redline | e3420fc8be6b383d3c81fc05dea3d7243d88f8c58d946e120fc49115412017a2

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08259899.exe
Size

585KB
MD5

48fd57fde93bc3ea676506d9bc86ec90
SHA1

9768e0856cf7ce7b08609292dac2bc9546f70803
SHA256

e3420fc8be6b383d3c81fc05dea3d7243d88f8c58d946e120fc49115412017a2
SHA512

c65362f0cfbb7fcfd1ad6ded1bcd81ed215b6f9f785b5d90c40e6ef103f1063c2c944d413ca22361924e1b635eac95449123ea8e36f16ce0ae468c7602953ac3
SSDEEP

12288:lMrMy900rOFPjYRfLUWvxD/5D6pwIMbByl8V3oVpsFLJZy:xyhgYNLlF5D6poByNVpo7y

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6294941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6294941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6294941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6294941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6294941.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k6294941.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
300	y9454163.exe
1692	y7752669.exe
1756	k6294941.exe
1076	l9052720.exe

Loads dropped DLL 7 IoCs

pid	Process
1716	08259899.exe
300	y9454163.exe
300	y9454163.exe
1692	y7752669.exe
1692	y7752669.exe
1692	y7752669.exe
1076	l9052720.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	k6294941.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6294941.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08259899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08259899.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9454163.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9454163.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7752669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7752669.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1756	k6294941.exe
1756	k6294941.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe
1076	l9052720.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	k6294941.exe
Token: SeDebugPrivilege	1076	l9052720.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 1716 wrote to memory of 300	1716	08259899.exe	27
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 300 wrote to memory of 1692	300	y9454163.exe	28
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1756	1692	y7752669.exe	29
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30
PID 1692 wrote to memory of 1076	1692	y7752669.exe	30

C:\Users\Admin\AppData\Local\Temp\08259899.exe
"C:\Users\Admin\AppData\Local\Temp\08259899.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe

Filesize
377KB

MD5
46afa44e4e1ec95815aaa6d25a5ff3cd

SHA1
ad7a1a73faa677adc1c5ddfab32fe6af070bd977

SHA256
f35e633855fe2d8bc3ba4afaa949f35e63d645dfe1f17afa6de79efe851dfb11

SHA512
5158bd75d29d21a33021d29a795208aaa231a0976fe037fab2bf04b8b0f5724343f30c32002b8236e1974bf1af87627c69fb06fbff0cf048440db4f958e80bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe

Filesize
377KB

MD5
46afa44e4e1ec95815aaa6d25a5ff3cd

SHA1
ad7a1a73faa677adc1c5ddfab32fe6af070bd977

SHA256
f35e633855fe2d8bc3ba4afaa949f35e63d645dfe1f17afa6de79efe851dfb11

SHA512
5158bd75d29d21a33021d29a795208aaa231a0976fe037fab2bf04b8b0f5724343f30c32002b8236e1974bf1af87627c69fb06fbff0cf048440db4f958e80bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe

Filesize
206KB

MD5
d0077dcfc462dd25521cff19de64ea59

SHA1
1781bf807c41aa3b3caf493e0503afd215f497de

SHA256
852bd972e543f61432ff6ca4d3547649cf4b63e65b340153cb912a5ce639b896

SHA512
381573feda29c8b7528814157c9dd4f84a3fae1e12a4b03dbebf78f0174e4b82cd88b2177b5c59d254d904ae1ad2453000dbf3b06329a2ced5b853c33c330456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe

Filesize
206KB

MD5
d0077dcfc462dd25521cff19de64ea59

SHA1
1781bf807c41aa3b3caf493e0503afd215f497de

SHA256
852bd972e543f61432ff6ca4d3547649cf4b63e65b340153cb912a5ce639b896

SHA512
381573feda29c8b7528814157c9dd4f84a3fae1e12a4b03dbebf78f0174e4b82cd88b2177b5c59d254d904ae1ad2453000dbf3b06329a2ced5b853c33c330456

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe

Filesize
13KB

MD5
c8ffef0f74daf1371e0c34cda29dabb9

SHA1
cbe06286918051ae45e5e11120b2cf49e00f7d86

SHA256
b2d3f56be024f288423be750240b42312c6c97c5973caf58906f8196790f0d14

SHA512
de01e3adf8255da86180aceeddec10690ce8f1c40bdc65d81023934bb73a8656ce9c65fd43fcae344ac01cad9ca55765dde5e636eeb95ee39d3e802851e10d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe

Filesize
13KB

MD5
c8ffef0f74daf1371e0c34cda29dabb9

SHA1
cbe06286918051ae45e5e11120b2cf49e00f7d86

SHA256
b2d3f56be024f288423be750240b42312c6c97c5973caf58906f8196790f0d14

SHA512
de01e3adf8255da86180aceeddec10690ce8f1c40bdc65d81023934bb73a8656ce9c65fd43fcae344ac01cad9ca55765dde5e636eeb95ee39d3e802851e10d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe

Filesize
172KB

MD5
7eb9e2e5f30e56c6929360ba44ea1085

SHA1
b53421e7a9ec49ebacd48bc51c59904cb2452d47

SHA256
8c497e715ba002c8d1fd66438f419bc5c99ca3ad06e2777c775c1a8bd663e491

SHA512
e5b5f29a6a5c1b1d9f01bc1eb3154386407bdba825b72c225edc316b35c9545ec3e59b5c762fe84c44760dcf87da239f5098d0b03e5a7413a5bfde9329be674e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe

Filesize
172KB

MD5
7eb9e2e5f30e56c6929360ba44ea1085

SHA1
b53421e7a9ec49ebacd48bc51c59904cb2452d47

SHA256
8c497e715ba002c8d1fd66438f419bc5c99ca3ad06e2777c775c1a8bd663e491

SHA512
e5b5f29a6a5c1b1d9f01bc1eb3154386407bdba825b72c225edc316b35c9545ec3e59b5c762fe84c44760dcf87da239f5098d0b03e5a7413a5bfde9329be674e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe

Filesize
377KB

MD5
46afa44e4e1ec95815aaa6d25a5ff3cd

SHA1
ad7a1a73faa677adc1c5ddfab32fe6af070bd977

SHA256
f35e633855fe2d8bc3ba4afaa949f35e63d645dfe1f17afa6de79efe851dfb11

SHA512
5158bd75d29d21a33021d29a795208aaa231a0976fe037fab2bf04b8b0f5724343f30c32002b8236e1974bf1af87627c69fb06fbff0cf048440db4f958e80bd0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9454163.exe

Filesize
377KB

MD5
46afa44e4e1ec95815aaa6d25a5ff3cd

SHA1
ad7a1a73faa677adc1c5ddfab32fe6af070bd977

SHA256
f35e633855fe2d8bc3ba4afaa949f35e63d645dfe1f17afa6de79efe851dfb11

SHA512
5158bd75d29d21a33021d29a795208aaa231a0976fe037fab2bf04b8b0f5724343f30c32002b8236e1974bf1af87627c69fb06fbff0cf048440db4f958e80bd0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe

Filesize
206KB

MD5
d0077dcfc462dd25521cff19de64ea59

SHA1
1781bf807c41aa3b3caf493e0503afd215f497de

SHA256
852bd972e543f61432ff6ca4d3547649cf4b63e65b340153cb912a5ce639b896

SHA512
381573feda29c8b7528814157c9dd4f84a3fae1e12a4b03dbebf78f0174e4b82cd88b2177b5c59d254d904ae1ad2453000dbf3b06329a2ced5b853c33c330456

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7752669.exe

Filesize
206KB

MD5
d0077dcfc462dd25521cff19de64ea59

SHA1
1781bf807c41aa3b3caf493e0503afd215f497de

SHA256
852bd972e543f61432ff6ca4d3547649cf4b63e65b340153cb912a5ce639b896

SHA512
381573feda29c8b7528814157c9dd4f84a3fae1e12a4b03dbebf78f0174e4b82cd88b2177b5c59d254d904ae1ad2453000dbf3b06329a2ced5b853c33c330456

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6294941.exe

Filesize
13KB

MD5
c8ffef0f74daf1371e0c34cda29dabb9

SHA1
cbe06286918051ae45e5e11120b2cf49e00f7d86

SHA256
b2d3f56be024f288423be750240b42312c6c97c5973caf58906f8196790f0d14

SHA512
de01e3adf8255da86180aceeddec10690ce8f1c40bdc65d81023934bb73a8656ce9c65fd43fcae344ac01cad9ca55765dde5e636eeb95ee39d3e802851e10d66

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe

Filesize
172KB

MD5
7eb9e2e5f30e56c6929360ba44ea1085

SHA1
b53421e7a9ec49ebacd48bc51c59904cb2452d47

SHA256
8c497e715ba002c8d1fd66438f419bc5c99ca3ad06e2777c775c1a8bd663e491

SHA512
e5b5f29a6a5c1b1d9f01bc1eb3154386407bdba825b72c225edc316b35c9545ec3e59b5c762fe84c44760dcf87da239f5098d0b03e5a7413a5bfde9329be674e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9052720.exe

Filesize
172KB

MD5
7eb9e2e5f30e56c6929360ba44ea1085

SHA1
b53421e7a9ec49ebacd48bc51c59904cb2452d47

SHA256
8c497e715ba002c8d1fd66438f419bc5c99ca3ad06e2777c775c1a8bd663e491

SHA512
e5b5f29a6a5c1b1d9f01bc1eb3154386407bdba825b72c225edc316b35c9545ec3e59b5c762fe84c44760dcf87da239f5098d0b03e5a7413a5bfde9329be674e

Download Submit
memory/1076-89-0x0000000000880000-0x00000000008B0000-memory.dmp

Filesize
192KB

Download
memory/1076-90-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1076-91-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/1076-92-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/1756-82-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download