redline | cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed

Analysis

max time kernel
147s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 01:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe
Size

823KB
MD5

7592d73fa48c86a9c6305fb07a0798f6
SHA1

ff8fff8efb167e5da5333f7afbdef5cb3538f7e8
SHA256

cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed
SHA512

912d01ede7704b8c41692905fe793469374a086307a2a5b903c780cc56321a870491bc527ef670f15089349890a2949b413f8c7aa39bdc62910643843e2af901
SSDEEP

12288:gMrty90a721Zz2Fit/jCKklih1je6X4dgzAdy+td9SNzOUB8:dy572TzJ/OKkU3jeFdJy+L2z3S

Score

10^/10

redline chang evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

chang

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r6059649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r6059649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r6059649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r6059649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r6059649.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3108	z5625090.exe
4908	z9666033.exe
824	z6042808.exe
4244	r6059649.exe
1548	s1477806.exe
5100	t6755356.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r6059649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r6059649.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5625090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9666033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6042808.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4244	r6059649.exe
4244	r6059649.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	r6059649.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3108	1712	cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe	70
PID 1712 wrote to memory of 3108	1712	cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe	70
PID 1712 wrote to memory of 3108	1712	cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe	70
PID 3108 wrote to memory of 4908	3108	z5625090.exe	71
PID 3108 wrote to memory of 4908	3108	z5625090.exe	71
PID 3108 wrote to memory of 4908	3108	z5625090.exe	71
PID 4908 wrote to memory of 824	4908	z9666033.exe	72
PID 4908 wrote to memory of 824	4908	z9666033.exe	72
PID 4908 wrote to memory of 824	4908	z9666033.exe	72
PID 824 wrote to memory of 4244	824	z6042808.exe	73
PID 824 wrote to memory of 4244	824	z6042808.exe	73
PID 824 wrote to memory of 4244	824	z6042808.exe	73
PID 824 wrote to memory of 1548	824	z6042808.exe	74
PID 824 wrote to memory of 1548	824	z6042808.exe	74
PID 824 wrote to memory of 1548	824	z6042808.exe	74
PID 4908 wrote to memory of 5100	4908	z9666033.exe	75
PID 4908 wrote to memory of 5100	4908	z9666033.exe	75
PID 4908 wrote to memory of 5100	4908	z9666033.exe	75

C:\Users\Admin\AppData\Local\Temp\cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe
"C:\Users\Admin\AppData\Local\Temp\cfa1778bf7193d3369e688ebced275d4974d6b4950777ae4076da97214f217ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5625090.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5625090.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9666033.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9666033.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6042808.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6042808.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6059649.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6059649.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1477806.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1477806.exe
        5⤵
        Executes dropped EXE
        
        PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6755356.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6755356.exe
      4⤵
      Executes dropped EXE
      PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5625090.exe

Filesize
707KB

MD5
eb7142084265ab177db8b289b6ca7b9c

SHA1
9890376bfde4486f48b7020b3fc4c48382fa3ef0

SHA256
b7eb84dbdaff58971f4698c057e22c7d1b4f3d410a527f551fbc647d0fa5ae11

SHA512
0088793cb8d87e28e6af71c40e8883314ba9cff5d62e395b6af2e2cd189ce75e3a37c3ec5a582392695f1f35bb1b60a62a5c2b4e98fea947b44f09764e54d9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5625090.exe

Filesize
707KB

MD5
eb7142084265ab177db8b289b6ca7b9c

SHA1
9890376bfde4486f48b7020b3fc4c48382fa3ef0

SHA256
b7eb84dbdaff58971f4698c057e22c7d1b4f3d410a527f551fbc647d0fa5ae11

SHA512
0088793cb8d87e28e6af71c40e8883314ba9cff5d62e395b6af2e2cd189ce75e3a37c3ec5a582392695f1f35bb1b60a62a5c2b4e98fea947b44f09764e54d9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9666033.exe

Filesize
481KB

MD5
3a60a1d09650d371a3aa469bb71c4553

SHA1
cf25df576fc2ec0c00359c946014b87a8b99743f

SHA256
ec1ceb75ea577e6c38a08fd0230ca554304eeb7fa520ad09154440193fdd6a47

SHA512
3bf25e4a7b2f922c3448147eb097c5e840f603d1541fd89f288d3730438e16af33451084bfdd70ffb78bda608ff2d268c6296f42a0a673ab48c9c69781911886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9666033.exe

Filesize
481KB

MD5
3a60a1d09650d371a3aa469bb71c4553

SHA1
cf25df576fc2ec0c00359c946014b87a8b99743f

SHA256
ec1ceb75ea577e6c38a08fd0230ca554304eeb7fa520ad09154440193fdd6a47

SHA512
3bf25e4a7b2f922c3448147eb097c5e840f603d1541fd89f288d3730438e16af33451084bfdd70ffb78bda608ff2d268c6296f42a0a673ab48c9c69781911886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6755356.exe

Filesize
174KB

MD5
d6025360a9e9a7a2ab7893d0a4fdb465

SHA1
5d1c74c32eccc74502a2dc90aa8c28807f45b340

SHA256
0f0582e08029829ba476a875e2b055ef05e2e49b0d93d1be8f231c2b741a9618

SHA512
0c65bfad2f191a41fdc0481482b86626b08faff096d513ca964a679f2e9f6289fa83e65a2ee268bd1c4d3b11108a07392d7adedeb998ae97c00d26937f1e8c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6755356.exe

Filesize
174KB

MD5
d6025360a9e9a7a2ab7893d0a4fdb465

SHA1
5d1c74c32eccc74502a2dc90aa8c28807f45b340

SHA256
0f0582e08029829ba476a875e2b055ef05e2e49b0d93d1be8f231c2b741a9618

SHA512
0c65bfad2f191a41fdc0481482b86626b08faff096d513ca964a679f2e9f6289fa83e65a2ee268bd1c4d3b11108a07392d7adedeb998ae97c00d26937f1e8c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6042808.exe

Filesize
325KB

MD5
81bedad97a3baf59bdd1c7e5061f1425

SHA1
756971590e27279eb2ccd3628e3ba8ae7bdf2bdb

SHA256
94faf553d2f877ce2e3b0584d4fcbf4e8b24e170634eb5ceb8acb510cdf8b45b

SHA512
90e8a144c1d301965b7b81d597f240e5ca6adcc75bdbbb3cf2e8203c7ee0cbd3eba94ece4574f6fc246a130b59fa7406762ae3cc8ccc3841a1ee119d6e042798

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6042808.exe

Filesize
325KB

MD5
81bedad97a3baf59bdd1c7e5061f1425

SHA1
756971590e27279eb2ccd3628e3ba8ae7bdf2bdb

SHA256
94faf553d2f877ce2e3b0584d4fcbf4e8b24e170634eb5ceb8acb510cdf8b45b

SHA512
90e8a144c1d301965b7b81d597f240e5ca6adcc75bdbbb3cf2e8203c7ee0cbd3eba94ece4574f6fc246a130b59fa7406762ae3cc8ccc3841a1ee119d6e042798

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6059649.exe

Filesize
184KB

MD5
88a148ad703c2d5acc5d0bc3c3480431

SHA1
a0846f190c84515a4a4f4a5fad91a76b3b2686ea

SHA256
baee6a19b4f303f6b4b3da28297b73535bd2cae302c7177061495a85f9f62407

SHA512
0bd6f21430f7a2aa6b3f404b3202244c37a19d783501ac488a22ea0316ac4738d26943fcc56d8fb4013083de7843ad7005c5b7b1e8f27d06d365195c0d8c2ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6059649.exe

Filesize
184KB

MD5
88a148ad703c2d5acc5d0bc3c3480431

SHA1
a0846f190c84515a4a4f4a5fad91a76b3b2686ea

SHA256
baee6a19b4f303f6b4b3da28297b73535bd2cae302c7177061495a85f9f62407

SHA512
0bd6f21430f7a2aa6b3f404b3202244c37a19d783501ac488a22ea0316ac4738d26943fcc56d8fb4013083de7843ad7005c5b7b1e8f27d06d365195c0d8c2ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1477806.exe

Filesize
140KB

MD5
3c69ad02a28383f154a5528b616e95f1

SHA1
d09d7d67e10f4818e3564eae903e563335d81715

SHA256
2107fc1e224c1108ab7c613815d35174d1c81a7236e865304c487979bbfe100b

SHA512
7ff3a9f5d625896ff3cc949f0aaa28fb7f54d6835e8069a8888b4b5be820732880af07b28e4f86695b5f530df6783d2a34c14723f20423c8d97caf772dd6fe3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1477806.exe

Filesize
140KB

MD5
3c69ad02a28383f154a5528b616e95f1

SHA1
d09d7d67e10f4818e3564eae903e563335d81715

SHA256
2107fc1e224c1108ab7c613815d35174d1c81a7236e865304c487979bbfe100b

SHA512
7ff3a9f5d625896ff3cc949f0aaa28fb7f54d6835e8069a8888b4b5be820732880af07b28e4f86695b5f530df6783d2a34c14723f20423c8d97caf772dd6fe3e

Download Submit
memory/4244-147-0x0000000004900000-0x0000000004DFE000-memory.dmp

Filesize
5.0MB

Download
memory/4244-177-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/4244-152-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-154-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-156-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-158-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-160-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-162-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-164-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-166-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-168-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-170-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-172-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-174-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-176-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-150-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-179-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/4244-149-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4244-148-0x0000000004E40000-0x0000000004E5C000-memory.dmp

Filesize
112KB

Download
memory/4244-146-0x0000000002560000-0x000000000257E000-memory.dmp

Filesize
120KB

Download
memory/4244-145-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/5100-187-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/5100-186-0x0000000000110000-0x0000000000140000-memory.dmp

Filesize
192KB

Download
memory/5100-188-0x00000000023A0000-0x00000000023A6000-memory.dmp

Filesize
24KB

Download
memory/5100-189-0x000000000A3E0000-0x000000000A9E6000-memory.dmp

Filesize
6.0MB

Download
memory/5100-190-0x0000000009F20000-0x000000000A02A000-memory.dmp

Filesize
1.0MB

Download
memory/5100-191-0x0000000009E50000-0x0000000009E62000-memory.dmp

Filesize
72KB

Download
memory/5100-192-0x0000000009EB0000-0x0000000009EEE000-memory.dmp

Filesize
248KB

Download
memory/5100-193-0x000000000A030000-0x000000000A07B000-memory.dmp

Filesize
300KB

Download
memory/5100-194-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download