redline | ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2023, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Size

724KB
MD5

423682e315eb041dfca823f9258107cf
SHA1

8ae794b5765505b06d6a07166c697733a322d924
SHA256

ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2
SHA512

68f6df97f88c63604f16902b4fb53918a8e70380bf42a04ab203404eebbe7989c202421b37b713b6525206825c8d974fd6231736782916ccf9166fdc1f851a9d
SSDEEP

12288:iMrjy90WHZXBLd4Gm3SaannWR0/r55K8ziePqOzeMszP3gfsOjOUUyMlAtYxS:pyFZXNds3twnWR0zW8ujMs73gJOUU1E

Score

10^/10

redline doxa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

doxa

83.97.73.129:19068

Attributes

auth_value
8cf5ba009458c73b014353d79d8422c6

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k5291378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5291378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5291378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5291378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5291378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5291378.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2692	y0513192.exe
1436	y6441693.exe
1184	y8231201.exe
2004	j7455522.exe
3488	k5291378.exe
4284	l0182589.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5291378.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8231201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y8231201.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0513192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0513192.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6441693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6441693.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1740	2004	j7455522.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1884	2004	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1740	AppLaunch.exe
1740	AppLaunch.exe
3488	k5291378.exe
3488	k5291378.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe
4284	l0182589.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	AppLaunch.exe
Token: SeDebugPrivilege	3488	k5291378.exe
Token: SeDebugPrivilege	4284	l0182589.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2692	2580	ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe	83
PID 2580 wrote to memory of 2692	2580	ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe	83
PID 2580 wrote to memory of 2692	2580	ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe	83
PID 2692 wrote to memory of 1436	2692	y0513192.exe	84
PID 2692 wrote to memory of 1436	2692	y0513192.exe	84
PID 2692 wrote to memory of 1436	2692	y0513192.exe	84
PID 1436 wrote to memory of 1184	1436	y6441693.exe	85
PID 1436 wrote to memory of 1184	1436	y6441693.exe	85
PID 1436 wrote to memory of 1184	1436	y6441693.exe	85
PID 1184 wrote to memory of 2004	1184	y8231201.exe	86
PID 1184 wrote to memory of 2004	1184	y8231201.exe	86
PID 1184 wrote to memory of 2004	1184	y8231201.exe	86
PID 2004 wrote to memory of 1740	2004	j7455522.exe	88
PID 2004 wrote to memory of 1740	2004	j7455522.exe	88
PID 2004 wrote to memory of 1740	2004	j7455522.exe	88
PID 2004 wrote to memory of 1740	2004	j7455522.exe	88
PID 2004 wrote to memory of 1740	2004	j7455522.exe	88
PID 1184 wrote to memory of 3488	1184	y8231201.exe	91
PID 1184 wrote to memory of 3488	1184	y8231201.exe	91
PID 1436 wrote to memory of 4284	1436	y6441693.exe	92
PID 1436 wrote to memory of 4284	1436	y6441693.exe	92
PID 1436 wrote to memory of 4284	1436	y6441693.exe	92

C:\Users\Admin\AppData\Local\Temp\ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe
"C:\Users\Admin\AppData\Local\Temp\ca63e07f39a9fb9edbdff2fdbc00a9a16c36929c789f167f8caaa312044caba2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0513192.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0513192.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6441693.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6441693.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8231201.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8231201.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7455522.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7455522.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 564
        6⤵
        Program crash
        
        PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5291378.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5291378.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0182589.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0182589.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2004 -ip 2004
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0513192.exe

Filesize
524KB

MD5
9910b6b0350d3b3fa92110b1d6e78117

SHA1
917c42b74a662b27d7d3cfd585ce98662afae34e

SHA256
830d822d0b895b7ce1ca4140b6545f9e26ea0c6b5acff9cae7edbddd520e0fd1

SHA512
a3d73a1f2aabd1c25c26b46d6331a57c5171fd86ced6c1fe95b3ebd802712c497d712e580e09990570edf7bc172e804f6ce95bd7fc99f8d7bb8e0d56ccb7cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0513192.exe

Filesize
524KB

MD5
9910b6b0350d3b3fa92110b1d6e78117

SHA1
917c42b74a662b27d7d3cfd585ce98662afae34e

SHA256
830d822d0b895b7ce1ca4140b6545f9e26ea0c6b5acff9cae7edbddd520e0fd1

SHA512
a3d73a1f2aabd1c25c26b46d6331a57c5171fd86ced6c1fe95b3ebd802712c497d712e580e09990570edf7bc172e804f6ce95bd7fc99f8d7bb8e0d56ccb7cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6441693.exe

Filesize
352KB

MD5
f2fc0c7346084a8912876e69cd9f2ce9

SHA1
14406274a6f6f927475d6841a764f539d3dcbb94

SHA256
95bc711783c0a98d713802175b10de60ab4431ba0204ee1f586e995a2197520e

SHA512
28b1740db2a5825563efac914934cd02246bef0baf2c64281da4f933736ceda5af6c0fd9b28ec8d69d637ea079c388c50c268a981030a8821465223983100ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6441693.exe

Filesize
352KB

MD5
f2fc0c7346084a8912876e69cd9f2ce9

SHA1
14406274a6f6f927475d6841a764f539d3dcbb94

SHA256
95bc711783c0a98d713802175b10de60ab4431ba0204ee1f586e995a2197520e

SHA512
28b1740db2a5825563efac914934cd02246bef0baf2c64281da4f933736ceda5af6c0fd9b28ec8d69d637ea079c388c50c268a981030a8821465223983100ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0182589.exe

Filesize
172KB

MD5
009477343b1f81d84ddc357ea019b1d2

SHA1
0b567aa93ee45f24b1657e79409827b3edff2013

SHA256
cd33da8532ec9cf3fbfa586e7e16f1510b11440f109609bf36c3a670067cd516

SHA512
8525fe57a4227cbdd0dcbe8b9fe182d3dff81ae0f65a2433a2e2c040d3fe3eb467d0f4e1b5f59c18e4833786568f674939501d187ffc8361315514f7a1d92397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0182589.exe

Filesize
172KB

MD5
009477343b1f81d84ddc357ea019b1d2

SHA1
0b567aa93ee45f24b1657e79409827b3edff2013

SHA256
cd33da8532ec9cf3fbfa586e7e16f1510b11440f109609bf36c3a670067cd516

SHA512
8525fe57a4227cbdd0dcbe8b9fe182d3dff81ae0f65a2433a2e2c040d3fe3eb467d0f4e1b5f59c18e4833786568f674939501d187ffc8361315514f7a1d92397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8231201.exe

Filesize
197KB

MD5
b0ecef42201eb7907790106e83d725f2

SHA1
b0a5a4efc5fe9014162f1aa9fee07cb75a096e92

SHA256
526709f6aee4d182bc6bd02bb30afffcb79cf9f832ab2427d13582104119dcf1

SHA512
a8f59a76bb3f0aa84f5b28dcf56b61537b2b1946fb9b0a85539bb0e327c1f4cc6ec8d64a354b60acb9edc80a031116ba4e219ab6acf5c88efa163417b1113cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y8231201.exe

Filesize
197KB

MD5
b0ecef42201eb7907790106e83d725f2

SHA1
b0a5a4efc5fe9014162f1aa9fee07cb75a096e92

SHA256
526709f6aee4d182bc6bd02bb30afffcb79cf9f832ab2427d13582104119dcf1

SHA512
a8f59a76bb3f0aa84f5b28dcf56b61537b2b1946fb9b0a85539bb0e327c1f4cc6ec8d64a354b60acb9edc80a031116ba4e219ab6acf5c88efa163417b1113cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7455522.exe

Filesize
101KB

MD5
9c76360c27b381804631f92f39737179

SHA1
6d90d26554f7f51107b2d14e2b2466211c3716e0

SHA256
4b2f29e95ff34cf5eee19ba92fbad48c6432e3a13146bda1ff64e9a9882bba5b

SHA512
eb3cfc1a40bbb705de0bd7368181315365ee9752cc16e44a78875e32a2692df8d3eb707189198cb0e30a0904348f61c7cb977166c5638a5f566e5253681ec379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7455522.exe

Filesize
101KB

MD5
9c76360c27b381804631f92f39737179

SHA1
6d90d26554f7f51107b2d14e2b2466211c3716e0

SHA256
4b2f29e95ff34cf5eee19ba92fbad48c6432e3a13146bda1ff64e9a9882bba5b

SHA512
eb3cfc1a40bbb705de0bd7368181315365ee9752cc16e44a78875e32a2692df8d3eb707189198cb0e30a0904348f61c7cb977166c5638a5f566e5253681ec379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5291378.exe

Filesize
11KB

MD5
737ccf7aa996c8ec3f836263aeff8b52

SHA1
8a5c7cd0d0bf936ba20d281b0e04afa5c2e7b1f2

SHA256
31c12a2ed1ded9c08ce0874d125b17673f1320e45812a4dd0e9cc171f68cbe3a

SHA512
d405673f3a79b5d00b03f2183e557538cad5dc3da164c6878c88d2c80bc597ed5cfed6e060ef782395d4197d87fb0631f5904de2b715e50ebe7a9100a5580142

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k5291378.exe

Filesize
11KB

MD5
737ccf7aa996c8ec3f836263aeff8b52

SHA1
8a5c7cd0d0bf936ba20d281b0e04afa5c2e7b1f2

SHA256
31c12a2ed1ded9c08ce0874d125b17673f1320e45812a4dd0e9cc171f68cbe3a

SHA512
d405673f3a79b5d00b03f2183e557538cad5dc3da164c6878c88d2c80bc597ed5cfed6e060ef782395d4197d87fb0631f5904de2b715e50ebe7a9100a5580142

Download Submit
memory/1740-162-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3488-170-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/4284-176-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/4284-177-0x000000000B1B0000-0x000000000B7C8000-memory.dmp

Filesize
6.1MB

Download
memory/4284-178-0x000000000AD00000-0x000000000AE0A000-memory.dmp

Filesize
1.0MB

Download
memory/4284-179-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4284-180-0x000000000AC40000-0x000000000AC52000-memory.dmp

Filesize
72KB

Download
memory/4284-181-0x000000000ACA0000-0x000000000ACDC000-memory.dmp

Filesize
240KB

Download
memory/4284-182-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4284-183-0x000000000B970000-0x000000000B9E6000-memory.dmp

Filesize
472KB

Download
memory/4284-184-0x000000000BA90000-0x000000000BB22000-memory.dmp

Filesize
584KB

Download
memory/4284-185-0x000000000C0E0000-0x000000000C684000-memory.dmp

Filesize
5.6MB

Download
memory/4284-186-0x00000000013D0000-0x0000000001436000-memory.dmp

Filesize
408KB

Download
memory/4284-187-0x000000000B9F0000-0x000000000BA40000-memory.dmp

Filesize
320KB

Download
memory/4284-188-0x000000000BE70000-0x000000000C032000-memory.dmp

Filesize
1.8MB

Download
memory/4284-189-0x000000000CBC0000-0x000000000D0EC000-memory.dmp

Filesize
5.2MB

Download