51.exe

Filesize
416KB

MD5
3298bce398b0b8db15538825fc22ec70

SHA1
97382a7c1ec70bd6549554c69ae3a8b18daddc9c

SHA256
c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd

SHA512
4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737

Download Submit
memory/2196-147-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/4160-153-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/4160-154-0x0000000002BE0000-0x0000000002C2B000-memory.dmp

Filesize
300KB

Download
memory/4160-155-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4160-156-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4160-157-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-160-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-158-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-162-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-164-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-166-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-168-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-170-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-172-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-174-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-176-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-178-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-180-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-182-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-184-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-186-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-188-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-190-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-192-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-194-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-196-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-198-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-200-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-202-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-204-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-206-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-208-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-210-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-214-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-212-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-216-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-218-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-220-0x00000000071C0000-0x00000000071FE000-memory.dmp

Filesize
248KB

Download
memory/4160-1063-0x0000000007860000-0x0000000007E78000-memory.dmp

Filesize
6.1MB

Download
memory/4160-1064-0x0000000007E80000-0x0000000007F8A000-memory.dmp

Filesize
1.0MB

Download
memory/4160-1065-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

Filesize
72KB

Download
memory/4160-1066-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4160-1067-0x0000000007FE0000-0x000000000801C000-memory.dmp

Filesize
240KB

Download
memory/4160-1069-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4160-1070-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4160-1071-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download