redline | 0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c

Analysis

max time kernel
51s
max time network
73s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/05/2023, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe
Size

794KB
MD5

5b205d500d17bb64787be3452ea06113
SHA1

be144de8005b064438d4be7b4a99afefee1d8c46
SHA256

0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c
SHA512

ea44d46a9b8b2e0ba7fbc379b1597f556cfbae7a624d4ed2b66a0fbc12898c80794668c6bb5328fe3f9a216c7c2add6b0c9fa16a6a0f605f01027addd6082e33
SSDEEP

24576:PyEYX7KsoFnZRnOkEjgW0N9U8sHYkf4z:aEkKsoFZUz0gqkf4

Score

10^/10

redline dante gena discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dante

185.161.248.73:4164

Attributes

auth_value
f4066af6b8a6f23125c8ee48288a3f90

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o57934279.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o57934279.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o57934279.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o57934279.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o57934279.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
5032	x06485986.exe
2080	m48640342.exe
1640	1.exe
2116	n99488944.exe
2108	o57934279.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o57934279.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o57934279.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x06485986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x06485986.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1640	1.exe
2116	n99488944.exe
1640	1.exe
2116	n99488944.exe
2108	o57934279.exe
2108	o57934279.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	m48640342.exe
Token: SeDebugPrivilege	1640	1.exe
Token: SeDebugPrivilege	2116	n99488944.exe
Token: SeDebugPrivilege	2108	o57934279.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 5032	2148	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe	66
PID 2148 wrote to memory of 5032	2148	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe	66
PID 2148 wrote to memory of 5032	2148	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe	66
PID 5032 wrote to memory of 2080	5032	x06485986.exe	67
PID 5032 wrote to memory of 2080	5032	x06485986.exe	67
PID 5032 wrote to memory of 2080	5032	x06485986.exe	67
PID 2080 wrote to memory of 1640	2080	m48640342.exe	68
PID 2080 wrote to memory of 1640	2080	m48640342.exe	68
PID 2080 wrote to memory of 1640	2080	m48640342.exe	68
PID 5032 wrote to memory of 2116	5032	x06485986.exe	69
PID 5032 wrote to memory of 2116	5032	x06485986.exe	69
PID 5032 wrote to memory of 2116	5032	x06485986.exe	69
PID 2148 wrote to memory of 2108	2148	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe	71
PID 2148 wrote to memory of 2108	2148	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe	71
PID 2148 wrote to memory of 2108	2148	0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe	71

C:\Users\Admin\AppData\Local\Temp\0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe
"C:\Users\Admin\AppData\Local\Temp\0db00a2776aa25233f406bcc722b2adf39d9fb5dbbaacf24852304a8bc6e3b2c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x06485986.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x06485986.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m48640342.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m48640342.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99488944.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99488944.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o57934279.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o57934279.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o57934279.exe

Filesize
176KB

MD5
9d9d08faa93b95146bdf4ede9cac2398

SHA1
bb9d80345bfe3b3f287c3921d7cd77119bf77101

SHA256
873f70babac6753be8a83377c2602d4443b92d9b340352313560aa1ffa835b42

SHA512
d7c6c5a619883d1a31ee5ebf94e0abd311dca263ded79afff61b729d9ad3fed5c75c8eb5d6a11ad5e0369df2d88f0863759b45b9159eb5d4ca35a9c8a6f7e522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o57934279.exe

Filesize
176KB

MD5
9d9d08faa93b95146bdf4ede9cac2398

SHA1
bb9d80345bfe3b3f287c3921d7cd77119bf77101

SHA256
873f70babac6753be8a83377c2602d4443b92d9b340352313560aa1ffa835b42

SHA512
d7c6c5a619883d1a31ee5ebf94e0abd311dca263ded79afff61b729d9ad3fed5c75c8eb5d6a11ad5e0369df2d88f0863759b45b9159eb5d4ca35a9c8a6f7e522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x06485986.exe

Filesize
589KB

MD5
28d91431872663e544e3d0f5738c456a

SHA1
1e09260276bd4b14b90013d19ec144542c56831f

SHA256
dadf06cae69b809ca320290faff151b51777b113e47425e09a7ab79e465efc59

SHA512
c425dde05d7f9b2baddc8ea9cf823b6e68a61f80720a907b68bfb7828bf0e9279484f2844bba314d08dcab61bc28ba09f9034867fa5352cc3f3c120b19e00405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x06485986.exe

Filesize
589KB

MD5
28d91431872663e544e3d0f5738c456a

SHA1
1e09260276bd4b14b90013d19ec144542c56831f

SHA256
dadf06cae69b809ca320290faff151b51777b113e47425e09a7ab79e465efc59

SHA512
c425dde05d7f9b2baddc8ea9cf823b6e68a61f80720a907b68bfb7828bf0e9279484f2844bba314d08dcab61bc28ba09f9034867fa5352cc3f3c120b19e00405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m48640342.exe

Filesize
530KB

MD5
7c57e26b7263f417390803d6d402e3dd

SHA1
316383feda5633c5b88e78cb0b8b56bf6481b987

SHA256
0f7cf5e81f975a713b913a16a364cbaa1cb7e83b79442847464031de9fe55d48

SHA512
a11be4206d4201bd3e350fa3a3e91bec377388d156a9f5ad785aaa7a6c8f7cca19567a660fbd6f6c5137a993626d72adefe774eceaae4713cd1d06217fab341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m48640342.exe

Filesize
530KB

MD5
7c57e26b7263f417390803d6d402e3dd

SHA1
316383feda5633c5b88e78cb0b8b56bf6481b987

SHA256
0f7cf5e81f975a713b913a16a364cbaa1cb7e83b79442847464031de9fe55d48

SHA512
a11be4206d4201bd3e350fa3a3e91bec377388d156a9f5ad785aaa7a6c8f7cca19567a660fbd6f6c5137a993626d72adefe774eceaae4713cd1d06217fab341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99488944.exe

Filesize
168KB

MD5
a7eaddb65384b8cc19481ec6578fa5a5

SHA1
1167d4a35c270bc9abf8bf4ab3982d3b26d4971d

SHA256
c0979a9d7729d5fa7da661221189e1fdaa839c4797b55e0d7c50d64155dc7656

SHA512
b2ad5c39c38e3700404326b79c5b9df0275f2fca987737f51337cfb430c09ed61e9551270e43b8052d404ca647dc2480b833c9a969a2a92d243d8e22aa5495e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99488944.exe

Filesize
168KB

MD5
a7eaddb65384b8cc19481ec6578fa5a5

SHA1
1167d4a35c270bc9abf8bf4ab3982d3b26d4971d

SHA256
c0979a9d7729d5fa7da661221189e1fdaa839c4797b55e0d7c50d64155dc7656

SHA512
b2ad5c39c38e3700404326b79c5b9df0275f2fca987737f51337cfb430c09ed61e9551270e43b8052d404ca647dc2480b833c9a969a2a92d243d8e22aa5495e2

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1640-2302-0x000000000A810000-0x000000000A91A000-memory.dmp

Filesize
1.0MB

Download
memory/1640-2305-0x000000000A790000-0x000000000A7CE000-memory.dmp

Filesize
248KB

Download
memory/1640-2303-0x000000000A730000-0x000000000A742000-memory.dmp

Filesize
72KB

Download
memory/1640-2311-0x000000000B790000-0x000000000B7E0000-memory.dmp

Filesize
320KB

Download
memory/1640-2304-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/1640-2309-0x000000000ABD0000-0x000000000AC62000-memory.dmp

Filesize
584KB

Download
memory/1640-2295-0x00000000051B0000-0x00000000051B6000-memory.dmp

Filesize
24KB

Download
memory/1640-2294-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/1640-2310-0x000000000AB30000-0x000000000AB96000-memory.dmp

Filesize
408KB

Download
memory/1640-2314-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/2080-156-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-152-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-160-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-162-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-164-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-166-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-168-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-170-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-172-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-174-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-176-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-180-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-182-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-178-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-184-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-186-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-188-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-190-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-192-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-194-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-196-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-198-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-200-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-202-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-2285-0x0000000005180000-0x00000000051B2000-memory.dmp

Filesize
200KB

Download
memory/2080-2287-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2080-158-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-154-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-150-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-148-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-146-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-144-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-132-0x0000000002860000-0x00000000028C8000-memory.dmp

Filesize
416KB

Download
memory/2080-133-0x00000000052E0000-0x00000000057DE000-memory.dmp

Filesize
5.0MB

Download
memory/2080-134-0x0000000002C50000-0x0000000002CB6000-memory.dmp

Filesize
408KB

Download
memory/2080-142-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-139-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-140-0x0000000002C50000-0x0000000002CB0000-memory.dmp

Filesize
384KB

Download
memory/2080-136-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2080-137-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2080-135-0x0000000000AA0000-0x0000000000AFB000-memory.dmp

Filesize
364KB

Download
memory/2080-138-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2108-2321-0x00000000008B0000-0x00000000008CA000-memory.dmp

Filesize
104KB

Download
memory/2108-2353-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2108-2352-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2108-2351-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2108-2322-0x00000000023B0000-0x00000000023C8000-memory.dmp

Filesize
96KB

Download
memory/2116-2312-0x000000000BB50000-0x000000000BD12000-memory.dmp

Filesize
1.8MB

Download
memory/2116-2315-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2116-2300-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/2116-2299-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/2116-2301-0x000000000A800000-0x000000000AE06000-memory.dmp

Filesize
6.0MB

Download
memory/2116-2313-0x000000000C250000-0x000000000C77C000-memory.dmp

Filesize
5.2MB

Download
memory/2116-2308-0x000000000A540000-0x000000000A5B6000-memory.dmp

Filesize
472KB

Download
memory/2116-2306-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2116-2307-0x000000000A270000-0x000000000A2BB000-memory.dmp

Filesize
300KB

Download