redline | 0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad

Analysis

max time kernel
130s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
Size

1.0MB
MD5

e8eb299aab88f4a9f0e810741bb16b34
SHA1

5eef9d9aecfceb363ad2c01d7b3b09582c84e394
SHA256

0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad
SHA512

fd0fae772e86c2542b9a2137f97ef06bd689fa263638b025b263ff5c1fcd382abd9596e2a9df449aa8818e5247d93fd9be38b7f7621f42676e18cc46264d04fe
SSDEEP

24576:Sy9C28aBd3KBmNnScreojy9VA+GvH2splenZbSu4TBO3UnBW:5A23Bd33Nn5nyVA+IH2ZOTBOM

Score

10^/10

redline musor evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

musor

185.161.248.25:4132

Attributes

auth_value
b044e31277d21cb0a56d9461e5e741d5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6676004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6676004.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1668	v2892900.exe
1736	v3003153.exe
320	a6676004.exe
1936	b2502552.exe

Loads dropped DLL 8 IoCs

pid	Process
1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
1668	v2892900.exe
1668	v2892900.exe
1736	v3003153.exe
1736	v3003153.exe
320	a6676004.exe
1736	v3003153.exe
1936	b2502552.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6676004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a6676004.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2892900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2892900.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3003153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3003153.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	a6676004.exe
320	a6676004.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	a6676004.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1696 wrote to memory of 1668	1696	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	27
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1668 wrote to memory of 1736	1668	v2892900.exe	28
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 320	1736	v3003153.exe	29
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30
PID 1736 wrote to memory of 1936	1736	v3003153.exe	30

C:\Users\Admin\AppData\Local\Temp\0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
"C:\Users\Admin\AppData\Local\Temp\0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe

Filesize
749KB

MD5
6c9a8f494c48b6e625987633ea5b6306

SHA1
65be67aff4f194e9426e1c18ace510e50ea62e39

SHA256
2aa18f8e62c90e794fd1553d537359d552ac7d35f6f5582485516a31a92cfc13

SHA512
aaf717fc3ab3ed8a9976a755636165e90ac94c2ea76ee1eaf8f38b5759003879e26b23c8170fccc0336c8aed07b474492910c283cd639b8413ec6efb80cce0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe

Filesize
749KB

MD5
6c9a8f494c48b6e625987633ea5b6306

SHA1
65be67aff4f194e9426e1c18ace510e50ea62e39

SHA256
2aa18f8e62c90e794fd1553d537359d552ac7d35f6f5582485516a31a92cfc13

SHA512
aaf717fc3ab3ed8a9976a755636165e90ac94c2ea76ee1eaf8f38b5759003879e26b23c8170fccc0336c8aed07b474492910c283cd639b8413ec6efb80cce0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe

Filesize
305KB

MD5
bc080dd4c547fd19d35f89cd4024f0be

SHA1
e7e54446a2bfd1273d37d273ffc4424dd6db28ca

SHA256
31d75834b41827987b9bce707dc02810f73880ff7f7888f00a8bc07c8c1a81aa

SHA512
0523f73505bad7852cc25320be99729983201afad9989a5d26e3c9dfb50e0476d694901007c36bf2768914f2bd4760801e3a4e6d6aebe6f1b8813e0f11599471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe

Filesize
305KB

MD5
bc080dd4c547fd19d35f89cd4024f0be

SHA1
e7e54446a2bfd1273d37d273ffc4424dd6db28ca

SHA256
31d75834b41827987b9bce707dc02810f73880ff7f7888f00a8bc07c8c1a81aa

SHA512
0523f73505bad7852cc25320be99729983201afad9989a5d26e3c9dfb50e0476d694901007c36bf2768914f2bd4760801e3a4e6d6aebe6f1b8813e0f11599471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe

Filesize
183KB

MD5
ce58e10273d08479be30eea081b640ab

SHA1
6bdd3164025b479e8810b9ac39b32ecdbdabc299

SHA256
d04bdda05ffbdea140fdf0475bbad5e536d0a04e56584f355d88ce54680a526b

SHA512
d3995aa53567d9e7ddf6e4b82309977b6b662d238fe1391528ba1c50db1f46e699513a48fab0dbe7126f42b750e53457477198e833de062fc2d0eaccb0cda899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe

Filesize
183KB

MD5
ce58e10273d08479be30eea081b640ab

SHA1
6bdd3164025b479e8810b9ac39b32ecdbdabc299

SHA256
d04bdda05ffbdea140fdf0475bbad5e536d0a04e56584f355d88ce54680a526b

SHA512
d3995aa53567d9e7ddf6e4b82309977b6b662d238fe1391528ba1c50db1f46e699513a48fab0dbe7126f42b750e53457477198e833de062fc2d0eaccb0cda899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe

Filesize
145KB

MD5
686e6efed0ac2e9ac27d4722971bcca9

SHA1
ce989ccc962d6999537d4d4f0fe77b839df6bc8e

SHA256
f2b9e5ce317bce2bf647080533c2b3cc24551dcf64444eb6f7bd38186222daac

SHA512
523158e80eb89efcc3acb0153917e53a400031c9baec0661611a426cf8b2e32472d02316be35026e0b1c27e828d79d44192bcf0c4e6cb009dedca7325d0d72be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe

Filesize
145KB

MD5
686e6efed0ac2e9ac27d4722971bcca9

SHA1
ce989ccc962d6999537d4d4f0fe77b839df6bc8e

SHA256
f2b9e5ce317bce2bf647080533c2b3cc24551dcf64444eb6f7bd38186222daac

SHA512
523158e80eb89efcc3acb0153917e53a400031c9baec0661611a426cf8b2e32472d02316be35026e0b1c27e828d79d44192bcf0c4e6cb009dedca7325d0d72be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe

Filesize
749KB

MD5
6c9a8f494c48b6e625987633ea5b6306

SHA1
65be67aff4f194e9426e1c18ace510e50ea62e39

SHA256
2aa18f8e62c90e794fd1553d537359d552ac7d35f6f5582485516a31a92cfc13

SHA512
aaf717fc3ab3ed8a9976a755636165e90ac94c2ea76ee1eaf8f38b5759003879e26b23c8170fccc0336c8aed07b474492910c283cd639b8413ec6efb80cce0d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe

Filesize
749KB

MD5
6c9a8f494c48b6e625987633ea5b6306

SHA1
65be67aff4f194e9426e1c18ace510e50ea62e39

SHA256
2aa18f8e62c90e794fd1553d537359d552ac7d35f6f5582485516a31a92cfc13

SHA512
aaf717fc3ab3ed8a9976a755636165e90ac94c2ea76ee1eaf8f38b5759003879e26b23c8170fccc0336c8aed07b474492910c283cd639b8413ec6efb80cce0d9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe

Filesize
305KB

MD5
bc080dd4c547fd19d35f89cd4024f0be

SHA1
e7e54446a2bfd1273d37d273ffc4424dd6db28ca

SHA256
31d75834b41827987b9bce707dc02810f73880ff7f7888f00a8bc07c8c1a81aa

SHA512
0523f73505bad7852cc25320be99729983201afad9989a5d26e3c9dfb50e0476d694901007c36bf2768914f2bd4760801e3a4e6d6aebe6f1b8813e0f11599471

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe

Filesize
305KB

MD5
bc080dd4c547fd19d35f89cd4024f0be

SHA1
e7e54446a2bfd1273d37d273ffc4424dd6db28ca

SHA256
31d75834b41827987b9bce707dc02810f73880ff7f7888f00a8bc07c8c1a81aa

SHA512
0523f73505bad7852cc25320be99729983201afad9989a5d26e3c9dfb50e0476d694901007c36bf2768914f2bd4760801e3a4e6d6aebe6f1b8813e0f11599471

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe

Filesize
183KB

MD5
ce58e10273d08479be30eea081b640ab

SHA1
6bdd3164025b479e8810b9ac39b32ecdbdabc299

SHA256
d04bdda05ffbdea140fdf0475bbad5e536d0a04e56584f355d88ce54680a526b

SHA512
d3995aa53567d9e7ddf6e4b82309977b6b662d238fe1391528ba1c50db1f46e699513a48fab0dbe7126f42b750e53457477198e833de062fc2d0eaccb0cda899

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe

Filesize
183KB

MD5
ce58e10273d08479be30eea081b640ab

SHA1
6bdd3164025b479e8810b9ac39b32ecdbdabc299

SHA256
d04bdda05ffbdea140fdf0475bbad5e536d0a04e56584f355d88ce54680a526b

SHA512
d3995aa53567d9e7ddf6e4b82309977b6b662d238fe1391528ba1c50db1f46e699513a48fab0dbe7126f42b750e53457477198e833de062fc2d0eaccb0cda899

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe

Filesize
145KB

MD5
686e6efed0ac2e9ac27d4722971bcca9

SHA1
ce989ccc962d6999537d4d4f0fe77b839df6bc8e

SHA256
f2b9e5ce317bce2bf647080533c2b3cc24551dcf64444eb6f7bd38186222daac

SHA512
523158e80eb89efcc3acb0153917e53a400031c9baec0661611a426cf8b2e32472d02316be35026e0b1c27e828d79d44192bcf0c4e6cb009dedca7325d0d72be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe

Filesize
145KB

MD5
686e6efed0ac2e9ac27d4722971bcca9

SHA1
ce989ccc962d6999537d4d4f0fe77b839df6bc8e

SHA256
f2b9e5ce317bce2bf647080533c2b3cc24551dcf64444eb6f7bd38186222daac

SHA512
523158e80eb89efcc3acb0153917e53a400031c9baec0661611a426cf8b2e32472d02316be35026e0b1c27e828d79d44192bcf0c4e6cb009dedca7325d0d72be

Download Submit
memory/320-106-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-98-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-88-0x0000000000A40000-0x0000000000A5C000-memory.dmp

Filesize
112KB

Download
memory/320-116-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-114-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-112-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-110-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-108-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-104-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-102-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-100-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-92-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-96-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-94-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-90-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-89-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/320-85-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/320-87-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/320-84-0x0000000000500000-0x000000000051E000-memory.dmp

Filesize
120KB

Download
memory/320-86-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1936-123-0x0000000000A50000-0x0000000000A7A000-memory.dmp

Filesize
168KB

Download
memory/1936-124-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/1936-125-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download