redline | 3c785e270042f3778b2321d0be981e2252fbe5dc55109b38b66a6e5c1418e204

Analysis

max time kernel
135s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 11:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07118299.exe
Size

585KB
MD5

bb4539edbb8fa9c890cc49978383414d
SHA1

61a759e91f6cdeacffbb1cab32e692b7075efaa8
SHA256

3c785e270042f3778b2321d0be981e2252fbe5dc55109b38b66a6e5c1418e204
SHA512

8e54826a8fccdb64714bff359ae9223dadb00cfb5de15456e6a15c66d1a16faa9dee836101527ca8fe7f5e1e714c77e776bcb377466951207ca51ba546745fa5
SSDEEP

12288:TMrqy90Z037vhyfXuO8v59X22y+MXZejR1EQP/eq64aNZa:lyYy6uD/ZMp2EeeDVa

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4225289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4225289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4225289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4225289.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k4225289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4225289.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1224	y0826039.exe
836	y1856327.exe
1668	k4225289.exe
928	l4429849.exe

Loads dropped DLL 7 IoCs

pid	Process
1696	07118299.exe
1224	y0826039.exe
1224	y0826039.exe
836	y1856327.exe
836	y1856327.exe
836	y1856327.exe
928	l4429849.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	k4225289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4225289.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1856327.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	07118299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	07118299.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0826039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0826039.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1856327.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1668	k4225289.exe
1668	k4225289.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe
928	l4429849.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	k4225289.exe
Token: SeDebugPrivilege	928	l4429849.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1696 wrote to memory of 1224	1696	07118299.exe	26
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 1224 wrote to memory of 836	1224	y0826039.exe	27
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 1668	836	y1856327.exe	28
PID 836 wrote to memory of 928	836	y1856327.exe	29
PID 836 wrote to memory of 928	836	y1856327.exe	29
PID 836 wrote to memory of 928	836	y1856327.exe	29
PID 836 wrote to memory of 928	836	y1856327.exe	29
PID 836 wrote to memory of 928	836	y1856327.exe	29
PID 836 wrote to memory of 928	836	y1856327.exe	29
PID 836 wrote to memory of 928	836	y1856327.exe	29

C:\Users\Admin\AppData\Local\Temp\07118299.exe
"C:\Users\Admin\AppData\Local\Temp\07118299.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe

Filesize
377KB

MD5
04c913636eef8e009b67a6471aceb1cc

SHA1
50c666e0fc32181e3673352451e67167aa15632a

SHA256
bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

SHA512
3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe

Filesize
377KB

MD5
04c913636eef8e009b67a6471aceb1cc

SHA1
50c666e0fc32181e3673352451e67167aa15632a

SHA256
bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

SHA512
3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe

Filesize
206KB

MD5
141cac089e26c4f0c69e0d7e512f7be1

SHA1
5509723287d89cfbbdd084d6480f8f7c962f2e47

SHA256
45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

SHA512
35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe

Filesize
206KB

MD5
141cac089e26c4f0c69e0d7e512f7be1

SHA1
5509723287d89cfbbdd084d6480f8f7c962f2e47

SHA256
45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

SHA512
35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe

Filesize
13KB

MD5
2729520af0a8af272be9fa9a08374fed

SHA1
287f245bc42c5672947f9be216934c3193ff20fd

SHA256
5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

SHA512
eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe

Filesize
13KB

MD5
2729520af0a8af272be9fa9a08374fed

SHA1
287f245bc42c5672947f9be216934c3193ff20fd

SHA256
5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

SHA512
eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe

Filesize
172KB

MD5
9ee6e7a9103170f2f829a497879dec4d

SHA1
1013f962d3071a62ef343cb8d93888264d528d64

SHA256
77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

SHA512
60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe

Filesize
172KB

MD5
9ee6e7a9103170f2f829a497879dec4d

SHA1
1013f962d3071a62ef343cb8d93888264d528d64

SHA256
77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

SHA512
60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe

Filesize
377KB

MD5
04c913636eef8e009b67a6471aceb1cc

SHA1
50c666e0fc32181e3673352451e67167aa15632a

SHA256
bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

SHA512
3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0826039.exe

Filesize
377KB

MD5
04c913636eef8e009b67a6471aceb1cc

SHA1
50c666e0fc32181e3673352451e67167aa15632a

SHA256
bc8b22566ddc8ccf1ecfe8e4b78ff376ca85f6ccc4b4675079c11a9cff9d905d

SHA512
3cc52eb2a662069f3062994197f1a2ace2b49d266ff0243ff5b328601df0863a9bba52e15f36d6b47b3aeec9ba94183a0f9aee99224382b28670c60186e6baba

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe

Filesize
206KB

MD5
141cac089e26c4f0c69e0d7e512f7be1

SHA1
5509723287d89cfbbdd084d6480f8f7c962f2e47

SHA256
45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

SHA512
35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1856327.exe

Filesize
206KB

MD5
141cac089e26c4f0c69e0d7e512f7be1

SHA1
5509723287d89cfbbdd084d6480f8f7c962f2e47

SHA256
45d242d5c7f3fe4a5537a71920b7fea210883a561fbedcf3d91022bd566a1f82

SHA512
35ed5701857d1eb28a85d6651549e51443166180a25d90b2bd2240424f21775f83c4bd5fabe9bccd71c8afcc9d4b336184cd569d120b0ec27a936090a40baa00

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4225289.exe

Filesize
13KB

MD5
2729520af0a8af272be9fa9a08374fed

SHA1
287f245bc42c5672947f9be216934c3193ff20fd

SHA256
5ba9237ec136790729e884f911cb938883dfe89921928fb95d183c9fbea6b3a7

SHA512
eba559f01fb22ac033f05792fa2c5a99c9221a9d96267451b42852192722e25c75a76208270a53d1fdd8db0d98e997f6303e09efc79e0261215f8105d520738d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe

Filesize
172KB

MD5
9ee6e7a9103170f2f829a497879dec4d

SHA1
1013f962d3071a62ef343cb8d93888264d528d64

SHA256
77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

SHA512
60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4429849.exe

Filesize
172KB

MD5
9ee6e7a9103170f2f829a497879dec4d

SHA1
1013f962d3071a62ef343cb8d93888264d528d64

SHA256
77ef79a08394225118c83157a36af2d018283c0ca5dc927e657a546cd99e1f39

SHA512
60bf3d3dec2bb2f3ee7ad5de4eee72ad11ed3517e36441be975548d0eff46f96202ad01effe7bb7207638196869328a0bda05d805fd26658d64e3c69d0061ef4

Download Submit
memory/928-89-0x00000000001A0000-0x00000000001D0000-memory.dmp

Filesize
192KB

Download
memory/928-90-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/928-91-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/928-92-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/1668-82-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download