redline | 496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f

Analysis

max time kernel
29s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2023, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe
Size

961KB
MD5

60a816d779a9116d17aa48d02020ccdf
SHA1

c3e7bdff4f078cbb566bd414be5f15bfc34b20d2
SHA256

496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f
SHA512

1c3a58b6138f4e750456db6bb011bbb21ce8b8fb502d715ce0a9528c1aa14df6cc19ce1b9ba507b0f6b3ba001b2cade28027e9dcb5ceb1bced3038c26742e8de
SSDEEP

24576:ny4lwx667IgrNt6l39LU0AYvvIB1st0WnBQQ+9NfczJDv:y4lcBJrz6l3FvAYvva1sthBnaiVD

Score

10^/10

redline lada evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lada

185.161.248.90:4125

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it660108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it660108.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it660108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it660108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it660108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it660108.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	jr000337.exe

Executes dropped EXE 4 IoCs

pid	Process
2420	ziXF5713.exe
1436	ziQc7393.exe
4256	it660108.exe
3240	jr000337.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it660108.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziXF5713.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziXF5713.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziQc7393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ziQc7393.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4256	it660108.exe
4256	it660108.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	it660108.exe
Token: SeDebugPrivilege	3240	jr000337.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 2420	3948	496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe	85
PID 3948 wrote to memory of 2420	3948	496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe	85
PID 3948 wrote to memory of 2420	3948	496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe	85
PID 2420 wrote to memory of 1436	2420	ziXF5713.exe	86
PID 2420 wrote to memory of 1436	2420	ziXF5713.exe	86
PID 2420 wrote to memory of 1436	2420	ziXF5713.exe	86
PID 1436 wrote to memory of 4256	1436	ziQc7393.exe	87
PID 1436 wrote to memory of 4256	1436	ziQc7393.exe	87
PID 1436 wrote to memory of 3240	1436	ziQc7393.exe	88
PID 1436 wrote to memory of 3240	1436	ziQc7393.exe	88
PID 1436 wrote to memory of 3240	1436	ziQc7393.exe	88
PID 3240 wrote to memory of 2356	3240	jr000337.exe	89
PID 3240 wrote to memory of 2356	3240	jr000337.exe	89
PID 3240 wrote to memory of 2356	3240	jr000337.exe	89

C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe
"C:\Users\Admin\AppData\Local\Temp\496f62ca4d44f6dc991c30d284d134e135a7d205ffb165aef624dd82748d511f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        
        PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe

Filesize
679KB

MD5
e04c7e96ee59d2015706ff71c71c3cae

SHA1
fd3b98f05dae77002d5d2f5049f2de41e8fdec10

SHA256
4bd54ee349d83e8dbdc5366ee8be6174b929f634a6c5644504d023060829f523

SHA512
5c75ca5f30d67081a2fb977536f6f33b7595c567ebdfc27791d16dbc947b7305b5d9dccf6bc5d86ccd0eeef16bdc003750f5398a9199fd4883e1f0cd2354f4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXF5713.exe

Filesize
679KB

MD5
e04c7e96ee59d2015706ff71c71c3cae

SHA1
fd3b98f05dae77002d5d2f5049f2de41e8fdec10

SHA256
4bd54ee349d83e8dbdc5366ee8be6174b929f634a6c5644504d023060829f523

SHA512
5c75ca5f30d67081a2fb977536f6f33b7595c567ebdfc27791d16dbc947b7305b5d9dccf6bc5d86ccd0eeef16bdc003750f5398a9199fd4883e1f0cd2354f4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe

Filesize
525KB

MD5
680417f2efe9eb78a4fb2e7866ec66f5

SHA1
de726b1f5ae8bdc19479980fd10e988dca138623

SHA256
607443710032388c930a8c9e35bd2e4c73771c4b4299507f6429731b36882b36

SHA512
8cb35a5f1b56796b1c5a97b3a8476952418a145edfe2ffda0382f1db7d8b9d94f41b1fd4eae56691434c1ab8093dfd811beea68906e95f6fe5d56d302a4a5fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziQc7393.exe

Filesize
525KB

MD5
680417f2efe9eb78a4fb2e7866ec66f5

SHA1
de726b1f5ae8bdc19479980fd10e988dca138623

SHA256
607443710032388c930a8c9e35bd2e4c73771c4b4299507f6429731b36882b36

SHA512
8cb35a5f1b56796b1c5a97b3a8476952418a145edfe2ffda0382f1db7d8b9d94f41b1fd4eae56691434c1ab8093dfd811beea68906e95f6fe5d56d302a4a5fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe

Filesize
11KB

MD5
a4f89f8dc8ca3450dc0240359e4c002c

SHA1
5b23c62b34d9adcfdb997a039b29115ba117fd1b

SHA256
03454e8aad3ebc11c3a0662fe85773cec8e85d456313438a94f99afc1c2fc42e

SHA512
9e8427ac8d39272ffdfed294238fdbfdd3a54ae379ed5a2d3d9acbe9a62ba19cf5b082b11b6f295ecb75da0f15aeb5c377f95198508c5e406e39406b1383bcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it660108.exe

Filesize
11KB

MD5
a4f89f8dc8ca3450dc0240359e4c002c

SHA1
5b23c62b34d9adcfdb997a039b29115ba117fd1b

SHA256
03454e8aad3ebc11c3a0662fe85773cec8e85d456313438a94f99afc1c2fc42e

SHA512
9e8427ac8d39272ffdfed294238fdbfdd3a54ae379ed5a2d3d9acbe9a62ba19cf5b082b11b6f295ecb75da0f15aeb5c377f95198508c5e406e39406b1383bcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe

Filesize
501KB

MD5
6424b85ebce56537ad6c67e59be400a8

SHA1
4010e1a196ba734e1b82868e6c47e391631e2e3a

SHA256
6ab79416f69dcf4bdf22ee0430afe96783ceac1fdf2057a959f023392efc29e9

SHA512
0905f6ddc31f1224e7d0c3fc0fca30aa3674ebc402dd843b47402c3c8047a9783f1389cdd45386aa43f72b8771a479c8fef668362bbd4582945443c193778c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr000337.exe

Filesize
501KB

MD5
6424b85ebce56537ad6c67e59be400a8

SHA1
4010e1a196ba734e1b82868e6c47e391631e2e3a

SHA256
6ab79416f69dcf4bdf22ee0430afe96783ceac1fdf2057a959f023392efc29e9

SHA512
0905f6ddc31f1224e7d0c3fc0fca30aa3674ebc402dd843b47402c3c8047a9783f1389cdd45386aa43f72b8771a479c8fef668362bbd4582945443c193778c2b

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
03728fed675bcde5256342183b1d6f27

SHA1
d13eace7d3d92f93756504b274777cc269b222a2

SHA256
f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

SHA512
6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

Download Submit
memory/3240-160-0x0000000002020000-0x000000000207B000-memory.dmp

Filesize
364KB

Download
memory/3240-161-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/3240-162-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-165-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-163-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-167-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-168-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3240-170-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3240-172-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3240-171-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-174-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-176-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-178-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-180-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-182-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-184-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-186-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-188-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-190-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-192-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-194-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-196-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-198-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-200-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-202-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-204-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-206-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-208-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-210-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-212-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-214-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-216-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-218-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-220-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-222-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-224-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-226-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-228-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/3240-862-0x0000000002020000-0x000000000207B000-memory.dmp

Filesize
364KB

Download
memory/3240-2311-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/4256-154-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download