redline | f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964

Analysis

max time kernel
297s
max time network
299s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24/05/2023, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe
Size

1.0MB
MD5

b1e1f53e7c2d8801070f9374498b4a6b
SHA1

edb8b1cd6bf43170ecbae3c73d3bef0cd74e7728
SHA256

f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964
SHA512

faf1ea7eef93c806f499a6dbe644032f71c334e09bbbdc8eb81a5c6e2778f57633a97a57913fc3798d682680a7cdaacc042a7f1a2ed00faf40c31b273f175453
SSDEEP

24576:GyeSzmwOLMk9cm03qafgsotrYlNQE55HdZ+D66Moe3GLroMl:Ve+BQBu3qU4yQEnX+2ro9Lrx

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5673011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5673011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k5673011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5673011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5673011.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5673011.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2040	y5727639.exe
748	y8772606.exe
1472	k5673011.exe
1500	l8651501.exe

Loads dropped DLL 8 IoCs

pid	Process
1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe
2040	y5727639.exe
2040	y5727639.exe
748	y8772606.exe
748	y8772606.exe
1472	k5673011.exe
748	y8772606.exe
1500	l8651501.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5673011.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k5673011.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8772606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8772606.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5727639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5727639.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1472	k5673011.exe
1472	k5673011.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	k5673011.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 1304 wrote to memory of 2040	1304	f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe	27
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 2040 wrote to memory of 748	2040	y5727639.exe	28
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1472	748	y8772606.exe	29
PID 748 wrote to memory of 1500	748	y8772606.exe	30
PID 748 wrote to memory of 1500	748	y8772606.exe	30
PID 748 wrote to memory of 1500	748	y8772606.exe	30
PID 748 wrote to memory of 1500	748	y8772606.exe	30
PID 748 wrote to memory of 1500	748	y8772606.exe	30
PID 748 wrote to memory of 1500	748	y8772606.exe	30
PID 748 wrote to memory of 1500	748	y8772606.exe	30

C:\Users\Admin\AppData\Local\Temp\f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe
"C:\Users\Admin\AppData\Local\Temp\f78dcd9565982099152691358ef070597428bb9f27c8c5ec798b1f52e479f964.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5727639.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5727639.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8772606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8772606.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5673011.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5673011.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8651501.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8651501.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5727639.exe

Filesize
750KB

MD5
c2d646f939b48f05bf04a8789f62de1a

SHA1
fa660f3f4be7a8b919ad2037d5ebf4b2b8996126

SHA256
1413bc610f63b9f18607631548709bb13078306c845853b5f9cabf618c269081

SHA512
dd5e11aa4db5592d14b339da4bb7b0d39bb11ac275a907782558e7bff17fe4f623b4b59a75c7ba9aa24931b510f39f31d7f9b2ccf1e44da3457c11d3b95dce9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5727639.exe

Filesize
750KB

MD5
c2d646f939b48f05bf04a8789f62de1a

SHA1
fa660f3f4be7a8b919ad2037d5ebf4b2b8996126

SHA256
1413bc610f63b9f18607631548709bb13078306c845853b5f9cabf618c269081

SHA512
dd5e11aa4db5592d14b339da4bb7b0d39bb11ac275a907782558e7bff17fe4f623b4b59a75c7ba9aa24931b510f39f31d7f9b2ccf1e44da3457c11d3b95dce9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8772606.exe

Filesize
305KB

MD5
fd36b33b78036f478dc344679444a48d

SHA1
3c83078c43617ae571d9a61b39eae4ede88bc22d

SHA256
17bc50312cc61f67d4ffc530e68cc65d87024a1bf1a1de2f6a68da1a9cad517f

SHA512
3ea3f4102233ece6bc69a8162b6dc11ccb634c429889f060e6f4c1996cbbbe2102f222600f74ef9fcb57e47bdf5ff4b9fc571296d63a237d94ef621e723cc1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8772606.exe

Filesize
305KB

MD5
fd36b33b78036f478dc344679444a48d

SHA1
3c83078c43617ae571d9a61b39eae4ede88bc22d

SHA256
17bc50312cc61f67d4ffc530e68cc65d87024a1bf1a1de2f6a68da1a9cad517f

SHA512
3ea3f4102233ece6bc69a8162b6dc11ccb634c429889f060e6f4c1996cbbbe2102f222600f74ef9fcb57e47bdf5ff4b9fc571296d63a237d94ef621e723cc1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5673011.exe

Filesize
186KB

MD5
49645c5b76a460482704cc906a32a88f

SHA1
020bc5831e65c8ba96a9264bf8f7f2fd07c278f7

SHA256
2dc9ea7896fa1feaea9536b0477ab0c539fea5dba19b45d7a9fea95fb3582430

SHA512
e99880e1982bf60cb90c1be8b2b13d8ed3f5d6ac088c0869435b9009006c82e50d540fff4b75f528f51de3eacb9b7fbf9ccfd3b8b0045a638455c46409619c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5673011.exe

Filesize
186KB

MD5
49645c5b76a460482704cc906a32a88f

SHA1
020bc5831e65c8ba96a9264bf8f7f2fd07c278f7

SHA256
2dc9ea7896fa1feaea9536b0477ab0c539fea5dba19b45d7a9fea95fb3582430

SHA512
e99880e1982bf60cb90c1be8b2b13d8ed3f5d6ac088c0869435b9009006c82e50d540fff4b75f528f51de3eacb9b7fbf9ccfd3b8b0045a638455c46409619c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8651501.exe

Filesize
145KB

MD5
f3a1b1d2ac79f84c371a57a5ef6b8be0

SHA1
be248f36db9ad424a58ccb30b5927a08309034ec

SHA256
9077b4c4dc0f48821438ce6982b8e2d2139346daa86e53c7415c198f99b8d0b5

SHA512
a5fefc186379b444c29407ec5026c10d29fe4d9b9630635f8acdee8163d0862264f1fb7160f78318152d948d8c02b3222fbc743a01a07a40f23fe71685b1e5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8651501.exe

Filesize
145KB

MD5
f3a1b1d2ac79f84c371a57a5ef6b8be0

SHA1
be248f36db9ad424a58ccb30b5927a08309034ec

SHA256
9077b4c4dc0f48821438ce6982b8e2d2139346daa86e53c7415c198f99b8d0b5

SHA512
a5fefc186379b444c29407ec5026c10d29fe4d9b9630635f8acdee8163d0862264f1fb7160f78318152d948d8c02b3222fbc743a01a07a40f23fe71685b1e5b9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5727639.exe

Filesize
750KB

MD5
c2d646f939b48f05bf04a8789f62de1a

SHA1
fa660f3f4be7a8b919ad2037d5ebf4b2b8996126

SHA256
1413bc610f63b9f18607631548709bb13078306c845853b5f9cabf618c269081

SHA512
dd5e11aa4db5592d14b339da4bb7b0d39bb11ac275a907782558e7bff17fe4f623b4b59a75c7ba9aa24931b510f39f31d7f9b2ccf1e44da3457c11d3b95dce9f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5727639.exe

Filesize
750KB

MD5
c2d646f939b48f05bf04a8789f62de1a

SHA1
fa660f3f4be7a8b919ad2037d5ebf4b2b8996126

SHA256
1413bc610f63b9f18607631548709bb13078306c845853b5f9cabf618c269081

SHA512
dd5e11aa4db5592d14b339da4bb7b0d39bb11ac275a907782558e7bff17fe4f623b4b59a75c7ba9aa24931b510f39f31d7f9b2ccf1e44da3457c11d3b95dce9f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8772606.exe

Filesize
305KB

MD5
fd36b33b78036f478dc344679444a48d

SHA1
3c83078c43617ae571d9a61b39eae4ede88bc22d

SHA256
17bc50312cc61f67d4ffc530e68cc65d87024a1bf1a1de2f6a68da1a9cad517f

SHA512
3ea3f4102233ece6bc69a8162b6dc11ccb634c429889f060e6f4c1996cbbbe2102f222600f74ef9fcb57e47bdf5ff4b9fc571296d63a237d94ef621e723cc1c4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8772606.exe

Filesize
305KB

MD5
fd36b33b78036f478dc344679444a48d

SHA1
3c83078c43617ae571d9a61b39eae4ede88bc22d

SHA256
17bc50312cc61f67d4ffc530e68cc65d87024a1bf1a1de2f6a68da1a9cad517f

SHA512
3ea3f4102233ece6bc69a8162b6dc11ccb634c429889f060e6f4c1996cbbbe2102f222600f74ef9fcb57e47bdf5ff4b9fc571296d63a237d94ef621e723cc1c4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5673011.exe

Filesize
186KB

MD5
49645c5b76a460482704cc906a32a88f

SHA1
020bc5831e65c8ba96a9264bf8f7f2fd07c278f7

SHA256
2dc9ea7896fa1feaea9536b0477ab0c539fea5dba19b45d7a9fea95fb3582430

SHA512
e99880e1982bf60cb90c1be8b2b13d8ed3f5d6ac088c0869435b9009006c82e50d540fff4b75f528f51de3eacb9b7fbf9ccfd3b8b0045a638455c46409619c22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5673011.exe

Filesize
186KB

MD5
49645c5b76a460482704cc906a32a88f

SHA1
020bc5831e65c8ba96a9264bf8f7f2fd07c278f7

SHA256
2dc9ea7896fa1feaea9536b0477ab0c539fea5dba19b45d7a9fea95fb3582430

SHA512
e99880e1982bf60cb90c1be8b2b13d8ed3f5d6ac088c0869435b9009006c82e50d540fff4b75f528f51de3eacb9b7fbf9ccfd3b8b0045a638455c46409619c22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8651501.exe

Filesize
145KB

MD5
f3a1b1d2ac79f84c371a57a5ef6b8be0

SHA1
be248f36db9ad424a58ccb30b5927a08309034ec

SHA256
9077b4c4dc0f48821438ce6982b8e2d2139346daa86e53c7415c198f99b8d0b5

SHA512
a5fefc186379b444c29407ec5026c10d29fe4d9b9630635f8acdee8163d0862264f1fb7160f78318152d948d8c02b3222fbc743a01a07a40f23fe71685b1e5b9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8651501.exe

Filesize
145KB

MD5
f3a1b1d2ac79f84c371a57a5ef6b8be0

SHA1
be248f36db9ad424a58ccb30b5927a08309034ec

SHA256
9077b4c4dc0f48821438ce6982b8e2d2139346daa86e53c7415c198f99b8d0b5

SHA512
a5fefc186379b444c29407ec5026c10d29fe4d9b9630635f8acdee8163d0862264f1fb7160f78318152d948d8c02b3222fbc743a01a07a40f23fe71685b1e5b9

Download Submit
memory/1472-91-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-109-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-88-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-93-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-95-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-101-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-99-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-97-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-103-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-105-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-107-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-89-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-111-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-113-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-115-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/1472-87-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/1472-86-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/1472-85-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/1472-84-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/1500-122-0x0000000001370000-0x000000000139A000-memory.dmp

Filesize
168KB

Download
memory/1500-123-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1500-124-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download