redline | 7765420d53bc0319c6d4a32a412a76fa3d4e70b5b11e1081030bc43de324f2db

Analysis

max time kernel
31s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2023 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a94617d31a2226096687bd730f2e4ac4.exe
Size

1.1MB
MD5

a94617d31a2226096687bd730f2e4ac4
SHA1

f4902652110c8bc8de2fe72a9b5c2935aed445e8
SHA256

7765420d53bc0319c6d4a32a412a76fa3d4e70b5b11e1081030bc43de324f2db
SHA512

4875ea3fd465fba9f491af8da93bfa3457ab148a56d148307a49f640ca93be3f60df9d112663ee1c147ff20df1c6c69ad14aa637b0bc1d324dd985f8ef8879e1
SSDEEP

24576:JyLnUxYcRv1yc+y2l3Eg+kXhZUkezE+b5Hd38/+:8zsYfc+y2l3LVIzV

Score

10^/10

redline messi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

messi

185.161.248.75:4132

Attributes

auth_value
b602b28664bb738e322d37baab91db28

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0220667.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0220667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0220667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0220667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0220667.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0220667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0220667.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v0815452.exev6852480.exea0220667.exeb2321760.exec7429241.exec7429241.exe

pid process

1544 v0815452.exe
1224 v6852480.exe
944 a0220667.exe
1044 b2321760.exe
2780 c7429241.exe
3140 c7429241.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1544	v0815452.exe
1224	v6852480.exe
944	a0220667.exe
1044	b2321760.exe
2780	c7429241.exe
3140	c7429241.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a0220667.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0220667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0220667.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v0815452.exev6852480.exea94617d31a2226096687bd730f2e4ac4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0815452.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6852480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6852480.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a94617d31a2226096687bd730f2e4ac4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a94617d31a2226096687bd730f2e4ac4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0815452.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

c7429241.exe

description pid process target process

PID 2780 set thread context of 3140 2780 c7429241.exe c7429241.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a0220667.exeb2321760.exe

pid process

944 a0220667.exe
944 a0220667.exe
1044 b2321760.exe
1044 b2321760.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a0220667.exeb2321760.exec7429241.exe

description pid process

Token: SeDebugPrivilege 944 a0220667.exe
Token: SeDebugPrivilege 1044 b2321760.exe
Token: SeDebugPrivilege 2780 c7429241.exe

description	pid	process	target process
PID 2780 set thread context of 3140	2780	c7429241.exe	c7429241.exe

pid	process
944	a0220667.exe
944	a0220667.exe
1044	b2321760.exe
1044	b2321760.exe

description	pid	process
Token: SeDebugPrivilege	944	a0220667.exe
Token: SeDebugPrivilege	1044	b2321760.exe
Token: SeDebugPrivilege	2780	c7429241.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a94617d31a2226096687bd730f2e4ac4.exev0815452.exev6852480.exec7429241.exe

description	pid	process	target process
PID 4424 wrote to memory of 1544	4424	a94617d31a2226096687bd730f2e4ac4.exe	v0815452.exe
PID 4424 wrote to memory of 1544	4424	a94617d31a2226096687bd730f2e4ac4.exe	v0815452.exe
PID 4424 wrote to memory of 1544	4424	a94617d31a2226096687bd730f2e4ac4.exe	v0815452.exe
PID 1544 wrote to memory of 1224	1544	v0815452.exe	v6852480.exe
PID 1544 wrote to memory of 1224	1544	v0815452.exe	v6852480.exe
PID 1544 wrote to memory of 1224	1544	v0815452.exe	v6852480.exe
PID 1224 wrote to memory of 944	1224	v6852480.exe	a0220667.exe
PID 1224 wrote to memory of 944	1224	v6852480.exe	a0220667.exe
PID 1224 wrote to memory of 944	1224	v6852480.exe	a0220667.exe
PID 1224 wrote to memory of 1044	1224	v6852480.exe	b2321760.exe
PID 1224 wrote to memory of 1044	1224	v6852480.exe	b2321760.exe
PID 1224 wrote to memory of 1044	1224	v6852480.exe	b2321760.exe
PID 1544 wrote to memory of 2780	1544	v0815452.exe	c7429241.exe
PID 1544 wrote to memory of 2780	1544	v0815452.exe	c7429241.exe
PID 1544 wrote to memory of 2780	1544	v0815452.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe
PID 2780 wrote to memory of 3140	2780	c7429241.exe	c7429241.exe

C:\Users\Admin\AppData\Local\Temp\a94617d31a2226096687bd730f2e4ac4.exe
"C:\Users\Admin\AppData\Local\Temp\a94617d31a2226096687bd730f2e4ac4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0815452.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0815452.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6852480.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6852480.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0220667.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0220667.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2321760.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2321760.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
4⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9952573.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9952573.exe
2⤵
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9952573.exe
Filesize
903KB

MD5
cf159007ccbd8e9cb22cec435668096c

SHA1
872417c9d6555d2d0c5fd4ac7e0cf36935640d91

SHA256
3e255978046b3c21d3d02fb83fef0064a21156feb6cf472a2906095f9c97197e

SHA512
d0a9d6c50f62844bab6bfeb897a723f4bf845a3adfb973ce699a41218473cfa9e1b14b8273092f04c8c47a395cbb92f863746edfa8e9b546496ff3908fd8d388

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9952573.exe
Filesize
903KB

MD5
cf159007ccbd8e9cb22cec435668096c

SHA1
872417c9d6555d2d0c5fd4ac7e0cf36935640d91

SHA256
3e255978046b3c21d3d02fb83fef0064a21156feb6cf472a2906095f9c97197e

SHA512
d0a9d6c50f62844bab6bfeb897a723f4bf845a3adfb973ce699a41218473cfa9e1b14b8273092f04c8c47a395cbb92f863746edfa8e9b546496ff3908fd8d388

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0815452.exe
Filesize
749KB

MD5
378929e67f77e9013d3b0d842fe1fab5

SHA1
4475bca2855c6358f7e733a104ad0771a7d8d5d2

SHA256
862fa57a621442e934214f536cc7b9281194ce827c6ab952135dfb140fdee3e2

SHA512
a5e6d1caa81f03555069685588aeaa79aeb3748c85da072c2a5667c0380d52e029ed19a5ba5a5a853e6767e0d793f23a15f1b9178e912994d53a1078a17d8aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0815452.exe
Filesize
749KB

MD5
378929e67f77e9013d3b0d842fe1fab5

SHA1
4475bca2855c6358f7e733a104ad0771a7d8d5d2

SHA256
862fa57a621442e934214f536cc7b9281194ce827c6ab952135dfb140fdee3e2

SHA512
a5e6d1caa81f03555069685588aeaa79aeb3748c85da072c2a5667c0380d52e029ed19a5ba5a5a853e6767e0d793f23a15f1b9178e912994d53a1078a17d8aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
Filesize
963KB

MD5
5667611e26b6437b05d9c6c23f88d449

SHA1
7f48dade27de74253b2a525dfcf995b6228d74c3

SHA256
72627969b843d4e5d582b97cff3871a1058541db6d753934292817f37e3db62c

SHA512
48e6c4a6c66ecee9b2606e47ecdee8fe4e0fb6ca18a5d9612f1ea7c6a0a7b520f2bb0405e97f88b5d3ee9043a1131d55b68565d3513d6d8f28c09e24b94a2166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
Filesize
963KB

MD5
5667611e26b6437b05d9c6c23f88d449

SHA1
7f48dade27de74253b2a525dfcf995b6228d74c3

SHA256
72627969b843d4e5d582b97cff3871a1058541db6d753934292817f37e3db62c

SHA512
48e6c4a6c66ecee9b2606e47ecdee8fe4e0fb6ca18a5d9612f1ea7c6a0a7b520f2bb0405e97f88b5d3ee9043a1131d55b68565d3513d6d8f28c09e24b94a2166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7429241.exe
Filesize
963KB

MD5
5667611e26b6437b05d9c6c23f88d449

SHA1
7f48dade27de74253b2a525dfcf995b6228d74c3

SHA256
72627969b843d4e5d582b97cff3871a1058541db6d753934292817f37e3db62c

SHA512
48e6c4a6c66ecee9b2606e47ecdee8fe4e0fb6ca18a5d9612f1ea7c6a0a7b520f2bb0405e97f88b5d3ee9043a1131d55b68565d3513d6d8f28c09e24b94a2166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6852480.exe
Filesize
305KB

MD5
86feb41124a083ce75a6c3dd04302a27

SHA1
2b518b18c6d3305bdcebb9d62f1d1ad819b74d45

SHA256
bdffde01328cb17b17bf68eb284ef6a6a40eacba12d3219270728357b09d407d

SHA512
78a7687c5725a9979750bcb08e679c20117fafafc2cbd836a51ad24e5a1bef9b5fe141e2bef4f75f2d36abc7a2217ef7e641eee776fb76247ba1ebabbde8505f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6852480.exe
Filesize
305KB

MD5
86feb41124a083ce75a6c3dd04302a27

SHA1
2b518b18c6d3305bdcebb9d62f1d1ad819b74d45

SHA256
bdffde01328cb17b17bf68eb284ef6a6a40eacba12d3219270728357b09d407d

SHA512
78a7687c5725a9979750bcb08e679c20117fafafc2cbd836a51ad24e5a1bef9b5fe141e2bef4f75f2d36abc7a2217ef7e641eee776fb76247ba1ebabbde8505f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0220667.exe
Filesize
183KB

MD5
26701d1d993992725f0b4b0d529ef4f0

SHA1
c2699689f02270983b61ebcbb8de0a3c72b73854

SHA256
b15b85d72207e4be3a56cd72939a511e45d8a9b6f294de9599069acb354b85cf

SHA512
7a96aefb3ccda4cd7853f0c3efff346603708399bbc2f1e992be82d6d18fa75efdc8b3650152d19394369d530b268853f8257a91ed7ad26182c9c220d78a6ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0220667.exe
Filesize
183KB

MD5
26701d1d993992725f0b4b0d529ef4f0

SHA1
c2699689f02270983b61ebcbb8de0a3c72b73854

SHA256
b15b85d72207e4be3a56cd72939a511e45d8a9b6f294de9599069acb354b85cf

SHA512
7a96aefb3ccda4cd7853f0c3efff346603708399bbc2f1e992be82d6d18fa75efdc8b3650152d19394369d530b268853f8257a91ed7ad26182c9c220d78a6ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2321760.exe
Filesize
145KB

MD5
68fc69fade2b4cf39aaf5268eef8ae78

SHA1
a44e5518d8cb2b4dc4b442527b341b543ad18409

SHA256
5f1c485ee85cd3ee1e41e141588097ab5dbb139292098770af279fca61095b3e

SHA512
c1ff52e7c2d79e2aa75f33c283cf50904183362912d657a511975d460e635a4504592248f715dcd02a55a24ccef343aa15b914b85049a8cefaa3b87e6557d13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2321760.exe
Filesize
145KB

MD5
68fc69fade2b4cf39aaf5268eef8ae78

SHA1
a44e5518d8cb2b4dc4b442527b341b543ad18409

SHA256
5f1c485ee85cd3ee1e41e141588097ab5dbb139292098770af279fca61095b3e

SHA512
c1ff52e7c2d79e2aa75f33c283cf50904183362912d657a511975d460e635a4504592248f715dcd02a55a24ccef343aa15b914b85049a8cefaa3b87e6557d13f

Download Submit
memory/944-162-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-166-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-168-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-170-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-172-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-174-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-176-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-178-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-180-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-182-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-184-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-164-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-154-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/944-155-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/944-156-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/944-157-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/944-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1044-195-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/1044-192-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/1044-196-0x0000000006750000-0x00000000067E2000-memory.dmp

Filesize
584KB

Download
memory/1044-197-0x0000000006B30000-0x0000000006CF2000-memory.dmp

Filesize
1.8MB

Download
memory/1044-198-0x0000000007880000-0x0000000007DAC000-memory.dmp

Filesize
5.2MB

Download
memory/1044-199-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/1044-200-0x0000000006D00000-0x0000000006D76000-memory.dmp

Filesize
472KB

Download
memory/1044-201-0x0000000006AB0000-0x0000000006B00000-memory.dmp

Filesize
320KB

Download
memory/1044-193-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/1044-194-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/1044-189-0x0000000000FA0000-0x0000000000FCA000-memory.dmp

Filesize
168KB

Download
memory/1044-190-0x0000000005D80000-0x0000000006398000-memory.dmp

Filesize
6.1MB

Download
memory/1044-191-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/2780-207-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2780-206-0x0000000000440000-0x0000000000538000-memory.dmp

Filesize
992KB

Download
memory/3140-208-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3140-211-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3140-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4836-217-0x0000000000D80000-0x0000000000E68000-memory.dmp

Filesize
928KB

Download