redline | 457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8

Analysis

max time kernel
298s
max time network
300s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-05-2023 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
Size

1.0MB
MD5

57e3240e91b855b16fc01b3a0e675d1c
SHA1

860c69daa332dc6e7c949ff7fadad26eac3c7303
SHA256

457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8
SHA512

606f9327fba60b0a2b7665ae9024e8043b766fb740d9afdc0f8dee4e3774ad81439158b5fd464ccda9017115969dcee7f5774ef81f48c6f9539a425c7d5054bc
SSDEEP

24576:ny3lHqJQ+g53DiBq/SCLACqywNv0m02rJM8QX6OJ5:y1H953DiBqRH+vl02r4X6

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8704938.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
888	y1900768.exe
768	y9646688.exe
1476	k8704938.exe
1408	l2928420.exe

Loads dropped DLL 8 IoCs

pid	Process
2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
888	y1900768.exe
888	y1900768.exe
768	y9646688.exe
768	y9646688.exe
1476	k8704938.exe
768	y9646688.exe
1408	l2928420.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8704938.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1900768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1900768.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9646688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9646688.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	k8704938.exe
1476	k8704938.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	k8704938.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 2008 wrote to memory of 888	2008	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	28
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 888 wrote to memory of 768	888	y1900768.exe	29
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1476	768	y9646688.exe	30
PID 768 wrote to memory of 1408	768	y9646688.exe	31
PID 768 wrote to memory of 1408	768	y9646688.exe	31
PID 768 wrote to memory of 1408	768	y9646688.exe	31
PID 768 wrote to memory of 1408	768	y9646688.exe	31
PID 768 wrote to memory of 1408	768	y9646688.exe	31
PID 768 wrote to memory of 1408	768	y9646688.exe	31
PID 768 wrote to memory of 1408	768	y9646688.exe	31

C:\Users\Admin\AppData\Local\Temp\457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
"C:\Users\Admin\AppData\Local\Temp\457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe

Filesize
750KB

MD5
4c7cba3a55b78101c772c5a36dc4854b

SHA1
696b83b6fe555c5b7239f6f6d6d33c2511f885d9

SHA256
31eb80847dbb0e4aff78f011d60c6a6b46ed2050e050bcc7b262b07a30b62fae

SHA512
2c2a97a0c40a74396b138e2ca9ce54e6e9bba507268813e3e252df227661f53fa87164a22f98e7c2f40e0040482d47e2f8b8e30a71bf715baca788157afeb5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe

Filesize
750KB

MD5
4c7cba3a55b78101c772c5a36dc4854b

SHA1
696b83b6fe555c5b7239f6f6d6d33c2511f885d9

SHA256
31eb80847dbb0e4aff78f011d60c6a6b46ed2050e050bcc7b262b07a30b62fae

SHA512
2c2a97a0c40a74396b138e2ca9ce54e6e9bba507268813e3e252df227661f53fa87164a22f98e7c2f40e0040482d47e2f8b8e30a71bf715baca788157afeb5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe

Filesize
305KB

MD5
b15f12fa6678d9d697cc6805a6db603f

SHA1
83a974b62218eb7a064cc6d5d0d3f64b161380e4

SHA256
d6e1a1f38e2b9cdc8e2f1533006875f728417893e6793d41a14f2b66f361a295

SHA512
d0da911794b407c447abc8773ca83f4181cfbc0125e33f93f62c798c2b8c85a2eae402a2fe9761327b03d3d256e44ed1aed9b624a07218d7347567bc84bc94a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe

Filesize
305KB

MD5
b15f12fa6678d9d697cc6805a6db603f

SHA1
83a974b62218eb7a064cc6d5d0d3f64b161380e4

SHA256
d6e1a1f38e2b9cdc8e2f1533006875f728417893e6793d41a14f2b66f361a295

SHA512
d0da911794b407c447abc8773ca83f4181cfbc0125e33f93f62c798c2b8c85a2eae402a2fe9761327b03d3d256e44ed1aed9b624a07218d7347567bc84bc94a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe

Filesize
184KB

MD5
58dba47f9c7d53ae734da0f314af09b1

SHA1
85146261b71e0bfdbb5854b77d72f4cd3b461d89

SHA256
97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

SHA512
f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe

Filesize
184KB

MD5
58dba47f9c7d53ae734da0f314af09b1

SHA1
85146261b71e0bfdbb5854b77d72f4cd3b461d89

SHA256
97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

SHA512
f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe

Filesize
145KB

MD5
71c3ccdf8723c44dbe1d0fa7800ccca5

SHA1
83406d3e8591985d6a0b42549e643ec0764a4b57

SHA256
a33012df84df0946bd2a348e8682f266487763eef41a9232874ae9ec013f97e6

SHA512
d908bbf9008c88fae675707902d6f12159be1be1e2c16a1863eaa8b9d07c3c3f0d38561e32d1c19fabcb94236155a5698c0b26aaec178e333521b68ded1c779e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe

Filesize
145KB

MD5
71c3ccdf8723c44dbe1d0fa7800ccca5

SHA1
83406d3e8591985d6a0b42549e643ec0764a4b57

SHA256
a33012df84df0946bd2a348e8682f266487763eef41a9232874ae9ec013f97e6

SHA512
d908bbf9008c88fae675707902d6f12159be1be1e2c16a1863eaa8b9d07c3c3f0d38561e32d1c19fabcb94236155a5698c0b26aaec178e333521b68ded1c779e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe

Filesize
750KB

MD5
4c7cba3a55b78101c772c5a36dc4854b

SHA1
696b83b6fe555c5b7239f6f6d6d33c2511f885d9

SHA256
31eb80847dbb0e4aff78f011d60c6a6b46ed2050e050bcc7b262b07a30b62fae

SHA512
2c2a97a0c40a74396b138e2ca9ce54e6e9bba507268813e3e252df227661f53fa87164a22f98e7c2f40e0040482d47e2f8b8e30a71bf715baca788157afeb5db

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe

Filesize
750KB

MD5
4c7cba3a55b78101c772c5a36dc4854b

SHA1
696b83b6fe555c5b7239f6f6d6d33c2511f885d9

SHA256
31eb80847dbb0e4aff78f011d60c6a6b46ed2050e050bcc7b262b07a30b62fae

SHA512
2c2a97a0c40a74396b138e2ca9ce54e6e9bba507268813e3e252df227661f53fa87164a22f98e7c2f40e0040482d47e2f8b8e30a71bf715baca788157afeb5db

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe

Filesize
305KB

MD5
b15f12fa6678d9d697cc6805a6db603f

SHA1
83a974b62218eb7a064cc6d5d0d3f64b161380e4

SHA256
d6e1a1f38e2b9cdc8e2f1533006875f728417893e6793d41a14f2b66f361a295

SHA512
d0da911794b407c447abc8773ca83f4181cfbc0125e33f93f62c798c2b8c85a2eae402a2fe9761327b03d3d256e44ed1aed9b624a07218d7347567bc84bc94a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe

Filesize
305KB

MD5
b15f12fa6678d9d697cc6805a6db603f

SHA1
83a974b62218eb7a064cc6d5d0d3f64b161380e4

SHA256
d6e1a1f38e2b9cdc8e2f1533006875f728417893e6793d41a14f2b66f361a295

SHA512
d0da911794b407c447abc8773ca83f4181cfbc0125e33f93f62c798c2b8c85a2eae402a2fe9761327b03d3d256e44ed1aed9b624a07218d7347567bc84bc94a1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe

Filesize
184KB

MD5
58dba47f9c7d53ae734da0f314af09b1

SHA1
85146261b71e0bfdbb5854b77d72f4cd3b461d89

SHA256
97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

SHA512
f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe

Filesize
184KB

MD5
58dba47f9c7d53ae734da0f314af09b1

SHA1
85146261b71e0bfdbb5854b77d72f4cd3b461d89

SHA256
97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

SHA512
f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe

Filesize
145KB

MD5
71c3ccdf8723c44dbe1d0fa7800ccca5

SHA1
83406d3e8591985d6a0b42549e643ec0764a4b57

SHA256
a33012df84df0946bd2a348e8682f266487763eef41a9232874ae9ec013f97e6

SHA512
d908bbf9008c88fae675707902d6f12159be1be1e2c16a1863eaa8b9d07c3c3f0d38561e32d1c19fabcb94236155a5698c0b26aaec178e333521b68ded1c779e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe

Filesize
145KB

MD5
71c3ccdf8723c44dbe1d0fa7800ccca5

SHA1
83406d3e8591985d6a0b42549e643ec0764a4b57

SHA256
a33012df84df0946bd2a348e8682f266487763eef41a9232874ae9ec013f97e6

SHA512
d908bbf9008c88fae675707902d6f12159be1be1e2c16a1863eaa8b9d07c3c3f0d38561e32d1c19fabcb94236155a5698c0b26aaec178e333521b68ded1c779e

Download Submit
memory/1408-124-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/1408-123-0x00000000000F0000-0x000000000011A000-memory.dmp

Filesize
168KB

Download
memory/1408-125-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/1476-92-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-112-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-98-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-100-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-102-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-104-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-106-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-108-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-110-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-96-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-114-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-115-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1476-116-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1476-94-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-90-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-88-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-87-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1476-86-0x00000000020E0000-0x00000000020FC000-memory.dmp

Filesize
112KB

Download
memory/1476-85-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1476-84-0x0000000000B90000-0x0000000000BAE000-memory.dmp

Filesize
120KB

Download