redline | bbfbc8baa1749a48c885d26b409fa77c0132abb3d5da335609987a3e75ad8f14

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 21:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35647.exe
Size

1.0MB
MD5

e0c13213521584d4efd1d4962dc6cc23
SHA1

006b36797290c0bd82a2530d873e01ae2a8f9ab0
SHA256

bbfbc8baa1749a48c885d26b409fa77c0132abb3d5da335609987a3e75ad8f14
SHA512

dc8b73a90b807f6c44f9eedc8b25283e15828630e79dbd7313f4695eca6fe7b6d4c94e09b8e84c89b894a926d4afe199a6ccaa8614a8709e1c140a8a81d8af28
SSDEEP

24576:KyWnQHpbVqg3eqWNFgKl4VeRPLj3QU+kI6Czz:RnHpQtqWNKVuPLc5

Score

10^/10

redline daza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

daza

77.91.124.251:19065

Attributes

auth_value
0bd5963efefdd6409185423d5ca3439c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6879481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6879481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6879481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6879481.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k6879481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6879481.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1440	y6683336.exe
364	y9284857.exe
764	k6879481.exe
1792	l8180968.exe

Loads dropped DLL 8 IoCs

pid	Process
1604	35647.exe
1440	y6683336.exe
1440	y6683336.exe
364	y9284857.exe
364	y9284857.exe
764	k6879481.exe
364	y9284857.exe
1792	l8180968.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k6879481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6879481.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	35647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35647.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6683336.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6683336.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9284857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9284857.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
764	k6879481.exe
764	k6879481.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	k6879481.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1604 wrote to memory of 1440	1604	35647.exe	28
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 1440 wrote to memory of 364	1440	y6683336.exe	29
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 764	364	y9284857.exe	30
PID 364 wrote to memory of 1792	364	y9284857.exe	31
PID 364 wrote to memory of 1792	364	y9284857.exe	31
PID 364 wrote to memory of 1792	364	y9284857.exe	31
PID 364 wrote to memory of 1792	364	y9284857.exe	31
PID 364 wrote to memory of 1792	364	y9284857.exe	31
PID 364 wrote to memory of 1792	364	y9284857.exe	31
PID 364 wrote to memory of 1792	364	y9284857.exe	31

C:\Users\Admin\AppData\Local\Temp\35647.exe
"C:\Users\Admin\AppData\Local\Temp\35647.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683336.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683336.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9284857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9284857.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6879481.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6879481.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8180968.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8180968.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683336.exe

Filesize
750KB

MD5
c8f9ddf8406a18a3805c4a6001823212

SHA1
4f5dddc7a6e941be0a3e3a90b664fd3d77ab6faa

SHA256
186c47df688e78f4ef8ce4521631aad082fc0e76d4138cb07936828987d2520d

SHA512
fac1bb8f3904ee1390fb08c33a4e66abb5fb045a1e0f820dfe07ba4ba21fc881ade17bd1f558e96ef562e7fbfa991431fd289db53ee025728ea1a5556b40e20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683336.exe

Filesize
750KB

MD5
c8f9ddf8406a18a3805c4a6001823212

SHA1
4f5dddc7a6e941be0a3e3a90b664fd3d77ab6faa

SHA256
186c47df688e78f4ef8ce4521631aad082fc0e76d4138cb07936828987d2520d

SHA512
fac1bb8f3904ee1390fb08c33a4e66abb5fb045a1e0f820dfe07ba4ba21fc881ade17bd1f558e96ef562e7fbfa991431fd289db53ee025728ea1a5556b40e20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9284857.exe

Filesize
305KB

MD5
dcd5c05b304c4d6920bf842eb806f563

SHA1
f674c040bcb97205cc29b381d56a31e0cbf78b87

SHA256
a8a04d2c0d71138b688c9f2973d1e2f4978fda67038693e738748a689ee3ad5a

SHA512
3ffb6060c7ba883a6b968fefc232b995378a22b03dd2a2379767663aac42383fea1c8399b30b84a2e6ca24b46ff6aa2fc832a545fdd860b11e90aee79ef67989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9284857.exe

Filesize
305KB

MD5
dcd5c05b304c4d6920bf842eb806f563

SHA1
f674c040bcb97205cc29b381d56a31e0cbf78b87

SHA256
a8a04d2c0d71138b688c9f2973d1e2f4978fda67038693e738748a689ee3ad5a

SHA512
3ffb6060c7ba883a6b968fefc232b995378a22b03dd2a2379767663aac42383fea1c8399b30b84a2e6ca24b46ff6aa2fc832a545fdd860b11e90aee79ef67989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6879481.exe

Filesize
184KB

MD5
3693328b10f9c5d662f32efe4797103f

SHA1
6dca212bfa7f4387bd103e5b42185111b11acf27

SHA256
ea01bab1cefe35fbedd4439ff6cb4c308d9050b384262faac11b9c726e7aaba6

SHA512
13911849dc9cc8228a31dce46bfca651324b6d8a7f89999029c3482abd6c7af40f16fa6b6dfbb84a7764c705339bb747bcc0debafbe597f9b526d01739d63170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6879481.exe

Filesize
184KB

MD5
3693328b10f9c5d662f32efe4797103f

SHA1
6dca212bfa7f4387bd103e5b42185111b11acf27

SHA256
ea01bab1cefe35fbedd4439ff6cb4c308d9050b384262faac11b9c726e7aaba6

SHA512
13911849dc9cc8228a31dce46bfca651324b6d8a7f89999029c3482abd6c7af40f16fa6b6dfbb84a7764c705339bb747bcc0debafbe597f9b526d01739d63170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8180968.exe

Filesize
145KB

MD5
924052d45d9705d06b6749c41bc055a0

SHA1
e625dfe4040ad877f1515a281c8658e5effedec2

SHA256
71601a39e85fcde2dd876a2435428505a1c0222c0a9127ca603f6e4f45f9da5c

SHA512
517322bcee1a62c099e934a850a30968b4a39ecffce736ca24bb84dcd356fc0dff142a5bcaff187efe6251aae5ac1bc5cda20479c1847a11d24f20f956fd9c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8180968.exe

Filesize
145KB

MD5
924052d45d9705d06b6749c41bc055a0

SHA1
e625dfe4040ad877f1515a281c8658e5effedec2

SHA256
71601a39e85fcde2dd876a2435428505a1c0222c0a9127ca603f6e4f45f9da5c

SHA512
517322bcee1a62c099e934a850a30968b4a39ecffce736ca24bb84dcd356fc0dff142a5bcaff187efe6251aae5ac1bc5cda20479c1847a11d24f20f956fd9c2d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683336.exe

Filesize
750KB

MD5
c8f9ddf8406a18a3805c4a6001823212

SHA1
4f5dddc7a6e941be0a3e3a90b664fd3d77ab6faa

SHA256
186c47df688e78f4ef8ce4521631aad082fc0e76d4138cb07936828987d2520d

SHA512
fac1bb8f3904ee1390fb08c33a4e66abb5fb045a1e0f820dfe07ba4ba21fc881ade17bd1f558e96ef562e7fbfa991431fd289db53ee025728ea1a5556b40e20a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683336.exe

Filesize
750KB

MD5
c8f9ddf8406a18a3805c4a6001823212

SHA1
4f5dddc7a6e941be0a3e3a90b664fd3d77ab6faa

SHA256
186c47df688e78f4ef8ce4521631aad082fc0e76d4138cb07936828987d2520d

SHA512
fac1bb8f3904ee1390fb08c33a4e66abb5fb045a1e0f820dfe07ba4ba21fc881ade17bd1f558e96ef562e7fbfa991431fd289db53ee025728ea1a5556b40e20a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9284857.exe

Filesize
305KB

MD5
dcd5c05b304c4d6920bf842eb806f563

SHA1
f674c040bcb97205cc29b381d56a31e0cbf78b87

SHA256
a8a04d2c0d71138b688c9f2973d1e2f4978fda67038693e738748a689ee3ad5a

SHA512
3ffb6060c7ba883a6b968fefc232b995378a22b03dd2a2379767663aac42383fea1c8399b30b84a2e6ca24b46ff6aa2fc832a545fdd860b11e90aee79ef67989

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9284857.exe

Filesize
305KB

MD5
dcd5c05b304c4d6920bf842eb806f563

SHA1
f674c040bcb97205cc29b381d56a31e0cbf78b87

SHA256
a8a04d2c0d71138b688c9f2973d1e2f4978fda67038693e738748a689ee3ad5a

SHA512
3ffb6060c7ba883a6b968fefc232b995378a22b03dd2a2379767663aac42383fea1c8399b30b84a2e6ca24b46ff6aa2fc832a545fdd860b11e90aee79ef67989

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6879481.exe

Filesize
184KB

MD5
3693328b10f9c5d662f32efe4797103f

SHA1
6dca212bfa7f4387bd103e5b42185111b11acf27

SHA256
ea01bab1cefe35fbedd4439ff6cb4c308d9050b384262faac11b9c726e7aaba6

SHA512
13911849dc9cc8228a31dce46bfca651324b6d8a7f89999029c3482abd6c7af40f16fa6b6dfbb84a7764c705339bb747bcc0debafbe597f9b526d01739d63170

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6879481.exe

Filesize
184KB

MD5
3693328b10f9c5d662f32efe4797103f

SHA1
6dca212bfa7f4387bd103e5b42185111b11acf27

SHA256
ea01bab1cefe35fbedd4439ff6cb4c308d9050b384262faac11b9c726e7aaba6

SHA512
13911849dc9cc8228a31dce46bfca651324b6d8a7f89999029c3482abd6c7af40f16fa6b6dfbb84a7764c705339bb747bcc0debafbe597f9b526d01739d63170

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8180968.exe

Filesize
145KB

MD5
924052d45d9705d06b6749c41bc055a0

SHA1
e625dfe4040ad877f1515a281c8658e5effedec2

SHA256
71601a39e85fcde2dd876a2435428505a1c0222c0a9127ca603f6e4f45f9da5c

SHA512
517322bcee1a62c099e934a850a30968b4a39ecffce736ca24bb84dcd356fc0dff142a5bcaff187efe6251aae5ac1bc5cda20479c1847a11d24f20f956fd9c2d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8180968.exe

Filesize
145KB

MD5
924052d45d9705d06b6749c41bc055a0

SHA1
e625dfe4040ad877f1515a281c8658e5effedec2

SHA256
71601a39e85fcde2dd876a2435428505a1c0222c0a9127ca603f6e4f45f9da5c

SHA512
517322bcee1a62c099e934a850a30968b4a39ecffce736ca24bb84dcd356fc0dff142a5bcaff187efe6251aae5ac1bc5cda20479c1847a11d24f20f956fd9c2d

Download Submit
memory/764-93-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-111-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-87-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-95-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-97-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-99-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-101-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-103-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-105-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-107-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-109-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-91-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-113-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-114-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/764-115-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/764-89-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-86-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/764-85-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/764-84-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/1792-122-0x0000000001350000-0x000000000137A000-memory.dmp

Filesize
168KB

Download
memory/1792-123-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/1792-124-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download