redline | 6d1bdf221c71b527cbe1e269e2262ee2d889ccec6896d68fd02bad138f598a2d

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468a11b146618e46cd490852ff898d34.exe
Size

584KB
MD5

468a11b146618e46cd490852ff898d34
SHA1

b6b4eafc9434d2cd6092b9f90b8952554d553962
SHA256

6d1bdf221c71b527cbe1e269e2262ee2d889ccec6896d68fd02bad138f598a2d
SHA512

2dd13d4570c43e4482cd33aa144f2698e472429c5f5608ca97e5ba6ddf35d6d183ef07a8b77720e0d9ba80364a7f6024b4f130eaa2152e7438f79b863da84cb5
SSDEEP

12288:MMrqy90MN+uFpUvsRivPrQVN7U5WOl9fuUXVOcp6EmTL:Gyr+kzRgPqNUg6uUXPkEOL

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1461311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1461311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1461311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1461311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1461311.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1461311.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1808	y6844663.exe
464	y4414596.exe
1196	k1461311.exe
768	l1909337.exe

Loads dropped DLL 7 IoCs

pid	Process
748	468a11b146618e46cd490852ff898d34.exe
1808	y6844663.exe
1808	y6844663.exe
464	y4414596.exe
464	y4414596.exe
464	y4414596.exe
768	l1909337.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	k1461311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1461311.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	468a11b146618e46cd490852ff898d34.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6844663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6844663.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4414596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4414596.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	468a11b146618e46cd490852ff898d34.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	k1461311.exe
1196	k1461311.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	k1461311.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 748 wrote to memory of 1808	748	468a11b146618e46cd490852ff898d34.exe	26
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 1808 wrote to memory of 464	1808	y6844663.exe	27
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 1196	464	y4414596.exe	28
PID 464 wrote to memory of 768	464	y4414596.exe	29
PID 464 wrote to memory of 768	464	y4414596.exe	29
PID 464 wrote to memory of 768	464	y4414596.exe	29
PID 464 wrote to memory of 768	464	y4414596.exe	29
PID 464 wrote to memory of 768	464	y4414596.exe	29
PID 464 wrote to memory of 768	464	y4414596.exe	29
PID 464 wrote to memory of 768	464	y4414596.exe	29

C:\Users\Admin\AppData\Local\Temp\468a11b146618e46cd490852ff898d34.exe
"C:\Users\Admin\AppData\Local\Temp\468a11b146618e46cd490852ff898d34.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844663.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844663.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4414596.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4414596.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1461311.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1461311.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1909337.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1909337.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844663.exe

Filesize
377KB

MD5
859dce6c5376c9b5d9245697e9e7be44

SHA1
be4519194aea8e50cda47ec96f1920d6d3f60b05

SHA256
6f40aa97e9c931ee6d0dcc3c5289cc23aa24daa80bccf76f3f591fcd0cbb7d21

SHA512
ae495dd017d399360e5578e2b9286492ff2898bb6696e60cd89db527a39455339549cffea67f939a4aa28f570758cb7e204d926fbcbea3240abd35aa61f19ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844663.exe

Filesize
377KB

MD5
859dce6c5376c9b5d9245697e9e7be44

SHA1
be4519194aea8e50cda47ec96f1920d6d3f60b05

SHA256
6f40aa97e9c931ee6d0dcc3c5289cc23aa24daa80bccf76f3f591fcd0cbb7d21

SHA512
ae495dd017d399360e5578e2b9286492ff2898bb6696e60cd89db527a39455339549cffea67f939a4aa28f570758cb7e204d926fbcbea3240abd35aa61f19ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4414596.exe

Filesize
206KB

MD5
a1233ef95cebb9748c2af8c11cfb9eab

SHA1
589306329a935a887700241a9c6df4772a0f7726

SHA256
86852900e45679c4fa9ddd5819bf02acd4c1dd296a3395f1dda882e243352a97

SHA512
b4562b2b6ad3530dc2014707c7037c71e7e15a61dd09f088c0333ea7bef8f86259442c8c34612c5a0fb635435df0d92a3e5cde917be9de8d7302307df497cd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4414596.exe

Filesize
206KB

MD5
a1233ef95cebb9748c2af8c11cfb9eab

SHA1
589306329a935a887700241a9c6df4772a0f7726

SHA256
86852900e45679c4fa9ddd5819bf02acd4c1dd296a3395f1dda882e243352a97

SHA512
b4562b2b6ad3530dc2014707c7037c71e7e15a61dd09f088c0333ea7bef8f86259442c8c34612c5a0fb635435df0d92a3e5cde917be9de8d7302307df497cd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1461311.exe

Filesize
12KB

MD5
04c94ad223bab696de00a1fdfaf5e614

SHA1
9185415c103f3b46d5db57a52920603bc19db839

SHA256
da90d38e1ffcb41ce0c67ff25152839c9e898243ce1537de76ab118b49ba3f9a

SHA512
be8106939d470521437fcdd9a4f2f010116748fc837fcdcd5fbdbf90999cd7b699abaa250c4019a06ea7d5de0deeeec3a90410b4b2a6b37f757a3277549a7e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1461311.exe

Filesize
12KB

MD5
04c94ad223bab696de00a1fdfaf5e614

SHA1
9185415c103f3b46d5db57a52920603bc19db839

SHA256
da90d38e1ffcb41ce0c67ff25152839c9e898243ce1537de76ab118b49ba3f9a

SHA512
be8106939d470521437fcdd9a4f2f010116748fc837fcdcd5fbdbf90999cd7b699abaa250c4019a06ea7d5de0deeeec3a90410b4b2a6b37f757a3277549a7e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1909337.exe

Filesize
172KB

MD5
f22307dc135c6d9803ea140e5524711a

SHA1
595131d77deaee3fda0a49f90eb3ab0f63792914

SHA256
98b56405565a8b823bdfb3872c4ebaae463c27826c8afb21efaecde328a8f136

SHA512
73a8160f5e45142a6c7d5b6320328a60bb3439ec474ef881b01a704591f2cd37ea790cdefe81efd3a90a2cd19575ab9d47af702c9725a915f3e16f7474e2cd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1909337.exe

Filesize
172KB

MD5
f22307dc135c6d9803ea140e5524711a

SHA1
595131d77deaee3fda0a49f90eb3ab0f63792914

SHA256
98b56405565a8b823bdfb3872c4ebaae463c27826c8afb21efaecde328a8f136

SHA512
73a8160f5e45142a6c7d5b6320328a60bb3439ec474ef881b01a704591f2cd37ea790cdefe81efd3a90a2cd19575ab9d47af702c9725a915f3e16f7474e2cd6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844663.exe

Filesize
377KB

MD5
859dce6c5376c9b5d9245697e9e7be44

SHA1
be4519194aea8e50cda47ec96f1920d6d3f60b05

SHA256
6f40aa97e9c931ee6d0dcc3c5289cc23aa24daa80bccf76f3f591fcd0cbb7d21

SHA512
ae495dd017d399360e5578e2b9286492ff2898bb6696e60cd89db527a39455339549cffea67f939a4aa28f570758cb7e204d926fbcbea3240abd35aa61f19ddd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6844663.exe

Filesize
377KB

MD5
859dce6c5376c9b5d9245697e9e7be44

SHA1
be4519194aea8e50cda47ec96f1920d6d3f60b05

SHA256
6f40aa97e9c931ee6d0dcc3c5289cc23aa24daa80bccf76f3f591fcd0cbb7d21

SHA512
ae495dd017d399360e5578e2b9286492ff2898bb6696e60cd89db527a39455339549cffea67f939a4aa28f570758cb7e204d926fbcbea3240abd35aa61f19ddd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4414596.exe

Filesize
206KB

MD5
a1233ef95cebb9748c2af8c11cfb9eab

SHA1
589306329a935a887700241a9c6df4772a0f7726

SHA256
86852900e45679c4fa9ddd5819bf02acd4c1dd296a3395f1dda882e243352a97

SHA512
b4562b2b6ad3530dc2014707c7037c71e7e15a61dd09f088c0333ea7bef8f86259442c8c34612c5a0fb635435df0d92a3e5cde917be9de8d7302307df497cd9e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4414596.exe

Filesize
206KB

MD5
a1233ef95cebb9748c2af8c11cfb9eab

SHA1
589306329a935a887700241a9c6df4772a0f7726

SHA256
86852900e45679c4fa9ddd5819bf02acd4c1dd296a3395f1dda882e243352a97

SHA512
b4562b2b6ad3530dc2014707c7037c71e7e15a61dd09f088c0333ea7bef8f86259442c8c34612c5a0fb635435df0d92a3e5cde917be9de8d7302307df497cd9e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1461311.exe

Filesize
12KB

MD5
04c94ad223bab696de00a1fdfaf5e614

SHA1
9185415c103f3b46d5db57a52920603bc19db839

SHA256
da90d38e1ffcb41ce0c67ff25152839c9e898243ce1537de76ab118b49ba3f9a

SHA512
be8106939d470521437fcdd9a4f2f010116748fc837fcdcd5fbdbf90999cd7b699abaa250c4019a06ea7d5de0deeeec3a90410b4b2a6b37f757a3277549a7e00

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1909337.exe

Filesize
172KB

MD5
f22307dc135c6d9803ea140e5524711a

SHA1
595131d77deaee3fda0a49f90eb3ab0f63792914

SHA256
98b56405565a8b823bdfb3872c4ebaae463c27826c8afb21efaecde328a8f136

SHA512
73a8160f5e45142a6c7d5b6320328a60bb3439ec474ef881b01a704591f2cd37ea790cdefe81efd3a90a2cd19575ab9d47af702c9725a915f3e16f7474e2cd6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1909337.exe

Filesize
172KB

MD5
f22307dc135c6d9803ea140e5524711a

SHA1
595131d77deaee3fda0a49f90eb3ab0f63792914

SHA256
98b56405565a8b823bdfb3872c4ebaae463c27826c8afb21efaecde328a8f136

SHA512
73a8160f5e45142a6c7d5b6320328a60bb3439ec474ef881b01a704591f2cd37ea790cdefe81efd3a90a2cd19575ab9d47af702c9725a915f3e16f7474e2cd6a

Download Submit
memory/768-89-0x00000000013D0000-0x0000000001400000-memory.dmp

Filesize
192KB

Download
memory/768-90-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/768-91-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/768-92-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1196-82-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download