redline | 09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe
Size

823KB
MD5

518f0ed5a5fb0affd243f17820ff9daf
SHA1

713884f771ed469091f0ff492d993c55ac04cac4
SHA256

09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1
SHA512

1ad6ab6dcf99b4aa6bed4c87e76c1bb0cd63efa848c5e1a1ce432a2f07275db137654822ba57328320b5771354e2184c8ad0b8cf37773633353ea7bae83610c0
SSDEEP

12288:dMrHy90GYbFfNluw400uhhOjSjuQNv6tBKJyCZiUOK1oab2KK6gVDAFI90:KyfAQR0R0jypCBmytUZ1B2lrDAFI90

Score

10^/10

redline chang evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

chang

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r9134785.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	r9134785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r9134785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r9134785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r9134785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r9134785.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
712	z3247757.exe
5028	z1936523.exe
4768	z5054176.exe
868	r9134785.exe
4200	s6948536.exe
1832	t8290100.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r9134785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r9134785.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3247757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1936523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5054176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	r9134785.exe
868	r9134785.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	r9134785.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 712	876	09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe	82
PID 876 wrote to memory of 712	876	09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe	82
PID 876 wrote to memory of 712	876	09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe	82
PID 712 wrote to memory of 5028	712	z3247757.exe	83
PID 712 wrote to memory of 5028	712	z3247757.exe	83
PID 712 wrote to memory of 5028	712	z3247757.exe	83
PID 5028 wrote to memory of 4768	5028	z1936523.exe	84
PID 5028 wrote to memory of 4768	5028	z1936523.exe	84
PID 5028 wrote to memory of 4768	5028	z1936523.exe	84
PID 4768 wrote to memory of 868	4768	z5054176.exe	85
PID 4768 wrote to memory of 868	4768	z5054176.exe	85
PID 4768 wrote to memory of 868	4768	z5054176.exe	85
PID 4768 wrote to memory of 4200	4768	z5054176.exe	91
PID 4768 wrote to memory of 4200	4768	z5054176.exe	91
PID 4768 wrote to memory of 4200	4768	z5054176.exe	91
PID 5028 wrote to memory of 1832	5028	z1936523.exe	92
PID 5028 wrote to memory of 1832	5028	z1936523.exe	92
PID 5028 wrote to memory of 1832	5028	z1936523.exe	92

C:\Users\Admin\AppData\Local\Temp\09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe
"C:\Users\Admin\AppData\Local\Temp\09e148a390e7e504a16b68177f076a9c7f0b7b3bddb34d319a7a534a7ba0aed1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3247757.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3247757.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1936523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1936523.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5054176.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5054176.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9134785.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9134785.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6948536.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6948536.exe
        5⤵
        Executes dropped EXE
        
        PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8290100.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8290100.exe
      4⤵
      Executes dropped EXE
      PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3247757.exe

Filesize
707KB

MD5
7927ad2571ee151e719282edbd2458cc

SHA1
2d56fccb26b895c5114bdebbd845b930c488cf17

SHA256
a4aca7c99565ca6aa70b65dcc3b7deb5cc677cbed163e104428949a3da10c818

SHA512
f5ddfcb24425fcc337800b5f3819b558ba12f3d20af3542af2dcce435d8f14b5b91a34a41b7bec2052335c67afe3498790d7868b66a159c477f3f7a59ee14deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3247757.exe

Filesize
707KB

MD5
7927ad2571ee151e719282edbd2458cc

SHA1
2d56fccb26b895c5114bdebbd845b930c488cf17

SHA256
a4aca7c99565ca6aa70b65dcc3b7deb5cc677cbed163e104428949a3da10c818

SHA512
f5ddfcb24425fcc337800b5f3819b558ba12f3d20af3542af2dcce435d8f14b5b91a34a41b7bec2052335c67afe3498790d7868b66a159c477f3f7a59ee14deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1936523.exe

Filesize
481KB

MD5
ef513038c10c441231df5b78db86cae9

SHA1
9f4dd8e29d38abf408a1bc5a9842e5b45ffb2e68

SHA256
9efe89f05778ef3c43f22b63cd2d788b0ad6cb79e770ead51ddba98eb3a36d2b

SHA512
c0d73ecc3595928ef483375b39a8ee8e03f51fb58b4a7c803fb8dc0dd5f190a132ff7422647dc4e576dd721d7a99bbc8460f8ef8e8e72a066287ecd2434c62c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1936523.exe

Filesize
481KB

MD5
ef513038c10c441231df5b78db86cae9

SHA1
9f4dd8e29d38abf408a1bc5a9842e5b45ffb2e68

SHA256
9efe89f05778ef3c43f22b63cd2d788b0ad6cb79e770ead51ddba98eb3a36d2b

SHA512
c0d73ecc3595928ef483375b39a8ee8e03f51fb58b4a7c803fb8dc0dd5f190a132ff7422647dc4e576dd721d7a99bbc8460f8ef8e8e72a066287ecd2434c62c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8290100.exe

Filesize
174KB

MD5
b46fe6193104956c6d09bf9ef4b8f8b6

SHA1
e3da2884b4c77e79d724dd7b32c8b668e001e624

SHA256
96048617de3496479bae310308147d15b9c1c5e17b1b5851d7f269ce1cb82ae8

SHA512
2ee096f0d594cf69fe0af327daaabb767cf79752b55bbaca0771217cd95e548689da37b471befe0f8ec004c08bcaddfaa240bc94c1f4ec8c0fdcb6b44c7cf109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8290100.exe

Filesize
174KB

MD5
b46fe6193104956c6d09bf9ef4b8f8b6

SHA1
e3da2884b4c77e79d724dd7b32c8b668e001e624

SHA256
96048617de3496479bae310308147d15b9c1c5e17b1b5851d7f269ce1cb82ae8

SHA512
2ee096f0d594cf69fe0af327daaabb767cf79752b55bbaca0771217cd95e548689da37b471befe0f8ec004c08bcaddfaa240bc94c1f4ec8c0fdcb6b44c7cf109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5054176.exe

Filesize
325KB

MD5
00588a191b2caaf55649f016c233aa91

SHA1
a87bdeb861974c87679e4a602b5fa44f0cbef029

SHA256
f12cbb20df47a8ffd882f3e16e77b827b5c12ea046050875a4574aa9b78b868b

SHA512
7ad92c1e9f10c8a986b02f74dbd073e862e81ec1101a1652db7a056c32e0c9f89b04c752f693525fe4c5855efe41446968426ae293f83d67e66a17f322535a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5054176.exe

Filesize
325KB

MD5
00588a191b2caaf55649f016c233aa91

SHA1
a87bdeb861974c87679e4a602b5fa44f0cbef029

SHA256
f12cbb20df47a8ffd882f3e16e77b827b5c12ea046050875a4574aa9b78b868b

SHA512
7ad92c1e9f10c8a986b02f74dbd073e862e81ec1101a1652db7a056c32e0c9f89b04c752f693525fe4c5855efe41446968426ae293f83d67e66a17f322535a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9134785.exe

Filesize
184KB

MD5
0e84681bbe354c5dd0f4c3699aaee45a

SHA1
3bcff93f45e3829076c1112e96f18b6d9c442990

SHA256
ad60d5d23315b133eaba4449fab335bd8b1de5fc402be006cd9f120e042252ed

SHA512
3478fd1476336bc89807753b913c82247ee640ddc4184c1904cb653a5a75b553324cfcaa6894f3629afc1032b447ac36850576da3f9014bdb1cdacfe827f65dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r9134785.exe

Filesize
184KB

MD5
0e84681bbe354c5dd0f4c3699aaee45a

SHA1
3bcff93f45e3829076c1112e96f18b6d9c442990

SHA256
ad60d5d23315b133eaba4449fab335bd8b1de5fc402be006cd9f120e042252ed

SHA512
3478fd1476336bc89807753b913c82247ee640ddc4184c1904cb653a5a75b553324cfcaa6894f3629afc1032b447ac36850576da3f9014bdb1cdacfe827f65dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6948536.exe

Filesize
140KB

MD5
d72c309217fda594191502466d14bf93

SHA1
45787757b2e95339c5f3078896d5a1d822cd93b1

SHA256
244eecef8e469634f0da412a2a60b485748185d6886f87fef90e0fdcb2b0d658

SHA512
c9b88f65512396d6a65f7424b62497a9f6c88a39c5ce3f780f346d9412bf28d1dd545a261e8cb432a4c64354a53f3dfafe0f8cb68a028d8fcc7f43f91213ddee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6948536.exe

Filesize
140KB

MD5
d72c309217fda594191502466d14bf93

SHA1
45787757b2e95339c5f3078896d5a1d822cd93b1

SHA256
244eecef8e469634f0da412a2a60b485748185d6886f87fef90e0fdcb2b0d658

SHA512
c9b88f65512396d6a65f7424b62497a9f6c88a39c5ce3f780f346d9412bf28d1dd545a261e8cb432a4c64354a53f3dfafe0f8cb68a028d8fcc7f43f91213ddee

Download Submit
memory/868-163-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/868-193-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/868-171-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-169-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-173-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-175-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-177-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-179-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-181-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-183-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-185-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-187-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-189-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-191-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-192-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/868-167-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-195-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/868-165-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-164-0x0000000004F80000-0x0000000004F96000-memory.dmp

Filesize
88KB

Download
memory/868-162-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/868-161-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/1832-203-0x0000000074280000-0x0000000074A30000-memory.dmp

Filesize
7.7MB

Download
memory/1832-202-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/1832-204-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/1832-205-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/1832-207-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/1832-206-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1832-208-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/1832-209-0x0000000074280000-0x0000000074A30000-memory.dmp

Filesize
7.7MB

Download
memory/1832-210-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download