redline | eb75a0b6dcedca927195b507970f3bc289f0afec42b6c1f1779f538159e4aa80

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

service.exe
Size

1.0MB
MD5

b147ea5273354dfe145510830eba7781
SHA1

0e87b97ee2d1da3a3b72238428bc990665a07df7
SHA256

eb75a0b6dcedca927195b507970f3bc289f0afec42b6c1f1779f538159e4aa80
SHA512

b7090a08f054ed2d12b7742a071214ad5e952d3dd62e4a3a6d1855d2f57d54df22121a4719624f49149319a3a401c3fbcaf972402bf21bb232e62ce06e4f5e80
SSDEEP

24576:UyJTwjxtNKhEKYm/Z06CIORLZF51it26BBE5Kx3:jtGNKn/nCImzAt2Z5a

Score

10^/10

redline deren evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

deren

77.91.68.253:19065

Attributes

auth_value
04a169f1fb198bfbeca74d0e06ea2d54

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k2930609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2930609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2930609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2930609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2930609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2930609.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1996	y7695420.exe
1816	y8077328.exe
320	k2930609.exe
988	l6616862.exe

Loads dropped DLL 8 IoCs

pid	Process
1728	service.exe
1996	y7695420.exe
1996	y7695420.exe
1816	y8077328.exe
1816	y8077328.exe
320	k2930609.exe
1816	y8077328.exe
988	l6616862.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k2930609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2930609.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7695420.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8077328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8077328.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	service.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7695420.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	k2930609.exe
320	k2930609.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	k2930609.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1728 wrote to memory of 1996	1728	service.exe	28
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1996 wrote to memory of 1816	1996	y7695420.exe	29
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 320	1816	y8077328.exe	30
PID 1816 wrote to memory of 988	1816	y8077328.exe	31
PID 1816 wrote to memory of 988	1816	y8077328.exe	31
PID 1816 wrote to memory of 988	1816	y8077328.exe	31
PID 1816 wrote to memory of 988	1816	y8077328.exe	31
PID 1816 wrote to memory of 988	1816	y8077328.exe	31
PID 1816 wrote to memory of 988	1816	y8077328.exe	31
PID 1816 wrote to memory of 988	1816	y8077328.exe	31

C:\Users\Admin\AppData\Local\Temp\service.exe
"C:\Users\Admin\AppData\Local\Temp\service.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7695420.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7695420.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8077328.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8077328.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2930609.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2930609.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6616862.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6616862.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7695420.exe

Filesize
750KB

MD5
aa86c92bfc4e8f108f5ace8f69082785

SHA1
bdec99f42d130f9de90f43a17adfd07748aa169f

SHA256
78aff98e297b72e6710693e5d328ee6e804066df47d421ec47ff152ddc764604

SHA512
6fd3b6761e47eea41d94dfa99fba6fe257f2105ffb33ac7f6c5f5f3058844b2c1cc8f1e5db184bc564c259bd3dc5e87fdcab4bd7eae637f9df41eaf408aa9b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7695420.exe

Filesize
750KB

MD5
aa86c92bfc4e8f108f5ace8f69082785

SHA1
bdec99f42d130f9de90f43a17adfd07748aa169f

SHA256
78aff98e297b72e6710693e5d328ee6e804066df47d421ec47ff152ddc764604

SHA512
6fd3b6761e47eea41d94dfa99fba6fe257f2105ffb33ac7f6c5f5f3058844b2c1cc8f1e5db184bc564c259bd3dc5e87fdcab4bd7eae637f9df41eaf408aa9b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8077328.exe

Filesize
305KB

MD5
4ddfaf4a3a7b9681ffd630a8c5c0aac9

SHA1
0e7d541fea149833ee9990dffafb89951adf40e4

SHA256
88e647000dd2c98511b05c52dd93dbfaf47db286eb9db99b8164abefa416eae9

SHA512
49a1e3e5ce4440b0cd2d30249aaf9ef55e89ce80fab4523b8bde35b5591a92109bfa509e740334e78388d8d88ecb6b854b50c31470b6282204447f3f2a82c6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8077328.exe

Filesize
305KB

MD5
4ddfaf4a3a7b9681ffd630a8c5c0aac9

SHA1
0e7d541fea149833ee9990dffafb89951adf40e4

SHA256
88e647000dd2c98511b05c52dd93dbfaf47db286eb9db99b8164abefa416eae9

SHA512
49a1e3e5ce4440b0cd2d30249aaf9ef55e89ce80fab4523b8bde35b5591a92109bfa509e740334e78388d8d88ecb6b854b50c31470b6282204447f3f2a82c6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2930609.exe

Filesize
184KB

MD5
6c1801b306bd9c503277b5add4bda423

SHA1
7cef0c460f767d020705ff0923a96907ebd3fb09

SHA256
8d46cc1470b329d45ad2d833a7e6bc0d77ef7e04e8e2fd2b3875465dc0e2ef1b

SHA512
e121a2faefa3c76ce9cedfe8b6d167c0aaddee27396ed0dbbdbbed44b98fcaad932260217ed3d4b1d68c8a5255dbb4d608b3419b5ec85e7727a0df33077bae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2930609.exe

Filesize
184KB

MD5
6c1801b306bd9c503277b5add4bda423

SHA1
7cef0c460f767d020705ff0923a96907ebd3fb09

SHA256
8d46cc1470b329d45ad2d833a7e6bc0d77ef7e04e8e2fd2b3875465dc0e2ef1b

SHA512
e121a2faefa3c76ce9cedfe8b6d167c0aaddee27396ed0dbbdbbed44b98fcaad932260217ed3d4b1d68c8a5255dbb4d608b3419b5ec85e7727a0df33077bae1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6616862.exe

Filesize
145KB

MD5
074175253f55fcd9de48d502cce71f27

SHA1
09847a8a204dcfd74c8cc5b755e573974f4c79ad

SHA256
e77e7622677681179ca6b902eb406a27a9eb5fd33296ae1f23e7fb56e9688fc7

SHA512
0553dec20abe6f5629678de9d38cb328a44f77dd204c3006f977581fa1db8d1bc8bfb8e7b93fd1e63df409fd821bebda80e16b2e1c232b90f821f6edac728be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6616862.exe

Filesize
145KB

MD5
074175253f55fcd9de48d502cce71f27

SHA1
09847a8a204dcfd74c8cc5b755e573974f4c79ad

SHA256
e77e7622677681179ca6b902eb406a27a9eb5fd33296ae1f23e7fb56e9688fc7

SHA512
0553dec20abe6f5629678de9d38cb328a44f77dd204c3006f977581fa1db8d1bc8bfb8e7b93fd1e63df409fd821bebda80e16b2e1c232b90f821f6edac728be1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7695420.exe

Filesize
750KB

MD5
aa86c92bfc4e8f108f5ace8f69082785

SHA1
bdec99f42d130f9de90f43a17adfd07748aa169f

SHA256
78aff98e297b72e6710693e5d328ee6e804066df47d421ec47ff152ddc764604

SHA512
6fd3b6761e47eea41d94dfa99fba6fe257f2105ffb33ac7f6c5f5f3058844b2c1cc8f1e5db184bc564c259bd3dc5e87fdcab4bd7eae637f9df41eaf408aa9b66

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7695420.exe

Filesize
750KB

MD5
aa86c92bfc4e8f108f5ace8f69082785

SHA1
bdec99f42d130f9de90f43a17adfd07748aa169f

SHA256
78aff98e297b72e6710693e5d328ee6e804066df47d421ec47ff152ddc764604

SHA512
6fd3b6761e47eea41d94dfa99fba6fe257f2105ffb33ac7f6c5f5f3058844b2c1cc8f1e5db184bc564c259bd3dc5e87fdcab4bd7eae637f9df41eaf408aa9b66

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8077328.exe

Filesize
305KB

MD5
4ddfaf4a3a7b9681ffd630a8c5c0aac9

SHA1
0e7d541fea149833ee9990dffafb89951adf40e4

SHA256
88e647000dd2c98511b05c52dd93dbfaf47db286eb9db99b8164abefa416eae9

SHA512
49a1e3e5ce4440b0cd2d30249aaf9ef55e89ce80fab4523b8bde35b5591a92109bfa509e740334e78388d8d88ecb6b854b50c31470b6282204447f3f2a82c6e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8077328.exe

Filesize
305KB

MD5
4ddfaf4a3a7b9681ffd630a8c5c0aac9

SHA1
0e7d541fea149833ee9990dffafb89951adf40e4

SHA256
88e647000dd2c98511b05c52dd93dbfaf47db286eb9db99b8164abefa416eae9

SHA512
49a1e3e5ce4440b0cd2d30249aaf9ef55e89ce80fab4523b8bde35b5591a92109bfa509e740334e78388d8d88ecb6b854b50c31470b6282204447f3f2a82c6e5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2930609.exe

Filesize
184KB

MD5
6c1801b306bd9c503277b5add4bda423

SHA1
7cef0c460f767d020705ff0923a96907ebd3fb09

SHA256
8d46cc1470b329d45ad2d833a7e6bc0d77ef7e04e8e2fd2b3875465dc0e2ef1b

SHA512
e121a2faefa3c76ce9cedfe8b6d167c0aaddee27396ed0dbbdbbed44b98fcaad932260217ed3d4b1d68c8a5255dbb4d608b3419b5ec85e7727a0df33077bae1c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2930609.exe

Filesize
184KB

MD5
6c1801b306bd9c503277b5add4bda423

SHA1
7cef0c460f767d020705ff0923a96907ebd3fb09

SHA256
8d46cc1470b329d45ad2d833a7e6bc0d77ef7e04e8e2fd2b3875465dc0e2ef1b

SHA512
e121a2faefa3c76ce9cedfe8b6d167c0aaddee27396ed0dbbdbbed44b98fcaad932260217ed3d4b1d68c8a5255dbb4d608b3419b5ec85e7727a0df33077bae1c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6616862.exe

Filesize
145KB

MD5
074175253f55fcd9de48d502cce71f27

SHA1
09847a8a204dcfd74c8cc5b755e573974f4c79ad

SHA256
e77e7622677681179ca6b902eb406a27a9eb5fd33296ae1f23e7fb56e9688fc7

SHA512
0553dec20abe6f5629678de9d38cb328a44f77dd204c3006f977581fa1db8d1bc8bfb8e7b93fd1e63df409fd821bebda80e16b2e1c232b90f821f6edac728be1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6616862.exe

Filesize
145KB

MD5
074175253f55fcd9de48d502cce71f27

SHA1
09847a8a204dcfd74c8cc5b755e573974f4c79ad

SHA256
e77e7622677681179ca6b902eb406a27a9eb5fd33296ae1f23e7fb56e9688fc7

SHA512
0553dec20abe6f5629678de9d38cb328a44f77dd204c3006f977581fa1db8d1bc8bfb8e7b93fd1e63df409fd821bebda80e16b2e1c232b90f821f6edac728be1

Download Submit
memory/320-91-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-109-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-88-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-93-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-95-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-97-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-99-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-101-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-103-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-105-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-107-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-89-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-111-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-113-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-115-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/320-87-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/320-86-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/320-85-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/320-84-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/988-122-0x0000000001160000-0x000000000118A000-memory.dmp

Filesize
168KB

Download
memory/988-123-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

Filesize
256KB

Download
memory/988-124-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

Filesize
256KB

Download