redline | 09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe
Size

948KB
MD5

6cf78efc76477f55e90f505dfa51f387
SHA1

8e0dea09cd5ee342d2d4ecd96d6cce68c48417a0
SHA256

09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256
SHA512

80c45b20ac1de176e4c2e28c63df67df8e632a89e4e82c5c0d7cfee359431fe98909cd55d652c854955b533ad790c635b014488916e2f1d8597cb420e24ad06e
SSDEEP

24576:qyB1CZhsXzka/1K8t2s8ZO8rI6tdr9KPS8xrRJ8K86K:xiyp1KM2sHUhE1L8

Score

10^/10

redline chang evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

chang

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3697802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3697802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3697802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3697802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3697802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3697802.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2620	v6559205.exe
2056	v4136862.exe
1356	v6229893.exe
3064	v1099898.exe
3416	a3697802.exe
1772	b0998700.exe
3364	c2775452.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3697802.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3697802.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6559205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4136862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6229893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1099898.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	a3697802.exe
3416	a3697802.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	a3697802.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2620	2856	09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe	82
PID 2856 wrote to memory of 2620	2856	09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe	82
PID 2856 wrote to memory of 2620	2856	09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe	82
PID 2620 wrote to memory of 2056	2620	v6559205.exe	83
PID 2620 wrote to memory of 2056	2620	v6559205.exe	83
PID 2620 wrote to memory of 2056	2620	v6559205.exe	83
PID 2056 wrote to memory of 1356	2056	v4136862.exe	84
PID 2056 wrote to memory of 1356	2056	v4136862.exe	84
PID 2056 wrote to memory of 1356	2056	v4136862.exe	84
PID 1356 wrote to memory of 3064	1356	v6229893.exe	85
PID 1356 wrote to memory of 3064	1356	v6229893.exe	85
PID 1356 wrote to memory of 3064	1356	v6229893.exe	85
PID 3064 wrote to memory of 3416	3064	v1099898.exe	86
PID 3064 wrote to memory of 3416	3064	v1099898.exe	86
PID 3064 wrote to memory of 3416	3064	v1099898.exe	86
PID 3064 wrote to memory of 1772	3064	v1099898.exe	91
PID 3064 wrote to memory of 1772	3064	v1099898.exe	91
PID 3064 wrote to memory of 1772	3064	v1099898.exe	91
PID 1356 wrote to memory of 3364	1356	v6229893.exe	92
PID 1356 wrote to memory of 3364	1356	v6229893.exe	92
PID 1356 wrote to memory of 3364	1356	v6229893.exe	92

C:\Users\Admin\AppData\Local\Temp\09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe
"C:\Users\Admin\AppData\Local\Temp\09e37b74aa60cbcc91af30fecaaa7ba5ea74d5bdc3f825fa5cd07d52217b6256.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6559205.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6559205.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4136862.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4136862.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6229893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6229893.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1099898.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1099898.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3697802.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3697802.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0998700.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0998700.exe
        6⤵
        Executes dropped EXE
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2775452.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2775452.exe
        5⤵
        Executes dropped EXE
        
        PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6559205.exe

Filesize
833KB

MD5
243d35decd783cfbf5b6433d224741c0

SHA1
55fadd8ffa2c8e6e7014eab7a16494f32bee7747

SHA256
ecab3b283931154768da2b0dbb1d957fba39f432e877204efffea6b2f71678ab

SHA512
d3f5cbd2d199353cd678d808e7466238795c52381bff3d6750348462f80a86dfad02d785fb0c69fcfd51ebfdbc1cdcc02edc54d8663a98ce6b2099e245e79643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6559205.exe

Filesize
833KB

MD5
243d35decd783cfbf5b6433d224741c0

SHA1
55fadd8ffa2c8e6e7014eab7a16494f32bee7747

SHA256
ecab3b283931154768da2b0dbb1d957fba39f432e877204efffea6b2f71678ab

SHA512
d3f5cbd2d199353cd678d808e7466238795c52381bff3d6750348462f80a86dfad02d785fb0c69fcfd51ebfdbc1cdcc02edc54d8663a98ce6b2099e245e79643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4136862.exe

Filesize
606KB

MD5
11493f583b0886e6349fcdf1524f5350

SHA1
39ed632950c5e33b9fe74167f6c09890b688d9d7

SHA256
7a7f0a929aede796b9ae209951695b762ddf725b29ecb48f09ae2b3421608ae6

SHA512
3ee40342b3c9bc85522ef61d190d7cda3c172ee417d22afdae4a85647899e7b366e7c99c5f03544a76127999142950b44802669348e2f11fbdbdccdf3710dd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4136862.exe

Filesize
606KB

MD5
11493f583b0886e6349fcdf1524f5350

SHA1
39ed632950c5e33b9fe74167f6c09890b688d9d7

SHA256
7a7f0a929aede796b9ae209951695b762ddf725b29ecb48f09ae2b3421608ae6

SHA512
3ee40342b3c9bc85522ef61d190d7cda3c172ee417d22afdae4a85647899e7b366e7c99c5f03544a76127999142950b44802669348e2f11fbdbdccdf3710dd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6229893.exe

Filesize
481KB

MD5
c8f45a41bb62845a06a283d5115e2243

SHA1
41508b9d655154222dbb02f2053b7b7d68eb3697

SHA256
14c426c0815e8eac2b78e625c45cc8f1bd56805abfcb2343f65e755d7a7ea733

SHA512
7f919aa6cd3e2f4e7eea7a52bb4f2d2ce02be5c4253f0714fca140cfd053c74ec209c4ed6d355aa5df30b257ab01d2019433871c7727356c8a3e876d2bd43fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6229893.exe

Filesize
481KB

MD5
c8f45a41bb62845a06a283d5115e2243

SHA1
41508b9d655154222dbb02f2053b7b7d68eb3697

SHA256
14c426c0815e8eac2b78e625c45cc8f1bd56805abfcb2343f65e755d7a7ea733

SHA512
7f919aa6cd3e2f4e7eea7a52bb4f2d2ce02be5c4253f0714fca140cfd053c74ec209c4ed6d355aa5df30b257ab01d2019433871c7727356c8a3e876d2bd43fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2775452.exe

Filesize
174KB

MD5
45adf5256312b4f5a61a5304b2b28b36

SHA1
7cb5f22b66871bf4e81b24077f5ae443a0b2ac29

SHA256
7ccab2bc70a7c5acb043a0bc534baaecf8299691bec5f3c7164f739c0602a608

SHA512
c6503b8b735f0ccfab94610394c36969c2b3d120c4bcc14fcbb588060ebc73e468d6fb0f21d78873dd38620f5ef90a1e4dcbd65ada3311a9e7ecedfa59b5092e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2775452.exe

Filesize
174KB

MD5
45adf5256312b4f5a61a5304b2b28b36

SHA1
7cb5f22b66871bf4e81b24077f5ae443a0b2ac29

SHA256
7ccab2bc70a7c5acb043a0bc534baaecf8299691bec5f3c7164f739c0602a608

SHA512
c6503b8b735f0ccfab94610394c36969c2b3d120c4bcc14fcbb588060ebc73e468d6fb0f21d78873dd38620f5ef90a1e4dcbd65ada3311a9e7ecedfa59b5092e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1099898.exe

Filesize
325KB

MD5
f8dc778f38c4464a520cf14b264fdad9

SHA1
d89ba5b8f4a3061009d3c76bef9c0873860e516f

SHA256
53b563d74f71bbfb941fc0e97f1e7f6c26af88fca49c8187f9b7d7662b83ec9f

SHA512
3a2eaf7dcc4c6549b67d71008406e8a59ad877cac1d73827edac07e7f512ea7eff68c06906433e0708a06c62858dc949cdf76464aad89e619237c5a8779e05e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1099898.exe

Filesize
325KB

MD5
f8dc778f38c4464a520cf14b264fdad9

SHA1
d89ba5b8f4a3061009d3c76bef9c0873860e516f

SHA256
53b563d74f71bbfb941fc0e97f1e7f6c26af88fca49c8187f9b7d7662b83ec9f

SHA512
3a2eaf7dcc4c6549b67d71008406e8a59ad877cac1d73827edac07e7f512ea7eff68c06906433e0708a06c62858dc949cdf76464aad89e619237c5a8779e05e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3697802.exe

Filesize
184KB

MD5
bc9f930787176216ca86986ec3dd3cba

SHA1
4bab2013cd14cf78cde598aba19aeedc19467cc5

SHA256
5b095aad0277509fde3cd03eb5de48d2dbbfd965f7021f3dc7395c1ea86c6b9d

SHA512
ac48a4799d8a0056cd3ea44bfe1974ec24a9ef49a955eaa3784f49162cdfc9a61489f9414ce779f837c7e1a758716c0f5b4bc110d2c0d8f3dc80b0ea1587d06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3697802.exe

Filesize
184KB

MD5
bc9f930787176216ca86986ec3dd3cba

SHA1
4bab2013cd14cf78cde598aba19aeedc19467cc5

SHA256
5b095aad0277509fde3cd03eb5de48d2dbbfd965f7021f3dc7395c1ea86c6b9d

SHA512
ac48a4799d8a0056cd3ea44bfe1974ec24a9ef49a955eaa3784f49162cdfc9a61489f9414ce779f837c7e1a758716c0f5b4bc110d2c0d8f3dc80b0ea1587d06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0998700.exe

Filesize
140KB

MD5
b4c4800bf9a2f90826a945639f277476

SHA1
0fabde291ce2708a497ecc04aa0e301bd2d751b9

SHA256
a7280e37edfd45235e1b9722111512213079a8b5277178b69460106434ce7b0d

SHA512
141c07798fe1bc4ffe7eff9ae485939ecc495e1d577cc90a93c6faf9f334374b5f61fe47943891ac4039cef92e09512295128aea5265f44cf263baa0d6f5775b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0998700.exe

Filesize
140KB

MD5
b4c4800bf9a2f90826a945639f277476

SHA1
0fabde291ce2708a497ecc04aa0e301bd2d751b9

SHA256
a7280e37edfd45235e1b9722111512213079a8b5277178b69460106434ce7b0d

SHA512
141c07798fe1bc4ffe7eff9ae485939ecc495e1d577cc90a93c6faf9f334374b5f61fe47943891ac4039cef92e09512295128aea5265f44cf263baa0d6f5775b

Download Submit
memory/3364-219-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3364-216-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3364-214-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

Filesize
1.0MB

Download
memory/3364-213-0x000000000A880000-0x000000000AE98000-memory.dmp

Filesize
6.1MB

Download
memory/3364-212-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/3364-211-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/3364-215-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/3364-217-0x000000000A390000-0x000000000A3CC000-memory.dmp

Filesize
240KB

Download
memory/3364-218-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/3416-170-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3416-191-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-193-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-197-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-195-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-199-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-200-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3416-201-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3416-202-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3416-204-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3416-189-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-187-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-185-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-183-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-181-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-179-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-177-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-175-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-173-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-172-0x0000000004AE0000-0x0000000004AF6000-memory.dmp

Filesize
88KB

Download
memory/3416-171-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/3416-169-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3416-168-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download