redline | b1a8f084d4cda17a6f55c2b275bff96bc47f675c5d002c3a03e95b8606ad3436

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
03/07/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f32508d3851dd25ba8efd1cd13c0ef.exe
Size

525KB
MD5

a4f32508d3851dd25ba8efd1cd13c0ef
SHA1

f418988838de20f32bd564cc5991cf9907a30350
SHA256

b1a8f084d4cda17a6f55c2b275bff96bc47f675c5d002c3a03e95b8606ad3436
SHA512

10d97c2b1e33bf7d1fdfcd1c0ed137a85eccd97d8957990db154c4964b88314af60f5cfb89fd3690453842718e370aa775b6d9a6fae9927e5983ae485d9c5fce
SSDEEP

12288:6/C+XQ2PBsKroZMb2Wob/gFnqhonmehGlB9oFn:6/C+pJRb76gl5phGlr6

Score

10^/10

redline andre discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

andre

77.91.124.49:19073

Attributes

auth_value
8e5522dc6bdb7e288797bc46c2687b12

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/580-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1063107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1063107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1063107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1063107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1063107.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1063107.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
684	y9924995.exe
580	k1063107.exe
1336	l2507970.exe

Loads dropped DLL 8 IoCs

pid	Process
1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe
684	y9924995.exe
684	y9924995.exe
684	y9924995.exe
580	k1063107.exe
684	y9924995.exe
684	y9924995.exe
1336	l2507970.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k1063107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1063107.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a4f32508d3851dd25ba8efd1cd13c0ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4f32508d3851dd25ba8efd1cd13c0ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9924995.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9924995.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	k1063107.exe
580	k1063107.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	k1063107.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 1716 wrote to memory of 684	1716	a4f32508d3851dd25ba8efd1cd13c0ef.exe	29
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 580	684	y9924995.exe	30
PID 684 wrote to memory of 1336	684	y9924995.exe	32
PID 684 wrote to memory of 1336	684	y9924995.exe	32
PID 684 wrote to memory of 1336	684	y9924995.exe	32
PID 684 wrote to memory of 1336	684	y9924995.exe	32
PID 684 wrote to memory of 1336	684	y9924995.exe	32
PID 684 wrote to memory of 1336	684	y9924995.exe	32
PID 684 wrote to memory of 1336	684	y9924995.exe	32

C:\Users\Admin\AppData\Local\Temp\a4f32508d3851dd25ba8efd1cd13c0ef.exe
"C:\Users\Admin\AppData\Local\Temp\a4f32508d3851dd25ba8efd1cd13c0ef.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9924995.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9924995.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9924995.exe

Filesize
264KB

MD5
42ede662e6a480f0ae29dc55aae0c279

SHA1
f3cb57f4f1dd9cea661b572f849e638d71130691

SHA256
112673d38b0472bdf595b59139962f96309fc171171652ee3bed98722280e43d

SHA512
0c4930e0dad2be1d8f500d72043a51441182dba843314127a6b0f34cc57840acb7e61f6e48c42eb75219436b14c0bf94960ab506572abf247d1342308ac42982

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9924995.exe

Filesize
264KB

MD5
42ede662e6a480f0ae29dc55aae0c279

SHA1
f3cb57f4f1dd9cea661b572f849e638d71130691

SHA256
112673d38b0472bdf595b59139962f96309fc171171652ee3bed98722280e43d

SHA512
0c4930e0dad2be1d8f500d72043a51441182dba843314127a6b0f34cc57840acb7e61f6e48c42eb75219436b14c0bf94960ab506572abf247d1342308ac42982

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe

Filesize
101KB

MD5
9d55d35e3c5335250f45f16310d2e3e5

SHA1
6822090d82ca7b1a7974eba21403f4e9287bcb04

SHA256
c5a081af0fc6a2753c73df382a1eecbc78b57ea5a9306e4b044f4f715c5553f3

SHA512
7aac6594412285f810d134467c5748d6971729cb095211fafe8a8c67e3507a961ec369ee2a0c9a042bd305eaf32ff7e1072ce6fb42a8fd2b3cb983149bb936a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe

Filesize
101KB

MD5
9d55d35e3c5335250f45f16310d2e3e5

SHA1
6822090d82ca7b1a7974eba21403f4e9287bcb04

SHA256
c5a081af0fc6a2753c73df382a1eecbc78b57ea5a9306e4b044f4f715c5553f3

SHA512
7aac6594412285f810d134467c5748d6971729cb095211fafe8a8c67e3507a961ec369ee2a0c9a042bd305eaf32ff7e1072ce6fb42a8fd2b3cb983149bb936a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe

Filesize
101KB

MD5
9d55d35e3c5335250f45f16310d2e3e5

SHA1
6822090d82ca7b1a7974eba21403f4e9287bcb04

SHA256
c5a081af0fc6a2753c73df382a1eecbc78b57ea5a9306e4b044f4f715c5553f3

SHA512
7aac6594412285f810d134467c5748d6971729cb095211fafe8a8c67e3507a961ec369ee2a0c9a042bd305eaf32ff7e1072ce6fb42a8fd2b3cb983149bb936a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe

Filesize
262KB

MD5
219c9ff7d897bbf15105e2f19e420196

SHA1
3fc1bf231da690eee555c68d2fe4fb8fe0ff7be4

SHA256
4904fbf8e1153669e0ab0ad3e31767d46821001de80d7f66d08d9a03669fb2e2

SHA512
73efe2965da1490971bd40814f25abb3d925e47aaa9108ae874783789e50a776f5c27cb0417f1691639cc4c0f82dd75672b66ef4291c37e9998e77bd78fdcab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe

Filesize
262KB

MD5
219c9ff7d897bbf15105e2f19e420196

SHA1
3fc1bf231da690eee555c68d2fe4fb8fe0ff7be4

SHA256
4904fbf8e1153669e0ab0ad3e31767d46821001de80d7f66d08d9a03669fb2e2

SHA512
73efe2965da1490971bd40814f25abb3d925e47aaa9108ae874783789e50a776f5c27cb0417f1691639cc4c0f82dd75672b66ef4291c37e9998e77bd78fdcab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe

Filesize
262KB

MD5
219c9ff7d897bbf15105e2f19e420196

SHA1
3fc1bf231da690eee555c68d2fe4fb8fe0ff7be4

SHA256
4904fbf8e1153669e0ab0ad3e31767d46821001de80d7f66d08d9a03669fb2e2

SHA512
73efe2965da1490971bd40814f25abb3d925e47aaa9108ae874783789e50a776f5c27cb0417f1691639cc4c0f82dd75672b66ef4291c37e9998e77bd78fdcab9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9924995.exe

Filesize
264KB

MD5
42ede662e6a480f0ae29dc55aae0c279

SHA1
f3cb57f4f1dd9cea661b572f849e638d71130691

SHA256
112673d38b0472bdf595b59139962f96309fc171171652ee3bed98722280e43d

SHA512
0c4930e0dad2be1d8f500d72043a51441182dba843314127a6b0f34cc57840acb7e61f6e48c42eb75219436b14c0bf94960ab506572abf247d1342308ac42982

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9924995.exe

Filesize
264KB

MD5
42ede662e6a480f0ae29dc55aae0c279

SHA1
f3cb57f4f1dd9cea661b572f849e638d71130691

SHA256
112673d38b0472bdf595b59139962f96309fc171171652ee3bed98722280e43d

SHA512
0c4930e0dad2be1d8f500d72043a51441182dba843314127a6b0f34cc57840acb7e61f6e48c42eb75219436b14c0bf94960ab506572abf247d1342308ac42982

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe

Filesize
101KB

MD5
9d55d35e3c5335250f45f16310d2e3e5

SHA1
6822090d82ca7b1a7974eba21403f4e9287bcb04

SHA256
c5a081af0fc6a2753c73df382a1eecbc78b57ea5a9306e4b044f4f715c5553f3

SHA512
7aac6594412285f810d134467c5748d6971729cb095211fafe8a8c67e3507a961ec369ee2a0c9a042bd305eaf32ff7e1072ce6fb42a8fd2b3cb983149bb936a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe

Filesize
101KB

MD5
9d55d35e3c5335250f45f16310d2e3e5

SHA1
6822090d82ca7b1a7974eba21403f4e9287bcb04

SHA256
c5a081af0fc6a2753c73df382a1eecbc78b57ea5a9306e4b044f4f715c5553f3

SHA512
7aac6594412285f810d134467c5748d6971729cb095211fafe8a8c67e3507a961ec369ee2a0c9a042bd305eaf32ff7e1072ce6fb42a8fd2b3cb983149bb936a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1063107.exe

Filesize
101KB

MD5
9d55d35e3c5335250f45f16310d2e3e5

SHA1
6822090d82ca7b1a7974eba21403f4e9287bcb04

SHA256
c5a081af0fc6a2753c73df382a1eecbc78b57ea5a9306e4b044f4f715c5553f3

SHA512
7aac6594412285f810d134467c5748d6971729cb095211fafe8a8c67e3507a961ec369ee2a0c9a042bd305eaf32ff7e1072ce6fb42a8fd2b3cb983149bb936a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe

Filesize
262KB

MD5
219c9ff7d897bbf15105e2f19e420196

SHA1
3fc1bf231da690eee555c68d2fe4fb8fe0ff7be4

SHA256
4904fbf8e1153669e0ab0ad3e31767d46821001de80d7f66d08d9a03669fb2e2

SHA512
73efe2965da1490971bd40814f25abb3d925e47aaa9108ae874783789e50a776f5c27cb0417f1691639cc4c0f82dd75672b66ef4291c37e9998e77bd78fdcab9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe

Filesize
262KB

MD5
219c9ff7d897bbf15105e2f19e420196

SHA1
3fc1bf231da690eee555c68d2fe4fb8fe0ff7be4

SHA256
4904fbf8e1153669e0ab0ad3e31767d46821001de80d7f66d08d9a03669fb2e2

SHA512
73efe2965da1490971bd40814f25abb3d925e47aaa9108ae874783789e50a776f5c27cb0417f1691639cc4c0f82dd75672b66ef4291c37e9998e77bd78fdcab9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2507970.exe

Filesize
262KB

MD5
219c9ff7d897bbf15105e2f19e420196

SHA1
3fc1bf231da690eee555c68d2fe4fb8fe0ff7be4

SHA256
4904fbf8e1153669e0ab0ad3e31767d46821001de80d7f66d08d9a03669fb2e2

SHA512
73efe2965da1490971bd40814f25abb3d925e47aaa9108ae874783789e50a776f5c27cb0417f1691639cc4c0f82dd75672b66ef4291c37e9998e77bd78fdcab9

Download Submit
memory/580-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1336-97-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/1336-101-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1336-102-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1336-103-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1716-54-0x0000000000320000-0x0000000000392000-memory.dmp

Filesize
456KB

Download