redline | b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45

Analysis

max time kernel
148s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-05-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe
Size

1.4MB
MD5

fc52ef2abd7dc53e96a0d088d86262c6
SHA1

68e1322297f8e8c334f2c01bef2f33ff6e9be97f
SHA256

b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45
SHA512

1a06cc690a15695bd91dba1bd42d378bc4ab766847168c1e21aace37ba4681dc58bc4bc046c1c3588b26fd1aace367725a6c396ca8f5043415aaf98168dbf532
SSDEEP

24576:LyglBnknVcos43MaSTAL4rSYD0DYB9aDUIXpx04I4DcTqSoQGks7YoVhudigReHk:+glxe04tzDPM9aDx04I4Dc81ksEGh2bW

Score

10^/10

redline massa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

massa

185.161.248.73:4164

Attributes

auth_value
413bf908ab27d959c62bef532780f511

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a00982018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a00982018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a00982018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a00982018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a00982018.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1684	i24981174.exe
4256	i62190176.exe
3068	i39009487.exe
4532	i80135776.exe
3016	a00982018.exe
4776	b63990264.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a00982018.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a00982018.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i39009487.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i24981174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i24981174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i62190176.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i39009487.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i80135776.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i62190176.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i80135776.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3016	a00982018.exe
3016	a00982018.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	a00982018.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1684	1480	b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe	66
PID 1480 wrote to memory of 1684	1480	b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe	66
PID 1480 wrote to memory of 1684	1480	b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe	66
PID 1684 wrote to memory of 4256	1684	i24981174.exe	67
PID 1684 wrote to memory of 4256	1684	i24981174.exe	67
PID 1684 wrote to memory of 4256	1684	i24981174.exe	67
PID 4256 wrote to memory of 3068	4256	i62190176.exe	68
PID 4256 wrote to memory of 3068	4256	i62190176.exe	68
PID 4256 wrote to memory of 3068	4256	i62190176.exe	68
PID 3068 wrote to memory of 4532	3068	i39009487.exe	69
PID 3068 wrote to memory of 4532	3068	i39009487.exe	69
PID 3068 wrote to memory of 4532	3068	i39009487.exe	69
PID 4532 wrote to memory of 3016	4532	i80135776.exe	70
PID 4532 wrote to memory of 3016	4532	i80135776.exe	70
PID 4532 wrote to memory of 3016	4532	i80135776.exe	70
PID 4532 wrote to memory of 4776	4532	i80135776.exe	71
PID 4532 wrote to memory of 4776	4532	i80135776.exe	71
PID 4532 wrote to memory of 4776	4532	i80135776.exe	71

C:\Users\Admin\AppData\Local\Temp\b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe
"C:\Users\Admin\AppData\Local\Temp\b01a9d506ad1831cb2b1dda9422e1871517579bc0aabedd282385a6745e4dc45.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24981174.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24981174.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62190176.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62190176.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39009487.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39009487.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80135776.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80135776.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00982018.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00982018.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b63990264.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b63990264.exe
        6⤵
        Executes dropped EXE
        
        PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24981174.exe

Filesize
1.2MB

MD5
3405d3d7d1abf488212667f65cf95c56

SHA1
2146567b3355b97001e4ce82f81656c538f83bf1

SHA256
d876f0f047c1acfa7522ea91b3e9041f41a42e762c1044180718f998889b7c48

SHA512
3b41de2e016d80e9bc3f6299cf13aeee3fa733f9db35b5c9ee838ebd1f3bb3d74245fc7554faffe32a7dc7321c4a54de17f01bce698244665036d5ce7af8a215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i24981174.exe

Filesize
1.2MB

MD5
3405d3d7d1abf488212667f65cf95c56

SHA1
2146567b3355b97001e4ce82f81656c538f83bf1

SHA256
d876f0f047c1acfa7522ea91b3e9041f41a42e762c1044180718f998889b7c48

SHA512
3b41de2e016d80e9bc3f6299cf13aeee3fa733f9db35b5c9ee838ebd1f3bb3d74245fc7554faffe32a7dc7321c4a54de17f01bce698244665036d5ce7af8a215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62190176.exe

Filesize
1.1MB

MD5
86a77a3489b08ff4483c17361ea44a49

SHA1
31bac88afc35b472beebeb7228cd1201262c5da0

SHA256
190d7d1d16c7ae4089104df19be01aedda3e89ee47cb938e36a92c232b0baee1

SHA512
8c2df6447d108357a72567fce4ce1e8e711fdb7ee4e4af05279873bb95e4588e9de2f77e1990c663877b7f66175282de384c589f3e789ba68afecad05f0b31a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i62190176.exe

Filesize
1.1MB

MD5
86a77a3489b08ff4483c17361ea44a49

SHA1
31bac88afc35b472beebeb7228cd1201262c5da0

SHA256
190d7d1d16c7ae4089104df19be01aedda3e89ee47cb938e36a92c232b0baee1

SHA512
8c2df6447d108357a72567fce4ce1e8e711fdb7ee4e4af05279873bb95e4588e9de2f77e1990c663877b7f66175282de384c589f3e789ba68afecad05f0b31a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39009487.exe

Filesize
644KB

MD5
2d9e62b09e608c902aa28fec6b839c19

SHA1
2fbb9d568307051a0d04415c822cfadc0da3d562

SHA256
6767ef446acb5a3dd197b010c776f36d78be67051fac780e996692d65fb66827

SHA512
fb6a85bb8da77e61751fd26ee083e07525eee93bcd28cb0c4123035f8e0a04f17bf7f86b6c98ddee4a0849d7f677d6ea6ff775b0a8f3153af84a03de8268c8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i39009487.exe

Filesize
644KB

MD5
2d9e62b09e608c902aa28fec6b839c19

SHA1
2fbb9d568307051a0d04415c822cfadc0da3d562

SHA256
6767ef446acb5a3dd197b010c776f36d78be67051fac780e996692d65fb66827

SHA512
fb6a85bb8da77e61751fd26ee083e07525eee93bcd28cb0c4123035f8e0a04f17bf7f86b6c98ddee4a0849d7f677d6ea6ff775b0a8f3153af84a03de8268c8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80135776.exe

Filesize
385KB

MD5
a38a41db824a71fa994576b4d85fcb70

SHA1
cf3d8a9f3b7199dfe3611679a19b922e5996df65

SHA256
51dacde5ef3e0132928f7aeff47151dcb376af6fcd79e576502d3921f445a00f

SHA512
0b62b6692c9e413708a0162b6a0efec4ddd6ef1478993ed75c6f1f14c75ca189bbe1551f79ff68ef38918f21e5e680e2a8aed094644cca1a4d7ddf49d30067cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i80135776.exe

Filesize
385KB

MD5
a38a41db824a71fa994576b4d85fcb70

SHA1
cf3d8a9f3b7199dfe3611679a19b922e5996df65

SHA256
51dacde5ef3e0132928f7aeff47151dcb376af6fcd79e576502d3921f445a00f

SHA512
0b62b6692c9e413708a0162b6a0efec4ddd6ef1478993ed75c6f1f14c75ca189bbe1551f79ff68ef38918f21e5e680e2a8aed094644cca1a4d7ddf49d30067cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00982018.exe

Filesize
291KB

MD5
245efa818151058855be39545ce0608c

SHA1
9dc8fe19453e62a03f76ef77ec7fd2d618316bf3

SHA256
0ec37d41525ee0c5995446e6163fa32d0b6fd05a92bcab4b973b83791d022155

SHA512
d8a0b0ddfc7ac2ce2084e27af382580104d9e603fecc837297076988c04a697cc6ae99045b423eeb2bc1afc03e46807e7b04fd9ba339983bd6c7f073375de6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a00982018.exe

Filesize
291KB

MD5
245efa818151058855be39545ce0608c

SHA1
9dc8fe19453e62a03f76ef77ec7fd2d618316bf3

SHA256
0ec37d41525ee0c5995446e6163fa32d0b6fd05a92bcab4b973b83791d022155

SHA512
d8a0b0ddfc7ac2ce2084e27af382580104d9e603fecc837297076988c04a697cc6ae99045b423eeb2bc1afc03e46807e7b04fd9ba339983bd6c7f073375de6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b63990264.exe

Filesize
168KB

MD5
0c5c6c5cd554b8373504868eb81e2fa0

SHA1
523baf3523b18e64fb6c43c3aa1bc370e62d1bca

SHA256
5ab23f68b0e780b2af0a727d503269bbe39530f079fa9a247b870a9abd3c2452

SHA512
8d99812ebdd9a230808042a98e4b7bc6b4cc4313f7e8040a498c0965040ab38ce68820bb3003b0e7fce529bc5041399e7151a85bf2c960f61f3e9b25b9c968d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b63990264.exe

Filesize
168KB

MD5
0c5c6c5cd554b8373504868eb81e2fa0

SHA1
523baf3523b18e64fb6c43c3aa1bc370e62d1bca

SHA256
5ab23f68b0e780b2af0a727d503269bbe39530f079fa9a247b870a9abd3c2452

SHA512
8d99812ebdd9a230808042a98e4b7bc6b4cc4313f7e8040a498c0965040ab38ce68820bb3003b0e7fce529bc5041399e7151a85bf2c960f61f3e9b25b9c968d8

Download Submit
memory/3016-177-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-187-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-161-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-163-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-167-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3016-165-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3016-169-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3016-171-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3016-173-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-170-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-175-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-166-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-159-0x00000000025B0000-0x00000000025C8000-memory.dmp

Filesize
96KB

Download
memory/3016-179-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-181-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-183-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-185-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-160-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-189-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-191-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3016-192-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/3016-193-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3016-195-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3016-196-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/3016-197-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/3016-158-0x0000000004CF0000-0x00000000051EE000-memory.dmp

Filesize
5.0MB

Download
memory/3016-157-0x0000000002250000-0x000000000226A000-memory.dmp

Filesize
104KB

Download
memory/4776-201-0x00000000002E0000-0x0000000000310000-memory.dmp

Filesize
192KB

Download
memory/4776-202-0x0000000002560000-0x0000000002566000-memory.dmp

Filesize
24KB

Download
memory/4776-203-0x0000000005270000-0x0000000005876000-memory.dmp

Filesize
6.0MB

Download
memory/4776-204-0x0000000004D70000-0x0000000004E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4776-205-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

Filesize
72KB

Download
memory/4776-206-0x0000000004C60000-0x0000000004C9E000-memory.dmp

Filesize
248KB

Download
memory/4776-207-0x0000000004CA0000-0x0000000004CEB000-memory.dmp

Filesize
300KB

Download
memory/4776-208-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4776-209-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download