redline | 3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db

Analysis

max time kernel
222s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 21:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe
Size

1.2MB
MD5

d44c35515ad09f67f35ca83a9d48675c
SHA1

cb6b0ff4812f27327fd88da308ed029293f5dc48
SHA256

3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db
SHA512

27572c1e0dff8c339123c851dd1f2fc43808e0bbd9e21c8f6734cd8e27f8dd5bee2ac79fb8181194a9e2d15adbde60bb3377c46999abaab7b4e99229dbcdd429
SSDEEP

24576:vyXCLWU0n6TVQBOvUegcKcsF9Lz07qY5VHPcV:6XCaU0+QlHUsvLz07qYPvc

Score

10^/10

redline lofa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lofa

185.161.248.73:4164

Attributes

auth_value
3442ba767c6a30cde747101942f34a3a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	s59949084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s59949084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s59949084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s59949084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s59949084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s59949084.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4608	z77701829.exe
3592	z17944723.exe
1612	z72251254.exe
1348	s59949084.exe
2820	t31369139.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s59949084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s59949084.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z77701829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z77701829.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z17944723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z17944723.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z72251254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z72251254.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	s59949084.exe
1348	s59949084.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	s59949084.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 4608	1412	3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe	79
PID 1412 wrote to memory of 4608	1412	3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe	79
PID 1412 wrote to memory of 4608	1412	3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe	79
PID 4608 wrote to memory of 3592	4608	z77701829.exe	80
PID 4608 wrote to memory of 3592	4608	z77701829.exe	80
PID 4608 wrote to memory of 3592	4608	z77701829.exe	80
PID 3592 wrote to memory of 1612	3592	z17944723.exe	81
PID 3592 wrote to memory of 1612	3592	z17944723.exe	81
PID 3592 wrote to memory of 1612	3592	z17944723.exe	81
PID 1612 wrote to memory of 1348	1612	z72251254.exe	82
PID 1612 wrote to memory of 1348	1612	z72251254.exe	82
PID 1612 wrote to memory of 1348	1612	z72251254.exe	82
PID 1612 wrote to memory of 2820	1612	z72251254.exe	85
PID 1612 wrote to memory of 2820	1612	z72251254.exe	85
PID 1612 wrote to memory of 2820	1612	z72251254.exe	85

C:\Users\Admin\AppData\Local\Temp\3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe
"C:\Users\Admin\AppData\Local\Temp\3df0115bd9ccb06f290473eaea9f490086bf98156727fa912acb04a1accb09db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z77701829.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z77701829.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z17944723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z17944723.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z72251254.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z72251254.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59949084.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59949084.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31369139.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31369139.exe
        5⤵
        Executes dropped EXE
        
        PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z77701829.exe

Filesize
978KB

MD5
a1a4d32d9a00567d169c9fea6b3ed64c

SHA1
4d89661aac6504fe8b61823335475e3b0768fef5

SHA256
3fdb37ec1bd6bbd19f6baf51f57bdbed85c7d0a30ddcc85560936311e82b86a4

SHA512
16425f01c6d1fe7de15fa2a4ab0d9c06f4eba9869e3d293b8cc961c0c3fe803ad7ccee09ee7d61247f74f172ad92e26c84d6d403371ce411d02c33ad0a0fb76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z77701829.exe

Filesize
978KB

MD5
a1a4d32d9a00567d169c9fea6b3ed64c

SHA1
4d89661aac6504fe8b61823335475e3b0768fef5

SHA256
3fdb37ec1bd6bbd19f6baf51f57bdbed85c7d0a30ddcc85560936311e82b86a4

SHA512
16425f01c6d1fe7de15fa2a4ab0d9c06f4eba9869e3d293b8cc961c0c3fe803ad7ccee09ee7d61247f74f172ad92e26c84d6d403371ce411d02c33ad0a0fb76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z17944723.exe

Filesize
795KB

MD5
3eab85b611292dee2015f88ad16e4aff

SHA1
6cc03d2aab09694d594cf9baa2bbdc6182f5e1e5

SHA256
14a5adea03f6f11b64056f32e52ec1b5ecb4c240d1205ee43c10e820e4c758dd

SHA512
9ed259f54cbd4da5ec554501a82c4a1d83b78d15661a7c58491e02f1b43f92e075e6357b9ba3c68a4f9ea5592b1f1e3d11f1b34a58dc73bb940b3182aee41a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z17944723.exe

Filesize
795KB

MD5
3eab85b611292dee2015f88ad16e4aff

SHA1
6cc03d2aab09694d594cf9baa2bbdc6182f5e1e5

SHA256
14a5adea03f6f11b64056f32e52ec1b5ecb4c240d1205ee43c10e820e4c758dd

SHA512
9ed259f54cbd4da5ec554501a82c4a1d83b78d15661a7c58491e02f1b43f92e075e6357b9ba3c68a4f9ea5592b1f1e3d11f1b34a58dc73bb940b3182aee41a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z72251254.exe

Filesize
310KB

MD5
17e17686124421c8acd5e497b3833c72

SHA1
b6830bbb8e4908e473c1a3b429af0ba1eb1ec6f1

SHA256
5f2f33372d554b22a01995034c33e522115e5e92c2a1c947e5a0448ba2fa54d2

SHA512
91d4340633591a0b3e0ecce28801a3e91c52399c3bd20bc7ea68afe0494021b0577a084bcbff0193de79bd8818cdf3fd4fa38f9b95ba40508953734371d1225d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z72251254.exe

Filesize
310KB

MD5
17e17686124421c8acd5e497b3833c72

SHA1
b6830bbb8e4908e473c1a3b429af0ba1eb1ec6f1

SHA256
5f2f33372d554b22a01995034c33e522115e5e92c2a1c947e5a0448ba2fa54d2

SHA512
91d4340633591a0b3e0ecce28801a3e91c52399c3bd20bc7ea68afe0494021b0577a084bcbff0193de79bd8818cdf3fd4fa38f9b95ba40508953734371d1225d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59949084.exe

Filesize
176KB

MD5
c8563f11ca5126c188259f7984de5a02

SHA1
af39ede344a69cdd3f442846941ef095d2728ec6

SHA256
e3ee14ddc9d56563efafbc5549b6af99684f142ffe3e333c04b02954c25e3362

SHA512
374d89070b04539cece21397be7a3701f0495e94c688edad7b1aa8bca63fde171b605bcac5083df0d06b3a886eb0567eafd6ae3fbc9d201e3dec37884d2dc9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s59949084.exe

Filesize
176KB

MD5
c8563f11ca5126c188259f7984de5a02

SHA1
af39ede344a69cdd3f442846941ef095d2728ec6

SHA256
e3ee14ddc9d56563efafbc5549b6af99684f142ffe3e333c04b02954c25e3362

SHA512
374d89070b04539cece21397be7a3701f0495e94c688edad7b1aa8bca63fde171b605bcac5083df0d06b3a886eb0567eafd6ae3fbc9d201e3dec37884d2dc9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31369139.exe

Filesize
168KB

MD5
e5b21915092d9a13316e71c2e0fc7760

SHA1
0c0b6b646d8f3556c3bcbb7e0951801da7bdd955

SHA256
cee7fe62031df1a8ca672e76a834d0ddab1825192ed0ac42002193155db175a3

SHA512
79db081d2b87bd28c51d350dcafee11703b714151ea946aeef1f3e1c4cbcceadd71b37663ffaf06330145176acf007842bcf386414546eea6f7878615850831b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t31369139.exe

Filesize
168KB

MD5
e5b21915092d9a13316e71c2e0fc7760

SHA1
0c0b6b646d8f3556c3bcbb7e0951801da7bdd955

SHA256
cee7fe62031df1a8ca672e76a834d0ddab1825192ed0ac42002193155db175a3

SHA512
79db081d2b87bd28c51d350dcafee11703b714151ea946aeef1f3e1c4cbcceadd71b37663ffaf06330145176acf007842bcf386414546eea6f7878615850831b

Download Submit
memory/1348-163-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1348-190-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-165-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-166-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-168-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-170-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-172-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-174-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-176-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-178-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-180-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-182-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-184-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-186-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-192-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-164-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1348-188-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/1348-193-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1348-194-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1348-195-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1348-162-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/1348-161-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/2820-200-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

Filesize
184KB

Download
memory/2820-201-0x0000000006080000-0x0000000006698000-memory.dmp

Filesize
6.1MB

Download
memory/2820-202-0x0000000005BF0000-0x0000000005CFA000-memory.dmp

Filesize
1.0MB

Download
memory/2820-203-0x0000000005B20000-0x0000000005B32000-memory.dmp

Filesize
72KB

Download
memory/2820-204-0x0000000005B80000-0x0000000005BBC000-memory.dmp

Filesize
240KB

Download
memory/2820-205-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2820-206-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2820-207-0x0000000005DC0000-0x0000000005E36000-memory.dmp

Filesize
472KB

Download
memory/2820-208-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/2820-209-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download