redline | f7a68c5555f5dab14fede0136f1e779a598fd3872fa11be00d6b64900f80f76c

Analysis

max time kernel
54s
max time network
58s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y5292044exe.exe
Size

272KB
MD5

66f5493784bf7e697580883a28f4aff6
SHA1

93df30e5e9cf1ef14b3c8c5849932a6fc92077c9
SHA256

f7a68c5555f5dab14fede0136f1e779a598fd3872fa11be00d6b64900f80f76c
SHA512

b86b981d3443fa665b68d0c7a29f03f30f4e09d778413ee96268e3784dcb2459aeea0b4744bc15a42dcf041dbc8f2a6780fc1797ad24900fc3865f01b0470224
SSDEEP

6144:KUy+bnr+Bp0yN90QENJ5ze2LzCxA8HgzaaKJZsWbNbhJN:YMrJy90f3zpLOxrguaUzNf

Score

10^/10

redline nowa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

nowa

77.91.124.49:19073

Attributes

auth_value
6bc6b0617aa32bcd971aef4a2cf49647

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2172-67-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9730505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9730505.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k9730505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9730505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9730505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9730505.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
2172	k9730505.exe
2144	l1126446.exe

Loads dropped DLL 6 IoCs

pid	Process
1192	y5292044exe.exe
1192	y5292044exe.exe
2172	k9730505.exe
1192	y5292044exe.exe
1192	y5292044exe.exe
2144	l1126446.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k9730505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9730505.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5292044exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	y5292044exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2172	k9730505.exe
2172	k9730505.exe
2144	l1126446.exe
2144	l1126446.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	k9730505.exe
Token: SeDebugPrivilege	2144	l1126446.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2172	1192	y5292044exe.exe	29
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31
PID 1192 wrote to memory of 2144	1192	y5292044exe.exe	31

C:\Users\Admin\AppData\Local\Temp\y5292044exe.exe
"C:\Users\Admin\AppData\Local\Temp\y5292044exe.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe

Filesize
112KB

MD5
feefbe687f610339c720591344b39baf

SHA1
9ba251e0cce6d22822079b577b24df0edc412127

SHA256
ba77486fc3a98b2ca9e860aa70bf19e512c989420ce31f9afcd721c1d7498c87

SHA512
29c3cb9bb3ddeb16698db07f050d15882182078163925ce0fe8586e65991d012463bbc910073c7690d14cbc88baf824148398bd8f6d251e967b4e0ea33fc3741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe

Filesize
112KB

MD5
feefbe687f610339c720591344b39baf

SHA1
9ba251e0cce6d22822079b577b24df0edc412127

SHA256
ba77486fc3a98b2ca9e860aa70bf19e512c989420ce31f9afcd721c1d7498c87

SHA512
29c3cb9bb3ddeb16698db07f050d15882182078163925ce0fe8586e65991d012463bbc910073c7690d14cbc88baf824148398bd8f6d251e967b4e0ea33fc3741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe

Filesize
112KB

MD5
feefbe687f610339c720591344b39baf

SHA1
9ba251e0cce6d22822079b577b24df0edc412127

SHA256
ba77486fc3a98b2ca9e860aa70bf19e512c989420ce31f9afcd721c1d7498c87

SHA512
29c3cb9bb3ddeb16698db07f050d15882182078163925ce0fe8586e65991d012463bbc910073c7690d14cbc88baf824148398bd8f6d251e967b4e0ea33fc3741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe

Filesize
274KB

MD5
eff52ed1c6e68227cffc8f87f36ea30c

SHA1
cea693147b16f29d1d8ed3ba8a25c46f081dade2

SHA256
b6c77bc7f645110e2fd7f3dbf2e9330c7bd1d62dad0b61c778db199dbab20c42

SHA512
839e6e6915b341569d9bdc6ad69894027dcc81a9bb2a762946663f843190049f9ce608e1c4975061e556b866b18a1ff814dd01f9b97f5dec510e1185ad4e4d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe

Filesize
274KB

MD5
eff52ed1c6e68227cffc8f87f36ea30c

SHA1
cea693147b16f29d1d8ed3ba8a25c46f081dade2

SHA256
b6c77bc7f645110e2fd7f3dbf2e9330c7bd1d62dad0b61c778db199dbab20c42

SHA512
839e6e6915b341569d9bdc6ad69894027dcc81a9bb2a762946663f843190049f9ce608e1c4975061e556b866b18a1ff814dd01f9b97f5dec510e1185ad4e4d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe

Filesize
274KB

MD5
eff52ed1c6e68227cffc8f87f36ea30c

SHA1
cea693147b16f29d1d8ed3ba8a25c46f081dade2

SHA256
b6c77bc7f645110e2fd7f3dbf2e9330c7bd1d62dad0b61c778db199dbab20c42

SHA512
839e6e6915b341569d9bdc6ad69894027dcc81a9bb2a762946663f843190049f9ce608e1c4975061e556b866b18a1ff814dd01f9b97f5dec510e1185ad4e4d5e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe

Filesize
112KB

MD5
feefbe687f610339c720591344b39baf

SHA1
9ba251e0cce6d22822079b577b24df0edc412127

SHA256
ba77486fc3a98b2ca9e860aa70bf19e512c989420ce31f9afcd721c1d7498c87

SHA512
29c3cb9bb3ddeb16698db07f050d15882182078163925ce0fe8586e65991d012463bbc910073c7690d14cbc88baf824148398bd8f6d251e967b4e0ea33fc3741

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe

Filesize
112KB

MD5
feefbe687f610339c720591344b39baf

SHA1
9ba251e0cce6d22822079b577b24df0edc412127

SHA256
ba77486fc3a98b2ca9e860aa70bf19e512c989420ce31f9afcd721c1d7498c87

SHA512
29c3cb9bb3ddeb16698db07f050d15882182078163925ce0fe8586e65991d012463bbc910073c7690d14cbc88baf824148398bd8f6d251e967b4e0ea33fc3741

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9730505.exe

Filesize
112KB

MD5
feefbe687f610339c720591344b39baf

SHA1
9ba251e0cce6d22822079b577b24df0edc412127

SHA256
ba77486fc3a98b2ca9e860aa70bf19e512c989420ce31f9afcd721c1d7498c87

SHA512
29c3cb9bb3ddeb16698db07f050d15882182078163925ce0fe8586e65991d012463bbc910073c7690d14cbc88baf824148398bd8f6d251e967b4e0ea33fc3741

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe

Filesize
274KB

MD5
eff52ed1c6e68227cffc8f87f36ea30c

SHA1
cea693147b16f29d1d8ed3ba8a25c46f081dade2

SHA256
b6c77bc7f645110e2fd7f3dbf2e9330c7bd1d62dad0b61c778db199dbab20c42

SHA512
839e6e6915b341569d9bdc6ad69894027dcc81a9bb2a762946663f843190049f9ce608e1c4975061e556b866b18a1ff814dd01f9b97f5dec510e1185ad4e4d5e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe

Filesize
274KB

MD5
eff52ed1c6e68227cffc8f87f36ea30c

SHA1
cea693147b16f29d1d8ed3ba8a25c46f081dade2

SHA256
b6c77bc7f645110e2fd7f3dbf2e9330c7bd1d62dad0b61c778db199dbab20c42

SHA512
839e6e6915b341569d9bdc6ad69894027dcc81a9bb2a762946663f843190049f9ce608e1c4975061e556b866b18a1ff814dd01f9b97f5dec510e1185ad4e4d5e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\l1126446.exe

Filesize
274KB

MD5
eff52ed1c6e68227cffc8f87f36ea30c

SHA1
cea693147b16f29d1d8ed3ba8a25c46f081dade2

SHA256
b6c77bc7f645110e2fd7f3dbf2e9330c7bd1d62dad0b61c778db199dbab20c42

SHA512
839e6e6915b341569d9bdc6ad69894027dcc81a9bb2a762946663f843190049f9ce608e1c4975061e556b866b18a1ff814dd01f9b97f5dec510e1185ad4e4d5e

Download Submit
memory/2144-81-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/2144-85-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download
memory/2144-86-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2144-87-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2172-67-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download