redline | db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006

Analysis

max time kernel
195s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2023, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe
Size

936KB
MD5

352ac4155529ee4123900210c899962c
SHA1

cee48556da9207c53239edd9f2a000efad4fdf14
SHA256

db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006
SHA512

ec625eb0eaabf135aff527b39f1e5265b275b555a392d5f9058d4e18878bf853da43110766e134b134a045e29e2b60c8e2be6867e9e540330b32655078d61d30
SSDEEP

24576:hy2VoZVn3E+45zpW0UF6ztJJto3ryUBNFAFblsYJLQ:U2VUE5mmfJoyUeFpJ

Score

10^/10

redline gena evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	32240438.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	rk171752.exe

Executes dropped EXE 5 IoCs

pid	Process
1468	un207061.exe
3116	32240438.exe
220	1.exe
1840	rk171752.exe
4608	1.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un207061.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un207061.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1636	3116	WerFault.exe	84
4060	1840	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	1.exe
220	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	32240438.exe
Token: SeDebugPrivilege	220	1.exe
Token: SeDebugPrivilege	1840	rk171752.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 1468	3560	db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe	83
PID 3560 wrote to memory of 1468	3560	db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe	83
PID 3560 wrote to memory of 1468	3560	db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe	83
PID 1468 wrote to memory of 3116	1468	un207061.exe	84
PID 1468 wrote to memory of 3116	1468	un207061.exe	84
PID 1468 wrote to memory of 3116	1468	un207061.exe	84
PID 3116 wrote to memory of 220	3116	32240438.exe	85
PID 3116 wrote to memory of 220	3116	32240438.exe	85
PID 1468 wrote to memory of 1840	1468	un207061.exe	94
PID 1468 wrote to memory of 1840	1468	un207061.exe	94
PID 1468 wrote to memory of 1840	1468	un207061.exe	94
PID 1840 wrote to memory of 4608	1840	rk171752.exe	95
PID 1840 wrote to memory of 4608	1840	rk171752.exe	95
PID 1840 wrote to memory of 4608	1840	rk171752.exe	95

C:\Users\Admin\AppData\Local\Temp\db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe
"C:\Users\Admin\AppData\Local\Temp\db1586421ba97e6516ac63d247bc5af6076f9a0182b9acab4fe976064039b006.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207061.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32240438.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32240438.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1376
      4⤵
      Program crash
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk171752.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk171752.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:4608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1376
      4⤵
      Program crash
      PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1840 -ip 1840
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207061.exe

Filesize
783KB

MD5
78cc5a30ebc80bfeee49fa6241b9e582

SHA1
08666bcceddb9709a7aa07874ca2cb2e12708edc

SHA256
aa9631a419e02b29fdc3387c705d8f36ffb9dd05d7a31c4ba824bcec7299ffd6

SHA512
6d62e62aa4f6dae34b96e622abffd82a2834b2bf1264290fbb1f45a485fba7a77f75605751d42a274db869c6c591c86578020f8a6bba527879481febdfad7073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207061.exe

Filesize
783KB

MD5
78cc5a30ebc80bfeee49fa6241b9e582

SHA1
08666bcceddb9709a7aa07874ca2cb2e12708edc

SHA256
aa9631a419e02b29fdc3387c705d8f36ffb9dd05d7a31c4ba824bcec7299ffd6

SHA512
6d62e62aa4f6dae34b96e622abffd82a2834b2bf1264290fbb1f45a485fba7a77f75605751d42a274db869c6c591c86578020f8a6bba527879481febdfad7073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32240438.exe

Filesize
521KB

MD5
3300c51954039ea7b491eb90c28c6c77

SHA1
563f9b70eafabef8a10368966bb285a2cb2f4b62

SHA256
e395310bb34bcf5d731595470d5452775d49e3d483c04c0056f0d2944fb8a1be

SHA512
bcb2dfe2948a63552985199c25a37953e57eab34c3c0ed572ec3695e4a24be09fee83cffa01146755c67b852474add660df5d92f8a0f6ff812e6eaa8e40633a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\32240438.exe

Filesize
521KB

MD5
3300c51954039ea7b491eb90c28c6c77

SHA1
563f9b70eafabef8a10368966bb285a2cb2f4b62

SHA256
e395310bb34bcf5d731595470d5452775d49e3d483c04c0056f0d2944fb8a1be

SHA512
bcb2dfe2948a63552985199c25a37953e57eab34c3c0ed572ec3695e4a24be09fee83cffa01146755c67b852474add660df5d92f8a0f6ff812e6eaa8e40633a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk171752.exe

Filesize
581KB

MD5
b6a3c10157620c3824c4ac0d9c5ca316

SHA1
d92a6bfdc3afd055e86e34fbc60d240790e37257

SHA256
93d40c4db0e5bd65489d9c42f87a60f296c08ff0ae8d137a7f343f1b5be6dfee

SHA512
744aad58720784bf723dadf7a3e0e3c8da3677cea0173bec4c7878ca10a3c41ef04a85a8c30eff2be3a6d934e47dbd898b374f689eec5eb9d0118f4906e60fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk171752.exe

Filesize
581KB

MD5
b6a3c10157620c3824c4ac0d9c5ca316

SHA1
d92a6bfdc3afd055e86e34fbc60d240790e37257

SHA256
93d40c4db0e5bd65489d9c42f87a60f296c08ff0ae8d137a7f343f1b5be6dfee

SHA512
744aad58720784bf723dadf7a3e0e3c8da3677cea0173bec4c7878ca10a3c41ef04a85a8c30eff2be3a6d934e47dbd898b374f689eec5eb9d0118f4906e60fd4

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/220-2301-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/1840-4462-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1840-2539-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1840-2535-0x0000000000860000-0x00000000008BB000-memory.dmp

Filesize
364KB

Download
memory/1840-2537-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1840-4477-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1840-4478-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1840-4479-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/1840-4480-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/3116-197-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-2283-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3116-179-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-181-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-183-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-185-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-187-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-189-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-191-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-193-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-195-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-175-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-201-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-199-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-203-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-205-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-207-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-209-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-211-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-213-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-215-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-177-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-173-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-171-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-169-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-2296-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3116-2297-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3116-2298-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3116-167-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-165-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-163-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-161-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-159-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-157-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-155-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-154-0x0000000005500000-0x0000000005551000-memory.dmp

Filesize
324KB

Download
memory/3116-153-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3116-152-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3116-148-0x0000000000830000-0x000000000087C000-memory.dmp

Filesize
304KB

Download
memory/3116-151-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/3116-150-0x0000000000830000-0x000000000087C000-memory.dmp

Filesize
304KB

Download
memory/3116-149-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/4608-4475-0x00000000000A0000-0x00000000000CE000-memory.dmp

Filesize
184KB

Download