redline | 903dc8ab5fda74961759ac38659486b390d8ed0a093519d2ff7b7bd5f45b01ed

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185679c1298c3016bb3fa5969d6094be.exe
Size

856KB
MD5

185679c1298c3016bb3fa5969d6094be
SHA1

223fa5aa925d9a30f03d62110945f00110fa32b7
SHA256

903dc8ab5fda74961759ac38659486b390d8ed0a093519d2ff7b7bd5f45b01ed
SHA512

16f938c11a2a97c144d33d5aa69b89b3ffba6c0b1b6ce032b7e2f41e6de0dc587e6365694c3e8af4489d56c0edc770aa6cd0ec895b5e866817757b237dd5d954
SSDEEP

24576:EyncUtO7A6LbI7xy926PDRTlOog29qmzFHP:TcU8PY7xy9DVlO72MSH

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

83.97.73.126:19048

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o8402077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o8402077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o8402077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o8402077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o8402077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o8402077.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
932	z6490630.exe
572	z5015341.exe
1112	o8402077.exe
1704	p8036149.exe

Loads dropped DLL 7 IoCs

pid	Process
1716	185679c1298c3016bb3fa5969d6094be.exe
932	z6490630.exe
932	z6490630.exe
572	z5015341.exe
572	z5015341.exe
572	z5015341.exe
1704	p8036149.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	o8402077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o8402077.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6490630.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6490630.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5015341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5015341.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	185679c1298c3016bb3fa5969d6094be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	185679c1298c3016bb3fa5969d6094be.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1112	o8402077.exe
1112	o8402077.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	o8402077.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 1716 wrote to memory of 932	1716	185679c1298c3016bb3fa5969d6094be.exe	27
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 932 wrote to memory of 572	932	z6490630.exe	28
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1112	572	z5015341.exe	29
PID 572 wrote to memory of 1704	572	z5015341.exe	30
PID 572 wrote to memory of 1704	572	z5015341.exe	30
PID 572 wrote to memory of 1704	572	z5015341.exe	30
PID 572 wrote to memory of 1704	572	z5015341.exe	30
PID 572 wrote to memory of 1704	572	z5015341.exe	30
PID 572 wrote to memory of 1704	572	z5015341.exe	30
PID 572 wrote to memory of 1704	572	z5015341.exe	30

C:\Users\Admin\AppData\Local\Temp\185679c1298c3016bb3fa5969d6094be.exe
"C:\Users\Admin\AppData\Local\Temp\185679c1298c3016bb3fa5969d6094be.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6490630.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6490630.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5015341.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5015341.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8402077.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8402077.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8036149.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8036149.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6490630.exe

Filesize
412KB

MD5
277cd619845913b397665926e126dcfe

SHA1
9140be4c6722a4b56809f4fc7d91c6c58ebd1372

SHA256
0afebfb41607d43ef19312ad4a4d3b9726905729dcf19c9e13b1d1437dde69cc

SHA512
2a35bc54b19b931b7377b01c2d17aa8cc8f035a12aef3a2f55531d983ae0edbcac700ccdabba088464d08cd3a19aec770c3c61b5491c2d9b29390f1faf751994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6490630.exe

Filesize
412KB

MD5
277cd619845913b397665926e126dcfe

SHA1
9140be4c6722a4b56809f4fc7d91c6c58ebd1372

SHA256
0afebfb41607d43ef19312ad4a4d3b9726905729dcf19c9e13b1d1437dde69cc

SHA512
2a35bc54b19b931b7377b01c2d17aa8cc8f035a12aef3a2f55531d983ae0edbcac700ccdabba088464d08cd3a19aec770c3c61b5491c2d9b29390f1faf751994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5015341.exe

Filesize
206KB

MD5
793817edd3de69d6901ddb5890ae68a2

SHA1
e7240c343c703f99c0b0bcc6a09f27b5837ce4ae

SHA256
ce1881ffad5fa4843c0647758f7f4531f23f55f057cd7a5301b838732a9f4b4b

SHA512
21e152064cf9765e3b437e357c1a0929e0085606ed6041d605cf575a0b5afb5750f99c4546b6818cfddc0041f6bb7792794c03dd6f47a2afa634c69186e222ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5015341.exe

Filesize
206KB

MD5
793817edd3de69d6901ddb5890ae68a2

SHA1
e7240c343c703f99c0b0bcc6a09f27b5837ce4ae

SHA256
ce1881ffad5fa4843c0647758f7f4531f23f55f057cd7a5301b838732a9f4b4b

SHA512
21e152064cf9765e3b437e357c1a0929e0085606ed6041d605cf575a0b5afb5750f99c4546b6818cfddc0041f6bb7792794c03dd6f47a2afa634c69186e222ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8402077.exe

Filesize
14KB

MD5
9bf43161f27cab9126e8a3a4cbdcdd00

SHA1
73bbcd368ff6a0ad1e6515f84363ed8c123d6a3e

SHA256
41c52d01c38a6736b73116197587d88b0c28eb247c1fecd3f176ddb1b55f3284

SHA512
426a105a71514317ef530921fa20cd4cba01dd7eb4f8931c99ff417a332bb200ba5a602e19aab760e2dc5636dfa508d7c5c2acb8c0b1a298a9acc88aae345d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8402077.exe

Filesize
14KB

MD5
9bf43161f27cab9126e8a3a4cbdcdd00

SHA1
73bbcd368ff6a0ad1e6515f84363ed8c123d6a3e

SHA256
41c52d01c38a6736b73116197587d88b0c28eb247c1fecd3f176ddb1b55f3284

SHA512
426a105a71514317ef530921fa20cd4cba01dd7eb4f8931c99ff417a332bb200ba5a602e19aab760e2dc5636dfa508d7c5c2acb8c0b1a298a9acc88aae345d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8036149.exe

Filesize
172KB

MD5
5c17a84575898e1a6ee6b3d02f1a810c

SHA1
78abfd3313487902f0f687d0f65506cfc18d30c7

SHA256
28c44f70f1c4daba8aaea50540facf296f2bdf284f962eecc3bdd83e711d8960

SHA512
37cdf67779661480007972a1a00dc9f969fff573436f7ad8fb65ad1e2ea72307aa3436561f38a68dde3f180fd66145ad551d778dc83ba3c313ae17c62be459c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8036149.exe

Filesize
172KB

MD5
5c17a84575898e1a6ee6b3d02f1a810c

SHA1
78abfd3313487902f0f687d0f65506cfc18d30c7

SHA256
28c44f70f1c4daba8aaea50540facf296f2bdf284f962eecc3bdd83e711d8960

SHA512
37cdf67779661480007972a1a00dc9f969fff573436f7ad8fb65ad1e2ea72307aa3436561f38a68dde3f180fd66145ad551d778dc83ba3c313ae17c62be459c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6490630.exe

Filesize
412KB

MD5
277cd619845913b397665926e126dcfe

SHA1
9140be4c6722a4b56809f4fc7d91c6c58ebd1372

SHA256
0afebfb41607d43ef19312ad4a4d3b9726905729dcf19c9e13b1d1437dde69cc

SHA512
2a35bc54b19b931b7377b01c2d17aa8cc8f035a12aef3a2f55531d983ae0edbcac700ccdabba088464d08cd3a19aec770c3c61b5491c2d9b29390f1faf751994

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6490630.exe

Filesize
412KB

MD5
277cd619845913b397665926e126dcfe

SHA1
9140be4c6722a4b56809f4fc7d91c6c58ebd1372

SHA256
0afebfb41607d43ef19312ad4a4d3b9726905729dcf19c9e13b1d1437dde69cc

SHA512
2a35bc54b19b931b7377b01c2d17aa8cc8f035a12aef3a2f55531d983ae0edbcac700ccdabba088464d08cd3a19aec770c3c61b5491c2d9b29390f1faf751994

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5015341.exe

Filesize
206KB

MD5
793817edd3de69d6901ddb5890ae68a2

SHA1
e7240c343c703f99c0b0bcc6a09f27b5837ce4ae

SHA256
ce1881ffad5fa4843c0647758f7f4531f23f55f057cd7a5301b838732a9f4b4b

SHA512
21e152064cf9765e3b437e357c1a0929e0085606ed6041d605cf575a0b5afb5750f99c4546b6818cfddc0041f6bb7792794c03dd6f47a2afa634c69186e222ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5015341.exe

Filesize
206KB

MD5
793817edd3de69d6901ddb5890ae68a2

SHA1
e7240c343c703f99c0b0bcc6a09f27b5837ce4ae

SHA256
ce1881ffad5fa4843c0647758f7f4531f23f55f057cd7a5301b838732a9f4b4b

SHA512
21e152064cf9765e3b437e357c1a0929e0085606ed6041d605cf575a0b5afb5750f99c4546b6818cfddc0041f6bb7792794c03dd6f47a2afa634c69186e222ff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8402077.exe

Filesize
14KB

MD5
9bf43161f27cab9126e8a3a4cbdcdd00

SHA1
73bbcd368ff6a0ad1e6515f84363ed8c123d6a3e

SHA256
41c52d01c38a6736b73116197587d88b0c28eb247c1fecd3f176ddb1b55f3284

SHA512
426a105a71514317ef530921fa20cd4cba01dd7eb4f8931c99ff417a332bb200ba5a602e19aab760e2dc5636dfa508d7c5c2acb8c0b1a298a9acc88aae345d50

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8036149.exe

Filesize
172KB

MD5
5c17a84575898e1a6ee6b3d02f1a810c

SHA1
78abfd3313487902f0f687d0f65506cfc18d30c7

SHA256
28c44f70f1c4daba8aaea50540facf296f2bdf284f962eecc3bdd83e711d8960

SHA512
37cdf67779661480007972a1a00dc9f969fff573436f7ad8fb65ad1e2ea72307aa3436561f38a68dde3f180fd66145ad551d778dc83ba3c313ae17c62be459c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8036149.exe

Filesize
172KB

MD5
5c17a84575898e1a6ee6b3d02f1a810c

SHA1
78abfd3313487902f0f687d0f65506cfc18d30c7

SHA256
28c44f70f1c4daba8aaea50540facf296f2bdf284f962eecc3bdd83e711d8960

SHA512
37cdf67779661480007972a1a00dc9f969fff573436f7ad8fb65ad1e2ea72307aa3436561f38a68dde3f180fd66145ad551d778dc83ba3c313ae17c62be459c0

Download Submit
memory/1112-82-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/1704-89-0x0000000001170000-0x00000000011A0000-memory.dmp

Filesize
192KB

Download
memory/1704-90-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1704-91-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/1704-92-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download