redline | 22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d

Analysis

max time kernel
54s
max time network
65s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/05/2023, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe
Size

850KB
MD5

c0ce2c4f24796cf99efce0d2f4d05ebc
SHA1

c956b06c8cd02be9afb293f02b05fef461c2454c
SHA256

22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d
SHA512

403a97b83cf2462e3d46e611daf11d27aaecd5c06125e2007cda5e68f0ed37fd6d6aa1e61a807548ba0313932a3b50fd5ab2d19cb26b15d9a1d6222e8282ff39
SSDEEP

24576:PydjrE4HDN9IYdSoIm8PZ6Cc4aFwjwVLLZ4B:ad7fIib8a4KNLW

Score

10^/10

redline dante gena discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

dante

185.161.248.73:4164

Attributes

auth_value
f4066af6b8a6f23125c8ee48288a3f90

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	s64782146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	s64782146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	s64782146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	s64782146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	s64782146.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3192	y59499488.exe
4100	p49159209.exe
1716	1.exe
1228	r69171612.exe
1052	s64782146.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	s64782146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	s64782146.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y59499488.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y59499488.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1228	r69171612.exe
1228	r69171612.exe
1716	1.exe
1716	1.exe
1052	s64782146.exe
1052	s64782146.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	p49159209.exe
Token: SeDebugPrivilege	1228	r69171612.exe
Token: SeDebugPrivilege	1716	1.exe
Token: SeDebugPrivilege	1052	s64782146.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3192	4308	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe	66
PID 4308 wrote to memory of 3192	4308	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe	66
PID 4308 wrote to memory of 3192	4308	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe	66
PID 3192 wrote to memory of 4100	3192	y59499488.exe	67
PID 3192 wrote to memory of 4100	3192	y59499488.exe	67
PID 3192 wrote to memory of 4100	3192	y59499488.exe	67
PID 4100 wrote to memory of 1716	4100	p49159209.exe	68
PID 4100 wrote to memory of 1716	4100	p49159209.exe	68
PID 4100 wrote to memory of 1716	4100	p49159209.exe	68
PID 3192 wrote to memory of 1228	3192	y59499488.exe	69
PID 3192 wrote to memory of 1228	3192	y59499488.exe	69
PID 3192 wrote to memory of 1228	3192	y59499488.exe	69
PID 4308 wrote to memory of 1052	4308	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe	71
PID 4308 wrote to memory of 1052	4308	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe	71
PID 4308 wrote to memory of 1052	4308	22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe	71

C:\Users\Admin\AppData\Local\Temp\22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe
"C:\Users\Admin\AppData\Local\Temp\22efd7e40a5b2b0445ed874a5795f96a98f98c3cdc0ad10cf24e0fe2086b6e2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59499488.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59499488.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p49159209.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p49159209.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r69171612.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r69171612.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s64782146.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s64782146.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s64782146.exe

Filesize
291KB

MD5
06f1237c34e3affe27fe18bb2e13bca0

SHA1
bc3a8a0503222689f9e209a86c1cf4e7f12711e8

SHA256
44c607f78f429a264a663aa0b250de6cced3aea09fc3f68d450a3b9629ebd78a

SHA512
aa8be412e0a2f83fcca244ea008b266888d5072c8b49338e1f1a17f8a123e3e61160224e75f568e2e43588b97fea45014a1ece10f5ac0d34fe26a79b441bf9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s64782146.exe

Filesize
291KB

MD5
06f1237c34e3affe27fe18bb2e13bca0

SHA1
bc3a8a0503222689f9e209a86c1cf4e7f12711e8

SHA256
44c607f78f429a264a663aa0b250de6cced3aea09fc3f68d450a3b9629ebd78a

SHA512
aa8be412e0a2f83fcca244ea008b266888d5072c8b49338e1f1a17f8a123e3e61160224e75f568e2e43588b97fea45014a1ece10f5ac0d34fe26a79b441bf9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59499488.exe

Filesize
570KB

MD5
b3602351ed9dbcf55ed9544665150b06

SHA1
82f0acddff387c6918e54ba466026e4a6b627fee

SHA256
f5cda16236455009903724157ae5db859cf3c2392d0fd0e2a668f1a0c33d6110

SHA512
e48c1d9537ba24a2935fb6f58633227eeb865f212b13b76f5273700f8864759afc9045b973e51be048f054ae042b931f82e2c9fe7ec3018bf627aea3277e6572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y59499488.exe

Filesize
570KB

MD5
b3602351ed9dbcf55ed9544665150b06

SHA1
82f0acddff387c6918e54ba466026e4a6b627fee

SHA256
f5cda16236455009903724157ae5db859cf3c2392d0fd0e2a668f1a0c33d6110

SHA512
e48c1d9537ba24a2935fb6f58633227eeb865f212b13b76f5273700f8864759afc9045b973e51be048f054ae042b931f82e2c9fe7ec3018bf627aea3277e6572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p49159209.exe

Filesize
476KB

MD5
2eb09108d7c8daad4f30addc6dcbbdf9

SHA1
0480f265a3bdad46b535b96738c5cf0337bd36cc

SHA256
be9021b6861dbd8b8be41c6a93b1894933b5fa347d9cd89976cbc0608ebfa8e9

SHA512
428c45070f6ed3bcaf3b0e863fe863722f286d0cd866e57a4b67a9377c17e80bf55bf81c59c7eabcf65f0631441e9746c685c04ebf60525f5bba47c50f764e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p49159209.exe

Filesize
476KB

MD5
2eb09108d7c8daad4f30addc6dcbbdf9

SHA1
0480f265a3bdad46b535b96738c5cf0337bd36cc

SHA256
be9021b6861dbd8b8be41c6a93b1894933b5fa347d9cd89976cbc0608ebfa8e9

SHA512
428c45070f6ed3bcaf3b0e863fe863722f286d0cd866e57a4b67a9377c17e80bf55bf81c59c7eabcf65f0631441e9746c685c04ebf60525f5bba47c50f764e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r69171612.exe

Filesize
169KB

MD5
015e10b60aaf625632009a0398d5c02d

SHA1
3abea34ac51c95b0b73dacbd80b99a916b172356

SHA256
e4bbf41b4625b2e880d9c6605f2cc474ea73aa7491942e1c6b8b55854650aebb

SHA512
966edbf893e3b875fe040ed28c324e79ebdd3e7b27b789f0b252a148f993b84e4b251ce88261a5455c718c6e136e5259f92ecc2e43ab952c354132da2ce8f0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r69171612.exe

Filesize
169KB

MD5
015e10b60aaf625632009a0398d5c02d

SHA1
3abea34ac51c95b0b73dacbd80b99a916b172356

SHA256
e4bbf41b4625b2e880d9c6605f2cc474ea73aa7491942e1c6b8b55854650aebb

SHA512
966edbf893e3b875fe040ed28c324e79ebdd3e7b27b789f0b252a148f993b84e4b251ce88261a5455c718c6e136e5259f92ecc2e43ab952c354132da2ce8f0fb

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/1052-2358-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1052-2325-0x00000000021D0000-0x00000000021EA000-memory.dmp

Filesize
104KB

Download
memory/1052-2326-0x0000000002290000-0x00000000022A8000-memory.dmp

Filesize
96KB

Download
memory/1052-2355-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1052-2356-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1052-2357-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/1228-2307-0x0000000009E40000-0x0000000009E7E000-memory.dmp

Filesize
248KB

Download
memory/1228-2306-0x0000000009DE0000-0x0000000009DF2000-memory.dmp

Filesize
72KB

Download
memory/1228-2312-0x000000000A280000-0x000000000A312000-memory.dmp

Filesize
584KB

Download
memory/1228-2317-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1228-2316-0x000000000BCE0000-0x000000000C20C000-memory.dmp

Filesize
5.2MB

Download
memory/1228-2310-0x0000000009FC0000-0x000000000A00B000-memory.dmp

Filesize
300KB

Download
memory/1228-2301-0x00000000000B0000-0x00000000000E0000-memory.dmp

Filesize
192KB

Download
memory/1228-2308-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/1228-2315-0x000000000B0E0000-0x000000000B2A2000-memory.dmp

Filesize
1.8MB

Download
memory/1228-2313-0x000000000A1E0000-0x000000000A246000-memory.dmp

Filesize
408KB

Download
memory/1228-2303-0x0000000002270000-0x0000000002276000-memory.dmp

Filesize
24KB

Download
memory/1228-2304-0x000000000A3A0000-0x000000000A9A6000-memory.dmp

Filesize
6.0MB

Download
memory/1716-2302-0x0000000004A90000-0x0000000004A96000-memory.dmp

Filesize
24KB

Download
memory/1716-2305-0x0000000004C30000-0x0000000004D3A000-memory.dmp

Filesize
1.0MB

Download
memory/1716-2309-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1716-2311-0x0000000004E70000-0x0000000004EE6000-memory.dmp

Filesize
472KB

Download
memory/1716-2314-0x0000000005A90000-0x0000000005AE0000-memory.dmp

Filesize
320KB

Download
memory/1716-2297-0x00000000001E0000-0x000000000020E000-memory.dmp

Filesize
184KB

Download
memory/1716-2318-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4100-157-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-169-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-193-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-195-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-197-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-199-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-201-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-203-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-205-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-2288-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4100-2289-0x00000000054F0000-0x0000000005522000-memory.dmp

Filesize
200KB

Download
memory/4100-189-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-187-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-185-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-183-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-181-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-179-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-177-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-175-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-171-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-173-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-191-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-167-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-165-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-163-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-161-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-159-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-155-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-153-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-151-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-149-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-147-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-145-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-143-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-142-0x00000000052F0000-0x0000000005350000-memory.dmp

Filesize
384KB

Download
memory/4100-141-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/4100-140-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4100-137-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/4100-139-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4100-138-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4100-136-0x0000000000700000-0x000000000075B000-memory.dmp

Filesize
364KB

Download
memory/4100-135-0x0000000004D80000-0x0000000004DE8000-memory.dmp

Filesize
416KB

Download