redline | d018bbce713951b1cc773b70806743b912e20ee16d9a995e42fdf448c91c392c

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 11:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03539199.exe
Size

585KB
MD5

cec4bd951390d4ec90489e02ed8a998c
SHA1

209163409815833e8c477c84a05bc877934a5ed7
SHA256

d018bbce713951b1cc773b70806743b912e20ee16d9a995e42fdf448c91c392c
SHA512

f8a4948e2cf7253273221599dc91f18098fd303e0150964b176427416752ef2aca0d570dc825861754bfb45564003be8bb10ad870c1b71ff9adf8f93e5091ab2
SSDEEP

12288:aMrcy90U5NskWgdc4okuhOqdgAIjKM5LgQJxmLy6:yylNxSkAIKM2+mO6

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8507075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8507075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8507075.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k8507075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8507075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8507075.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2028	y5950734.exe
764	y1064783.exe
440	k8507075.exe
112	l2919694.exe

Loads dropped DLL 7 IoCs

pid	Process
2032	03539199.exe
2028	y5950734.exe
2028	y5950734.exe
764	y1064783.exe
764	y1064783.exe
764	y1064783.exe
112	l2919694.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	k8507075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8507075.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5950734.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1064783.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1064783.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03539199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03539199.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5950734.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
440	k8507075.exe
440	k8507075.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe
112	l2919694.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	k8507075.exe
Token: SeDebugPrivilege	112	l2919694.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2032 wrote to memory of 2028	2032	03539199.exe	28
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 2028 wrote to memory of 764	2028	y5950734.exe	29
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 440	764	y1064783.exe	30
PID 764 wrote to memory of 112	764	y1064783.exe	31
PID 764 wrote to memory of 112	764	y1064783.exe	31
PID 764 wrote to memory of 112	764	y1064783.exe	31
PID 764 wrote to memory of 112	764	y1064783.exe	31
PID 764 wrote to memory of 112	764	y1064783.exe	31
PID 764 wrote to memory of 112	764	y1064783.exe	31
PID 764 wrote to memory of 112	764	y1064783.exe	31

C:\Users\Admin\AppData\Local\Temp\03539199.exe
"C:\Users\Admin\AppData\Local\Temp\03539199.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950734.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950734.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1064783.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1064783.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8507075.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8507075.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2919694.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2919694.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950734.exe

Filesize
377KB

MD5
1176fbe0c277cb23e12cc7c1294cb85d

SHA1
70d2dc318e90bcaa82876c2c2477798518e97f3f

SHA256
4a6c00a090e29d3b3b239ac52fd79f1f9373d549d729c7720debe1c905ad355f

SHA512
369b71d3067c0b852cdbdcd844c142f0692b378540d58d804bbee13ae7e34e1bd78bae435ac16d323947d83a15bb0ead0fcf83b592c3fc201c80d5de43583e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950734.exe

Filesize
377KB

MD5
1176fbe0c277cb23e12cc7c1294cb85d

SHA1
70d2dc318e90bcaa82876c2c2477798518e97f3f

SHA256
4a6c00a090e29d3b3b239ac52fd79f1f9373d549d729c7720debe1c905ad355f

SHA512
369b71d3067c0b852cdbdcd844c142f0692b378540d58d804bbee13ae7e34e1bd78bae435ac16d323947d83a15bb0ead0fcf83b592c3fc201c80d5de43583e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1064783.exe

Filesize
206KB

MD5
3a558967f7bdc0999980ac27c38ec245

SHA1
32d50f6305255db9948407c818c7ebf799868bc0

SHA256
348d22ebcce0385d55a6b7356a06e95a76cd30b3bd85c2f05197d56527c7bd85

SHA512
df4a36bbdbf6d6a3cccd05609faaa4910aa5c8781475845fe2f0579252171ff7b3114aa360e5792812147ba9ebd2233f78d920034c74337604d7c8e116346cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1064783.exe

Filesize
206KB

MD5
3a558967f7bdc0999980ac27c38ec245

SHA1
32d50f6305255db9948407c818c7ebf799868bc0

SHA256
348d22ebcce0385d55a6b7356a06e95a76cd30b3bd85c2f05197d56527c7bd85

SHA512
df4a36bbdbf6d6a3cccd05609faaa4910aa5c8781475845fe2f0579252171ff7b3114aa360e5792812147ba9ebd2233f78d920034c74337604d7c8e116346cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8507075.exe

Filesize
13KB

MD5
6d94065be6eb42197ddd19d827cd6863

SHA1
1a855d0dffb58b07ea6ae2b42f13d287fed9ecd3

SHA256
fb564eedb9f9f18a7711af5e4c457ed3e2ed31dbdcaf6fe5f64cc8ca1b401ab0

SHA512
0e49bdccb8874dc4cc502d739bf0b9f7aed1774a83853daa0323795d22529624e326f56c6cceb8fa8b2860a08ba4135017d4fb59ea7416e4e00f335e90778295

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8507075.exe

Filesize
13KB

MD5
6d94065be6eb42197ddd19d827cd6863

SHA1
1a855d0dffb58b07ea6ae2b42f13d287fed9ecd3

SHA256
fb564eedb9f9f18a7711af5e4c457ed3e2ed31dbdcaf6fe5f64cc8ca1b401ab0

SHA512
0e49bdccb8874dc4cc502d739bf0b9f7aed1774a83853daa0323795d22529624e326f56c6cceb8fa8b2860a08ba4135017d4fb59ea7416e4e00f335e90778295

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2919694.exe

Filesize
172KB

MD5
2cfb83c873d2269f7d5152d27e9ed493

SHA1
8a1b52f66b34ad360ec2e77fb3b4f582266e55c8

SHA256
c4024d657f566a3b637cb33b011fb27da7e0d536527bf52c88006864ff1c173b

SHA512
1e251c238f15dca9ae67cbd949e9dcff0470a03bc96f179be5452299eea765c5f876d13e549073749c5319edfdfd792454875c97b442fa66e4f3e64e5ecd98d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2919694.exe

Filesize
172KB

MD5
2cfb83c873d2269f7d5152d27e9ed493

SHA1
8a1b52f66b34ad360ec2e77fb3b4f582266e55c8

SHA256
c4024d657f566a3b637cb33b011fb27da7e0d536527bf52c88006864ff1c173b

SHA512
1e251c238f15dca9ae67cbd949e9dcff0470a03bc96f179be5452299eea765c5f876d13e549073749c5319edfdfd792454875c97b442fa66e4f3e64e5ecd98d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950734.exe

Filesize
377KB

MD5
1176fbe0c277cb23e12cc7c1294cb85d

SHA1
70d2dc318e90bcaa82876c2c2477798518e97f3f

SHA256
4a6c00a090e29d3b3b239ac52fd79f1f9373d549d729c7720debe1c905ad355f

SHA512
369b71d3067c0b852cdbdcd844c142f0692b378540d58d804bbee13ae7e34e1bd78bae435ac16d323947d83a15bb0ead0fcf83b592c3fc201c80d5de43583e13

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950734.exe

Filesize
377KB

MD5
1176fbe0c277cb23e12cc7c1294cb85d

SHA1
70d2dc318e90bcaa82876c2c2477798518e97f3f

SHA256
4a6c00a090e29d3b3b239ac52fd79f1f9373d549d729c7720debe1c905ad355f

SHA512
369b71d3067c0b852cdbdcd844c142f0692b378540d58d804bbee13ae7e34e1bd78bae435ac16d323947d83a15bb0ead0fcf83b592c3fc201c80d5de43583e13

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1064783.exe

Filesize
206KB

MD5
3a558967f7bdc0999980ac27c38ec245

SHA1
32d50f6305255db9948407c818c7ebf799868bc0

SHA256
348d22ebcce0385d55a6b7356a06e95a76cd30b3bd85c2f05197d56527c7bd85

SHA512
df4a36bbdbf6d6a3cccd05609faaa4910aa5c8781475845fe2f0579252171ff7b3114aa360e5792812147ba9ebd2233f78d920034c74337604d7c8e116346cde

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1064783.exe

Filesize
206KB

MD5
3a558967f7bdc0999980ac27c38ec245

SHA1
32d50f6305255db9948407c818c7ebf799868bc0

SHA256
348d22ebcce0385d55a6b7356a06e95a76cd30b3bd85c2f05197d56527c7bd85

SHA512
df4a36bbdbf6d6a3cccd05609faaa4910aa5c8781475845fe2f0579252171ff7b3114aa360e5792812147ba9ebd2233f78d920034c74337604d7c8e116346cde

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8507075.exe

Filesize
13KB

MD5
6d94065be6eb42197ddd19d827cd6863

SHA1
1a855d0dffb58b07ea6ae2b42f13d287fed9ecd3

SHA256
fb564eedb9f9f18a7711af5e4c457ed3e2ed31dbdcaf6fe5f64cc8ca1b401ab0

SHA512
0e49bdccb8874dc4cc502d739bf0b9f7aed1774a83853daa0323795d22529624e326f56c6cceb8fa8b2860a08ba4135017d4fb59ea7416e4e00f335e90778295

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2919694.exe

Filesize
172KB

MD5
2cfb83c873d2269f7d5152d27e9ed493

SHA1
8a1b52f66b34ad360ec2e77fb3b4f582266e55c8

SHA256
c4024d657f566a3b637cb33b011fb27da7e0d536527bf52c88006864ff1c173b

SHA512
1e251c238f15dca9ae67cbd949e9dcff0470a03bc96f179be5452299eea765c5f876d13e549073749c5319edfdfd792454875c97b442fa66e4f3e64e5ecd98d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2919694.exe

Filesize
172KB

MD5
2cfb83c873d2269f7d5152d27e9ed493

SHA1
8a1b52f66b34ad360ec2e77fb3b4f582266e55c8

SHA256
c4024d657f566a3b637cb33b011fb27da7e0d536527bf52c88006864ff1c173b

SHA512
1e251c238f15dca9ae67cbd949e9dcff0470a03bc96f179be5452299eea765c5f876d13e549073749c5319edfdfd792454875c97b442fa66e4f3e64e5ecd98d6

Download Submit
memory/112-89-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/112-90-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/112-91-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/112-92-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/440-82-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download