redline | 5098929077a0af292a2da5dbd12e2d3bf758cf085eef8cf0f1f3c3a7e4c23c7b

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-05-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe
Size

1.0MB
MD5

83e69d2f1054c26576de28402d6dd912
SHA1

891d6439771606dd94b294ff98e66835e2c9faa7
SHA256

7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9
SHA512

4792d02bafa9ab480d2194d2bc4b749e72edd70b3ecb13c76a77dc040961741b683819a7bfffcc2d04127d09d265b119a5b598020b85ff70cb7f109ae02105fa
SSDEEP

24576:JyczWJC8P9AwgjR4i4lyMT/Gjw78ZI6Kzk:8c6CmCwgjCi49/G6

Score

10^/10

redline dako evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dako

77.91.68.253:41783

Attributes

auth_value
c6bc6a7edb74e0eff37800710e07bee1

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0024048.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0024048.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0024048.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0024048.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0024048.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0024048.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1100	y9142316.exe
980	y9479436.exe
676	k0024048.exe
1236	l6539524.exe

Loads dropped DLL 8 IoCs

pid	Process
1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe
1100	y9142316.exe
1100	y9142316.exe
980	y9479436.exe
980	y9479436.exe
676	k0024048.exe
980	y9479436.exe
1236	l6539524.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k0024048.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0024048.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9142316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9142316.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9479436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9479436.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
676	k0024048.exe
676	k0024048.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	k0024048.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1060 wrote to memory of 1100	1060	7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe	28
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 1100 wrote to memory of 980	1100	y9142316.exe	29
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 676	980	y9479436.exe	30
PID 980 wrote to memory of 1236	980	y9479436.exe	31
PID 980 wrote to memory of 1236	980	y9479436.exe	31
PID 980 wrote to memory of 1236	980	y9479436.exe	31
PID 980 wrote to memory of 1236	980	y9479436.exe	31
PID 980 wrote to memory of 1236	980	y9479436.exe	31
PID 980 wrote to memory of 1236	980	y9479436.exe	31
PID 980 wrote to memory of 1236	980	y9479436.exe	31

C:\Users\Admin\AppData\Local\Temp\7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe
"C:\Users\Admin\AppData\Local\Temp\7a19fd275109a98ace8fb30d84180a7a497fd6d0a4b7e3151039bb342cc4b9e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9142316.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9142316.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9479436.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9479436.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024048.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024048.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6539524.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6539524.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9142316.exe

Filesize
750KB

MD5
7fe29742955e3b84e9495a93ad42953e

SHA1
f00c8be4ab5c37abf20bb406fdcc62be765c49ff

SHA256
7ad4053177b519ea097ad128d0c2ecf53e701ef67bf29d3b7297001d12d8fffe

SHA512
f0c76e862ae45d5fe88e44693dfe686de2365ee9d2d6c61d0a6ac71033bb9b5a9e91b90862d4bb3a356ab14ec40718a06bf9cebb5edf445c0543c99fb8de5d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9142316.exe

Filesize
750KB

MD5
7fe29742955e3b84e9495a93ad42953e

SHA1
f00c8be4ab5c37abf20bb406fdcc62be765c49ff

SHA256
7ad4053177b519ea097ad128d0c2ecf53e701ef67bf29d3b7297001d12d8fffe

SHA512
f0c76e862ae45d5fe88e44693dfe686de2365ee9d2d6c61d0a6ac71033bb9b5a9e91b90862d4bb3a356ab14ec40718a06bf9cebb5edf445c0543c99fb8de5d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9479436.exe

Filesize
306KB

MD5
41baa213bece16cdc3831c06adcbb130

SHA1
e01f25850b72af9eb7aa9ab74b6d6a1fd0a2d29b

SHA256
86d13abece21336f75c8d3c19381863aedb736398567475583cf7c92eda6ad0a

SHA512
373f6402459e66b0056117500665faca691e703ae35c92f5d383d287e30391327a2331e82603fea8f6d5d8fbff1aa98decb03691bd60ae5a4c8d79ffd3a90844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9479436.exe

Filesize
306KB

MD5
41baa213bece16cdc3831c06adcbb130

SHA1
e01f25850b72af9eb7aa9ab74b6d6a1fd0a2d29b

SHA256
86d13abece21336f75c8d3c19381863aedb736398567475583cf7c92eda6ad0a

SHA512
373f6402459e66b0056117500665faca691e703ae35c92f5d383d287e30391327a2331e82603fea8f6d5d8fbff1aa98decb03691bd60ae5a4c8d79ffd3a90844

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024048.exe

Filesize
184KB

MD5
f8d1d1049f03f2a02caf76e3063e09f4

SHA1
45dffca2e783f7429aad2e6ce40ec7521bc1c140

SHA256
c090bc4d59f261ede9d650f202093311cf620cbc69a363e8cd2f70e729de5dd9

SHA512
ad09c89856be03c7e06050ce9c9412c65a33b61ee16f18a47d3a153311ef70ee84314e9b31ae8c5e96820e9ac3479ef0ce5741ea7ad6102b936617f8e5f06d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024048.exe

Filesize
184KB

MD5
f8d1d1049f03f2a02caf76e3063e09f4

SHA1
45dffca2e783f7429aad2e6ce40ec7521bc1c140

SHA256
c090bc4d59f261ede9d650f202093311cf620cbc69a363e8cd2f70e729de5dd9

SHA512
ad09c89856be03c7e06050ce9c9412c65a33b61ee16f18a47d3a153311ef70ee84314e9b31ae8c5e96820e9ac3479ef0ce5741ea7ad6102b936617f8e5f06d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6539524.exe

Filesize
145KB

MD5
7e944f5789a8a226490d2ae03b65148d

SHA1
2e233ca174ef5549b91974cd9b2a5d42c7ec98d9

SHA256
fa6f65c685c3ae56982dafb088bd00c64395456ea10b80e1d0b887be453df6ec

SHA512
b99536151fbf353d09f0eac22ab25af5aad1b3ff8eae0f6bb3c281d17497645c8dd6b0d22c5132a5e39986fd274c122a796279cd0667404e2d99c359ac9ae29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6539524.exe

Filesize
145KB

MD5
7e944f5789a8a226490d2ae03b65148d

SHA1
2e233ca174ef5549b91974cd9b2a5d42c7ec98d9

SHA256
fa6f65c685c3ae56982dafb088bd00c64395456ea10b80e1d0b887be453df6ec

SHA512
b99536151fbf353d09f0eac22ab25af5aad1b3ff8eae0f6bb3c281d17497645c8dd6b0d22c5132a5e39986fd274c122a796279cd0667404e2d99c359ac9ae29e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9142316.exe

Filesize
750KB

MD5
7fe29742955e3b84e9495a93ad42953e

SHA1
f00c8be4ab5c37abf20bb406fdcc62be765c49ff

SHA256
7ad4053177b519ea097ad128d0c2ecf53e701ef67bf29d3b7297001d12d8fffe

SHA512
f0c76e862ae45d5fe88e44693dfe686de2365ee9d2d6c61d0a6ac71033bb9b5a9e91b90862d4bb3a356ab14ec40718a06bf9cebb5edf445c0543c99fb8de5d7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9142316.exe

Filesize
750KB

MD5
7fe29742955e3b84e9495a93ad42953e

SHA1
f00c8be4ab5c37abf20bb406fdcc62be765c49ff

SHA256
7ad4053177b519ea097ad128d0c2ecf53e701ef67bf29d3b7297001d12d8fffe

SHA512
f0c76e862ae45d5fe88e44693dfe686de2365ee9d2d6c61d0a6ac71033bb9b5a9e91b90862d4bb3a356ab14ec40718a06bf9cebb5edf445c0543c99fb8de5d7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9479436.exe

Filesize
306KB

MD5
41baa213bece16cdc3831c06adcbb130

SHA1
e01f25850b72af9eb7aa9ab74b6d6a1fd0a2d29b

SHA256
86d13abece21336f75c8d3c19381863aedb736398567475583cf7c92eda6ad0a

SHA512
373f6402459e66b0056117500665faca691e703ae35c92f5d383d287e30391327a2331e82603fea8f6d5d8fbff1aa98decb03691bd60ae5a4c8d79ffd3a90844

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9479436.exe

Filesize
306KB

MD5
41baa213bece16cdc3831c06adcbb130

SHA1
e01f25850b72af9eb7aa9ab74b6d6a1fd0a2d29b

SHA256
86d13abece21336f75c8d3c19381863aedb736398567475583cf7c92eda6ad0a

SHA512
373f6402459e66b0056117500665faca691e703ae35c92f5d383d287e30391327a2331e82603fea8f6d5d8fbff1aa98decb03691bd60ae5a4c8d79ffd3a90844

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024048.exe

Filesize
184KB

MD5
f8d1d1049f03f2a02caf76e3063e09f4

SHA1
45dffca2e783f7429aad2e6ce40ec7521bc1c140

SHA256
c090bc4d59f261ede9d650f202093311cf620cbc69a363e8cd2f70e729de5dd9

SHA512
ad09c89856be03c7e06050ce9c9412c65a33b61ee16f18a47d3a153311ef70ee84314e9b31ae8c5e96820e9ac3479ef0ce5741ea7ad6102b936617f8e5f06d5e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0024048.exe

Filesize
184KB

MD5
f8d1d1049f03f2a02caf76e3063e09f4

SHA1
45dffca2e783f7429aad2e6ce40ec7521bc1c140

SHA256
c090bc4d59f261ede9d650f202093311cf620cbc69a363e8cd2f70e729de5dd9

SHA512
ad09c89856be03c7e06050ce9c9412c65a33b61ee16f18a47d3a153311ef70ee84314e9b31ae8c5e96820e9ac3479ef0ce5741ea7ad6102b936617f8e5f06d5e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6539524.exe

Filesize
145KB

MD5
7e944f5789a8a226490d2ae03b65148d

SHA1
2e233ca174ef5549b91974cd9b2a5d42c7ec98d9

SHA256
fa6f65c685c3ae56982dafb088bd00c64395456ea10b80e1d0b887be453df6ec

SHA512
b99536151fbf353d09f0eac22ab25af5aad1b3ff8eae0f6bb3c281d17497645c8dd6b0d22c5132a5e39986fd274c122a796279cd0667404e2d99c359ac9ae29e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6539524.exe

Filesize
145KB

MD5
7e944f5789a8a226490d2ae03b65148d

SHA1
2e233ca174ef5549b91974cd9b2a5d42c7ec98d9

SHA256
fa6f65c685c3ae56982dafb088bd00c64395456ea10b80e1d0b887be453df6ec

SHA512
b99536151fbf353d09f0eac22ab25af5aad1b3ff8eae0f6bb3c281d17497645c8dd6b0d22c5132a5e39986fd274c122a796279cd0667404e2d99c359ac9ae29e

Download Submit
memory/676-91-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-109-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-88-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-93-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-95-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-97-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-99-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-101-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-103-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-105-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-107-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-89-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-111-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-113-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-115-0x0000000000AE0000-0x0000000000AF7000-memory.dmp

Filesize
92KB

Download
memory/676-116-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/676-87-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/676-86-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/676-85-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/676-84-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/1236-123-0x0000000000C00000-0x0000000000C2A000-memory.dmp

Filesize
168KB

Download
memory/1236-124-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download
memory/1236-125-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download