redline | dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb

Analysis

max time kernel
201s
max time network
270s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-05-2023 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe
Size

1.1MB
MD5

4854c1a008fbb1da446dd5eeaf87ac78
SHA1

cb977c8ac566b12a2d0c25fb558fe2aebed770e9
SHA256

dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb
SHA512

69a47258d90d58c778c7fea4cadca91e9cb08eb0e08d3d7f3d97ecde02400b5c04759782afc7163f834059405f8b9d0b8f52b42d0051bd41e30c626c825c0ca8
SSDEEP

24576:MyKaiEY7a78YP8Mv+lOTmv7v8+jSiEuyHADWN00HoJ:7bTKo8a8M2ETmzj+dAWF

Score

10^/10

redline messi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

messi

185.161.248.75:4132

Attributes

auth_value
b602b28664bb738e322d37baab91db28

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a9902608.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9902608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9902608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9902608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9902608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9902608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9902608.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v2544255.exev2440533.exea9902608.exeb2767253.exe

pid process

1312 v2544255.exe
684 v2440533.exe
1684 a9902608.exe
1676 b2767253.exe

pid	process
1312	v2544255.exe
684	v2440533.exe
1684	a9902608.exe
1676	b2767253.exe

Loads dropped DLL 8 IoCs

Processes:

dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exev2544255.exev2440533.exea9902608.exeb2767253.exe

pid	process
1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe
1312	v2544255.exe
1312	v2544255.exe
684	v2440533.exe
684	v2440533.exe
1684	a9902608.exe
684	v2440533.exe
1676	b2767253.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a9902608.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a9902608.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9902608.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2544255.exev2440533.exedce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2544255.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2440533.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2440533.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2544255.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a9902608.exe

pid process

1684 a9902608.exe
1684 a9902608.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a9902608.exe

description pid process

Token: SeDebugPrivilege 1684 a9902608.exe

pid	process
1684	a9902608.exe
1684	a9902608.exe

description	pid	process
Token: SeDebugPrivilege	1684	a9902608.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exev2544255.exev2440533.exe

description	pid	process	target process
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1980 wrote to memory of 1312	1980	dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe	v2544255.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 1312 wrote to memory of 684	1312	v2544255.exe	v2440533.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1684	684	v2440533.exe	a9902608.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe
PID 684 wrote to memory of 1676	684	v2440533.exe	b2767253.exe

C:\Users\Admin\AppData\Local\Temp\dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe
"C:\Users\Admin\AppData\Local\Temp\dce285bd0afda613cb8ed58a1980fe57bf9333fbc470aed3a182f4c3cd84f4bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2544255.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2544255.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2440533.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2440533.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9902608.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9902608.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2767253.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2767253.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2544255.exe
Filesize
749KB

MD5
d05b2213715759049c1fe5f1722ca7ff

SHA1
7fd51236940dc8bd0b52faa5e796933d3a444173

SHA256
cc19cc801932ae01d6ce2f1000f3153a025600b02cd5ef3803de51d66c6f8041

SHA512
173a4b12512b0cfb2dbf24f528d40edb1d37b44d700b44d53104b5ff32d077fd499068707793ee25e5cd43130c64d87fc084cfe500839f6fe794babb171086bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2544255.exe
Filesize
749KB

MD5
d05b2213715759049c1fe5f1722ca7ff

SHA1
7fd51236940dc8bd0b52faa5e796933d3a444173

SHA256
cc19cc801932ae01d6ce2f1000f3153a025600b02cd5ef3803de51d66c6f8041

SHA512
173a4b12512b0cfb2dbf24f528d40edb1d37b44d700b44d53104b5ff32d077fd499068707793ee25e5cd43130c64d87fc084cfe500839f6fe794babb171086bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2440533.exe
Filesize
305KB

MD5
9bd6d7456c992c41d39ee27365606983

SHA1
402ffce33f220c36d66dc58b49604deb9b081fa1

SHA256
29785ee23be57a2155b50ab7cf842d2e14c58bd6f54f0ce2f91c6704c0a01c52

SHA512
d14a8097bbbc3f658d2b99011648b42836c579e9499f33eb49420d466ea262b8db05214a5856fce166a46ebcae96a6c5d9b5a58a6ae11f5b162dcfb652d26854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2440533.exe
Filesize
305KB

MD5
9bd6d7456c992c41d39ee27365606983

SHA1
402ffce33f220c36d66dc58b49604deb9b081fa1

SHA256
29785ee23be57a2155b50ab7cf842d2e14c58bd6f54f0ce2f91c6704c0a01c52

SHA512
d14a8097bbbc3f658d2b99011648b42836c579e9499f33eb49420d466ea262b8db05214a5856fce166a46ebcae96a6c5d9b5a58a6ae11f5b162dcfb652d26854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9902608.exe
Filesize
183KB

MD5
ed1cbf153bfffc017a12ab9078a37647

SHA1
435cfed35ca906c96ce27b85fbc7fef7017b97c3

SHA256
c19d4f7a64374691ea56565587cc04cc0f1f652da18a59aa45ab823f1ec61e68

SHA512
72dccd0ce03700415034d2bd4a44105ad35a5d1836ac47ae2c7f4c289f887d047eaa1ae46495b39aa316a37f13c32abc7672b9b287cf68c31a9f95279f4ba88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9902608.exe
Filesize
183KB

MD5
ed1cbf153bfffc017a12ab9078a37647

SHA1
435cfed35ca906c96ce27b85fbc7fef7017b97c3

SHA256
c19d4f7a64374691ea56565587cc04cc0f1f652da18a59aa45ab823f1ec61e68

SHA512
72dccd0ce03700415034d2bd4a44105ad35a5d1836ac47ae2c7f4c289f887d047eaa1ae46495b39aa316a37f13c32abc7672b9b287cf68c31a9f95279f4ba88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2767253.exe
Filesize
145KB

MD5
3550cdfbf5a93d0a78604c2e8383659e

SHA1
6ebc9edd60848aa65b55be189e21d796c9c54687

SHA256
617ee89fb42aaa8f89668aa1ef9a514fb11021b732710c52eac7890cc1e5979b

SHA512
6ed4e5c4efa281392219d5498ed70e8e16b6829abc16972de0bd6dde681af9fa66effdd41aa37584af05afb0c148dfff7455b8a27221a1a191b119ac31763c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2767253.exe
Filesize
145KB

MD5
3550cdfbf5a93d0a78604c2e8383659e

SHA1
6ebc9edd60848aa65b55be189e21d796c9c54687

SHA256
617ee89fb42aaa8f89668aa1ef9a514fb11021b732710c52eac7890cc1e5979b

SHA512
6ed4e5c4efa281392219d5498ed70e8e16b6829abc16972de0bd6dde681af9fa66effdd41aa37584af05afb0c148dfff7455b8a27221a1a191b119ac31763c86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2544255.exe
Filesize
749KB

MD5
d05b2213715759049c1fe5f1722ca7ff

SHA1
7fd51236940dc8bd0b52faa5e796933d3a444173

SHA256
cc19cc801932ae01d6ce2f1000f3153a025600b02cd5ef3803de51d66c6f8041

SHA512
173a4b12512b0cfb2dbf24f528d40edb1d37b44d700b44d53104b5ff32d077fd499068707793ee25e5cd43130c64d87fc084cfe500839f6fe794babb171086bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2544255.exe
Filesize
749KB

MD5
d05b2213715759049c1fe5f1722ca7ff

SHA1
7fd51236940dc8bd0b52faa5e796933d3a444173

SHA256
cc19cc801932ae01d6ce2f1000f3153a025600b02cd5ef3803de51d66c6f8041

SHA512
173a4b12512b0cfb2dbf24f528d40edb1d37b44d700b44d53104b5ff32d077fd499068707793ee25e5cd43130c64d87fc084cfe500839f6fe794babb171086bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2440533.exe
Filesize
305KB

MD5
9bd6d7456c992c41d39ee27365606983

SHA1
402ffce33f220c36d66dc58b49604deb9b081fa1

SHA256
29785ee23be57a2155b50ab7cf842d2e14c58bd6f54f0ce2f91c6704c0a01c52

SHA512
d14a8097bbbc3f658d2b99011648b42836c579e9499f33eb49420d466ea262b8db05214a5856fce166a46ebcae96a6c5d9b5a58a6ae11f5b162dcfb652d26854

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2440533.exe
Filesize
305KB

MD5
9bd6d7456c992c41d39ee27365606983

SHA1
402ffce33f220c36d66dc58b49604deb9b081fa1

SHA256
29785ee23be57a2155b50ab7cf842d2e14c58bd6f54f0ce2f91c6704c0a01c52

SHA512
d14a8097bbbc3f658d2b99011648b42836c579e9499f33eb49420d466ea262b8db05214a5856fce166a46ebcae96a6c5d9b5a58a6ae11f5b162dcfb652d26854

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9902608.exe
Filesize
183KB

MD5
ed1cbf153bfffc017a12ab9078a37647

SHA1
435cfed35ca906c96ce27b85fbc7fef7017b97c3

SHA256
c19d4f7a64374691ea56565587cc04cc0f1f652da18a59aa45ab823f1ec61e68

SHA512
72dccd0ce03700415034d2bd4a44105ad35a5d1836ac47ae2c7f4c289f887d047eaa1ae46495b39aa316a37f13c32abc7672b9b287cf68c31a9f95279f4ba88f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9902608.exe
Filesize
183KB

MD5
ed1cbf153bfffc017a12ab9078a37647

SHA1
435cfed35ca906c96ce27b85fbc7fef7017b97c3

SHA256
c19d4f7a64374691ea56565587cc04cc0f1f652da18a59aa45ab823f1ec61e68

SHA512
72dccd0ce03700415034d2bd4a44105ad35a5d1836ac47ae2c7f4c289f887d047eaa1ae46495b39aa316a37f13c32abc7672b9b287cf68c31a9f95279f4ba88f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2767253.exe
Filesize
145KB

MD5
3550cdfbf5a93d0a78604c2e8383659e

SHA1
6ebc9edd60848aa65b55be189e21d796c9c54687

SHA256
617ee89fb42aaa8f89668aa1ef9a514fb11021b732710c52eac7890cc1e5979b

SHA512
6ed4e5c4efa281392219d5498ed70e8e16b6829abc16972de0bd6dde681af9fa66effdd41aa37584af05afb0c148dfff7455b8a27221a1a191b119ac31763c86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2767253.exe
Filesize
145KB

MD5
3550cdfbf5a93d0a78604c2e8383659e

SHA1
6ebc9edd60848aa65b55be189e21d796c9c54687

SHA256
617ee89fb42aaa8f89668aa1ef9a514fb11021b732710c52eac7890cc1e5979b

SHA512
6ed4e5c4efa281392219d5498ed70e8e16b6829abc16972de0bd6dde681af9fa66effdd41aa37584af05afb0c148dfff7455b8a27221a1a191b119ac31763c86

Download Submit
memory/1676-124-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/1676-123-0x0000000001010000-0x000000000103A000-memory.dmp

Filesize
168KB

Download
memory/1676-125-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/1684-93-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-113-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-99-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-101-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-103-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-107-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-105-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-109-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-111-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-97-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-114-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1684-115-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1684-116-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1684-95-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-91-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-89-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-87-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-86-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1684-85-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/1684-84-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download