redline | 152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe
Size

776KB
MD5

f87f992f761726b984b7005c313bf852
SHA1

351ad717b39574c4e702aa1e21dc3dbf488cc5e0
SHA256

152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970
SHA512

efbf41b8b374422d7b52c38ac3a916407da6e987a6a6b7c292cc992695cc90e852c33bf07ee6f5a36722f145cd1a44ceca23035e66789af08bbe56db9e3fe208
SSDEEP

12288:EMrDy90A+3pyTjHgLzGd/JlZiSSCJ4tzWI8zMJeRqT042ckXQtxuE9tmRS1sCZkP:fy1gfk/JlDnI8zMIY0tXQtxuE9t+AW

Score

10^/10

redline masa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

masa

83.97.73.126:19048

Attributes

auth_value
9f945269efb5978b14b0bdd13ea1f115

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9882693.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9882693.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9882693.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9882693.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9882693.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9882693.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2180	v9326665.exe
1092	v2040264.exe
2004	v7336512.exe
1264	a9882693.exe
1664	b0590108.exe
4220	c8013605.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9882693.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2040264.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2040264.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7336512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7336512.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9326665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9326665.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 2612	1664	b0590108.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
676	1664	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1264	a9882693.exe
1264	a9882693.exe
2612	AppLaunch.exe
2612	AppLaunch.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe
4220	c8013605.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	a9882693.exe
Token: SeDebugPrivilege	2612	AppLaunch.exe
Token: SeDebugPrivilege	4220	c8013605.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2180	4764	152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe	84
PID 4764 wrote to memory of 2180	4764	152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe	84
PID 4764 wrote to memory of 2180	4764	152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe	84
PID 2180 wrote to memory of 1092	2180	v9326665.exe	85
PID 2180 wrote to memory of 1092	2180	v9326665.exe	85
PID 2180 wrote to memory of 1092	2180	v9326665.exe	85
PID 1092 wrote to memory of 2004	1092	v2040264.exe	86
PID 1092 wrote to memory of 2004	1092	v2040264.exe	86
PID 1092 wrote to memory of 2004	1092	v2040264.exe	86
PID 2004 wrote to memory of 1264	2004	v7336512.exe	87
PID 2004 wrote to memory of 1264	2004	v7336512.exe	87
PID 2004 wrote to memory of 1664	2004	v7336512.exe	90
PID 2004 wrote to memory of 1664	2004	v7336512.exe	90
PID 2004 wrote to memory of 1664	2004	v7336512.exe	90
PID 1664 wrote to memory of 2612	1664	b0590108.exe	92
PID 1664 wrote to memory of 2612	1664	b0590108.exe	92
PID 1664 wrote to memory of 2612	1664	b0590108.exe	92
PID 1664 wrote to memory of 2612	1664	b0590108.exe	92
PID 1664 wrote to memory of 2612	1664	b0590108.exe	92
PID 1092 wrote to memory of 4220	1092	v2040264.exe	95
PID 1092 wrote to memory of 4220	1092	v2040264.exe	95
PID 1092 wrote to memory of 4220	1092	v2040264.exe	95

C:\Users\Admin\AppData\Local\Temp\152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe
"C:\Users\Admin\AppData\Local\Temp\152e377e630a9f676dde3ef11d41884af99726af69af12e0385348ad972b3970.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9326665.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9326665.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2040264.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2040264.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7336512.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7336512.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9882693.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9882693.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0590108.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0590108.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 152
        6⤵
        Program crash
        
        PID:676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8013605.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8013605.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1664 -ip 1664
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9326665.exe

Filesize
576KB

MD5
0eb16eec27b5ee6b4ef64ff2b9cd3750

SHA1
a6260afb7fb28b356371b0e56fdf5b35cdec6099

SHA256
80250f7c610c8ae7c1a94c06b702b5affb6f668a85beeaa7273ba86bcfc06652

SHA512
189771a158d73645afff945215b7a2e1a7c7335eebc2a563986638c05c5fd0d613d4241ca4948f4a4bd09b909e8f1067a8dc5eede3c21b10f4ba2753cc0838e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9326665.exe

Filesize
576KB

MD5
0eb16eec27b5ee6b4ef64ff2b9cd3750

SHA1
a6260afb7fb28b356371b0e56fdf5b35cdec6099

SHA256
80250f7c610c8ae7c1a94c06b702b5affb6f668a85beeaa7273ba86bcfc06652

SHA512
189771a158d73645afff945215b7a2e1a7c7335eebc2a563986638c05c5fd0d613d4241ca4948f4a4bd09b909e8f1067a8dc5eede3c21b10f4ba2753cc0838e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2040264.exe

Filesize
351KB

MD5
bdcfef2ee21c6ff5b41ac31e0fffa9a6

SHA1
8aeb31414754c52798804c8e47b54e64a7be4a73

SHA256
1346219d470fecda9fe88b816f60d6e4dd94e00a255074804335de45b36d4307

SHA512
92dd87c3b13a8879c42c0ad76738d27d15cde925b0bd040be463148fc06ccd4875f2ed2ec4fa1cb35794d2d92de389c713a5f2c9edbf0ebbaf9bf876c50a9990

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2040264.exe

Filesize
351KB

MD5
bdcfef2ee21c6ff5b41ac31e0fffa9a6

SHA1
8aeb31414754c52798804c8e47b54e64a7be4a73

SHA256
1346219d470fecda9fe88b816f60d6e4dd94e00a255074804335de45b36d4307

SHA512
92dd87c3b13a8879c42c0ad76738d27d15cde925b0bd040be463148fc06ccd4875f2ed2ec4fa1cb35794d2d92de389c713a5f2c9edbf0ebbaf9bf876c50a9990

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8013605.exe

Filesize
172KB

MD5
49de81a59cdb3babc16e030a673b185d

SHA1
99788772f2fad3780ee8152db36a827dfa0e472f

SHA256
ec93523ffe38d955eb6b2947e4f414f3e3a22411c5497d9021fc138244b722e9

SHA512
35f0b4ce21ac4ebff6166c087fe183674963f6c0a96a9161a854e1756f28672befd16b2e6e814b8462428f87bf240bb740a40cb3fd41ed8a96dd90dd3c31ced0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8013605.exe

Filesize
172KB

MD5
49de81a59cdb3babc16e030a673b185d

SHA1
99788772f2fad3780ee8152db36a827dfa0e472f

SHA256
ec93523ffe38d955eb6b2947e4f414f3e3a22411c5497d9021fc138244b722e9

SHA512
35f0b4ce21ac4ebff6166c087fe183674963f6c0a96a9161a854e1756f28672befd16b2e6e814b8462428f87bf240bb740a40cb3fd41ed8a96dd90dd3c31ced0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7336512.exe

Filesize
196KB

MD5
c479dfdd44e35d9d33d1195f4adf2fde

SHA1
914879d9bbeb0df8d5bdfec74d89f0432a9a70f3

SHA256
11cac9de2abb3ff745ba406ccd0cb80c452899e849c2542d73813e84199ccfeb

SHA512
bd4f47f9302e093f821a46021354dcf569063e132feb43c6cead60eb7ceebe74e8f020c2b7bab1b9e494a2d17cce8483a8f421fcd55e0b9fabf2cc3fbb5e6455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7336512.exe

Filesize
196KB

MD5
c479dfdd44e35d9d33d1195f4adf2fde

SHA1
914879d9bbeb0df8d5bdfec74d89f0432a9a70f3

SHA256
11cac9de2abb3ff745ba406ccd0cb80c452899e849c2542d73813e84199ccfeb

SHA512
bd4f47f9302e093f821a46021354dcf569063e132feb43c6cead60eb7ceebe74e8f020c2b7bab1b9e494a2d17cce8483a8f421fcd55e0b9fabf2cc3fbb5e6455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9882693.exe

Filesize
11KB

MD5
d40c769953ee308a88d266bb661e3017

SHA1
2c05ea6cda81ee967f5e4213818ebcd2c5a0514e

SHA256
7e2a82148f949370bda9706a40b6a919fe8d7785d25851566d9b0c23d6b623bf

SHA512
27bded72309ac501a34baf4595f34c28e5a4b9f46f5fd01a37c2e4560a4a8b0186df897b913175d4ea7d86fc0c56619e382eea8540f3b7eff4b3860947574ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9882693.exe

Filesize
11KB

MD5
d40c769953ee308a88d266bb661e3017

SHA1
2c05ea6cda81ee967f5e4213818ebcd2c5a0514e

SHA256
7e2a82148f949370bda9706a40b6a919fe8d7785d25851566d9b0c23d6b623bf

SHA512
27bded72309ac501a34baf4595f34c28e5a4b9f46f5fd01a37c2e4560a4a8b0186df897b913175d4ea7d86fc0c56619e382eea8540f3b7eff4b3860947574ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0590108.exe

Filesize
101KB

MD5
b6ca9f9409c55c868e1060c6ed244045

SHA1
f1f65fac8fabda7f29fd839e7db40ad985b3db90

SHA256
fb4db023b3c81442fa2890b89f52bccaddcd9ed471e007769ce508b5858cb755

SHA512
a3602c9af5cc7abe2a4a7bbbc4ac88e387225f141202ce2c1e1bdd3c15bd5755e738571603f576e86c7572f27ad2b99ba30680d4594bfb6971d4fe4bce9e9cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0590108.exe

Filesize
101KB

MD5
b6ca9f9409c55c868e1060c6ed244045

SHA1
f1f65fac8fabda7f29fd839e7db40ad985b3db90

SHA256
fb4db023b3c81442fa2890b89f52bccaddcd9ed471e007769ce508b5858cb755

SHA512
a3602c9af5cc7abe2a4a7bbbc4ac88e387225f141202ce2c1e1bdd3c15bd5755e738571603f576e86c7572f27ad2b99ba30680d4594bfb6971d4fe4bce9e9cfb

Download Submit
memory/1264-161-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/2612-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4220-175-0x0000000000210000-0x0000000000240000-memory.dmp

Filesize
192KB

Download
memory/4220-176-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/4220-177-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/4220-178-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/4220-179-0x0000000004D10000-0x0000000004D4C000-memory.dmp

Filesize
240KB

Download
memory/4220-180-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4220-181-0x0000000005020000-0x0000000005096000-memory.dmp

Filesize
472KB

Download
memory/4220-182-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/4220-183-0x0000000006250000-0x00000000067F4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-184-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/4220-186-0x0000000006800000-0x00000000069C2000-memory.dmp

Filesize
1.8MB

Download
memory/4220-187-0x0000000008420000-0x000000000894C000-memory.dmp

Filesize
5.2MB

Download
memory/4220-188-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4220-189-0x0000000006100000-0x0000000006150000-memory.dmp

Filesize
320KB

Download