redline | 012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe
Size

652KB
MD5

14f5e165626c6af52bffbc89d21329cc
SHA1

984311acb1194d14570e18fb067d0d77e18e09f7
SHA256

012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725
SHA512

09943f10e8f01e32822a270451c7a6b9d46657b1b7d857f70c7a39ec0f11b49d79faefd8bb6cdfd3dc16b3fa4d224e793a9fa77c15048d025129fac470737fba
SSDEEP

12288:zVWaqBVJ9djGK+NILVhWtA2upeUQFEoo+eN1d2xH8+llKGkAOH:zVWlhd+NIph4APeUQFEoo+eN1OH8+llu

Score

10^/10

redline garry evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

garry

193.56.146.11:4173

Attributes

auth_value
210ba56bf751fefe327f26e00f0be5a9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a897ftxo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a897ftxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a897ftxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a897ftxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a897ftxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a897ftxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a897ftxo.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

m652x759.exea897ftxo.exefAano057.exe

pid process

2024 m652x759.exe
972 a897ftxo.exe
824 fAano057.exe

pid	process
2024	m652x759.exe
972	a897ftxo.exe
824	fAano057.exe

Loads dropped DLL 7 IoCs

Processes:

012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exem652x759.exea897ftxo.exefAano057.exe

pid	process
1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe
2024	m652x759.exe
2024	m652x759.exe
2024	m652x759.exe
972	a897ftxo.exe
2024	m652x759.exe
824	fAano057.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a897ftxo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a897ftxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a897ftxo.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exem652x759.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	m652x759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	m652x759.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a897ftxo.exe

pid process

972 a897ftxo.exe
972 a897ftxo.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a897ftxo.exe

description pid process

Token: SeDebugPrivilege 972 a897ftxo.exe

pid	process
972	a897ftxo.exe
972	a897ftxo.exe

description	pid	process
Token: SeDebugPrivilege	972	a897ftxo.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exem652x759.exe

description	pid	process	target process
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 1204 wrote to memory of 2024	1204	012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe	m652x759.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 972	2024	m652x759.exe	a897ftxo.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe
PID 2024 wrote to memory of 824	2024	m652x759.exe	fAano057.exe

C:\Users\Admin\AppData\Local\Temp\012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe
"C:\Users\Admin\AppData\Local\Temp\012246d33d0db647d7d358792ca9610d561f0cfdbb7b173966842d93ad4af725.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m652x759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m652x759.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fAano057.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fAano057.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m652x759.exe
Filesize
382KB

MD5
65fb93ce39b827d09f8090aea0d8e9d3

SHA1
dd4eb0405f6d2d4dff4bbde92bcd600972dda160

SHA256
93386cf794aa821ea9970aeef3af62ff94c5c7aacd52df6178415e09ddad91c3

SHA512
7fc2dc83b8c619acbb08dc48540a147642c393679a74bffeb11077d82746c5640d2876b3e7fc9b40c0294d4ae78daf811d7d5aa033d15d4e5d14d5de78a5cdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m652x759.exe
Filesize
382KB

MD5
65fb93ce39b827d09f8090aea0d8e9d3

SHA1
dd4eb0405f6d2d4dff4bbde92bcd600972dda160

SHA256
93386cf794aa821ea9970aeef3af62ff94c5c7aacd52df6178415e09ddad91c3

SHA512
7fc2dc83b8c619acbb08dc48540a147642c393679a74bffeb11077d82746c5640d2876b3e7fc9b40c0294d4ae78daf811d7d5aa033d15d4e5d14d5de78a5cdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fAano057.exe
Filesize
175KB

MD5
f321ec1070df38bc3d9516ced9c63e82

SHA1
ed54b270a786bbd3f9d055e0ae5eaf8e2752fde5

SHA256
17696f99326cbeb44f8bd3bae2f91a7fbafa32ef54cf6631f0751cf6227c61a7

SHA512
8bd8939185690415cb2305b4ae05e7d0c97db2260cb6bb0197460ff8bede41e0c3dd8c25b96af21503acc82fe24ebfd4e70aac966488de6111b20def9c30d2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fAano057.exe
Filesize
175KB

MD5
f321ec1070df38bc3d9516ced9c63e82

SHA1
ed54b270a786bbd3f9d055e0ae5eaf8e2752fde5

SHA256
17696f99326cbeb44f8bd3bae2f91a7fbafa32ef54cf6631f0751cf6227c61a7

SHA512
8bd8939185690415cb2305b4ae05e7d0c97db2260cb6bb0197460ff8bede41e0c3dd8c25b96af21503acc82fe24ebfd4e70aac966488de6111b20def9c30d2ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\m652x759.exe
Filesize
382KB

MD5
65fb93ce39b827d09f8090aea0d8e9d3

SHA1
dd4eb0405f6d2d4dff4bbde92bcd600972dda160

SHA256
93386cf794aa821ea9970aeef3af62ff94c5c7aacd52df6178415e09ddad91c3

SHA512
7fc2dc83b8c619acbb08dc48540a147642c393679a74bffeb11077d82746c5640d2876b3e7fc9b40c0294d4ae78daf811d7d5aa033d15d4e5d14d5de78a5cdc3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\m652x759.exe
Filesize
382KB

MD5
65fb93ce39b827d09f8090aea0d8e9d3

SHA1
dd4eb0405f6d2d4dff4bbde92bcd600972dda160

SHA256
93386cf794aa821ea9970aeef3af62ff94c5c7aacd52df6178415e09ddad91c3

SHA512
7fc2dc83b8c619acbb08dc48540a147642c393679a74bffeb11077d82746c5640d2876b3e7fc9b40c0294d4ae78daf811d7d5aa033d15d4e5d14d5de78a5cdc3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a897ftxo.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\fAano057.exe
Filesize
175KB

MD5
f321ec1070df38bc3d9516ced9c63e82

SHA1
ed54b270a786bbd3f9d055e0ae5eaf8e2752fde5

SHA256
17696f99326cbeb44f8bd3bae2f91a7fbafa32ef54cf6631f0751cf6227c61a7

SHA512
8bd8939185690415cb2305b4ae05e7d0c97db2260cb6bb0197460ff8bede41e0c3dd8c25b96af21503acc82fe24ebfd4e70aac966488de6111b20def9c30d2ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\fAano057.exe
Filesize
175KB

MD5
f321ec1070df38bc3d9516ced9c63e82

SHA1
ed54b270a786bbd3f9d055e0ae5eaf8e2752fde5

SHA256
17696f99326cbeb44f8bd3bae2f91a7fbafa32ef54cf6631f0751cf6227c61a7

SHA512
8bd8939185690415cb2305b4ae05e7d0c97db2260cb6bb0197460ff8bede41e0c3dd8c25b96af21503acc82fe24ebfd4e70aac966488de6111b20def9c30d2ab

Download Submit
memory/824-126-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/824-123-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/824-122-0x0000000000CB0000-0x0000000000CE2000-memory.dmp

Filesize
200KB

Download
memory/972-95-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-111-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/972-89-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-80-0x00000000008B0000-0x00000000008CA000-memory.dmp

Filesize
104KB

Download
memory/972-93-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-97-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-99-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-101-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-103-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-105-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-109-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-107-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-110-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/972-91-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-112-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download
memory/972-81-0x0000000000BB0000-0x0000000000BC8000-memory.dmp

Filesize
96KB

Download
memory/972-114-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/972-115-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/972-85-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-87-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-83-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/972-82-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/1204-113-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1204-54-0x0000000000230000-0x00000000002B5000-memory.dmp

Filesize
532KB

Download
memory/1204-61-0x00000000004C0000-0x000000000054F000-memory.dmp

Filesize
572KB

Download