redline | c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9

Analysis

max time kernel
128s
max time network
142s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2023, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe
Size

1012KB
MD5

ddd682d5a3cef873b9cf95ec21b13e85
SHA1

85a50e0f8d951bf09200cad7f0412c98b5898749
SHA256

c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9
SHA512

d14cb17eb9ffe06ccefa0f9e24dfe9b2b9a27e4d27fa2f6014bc98351de566631176398f32a8f6be7caad52fef351b2b136c7808277837ad2bcdb0677eb14051
SSDEEP

12288:1MrUy90tP38ikjoOYfyNdq2NPStzDLmVKvSUO7wOzQvZbTn05YVUi+okJI+CXiyM:pywcvYsdqEPuzDK8M7DzQlROe+CQeE

Score

10^/10

redline chang evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

chang

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4742745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4742745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4742745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4742745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4742745.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
768	v2503561.exe
776	v2443669.exe
1896	v9636310.exe
4824	v5403072.exe
60	a4742745.exe
3296	b3337770.exe
3256	c9589161.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4742745.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4742745.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2503561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2443669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9636310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5403072.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	a4742745.exe
60	a4742745.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	a4742745.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 768	2444	c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe	70
PID 2444 wrote to memory of 768	2444	c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe	70
PID 2444 wrote to memory of 768	2444	c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe	70
PID 768 wrote to memory of 776	768	v2503561.exe	71
PID 768 wrote to memory of 776	768	v2503561.exe	71
PID 768 wrote to memory of 776	768	v2503561.exe	71
PID 776 wrote to memory of 1896	776	v2443669.exe	72
PID 776 wrote to memory of 1896	776	v2443669.exe	72
PID 776 wrote to memory of 1896	776	v2443669.exe	72
PID 1896 wrote to memory of 4824	1896	v9636310.exe	73
PID 1896 wrote to memory of 4824	1896	v9636310.exe	73
PID 1896 wrote to memory of 4824	1896	v9636310.exe	73
PID 4824 wrote to memory of 60	4824	v5403072.exe	74
PID 4824 wrote to memory of 60	4824	v5403072.exe	74
PID 4824 wrote to memory of 60	4824	v5403072.exe	74
PID 4824 wrote to memory of 3296	4824	v5403072.exe	75
PID 4824 wrote to memory of 3296	4824	v5403072.exe	75
PID 4824 wrote to memory of 3296	4824	v5403072.exe	75
PID 1896 wrote to memory of 3256	1896	v9636310.exe	76
PID 1896 wrote to memory of 3256	1896	v9636310.exe	76
PID 1896 wrote to memory of 3256	1896	v9636310.exe	76

C:\Users\Admin\AppData\Local\Temp\c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe
"C:\Users\Admin\AppData\Local\Temp\c8bedbff4bcfd3b957fe59850effbff156241785b86e41f621798a90dbaeaaf9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2503561.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2503561.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2443669.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2443669.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9636310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9636310.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5403072.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5403072.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4742745.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4742745.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3337770.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3337770.exe
        6⤵
        Executes dropped EXE
        
        PID:3296
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9589161.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9589161.exe
        5⤵
        Executes dropped EXE
        
        PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2503561.exe

Filesize
899KB

MD5
f4b0363b089e34b5f49c4eaa32b12cd1

SHA1
1e5a9b8089213c94836ed5e2c7f19264d711b9e7

SHA256
05e8d0751b2e67c585fad82685e839aaeffbeb82491515ad2cc098bc986feb9f

SHA512
3dcfde6e2729e19a96c5e67f0ea50501fc95a50701eac344f8fc97a113c68e208d708f4ada0ab69bfe018a03051cceb4c45fbf02dac807b705b8d591d1fcb0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2503561.exe

Filesize
899KB

MD5
f4b0363b089e34b5f49c4eaa32b12cd1

SHA1
1e5a9b8089213c94836ed5e2c7f19264d711b9e7

SHA256
05e8d0751b2e67c585fad82685e839aaeffbeb82491515ad2cc098bc986feb9f

SHA512
3dcfde6e2729e19a96c5e67f0ea50501fc95a50701eac344f8fc97a113c68e208d708f4ada0ab69bfe018a03051cceb4c45fbf02dac807b705b8d591d1fcb0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2443669.exe

Filesize
673KB

MD5
660998c9534c2bb8b528ddc35de37b44

SHA1
9b7ca6a7f2d58d43b5fd4dc4f8d7f3c6a7c29c5c

SHA256
8a0a4c09b414daf270ba66ff444f5fe294f8d2bb9b81ea706a72c39c30157c04

SHA512
519332ac0bb1d15082a9d62cf7b01fde3d2fa918938d5a8672bec132e183f18183e81b00e46adaed72df58d19e63359493e4b8d1f17485654f001b8b76f0c251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2443669.exe

Filesize
673KB

MD5
660998c9534c2bb8b528ddc35de37b44

SHA1
9b7ca6a7f2d58d43b5fd4dc4f8d7f3c6a7c29c5c

SHA256
8a0a4c09b414daf270ba66ff444f5fe294f8d2bb9b81ea706a72c39c30157c04

SHA512
519332ac0bb1d15082a9d62cf7b01fde3d2fa918938d5a8672bec132e183f18183e81b00e46adaed72df58d19e63359493e4b8d1f17485654f001b8b76f0c251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9636310.exe

Filesize
548KB

MD5
e8acfd29f2bbfebb76797dd6e98f89e4

SHA1
fd8cc6c190ea053ddd0affbb08c23822b824fa3e

SHA256
ebac0a82679402c31e71eb0c7a9bb84b9c40aa4af8d64d44e84caf52cb5ca67d

SHA512
40041a445bb4afefe0f4f6f064888b94978372d3fe86cf9067833798f0e2c0edb22c2139e269f3a8709615e1afb620e592499de7a0fdf3ee4274068650c133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9636310.exe

Filesize
548KB

MD5
e8acfd29f2bbfebb76797dd6e98f89e4

SHA1
fd8cc6c190ea053ddd0affbb08c23822b824fa3e

SHA256
ebac0a82679402c31e71eb0c7a9bb84b9c40aa4af8d64d44e84caf52cb5ca67d

SHA512
40041a445bb4afefe0f4f6f064888b94978372d3fe86cf9067833798f0e2c0edb22c2139e269f3a8709615e1afb620e592499de7a0fdf3ee4274068650c133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9589161.exe

Filesize
174KB

MD5
ba7ccc72aa67637e5edb5af9bbe211ac

SHA1
929978860f7dd30263c428a305f532e3c3a5f2c6

SHA256
ea177be5cced9b3bf25d2680785cf51cfa6c53262082011af489d95128380638

SHA512
08bc55fb78a0e291a3af4d1dda50841e8c64869816a86c5c7db277d3057e5d3bf75aff829e4f6065ba3b10beab40d225a3950fcda531f2869ffde41559bac9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9589161.exe

Filesize
174KB

MD5
ba7ccc72aa67637e5edb5af9bbe211ac

SHA1
929978860f7dd30263c428a305f532e3c3a5f2c6

SHA256
ea177be5cced9b3bf25d2680785cf51cfa6c53262082011af489d95128380638

SHA512
08bc55fb78a0e291a3af4d1dda50841e8c64869816a86c5c7db277d3057e5d3bf75aff829e4f6065ba3b10beab40d225a3950fcda531f2869ffde41559bac9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5403072.exe

Filesize
392KB

MD5
2bbfdcaf650e184dd53bb0cc713840b6

SHA1
4fe33fa0d0f005d1e40fe1d24c45c26480958f03

SHA256
00302bb74e683696123f55f3bdca3c734e673982c5769fd3891de09ad380b2d2

SHA512
8da20c7235416e3fb92860ea45dc440f568b0bf5735cc1da6c7b8c0cf32393a315a082624d4a68840b49485c28676b828864c71d860a86fd20082761628e1b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5403072.exe

Filesize
392KB

MD5
2bbfdcaf650e184dd53bb0cc713840b6

SHA1
4fe33fa0d0f005d1e40fe1d24c45c26480958f03

SHA256
00302bb74e683696123f55f3bdca3c734e673982c5769fd3891de09ad380b2d2

SHA512
8da20c7235416e3fb92860ea45dc440f568b0bf5735cc1da6c7b8c0cf32393a315a082624d4a68840b49485c28676b828864c71d860a86fd20082761628e1b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4742745.exe

Filesize
273KB

MD5
3e8ad8e952127fb536700565cf01da31

SHA1
f053284396d23dff21e8015ac2f0e220dac74b74

SHA256
38c9cb75782fdd6e57f221d32af32518e82e099d9380c6ff3b25e5ee3a65ee24

SHA512
dc462ca91a704aa61d0c1a7a8d01e984c1950dbbea1fdbe3594100af9cda9dda969bedcb836e7e483e2bc50b31552a9a48e76455a9387e2fcc1ab61c035b5aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4742745.exe

Filesize
273KB

MD5
3e8ad8e952127fb536700565cf01da31

SHA1
f053284396d23dff21e8015ac2f0e220dac74b74

SHA256
38c9cb75782fdd6e57f221d32af32518e82e099d9380c6ff3b25e5ee3a65ee24

SHA512
dc462ca91a704aa61d0c1a7a8d01e984c1950dbbea1fdbe3594100af9cda9dda969bedcb836e7e483e2bc50b31552a9a48e76455a9387e2fcc1ab61c035b5aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3337770.exe

Filesize
140KB

MD5
04e54b20f2288875f129b2aa2852d11a

SHA1
55bab3e9fb5c2915e2800bdc677ea3faf4a2995d

SHA256
634cf5cf315542200f5fcd6b81a90eb67904fd7c45d8398efc5041ee60537270

SHA512
dadb03f8142d0d32f44254d74d772efa189b721c19e85792bc07bc64fc505cd54135805b8a90ec9caab63954bae6bc517d2b069e826a460d1ff71017d8f6b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3337770.exe

Filesize
140KB

MD5
04e54b20f2288875f129b2aa2852d11a

SHA1
55bab3e9fb5c2915e2800bdc677ea3faf4a2995d

SHA256
634cf5cf315542200f5fcd6b81a90eb67904fd7c45d8398efc5041ee60537270

SHA512
dadb03f8142d0d32f44254d74d772efa189b721c19e85792bc07bc64fc505cd54135805b8a90ec9caab63954bae6bc517d2b069e826a460d1ff71017d8f6b66e

Download Submit
memory/60-155-0x00000000019A0000-0x00000000019C1000-memory.dmp

Filesize
132KB

Download
memory/60-156-0x00000000019D0000-0x00000000019FF000-memory.dmp

Filesize
188KB

Download
memory/60-157-0x0000000003540000-0x000000000355E000-memory.dmp

Filesize
120KB

Download
memory/60-158-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/60-159-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/60-160-0x0000000005F50000-0x000000000644E000-memory.dmp

Filesize
5.0MB

Download
memory/60-161-0x0000000003840000-0x000000000385C000-memory.dmp

Filesize
112KB

Download
memory/60-162-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-163-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-165-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-167-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-169-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-171-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-173-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-175-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-177-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-179-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-181-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-183-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-185-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-187-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-189-0x0000000003840000-0x0000000003856000-memory.dmp

Filesize
88KB

Download
memory/60-190-0x00000000019A0000-0x00000000019C1000-memory.dmp

Filesize
132KB

Download
memory/60-191-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/60-192-0x00000000019D0000-0x00000000019FF000-memory.dmp

Filesize
188KB

Download
memory/60-193-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/60-195-0x0000000000400000-0x00000000018C1000-memory.dmp

Filesize
20.8MB

Download
memory/60-196-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/3256-203-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/3256-204-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/3256-205-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/3256-206-0x000000000A740000-0x000000000AD46000-memory.dmp

Filesize
6.0MB

Download
memory/3256-207-0x000000000A280000-0x000000000A38A000-memory.dmp

Filesize
1.0MB

Download
memory/3256-208-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/3256-209-0x000000000A1B0000-0x000000000A1EE000-memory.dmp

Filesize
248KB

Download
memory/3256-210-0x000000000A1F0000-0x000000000A23B000-memory.dmp

Filesize
300KB

Download
memory/3256-211-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download