redline | f4c6b3aa2ea3f34522b9d1176bb4fcc04a18c01a582f6b0d6e8b4dc63233510b

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 11:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09648799.exe
Size

585KB
MD5

d3f4b45b3f58b633d11131989704fbc4
SHA1

48dad1c9ba28fefe19be459f33ba6148ca4ea612
SHA256

f4c6b3aa2ea3f34522b9d1176bb4fcc04a18c01a582f6b0d6e8b4dc63233510b
SHA512

a2babcc6b5dfbf813163befff3e48da289ec7096b28961a8a5423983326e2f1b692a9acccf9cc389dbccf3777df6e6cfb101d7cd0b8233ebb549feb55c90fa2e
SSDEEP

12288:eMroy90iZnCErEXNTO41f25P+yyp0ZDgD1IoY83XjvnPW/2:iy1nCEr0NOP1yp0ZDgDHXzPJ

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k7447684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7447684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7447684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7447684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7447684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7447684.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2040	y5534391.exe
584	y9692379.exe
580	k7447684.exe
888	l5011127.exe

Loads dropped DLL 7 IoCs

pid	Process
2044	09648799.exe
2040	y5534391.exe
2040	y5534391.exe
584	y9692379.exe
584	y9692379.exe
584	y9692379.exe
888	l5011127.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	k7447684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7447684.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	09648799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09648799.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5534391.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5534391.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9692379.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9692379.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
580	k7447684.exe
580	k7447684.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe
888	l5011127.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	k7447684.exe
Token: SeDebugPrivilege	888	l5011127.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2044 wrote to memory of 2040	2044	09648799.exe	27
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 2040 wrote to memory of 584	2040	y5534391.exe	28
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 580	584	y9692379.exe	29
PID 584 wrote to memory of 888	584	y9692379.exe	30
PID 584 wrote to memory of 888	584	y9692379.exe	30
PID 584 wrote to memory of 888	584	y9692379.exe	30
PID 584 wrote to memory of 888	584	y9692379.exe	30
PID 584 wrote to memory of 888	584	y9692379.exe	30
PID 584 wrote to memory of 888	584	y9692379.exe	30
PID 584 wrote to memory of 888	584	y9692379.exe	30

C:\Users\Admin\AppData\Local\Temp\09648799.exe
"C:\Users\Admin\AppData\Local\Temp\09648799.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5534391.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5534391.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9692379.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9692379.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7447684.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7447684.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5011127.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5011127.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5534391.exe

Filesize
377KB

MD5
a99b6fb4afc945dcbc7bdf16f54f0c66

SHA1
8872b1a8ae8dc8a60792505858c7a4d24b189035

SHA256
370468e1b7b5cfe5c2e6295821d960fd1d2d2992cea4d222574ec762cf91d8d6

SHA512
2eae11694cdc8e1abeb0faa4f6825122bb494b2155e069c9ac873be549a96e4d3c58cbd0b48a74d1d59ebc579003c5b678d9d9139d29130955f6683fa9504204

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5534391.exe

Filesize
377KB

MD5
a99b6fb4afc945dcbc7bdf16f54f0c66

SHA1
8872b1a8ae8dc8a60792505858c7a4d24b189035

SHA256
370468e1b7b5cfe5c2e6295821d960fd1d2d2992cea4d222574ec762cf91d8d6

SHA512
2eae11694cdc8e1abeb0faa4f6825122bb494b2155e069c9ac873be549a96e4d3c58cbd0b48a74d1d59ebc579003c5b678d9d9139d29130955f6683fa9504204

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9692379.exe

Filesize
206KB

MD5
9c6932a8ce54c8bb48dca2e164b8d84c

SHA1
34a393958f8899f99171f0061ae6c95f35e72d8e

SHA256
3a2c4206923a1f7503318bc7fedd042e63f8fc60f691e2b7f58c10d3dd6cd1c7

SHA512
617a7433f3ca3798ea45d3392ab33bf47b942956188ada61964894f4b2c7be71d7b51e0d3e7a6b5603342ada20d024b8b92db782b3d4f700228dbf9179e58750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9692379.exe

Filesize
206KB

MD5
9c6932a8ce54c8bb48dca2e164b8d84c

SHA1
34a393958f8899f99171f0061ae6c95f35e72d8e

SHA256
3a2c4206923a1f7503318bc7fedd042e63f8fc60f691e2b7f58c10d3dd6cd1c7

SHA512
617a7433f3ca3798ea45d3392ab33bf47b942956188ada61964894f4b2c7be71d7b51e0d3e7a6b5603342ada20d024b8b92db782b3d4f700228dbf9179e58750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7447684.exe

Filesize
13KB

MD5
8c5b902f8f04eb197ba4bda35c545633

SHA1
dbe003522527f78dbc4d6b1d23624c642b644a64

SHA256
dbb4fded8f55b3bf8a2162ee382ba5babb0a9883a36b529096153d8cee3aa1dd

SHA512
a40dd7933931a062be5669aa0f6083ee7f83b325283e48c1cda2353809e496823f3cf6242d20b7dab3f7ccd0945f6d30ebdd74c7820df5bd78cf6853d47647f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7447684.exe

Filesize
13KB

MD5
8c5b902f8f04eb197ba4bda35c545633

SHA1
dbe003522527f78dbc4d6b1d23624c642b644a64

SHA256
dbb4fded8f55b3bf8a2162ee382ba5babb0a9883a36b529096153d8cee3aa1dd

SHA512
a40dd7933931a062be5669aa0f6083ee7f83b325283e48c1cda2353809e496823f3cf6242d20b7dab3f7ccd0945f6d30ebdd74c7820df5bd78cf6853d47647f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5011127.exe

Filesize
172KB

MD5
27d2acc0cc8925a40db30e5f5a828703

SHA1
1c0563a13b449242d1b76aa2e09130f3a02833b0

SHA256
414032ba86ad37ae76ac8386eb15558cbd9c58256e49700be236ad2b8786d85e

SHA512
afdfceca82f8dae1d55ca136c65361a67e5b519a157e96259aea9b4fd52c4367e907c8c6b7eb9ea98d4ca591755b47a6968bec199c2d3fa106119380b30c7b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5011127.exe

Filesize
172KB

MD5
27d2acc0cc8925a40db30e5f5a828703

SHA1
1c0563a13b449242d1b76aa2e09130f3a02833b0

SHA256
414032ba86ad37ae76ac8386eb15558cbd9c58256e49700be236ad2b8786d85e

SHA512
afdfceca82f8dae1d55ca136c65361a67e5b519a157e96259aea9b4fd52c4367e907c8c6b7eb9ea98d4ca591755b47a6968bec199c2d3fa106119380b30c7b1a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5534391.exe

Filesize
377KB

MD5
a99b6fb4afc945dcbc7bdf16f54f0c66

SHA1
8872b1a8ae8dc8a60792505858c7a4d24b189035

SHA256
370468e1b7b5cfe5c2e6295821d960fd1d2d2992cea4d222574ec762cf91d8d6

SHA512
2eae11694cdc8e1abeb0faa4f6825122bb494b2155e069c9ac873be549a96e4d3c58cbd0b48a74d1d59ebc579003c5b678d9d9139d29130955f6683fa9504204

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5534391.exe

Filesize
377KB

MD5
a99b6fb4afc945dcbc7bdf16f54f0c66

SHA1
8872b1a8ae8dc8a60792505858c7a4d24b189035

SHA256
370468e1b7b5cfe5c2e6295821d960fd1d2d2992cea4d222574ec762cf91d8d6

SHA512
2eae11694cdc8e1abeb0faa4f6825122bb494b2155e069c9ac873be549a96e4d3c58cbd0b48a74d1d59ebc579003c5b678d9d9139d29130955f6683fa9504204

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9692379.exe

Filesize
206KB

MD5
9c6932a8ce54c8bb48dca2e164b8d84c

SHA1
34a393958f8899f99171f0061ae6c95f35e72d8e

SHA256
3a2c4206923a1f7503318bc7fedd042e63f8fc60f691e2b7f58c10d3dd6cd1c7

SHA512
617a7433f3ca3798ea45d3392ab33bf47b942956188ada61964894f4b2c7be71d7b51e0d3e7a6b5603342ada20d024b8b92db782b3d4f700228dbf9179e58750

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9692379.exe

Filesize
206KB

MD5
9c6932a8ce54c8bb48dca2e164b8d84c

SHA1
34a393958f8899f99171f0061ae6c95f35e72d8e

SHA256
3a2c4206923a1f7503318bc7fedd042e63f8fc60f691e2b7f58c10d3dd6cd1c7

SHA512
617a7433f3ca3798ea45d3392ab33bf47b942956188ada61964894f4b2c7be71d7b51e0d3e7a6b5603342ada20d024b8b92db782b3d4f700228dbf9179e58750

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7447684.exe

Filesize
13KB

MD5
8c5b902f8f04eb197ba4bda35c545633

SHA1
dbe003522527f78dbc4d6b1d23624c642b644a64

SHA256
dbb4fded8f55b3bf8a2162ee382ba5babb0a9883a36b529096153d8cee3aa1dd

SHA512
a40dd7933931a062be5669aa0f6083ee7f83b325283e48c1cda2353809e496823f3cf6242d20b7dab3f7ccd0945f6d30ebdd74c7820df5bd78cf6853d47647f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5011127.exe

Filesize
172KB

MD5
27d2acc0cc8925a40db30e5f5a828703

SHA1
1c0563a13b449242d1b76aa2e09130f3a02833b0

SHA256
414032ba86ad37ae76ac8386eb15558cbd9c58256e49700be236ad2b8786d85e

SHA512
afdfceca82f8dae1d55ca136c65361a67e5b519a157e96259aea9b4fd52c4367e907c8c6b7eb9ea98d4ca591755b47a6968bec199c2d3fa106119380b30c7b1a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5011127.exe

Filesize
172KB

MD5
27d2acc0cc8925a40db30e5f5a828703

SHA1
1c0563a13b449242d1b76aa2e09130f3a02833b0

SHA256
414032ba86ad37ae76ac8386eb15558cbd9c58256e49700be236ad2b8786d85e

SHA512
afdfceca82f8dae1d55ca136c65361a67e5b519a157e96259aea9b4fd52c4367e907c8c6b7eb9ea98d4ca591755b47a6968bec199c2d3fa106119380b30c7b1a

Download Submit
memory/580-82-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/888-89-0x0000000000E90000-0x0000000000EC0000-memory.dmp

Filesize
192KB

Download
memory/888-90-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/888-91-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/888-92-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download