redline | fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe
Size

832KB
MD5

1f84e0b6a95a5fe23d40592f6a6f7554
SHA1

ef9eb5df7f4045d7b004e19986674c2c79dfb0d4
SHA256

fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08
SHA512

181c1ad898d7f8a6bbf6d766d6e6a0bc8d4e4271316ec4eadf6418ae7fd5fcab0e818849932526ff235d77a989649e7d1ee4dd12f0960fb460359ef45bc74736
SSDEEP

12288:SLUZH/VUan5w5mvBedKBlsXopctdTquivPgSwo0Z38ywgmPRI:gyUan5eWo8BlsXoarT7p8p1u

Score

10^/10

redline down evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

jr717328.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr717328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr717328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr717328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr717328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr717328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr717328.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/812-161-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-162-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-166-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-164-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-168-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-170-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-172-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-176-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-178-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-180-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-174-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-184-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-182-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-186-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-190-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-192-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-188-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-200-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-198-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-204-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-206-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-202-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-208-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-196-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-194-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-212-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-210-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-216-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-218-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-220-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-222-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline
behavioral2/memory/812-214-0x0000000004C50000-0x0000000004C8E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

zipb1214.exejr717328.exeku726757.exe

pid process

2180 zipb1214.exe
1700 jr717328.exe
812 ku726757.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

jr717328.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr717328.exe

pid	process
2180	zipb1214.exe
1700	jr717328.exe
812	ku726757.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr717328.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exezipb1214.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zipb1214.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zipb1214.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

744 sc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr717328.exe

pid process

1700 jr717328.exe
1700 jr717328.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr717328.exeku726757.exe

description pid process

Token: SeDebugPrivilege 1700 jr717328.exe
Token: SeDebugPrivilege 812 ku726757.exe

pid	process
744	sc.exe

pid	process
1700	jr717328.exe
1700	jr717328.exe

description	pid	process
Token: SeDebugPrivilege	1700	jr717328.exe
Token: SeDebugPrivilege	812	ku726757.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exezipb1214.exe

description	pid	process	target process
PID 3208 wrote to memory of 2180	3208	fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe	zipb1214.exe
PID 3208 wrote to memory of 2180	3208	fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe	zipb1214.exe
PID 3208 wrote to memory of 2180	3208	fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe	zipb1214.exe
PID 2180 wrote to memory of 1700	2180	zipb1214.exe	jr717328.exe
PID 2180 wrote to memory of 1700	2180	zipb1214.exe	jr717328.exe
PID 2180 wrote to memory of 812	2180	zipb1214.exe	ku726757.exe
PID 2180 wrote to memory of 812	2180	zipb1214.exe	ku726757.exe
PID 2180 wrote to memory of 812	2180	zipb1214.exe	ku726757.exe

C:\Users\Admin\AppData\Local\Temp\fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe
"C:\Users\Admin\AppData\Local\Temp\fcc4605384ed0d03937593f0aba2f0f60a7945b53d7ec538b3e315a439f80a08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe

Filesize
409KB

MD5
55501ed5af404985f25e1297f961c821

SHA1
3f719bec85aba7b5c4ee5b85e7089676a943630b

SHA256
2d6433912144cd6dd3525d6ef0c7706a115246a903d54b1c6e3bd3ea4b44d49d

SHA512
6d61d2bc593a61d2fbf6a6140bfd6b26c5711c14ffd30508c95b1523cce933cd84df88b2abc182215c36194c578b3bc1ea16bb79408601c0b5d53d99c0152132

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipb1214.exe

Filesize
409KB

MD5
55501ed5af404985f25e1297f961c821

SHA1
3f719bec85aba7b5c4ee5b85e7089676a943630b

SHA256
2d6433912144cd6dd3525d6ef0c7706a115246a903d54b1c6e3bd3ea4b44d49d

SHA512
6d61d2bc593a61d2fbf6a6140bfd6b26c5711c14ffd30508c95b1523cce933cd84df88b2abc182215c36194c578b3bc1ea16bb79408601c0b5d53d99c0152132

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717328.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe

Filesize
497KB

MD5
9e569c650bc18f128349feee9adf5b31

SHA1
32eff4ac619d11ea21700a6e7bf4f37bd9c8acd6

SHA256
56b06a9b617cd8fa4b90a631d5721ac40f216a2d6e90d9f4ed65aab0af588807

SHA512
c5b564eac8ed32e149d1b6fa4fab7de2899b4542d4096c4c555d4ed59ff42f23383d979d28511d0a99275b0ae7842a8d8cfd360bedf1813e5b549ce190c62f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku726757.exe

Filesize
497KB

MD5
9e569c650bc18f128349feee9adf5b31

SHA1
32eff4ac619d11ea21700a6e7bf4f37bd9c8acd6

SHA256
56b06a9b617cd8fa4b90a631d5721ac40f216a2d6e90d9f4ed65aab0af588807

SHA512
c5b564eac8ed32e149d1b6fa4fab7de2899b4542d4096c4c555d4ed59ff42f23383d979d28511d0a99275b0ae7842a8d8cfd360bedf1813e5b549ce190c62f96

Download Submit
memory/812-156-0x0000000004D30000-0x00000000052D4000-memory.dmp

Filesize
5.6MB

Download
memory/812-157-0x00000000005D0000-0x000000000061B000-memory.dmp

Filesize
300KB

Download
memory/812-158-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-159-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-160-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-161-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-162-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-166-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-164-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-168-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-170-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-172-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-176-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-178-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-180-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-174-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-184-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-182-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-186-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-190-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-192-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-188-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-200-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-198-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-204-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-206-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-202-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-208-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-196-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-194-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-212-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-210-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-216-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-218-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-220-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-222-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-214-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/812-1067-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/812-1068-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/812-1070-0x0000000005A20000-0x0000000005A32000-memory.dmp

Filesize
72KB

Download
memory/812-1071-0x0000000005A40000-0x0000000005A7C000-memory.dmp

Filesize
240KB

Download
memory/812-1072-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-1074-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-1075-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-1076-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/812-1078-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/1700-149-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/3208-138-0x0000000002200000-0x000000000228B000-memory.dmp

Filesize
556KB

Download
memory/3208-150-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download