redline | 98fc22a5f851142421bcec6c3ef6a7004a9994a23e1401ce6f75e6c0755bc058

Analysis

max time kernel
130s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-05-2023 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

localization119.exe
Size

1.0MB
MD5

d66f0b5b8addb09ddb645945189091f9
SHA1

34fc4fe382a38652e33a397ef5162a109cf1f0cf
SHA256

98fc22a5f851142421bcec6c3ef6a7004a9994a23e1401ce6f75e6c0755bc058
SHA512

3e5ff99d7527f4399e9a52f1e3c003e64d792c2a4c50596e6cf2a95d99279ae63c25abf3ebde0c92f7dc8f8aad4b373d6c4ff4d17735608bd4f0eeb7120f5c78
SSDEEP

24576:Oy6BDxCwPCP5qsCAlE56LBNDY9Yb3zWWGPvJ:dyCBP5q3W7LnDrW

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0062749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0062749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0062749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0062749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0062749.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0062749.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2040	y6085755.exe
2028	y8927036.exe
1460	k0062749.exe
1044	l1664876.exe

Loads dropped DLL 8 IoCs

pid	Process
832	localization119.exe
2040	y6085755.exe
2040	y6085755.exe
2028	y8927036.exe
2028	y8927036.exe
1460	k0062749.exe
2028	y8927036.exe
1044	l1664876.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k0062749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0062749.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	localization119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	localization119.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6085755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6085755.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8927036.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8927036.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	k0062749.exe
1460	k0062749.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	k0062749.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 832 wrote to memory of 2040	832	localization119.exe	28
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2040 wrote to memory of 2028	2040	y6085755.exe	29
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1460	2028	y8927036.exe	30
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31
PID 2028 wrote to memory of 1044	2028	y8927036.exe	31

C:\Users\Admin\AppData\Local\Temp\localization119.exe
"C:\Users\Admin\AppData\Local\Temp\localization119.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6085755.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6085755.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8927036.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8927036.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0062749.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0062749.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1664876.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1664876.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6085755.exe

Filesize
749KB

MD5
4e27327cba5a59696ab0530139f4144c

SHA1
436bf7bcd6339345f7e994b2ea88f06c1c5098e1

SHA256
ec4f6aa4aa9cc59175c5287d5f4f7f8871772158258f6155bc5b2d932d0c87e2

SHA512
a77ed8e226048fde48a44e6dff9d6750d5c14394bbe39b467b6d78a01f68020a5700aef363b62b98421aa3f60130c87805eca6807a7dbacda414db2c13e9f351

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6085755.exe

Filesize
749KB

MD5
4e27327cba5a59696ab0530139f4144c

SHA1
436bf7bcd6339345f7e994b2ea88f06c1c5098e1

SHA256
ec4f6aa4aa9cc59175c5287d5f4f7f8871772158258f6155bc5b2d932d0c87e2

SHA512
a77ed8e226048fde48a44e6dff9d6750d5c14394bbe39b467b6d78a01f68020a5700aef363b62b98421aa3f60130c87805eca6807a7dbacda414db2c13e9f351

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8927036.exe

Filesize
305KB

MD5
4e7294decea5e562609ff597e50feb0e

SHA1
17e6e9799a09c933d11d8593444512201c2d3fee

SHA256
cc6950bf8a6dd816bc96663992d541d840415b6e5956f81739464b86218dce63

SHA512
94c9f788ccdc409ae8855f139436bf86549b970e809fda4b0f121fd2b8f963b0fd3847797987f79d5997103ab98237c582ec9c51e6fcb5579ad9f7fcc3c03d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8927036.exe

Filesize
305KB

MD5
4e7294decea5e562609ff597e50feb0e

SHA1
17e6e9799a09c933d11d8593444512201c2d3fee

SHA256
cc6950bf8a6dd816bc96663992d541d840415b6e5956f81739464b86218dce63

SHA512
94c9f788ccdc409ae8855f139436bf86549b970e809fda4b0f121fd2b8f963b0fd3847797987f79d5997103ab98237c582ec9c51e6fcb5579ad9f7fcc3c03d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0062749.exe

Filesize
186KB

MD5
6bf0b41bd0e040acad8976cc4190c6be

SHA1
ae15b649ddbac584a270961087dad64065f19bbb

SHA256
d8e557ed7708a738ee0d08a503e1ad76e8ceaebcf1627332cc4012f4a6d22a5f

SHA512
a343e81103a0c84e09840f3b9c4071d5d820fdb2ca621ebc225e4facbfee4822c86981d38be427893e5e6b49d94aed88cd81b6ad152d724168ec6e2fcc30f3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0062749.exe

Filesize
186KB

MD5
6bf0b41bd0e040acad8976cc4190c6be

SHA1
ae15b649ddbac584a270961087dad64065f19bbb

SHA256
d8e557ed7708a738ee0d08a503e1ad76e8ceaebcf1627332cc4012f4a6d22a5f

SHA512
a343e81103a0c84e09840f3b9c4071d5d820fdb2ca621ebc225e4facbfee4822c86981d38be427893e5e6b49d94aed88cd81b6ad152d724168ec6e2fcc30f3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1664876.exe

Filesize
146KB

MD5
123507043cfa64bd6a8d0c3a87b54f0e

SHA1
32680124a13105d83975b1d5b3838d99a96bf15e

SHA256
a40b5658e6f9f20928f12023ed6d225be8d7e04dc2ccdbc8e84179a3cf16b38a

SHA512
800ffee7c9666ec0f53d55a8232dbeab3c5226fb52d8977d74adcf7a551cd34fd588378eca9acecdea1868d095ce9fa800a385f02e8f47c30b6f3bb74cd14d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1664876.exe

Filesize
146KB

MD5
123507043cfa64bd6a8d0c3a87b54f0e

SHA1
32680124a13105d83975b1d5b3838d99a96bf15e

SHA256
a40b5658e6f9f20928f12023ed6d225be8d7e04dc2ccdbc8e84179a3cf16b38a

SHA512
800ffee7c9666ec0f53d55a8232dbeab3c5226fb52d8977d74adcf7a551cd34fd588378eca9acecdea1868d095ce9fa800a385f02e8f47c30b6f3bb74cd14d45

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6085755.exe

Filesize
749KB

MD5
4e27327cba5a59696ab0530139f4144c

SHA1
436bf7bcd6339345f7e994b2ea88f06c1c5098e1

SHA256
ec4f6aa4aa9cc59175c5287d5f4f7f8871772158258f6155bc5b2d932d0c87e2

SHA512
a77ed8e226048fde48a44e6dff9d6750d5c14394bbe39b467b6d78a01f68020a5700aef363b62b98421aa3f60130c87805eca6807a7dbacda414db2c13e9f351

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6085755.exe

Filesize
749KB

MD5
4e27327cba5a59696ab0530139f4144c

SHA1
436bf7bcd6339345f7e994b2ea88f06c1c5098e1

SHA256
ec4f6aa4aa9cc59175c5287d5f4f7f8871772158258f6155bc5b2d932d0c87e2

SHA512
a77ed8e226048fde48a44e6dff9d6750d5c14394bbe39b467b6d78a01f68020a5700aef363b62b98421aa3f60130c87805eca6807a7dbacda414db2c13e9f351

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8927036.exe

Filesize
305KB

MD5
4e7294decea5e562609ff597e50feb0e

SHA1
17e6e9799a09c933d11d8593444512201c2d3fee

SHA256
cc6950bf8a6dd816bc96663992d541d840415b6e5956f81739464b86218dce63

SHA512
94c9f788ccdc409ae8855f139436bf86549b970e809fda4b0f121fd2b8f963b0fd3847797987f79d5997103ab98237c582ec9c51e6fcb5579ad9f7fcc3c03d50

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8927036.exe

Filesize
305KB

MD5
4e7294decea5e562609ff597e50feb0e

SHA1
17e6e9799a09c933d11d8593444512201c2d3fee

SHA256
cc6950bf8a6dd816bc96663992d541d840415b6e5956f81739464b86218dce63

SHA512
94c9f788ccdc409ae8855f139436bf86549b970e809fda4b0f121fd2b8f963b0fd3847797987f79d5997103ab98237c582ec9c51e6fcb5579ad9f7fcc3c03d50

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0062749.exe

Filesize
186KB

MD5
6bf0b41bd0e040acad8976cc4190c6be

SHA1
ae15b649ddbac584a270961087dad64065f19bbb

SHA256
d8e557ed7708a738ee0d08a503e1ad76e8ceaebcf1627332cc4012f4a6d22a5f

SHA512
a343e81103a0c84e09840f3b9c4071d5d820fdb2ca621ebc225e4facbfee4822c86981d38be427893e5e6b49d94aed88cd81b6ad152d724168ec6e2fcc30f3b1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0062749.exe

Filesize
186KB

MD5
6bf0b41bd0e040acad8976cc4190c6be

SHA1
ae15b649ddbac584a270961087dad64065f19bbb

SHA256
d8e557ed7708a738ee0d08a503e1ad76e8ceaebcf1627332cc4012f4a6d22a5f

SHA512
a343e81103a0c84e09840f3b9c4071d5d820fdb2ca621ebc225e4facbfee4822c86981d38be427893e5e6b49d94aed88cd81b6ad152d724168ec6e2fcc30f3b1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1664876.exe

Filesize
146KB

MD5
123507043cfa64bd6a8d0c3a87b54f0e

SHA1
32680124a13105d83975b1d5b3838d99a96bf15e

SHA256
a40b5658e6f9f20928f12023ed6d225be8d7e04dc2ccdbc8e84179a3cf16b38a

SHA512
800ffee7c9666ec0f53d55a8232dbeab3c5226fb52d8977d74adcf7a551cd34fd588378eca9acecdea1868d095ce9fa800a385f02e8f47c30b6f3bb74cd14d45

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1664876.exe

Filesize
146KB

MD5
123507043cfa64bd6a8d0c3a87b54f0e

SHA1
32680124a13105d83975b1d5b3838d99a96bf15e

SHA256
a40b5658e6f9f20928f12023ed6d225be8d7e04dc2ccdbc8e84179a3cf16b38a

SHA512
800ffee7c9666ec0f53d55a8232dbeab3c5226fb52d8977d74adcf7a551cd34fd588378eca9acecdea1868d095ce9fa800a385f02e8f47c30b6f3bb74cd14d45

Download Submit
memory/1044-123-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1044-122-0x0000000000E00000-0x0000000000E2A000-memory.dmp

Filesize
168KB

Download
memory/1044-124-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1460-87-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-97-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-99-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-101-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-103-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-105-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-107-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-109-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-111-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-113-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-114-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/1460-115-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/1460-95-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-93-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-89-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-91-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-86-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1460-85-0x00000000007E0000-0x00000000007FC000-memory.dmp

Filesize
112KB

Download
memory/1460-84-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download