redline | e620a7fe222cfae8267806ee2380227dc3709d3bfb8adec2e09dde30af7dabe1

Analysis

max time kernel
133s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 10:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CloudCheatsSetup611.exe
Size

1.0MB
MD5

ec17d6ab47c9f62304b5a3344295323f
SHA1

cad1cca91444ce77a7ca6500ba0d3fd7eb5d706d
SHA256

e620a7fe222cfae8267806ee2380227dc3709d3bfb8adec2e09dde30af7dabe1
SHA512

f7a55b44c66fb16d82f3363c5278a84d842d43daeff146864bf54d820ab6a21055e92e9e7dd67b9f8c96e600848c8bb1f8b424d7633da03431305ef245be8a6c
SSDEEP

24576:SyTxIznaNb7hMuC5rP4qQSAy3Swb1lzIgTXUg7OGVCkBdDMN:5TWzaNb7h1C1P4qGng3PTYGQGdD

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5473954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5473954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5473954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5473954.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k5473954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5473954.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1652	y0144073.exe
1760	y5108154.exe
1720	k5473954.exe
280	l4740500.exe

Loads dropped DLL 8 IoCs

pid	Process
892	CloudCheatsSetup611.exe
1652	y0144073.exe
1652	y0144073.exe
1760	y5108154.exe
1760	y5108154.exe
1720	k5473954.exe
1760	y5108154.exe
280	l4740500.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k5473954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5473954.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5108154.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5108154.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	CloudCheatsSetup611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CloudCheatsSetup611.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0144073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0144073.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	k5473954.exe
1720	k5473954.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	k5473954.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 892 wrote to memory of 1652	892	CloudCheatsSetup611.exe	27
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1652 wrote to memory of 1760	1652	y0144073.exe	28
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 1720	1760	y5108154.exe	29
PID 1760 wrote to memory of 280	1760	y5108154.exe	30
PID 1760 wrote to memory of 280	1760	y5108154.exe	30
PID 1760 wrote to memory of 280	1760	y5108154.exe	30
PID 1760 wrote to memory of 280	1760	y5108154.exe	30
PID 1760 wrote to memory of 280	1760	y5108154.exe	30
PID 1760 wrote to memory of 280	1760	y5108154.exe	30
PID 1760 wrote to memory of 280	1760	y5108154.exe	30

C:\Users\Admin\AppData\Local\Temp\CloudCheatsSetup611.exe
"C:\Users\Admin\AppData\Local\Temp\CloudCheatsSetup611.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144073.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144073.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5108154.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5108154.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5473954.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5473954.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4740500.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4740500.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144073.exe

Filesize
751KB

MD5
42a51bd61110c8b19d90903fb82c8e5d

SHA1
2dcd2a1030564897f0db0d597ed4fe840582a6a5

SHA256
10256d93b46f5266313913acafd786e4b1995bd2461c58bc9d9fd6b3ae3d83a5

SHA512
2a6cfb7462235b8e47ad5f55f8023acc3d8ed10edd728cf3ba040fb252b22b5721ef5276057211a39301f974e4b12b1443f474bc287bfaed8791b0ba95c125d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144073.exe

Filesize
751KB

MD5
42a51bd61110c8b19d90903fb82c8e5d

SHA1
2dcd2a1030564897f0db0d597ed4fe840582a6a5

SHA256
10256d93b46f5266313913acafd786e4b1995bd2461c58bc9d9fd6b3ae3d83a5

SHA512
2a6cfb7462235b8e47ad5f55f8023acc3d8ed10edd728cf3ba040fb252b22b5721ef5276057211a39301f974e4b12b1443f474bc287bfaed8791b0ba95c125d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5108154.exe

Filesize
305KB

MD5
7303626f91c39e556ca6de2f50efb80e

SHA1
8bcf83da3dfd60eb04fbd99a968a5ed6b3f0d81e

SHA256
98da7f259c3a773e67f44ff6fea3b82adbcbb80f6c41aa51cf0d1f3ae81aee63

SHA512
81125d37f80642a9042123b633c08d7b5e2ffc9ef0b00980c13d0028c83b18fb5870971bb2053beafda30c641a1bc998d44c4cb4bb4d5a5c5a29b2cf8deb1732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5108154.exe

Filesize
305KB

MD5
7303626f91c39e556ca6de2f50efb80e

SHA1
8bcf83da3dfd60eb04fbd99a968a5ed6b3f0d81e

SHA256
98da7f259c3a773e67f44ff6fea3b82adbcbb80f6c41aa51cf0d1f3ae81aee63

SHA512
81125d37f80642a9042123b633c08d7b5e2ffc9ef0b00980c13d0028c83b18fb5870971bb2053beafda30c641a1bc998d44c4cb4bb4d5a5c5a29b2cf8deb1732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5473954.exe

Filesize
186KB

MD5
7e481b0244a7697651648db986ad7359

SHA1
4365446b63fa7cff020660e9fd2c2c34c1bd975b

SHA256
7539c2a97b7e99b8593c56bc8caf4139d5cd805b12a12e37399d8d106e33810a

SHA512
d17e37b8aac279784a5f0ba82a76ae2632480db78c383e5817e673060cf260f3564f22d585aa01083364824748cb3ab21cb18c00ebd230861232f071a9238c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5473954.exe

Filesize
186KB

MD5
7e481b0244a7697651648db986ad7359

SHA1
4365446b63fa7cff020660e9fd2c2c34c1bd975b

SHA256
7539c2a97b7e99b8593c56bc8caf4139d5cd805b12a12e37399d8d106e33810a

SHA512
d17e37b8aac279784a5f0ba82a76ae2632480db78c383e5817e673060cf260f3564f22d585aa01083364824748cb3ab21cb18c00ebd230861232f071a9238c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4740500.exe

Filesize
145KB

MD5
77df85f1510bc4682d4c2a8ca7c6fe9d

SHA1
b9a04b4da27041ad1e05d24fe99e3db817b2cba5

SHA256
6ad070278a99e05a4081f39b0dcd8d3a98cbab9f1dcca45f55dda39df51ddc90

SHA512
b871bb551caa44d778f159f2a4b43838c826bf10b029e8922116ba02dcd03971e2ee15bc8f0f1e6cfdd7364ac83eba4fbd80c5cc772e3145f7eadae3a5d0578d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4740500.exe

Filesize
145KB

MD5
77df85f1510bc4682d4c2a8ca7c6fe9d

SHA1
b9a04b4da27041ad1e05d24fe99e3db817b2cba5

SHA256
6ad070278a99e05a4081f39b0dcd8d3a98cbab9f1dcca45f55dda39df51ddc90

SHA512
b871bb551caa44d778f159f2a4b43838c826bf10b029e8922116ba02dcd03971e2ee15bc8f0f1e6cfdd7364ac83eba4fbd80c5cc772e3145f7eadae3a5d0578d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144073.exe

Filesize
751KB

MD5
42a51bd61110c8b19d90903fb82c8e5d

SHA1
2dcd2a1030564897f0db0d597ed4fe840582a6a5

SHA256
10256d93b46f5266313913acafd786e4b1995bd2461c58bc9d9fd6b3ae3d83a5

SHA512
2a6cfb7462235b8e47ad5f55f8023acc3d8ed10edd728cf3ba040fb252b22b5721ef5276057211a39301f974e4b12b1443f474bc287bfaed8791b0ba95c125d2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0144073.exe

Filesize
751KB

MD5
42a51bd61110c8b19d90903fb82c8e5d

SHA1
2dcd2a1030564897f0db0d597ed4fe840582a6a5

SHA256
10256d93b46f5266313913acafd786e4b1995bd2461c58bc9d9fd6b3ae3d83a5

SHA512
2a6cfb7462235b8e47ad5f55f8023acc3d8ed10edd728cf3ba040fb252b22b5721ef5276057211a39301f974e4b12b1443f474bc287bfaed8791b0ba95c125d2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5108154.exe

Filesize
305KB

MD5
7303626f91c39e556ca6de2f50efb80e

SHA1
8bcf83da3dfd60eb04fbd99a968a5ed6b3f0d81e

SHA256
98da7f259c3a773e67f44ff6fea3b82adbcbb80f6c41aa51cf0d1f3ae81aee63

SHA512
81125d37f80642a9042123b633c08d7b5e2ffc9ef0b00980c13d0028c83b18fb5870971bb2053beafda30c641a1bc998d44c4cb4bb4d5a5c5a29b2cf8deb1732

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5108154.exe

Filesize
305KB

MD5
7303626f91c39e556ca6de2f50efb80e

SHA1
8bcf83da3dfd60eb04fbd99a968a5ed6b3f0d81e

SHA256
98da7f259c3a773e67f44ff6fea3b82adbcbb80f6c41aa51cf0d1f3ae81aee63

SHA512
81125d37f80642a9042123b633c08d7b5e2ffc9ef0b00980c13d0028c83b18fb5870971bb2053beafda30c641a1bc998d44c4cb4bb4d5a5c5a29b2cf8deb1732

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5473954.exe

Filesize
186KB

MD5
7e481b0244a7697651648db986ad7359

SHA1
4365446b63fa7cff020660e9fd2c2c34c1bd975b

SHA256
7539c2a97b7e99b8593c56bc8caf4139d5cd805b12a12e37399d8d106e33810a

SHA512
d17e37b8aac279784a5f0ba82a76ae2632480db78c383e5817e673060cf260f3564f22d585aa01083364824748cb3ab21cb18c00ebd230861232f071a9238c39

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5473954.exe

Filesize
186KB

MD5
7e481b0244a7697651648db986ad7359

SHA1
4365446b63fa7cff020660e9fd2c2c34c1bd975b

SHA256
7539c2a97b7e99b8593c56bc8caf4139d5cd805b12a12e37399d8d106e33810a

SHA512
d17e37b8aac279784a5f0ba82a76ae2632480db78c383e5817e673060cf260f3564f22d585aa01083364824748cb3ab21cb18c00ebd230861232f071a9238c39

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4740500.exe

Filesize
145KB

MD5
77df85f1510bc4682d4c2a8ca7c6fe9d

SHA1
b9a04b4da27041ad1e05d24fe99e3db817b2cba5

SHA256
6ad070278a99e05a4081f39b0dcd8d3a98cbab9f1dcca45f55dda39df51ddc90

SHA512
b871bb551caa44d778f159f2a4b43838c826bf10b029e8922116ba02dcd03971e2ee15bc8f0f1e6cfdd7364ac83eba4fbd80c5cc772e3145f7eadae3a5d0578d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4740500.exe

Filesize
145KB

MD5
77df85f1510bc4682d4c2a8ca7c6fe9d

SHA1
b9a04b4da27041ad1e05d24fe99e3db817b2cba5

SHA256
6ad070278a99e05a4081f39b0dcd8d3a98cbab9f1dcca45f55dda39df51ddc90

SHA512
b871bb551caa44d778f159f2a4b43838c826bf10b029e8922116ba02dcd03971e2ee15bc8f0f1e6cfdd7364ac83eba4fbd80c5cc772e3145f7eadae3a5d0578d

Download Submit
memory/280-123-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/280-122-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/280-124-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/1720-93-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-97-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-99-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-101-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-103-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-105-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-107-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-109-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-111-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-113-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-114-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1720-115-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1720-95-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-91-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-89-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-87-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-86-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1720-85-0x0000000002100000-0x000000000211C000-memory.dmp

Filesize
112KB

Download
memory/1720-84-0x0000000000310000-0x000000000032E000-memory.dmp

Filesize
120KB

Download