redline | 0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35

Analysis

max time kernel
137s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
Size

938KB
MD5

712dc53f8f5ce26b3ad87268c5c54e65
SHA1

ecfa8c500b07f77ca9283e77954cb337341f7393
SHA256

0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35
SHA512

1029b058248160cc0c24d0c6d9f8895d10be3300a0b3fb3e79579651bdd78c9d8fde22048182530d30a24b40971f55d7d088e5d51b3b9956a8bb93da817d01ed
SSDEEP

12288:sMrYy901kqURGhyPgvvF4UgxYDW6UsOsvfmeoR1OA3yR39cNdMc+Ckke2e0yvTO:UyOUg+UlWAeLToNWFNe2efvTO

Score

10^/10

redline narik evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7407967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7407967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7407967.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7407967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7407967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7407967.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3768	v3819941.exe
3244	v7145599.exe
1884	v8563003.exe
2808	v1604771.exe
3132	a7407967.exe
3420	b3047556.exe
2544	c1030060.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7407967.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7407967.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1604771.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3819941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7145599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8563003.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	a7407967.exe
3132	a7407967.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	a7407967.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 3768	3872	0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe	87
PID 3872 wrote to memory of 3768	3872	0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe	87
PID 3872 wrote to memory of 3768	3872	0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe	87
PID 3768 wrote to memory of 3244	3768	v3819941.exe	88
PID 3768 wrote to memory of 3244	3768	v3819941.exe	88
PID 3768 wrote to memory of 3244	3768	v3819941.exe	88
PID 3244 wrote to memory of 1884	3244	v7145599.exe	89
PID 3244 wrote to memory of 1884	3244	v7145599.exe	89
PID 3244 wrote to memory of 1884	3244	v7145599.exe	89
PID 1884 wrote to memory of 2808	1884	v8563003.exe	90
PID 1884 wrote to memory of 2808	1884	v8563003.exe	90
PID 1884 wrote to memory of 2808	1884	v8563003.exe	90
PID 2808 wrote to memory of 3132	2808	v1604771.exe	91
PID 2808 wrote to memory of 3132	2808	v1604771.exe	91
PID 2808 wrote to memory of 3132	2808	v1604771.exe	91
PID 2808 wrote to memory of 3420	2808	v1604771.exe	92
PID 2808 wrote to memory of 3420	2808	v1604771.exe	92
PID 2808 wrote to memory of 3420	2808	v1604771.exe	92
PID 1884 wrote to memory of 2544	1884	v8563003.exe	93
PID 1884 wrote to memory of 2544	1884	v8563003.exe	93
PID 1884 wrote to memory of 2544	1884	v8563003.exe	93

C:\Users\Admin\AppData\Local\Temp\0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe
"C:\Users\Admin\AppData\Local\Temp\0132577e4df07ffbf3ee14034deba6422ebebf6f89387cc54203bc3d19335f35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3819941.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3819941.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7145599.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7145599.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8563003.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8563003.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1604771.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1604771.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7407967.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7407967.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3047556.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3047556.exe
        6⤵
        Executes dropped EXE
        
        PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1030060.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1030060.exe
        5⤵
        Executes dropped EXE
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3819941.exe

Filesize
832KB

MD5
e010bbd7f9f00b7d1f8da08927170946

SHA1
36d7272d79a8053959bdf8d4eee82178b5a6b94a

SHA256
18f129ffeb3dd30a7738a4bd144586f78edd7cef926fc9c25c45e4a58d5baf78

SHA512
2c11c02bc6fc121fb5431e57f87ae297d698952afe24b6ba46e2d2a58c152043f65d45065058673d33b04ff7fd8c7983874ce3e13879f4e422c02a13d169f10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3819941.exe

Filesize
832KB

MD5
e010bbd7f9f00b7d1f8da08927170946

SHA1
36d7272d79a8053959bdf8d4eee82178b5a6b94a

SHA256
18f129ffeb3dd30a7738a4bd144586f78edd7cef926fc9c25c45e4a58d5baf78

SHA512
2c11c02bc6fc121fb5431e57f87ae297d698952afe24b6ba46e2d2a58c152043f65d45065058673d33b04ff7fd8c7983874ce3e13879f4e422c02a13d169f10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7145599.exe

Filesize
606KB

MD5
ff42b45c470b8acd756a2fa18be7aabb

SHA1
0f9f64a6c651849371bd4b9e863c40bd907d2043

SHA256
3c2d4cb980f5d726119782aeecb078ba761f17cd2fa27b637d241745782e0197

SHA512
ec5adae56a1c13bbda0b1d2d995d2500c7f6d40d80bbe95b4a4339e51f7d31b9428520b1d995e27e89753dac7c8f0a861a5f36bd14a4f5521dec67c5f13260a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7145599.exe

Filesize
606KB

MD5
ff42b45c470b8acd756a2fa18be7aabb

SHA1
0f9f64a6c651849371bd4b9e863c40bd907d2043

SHA256
3c2d4cb980f5d726119782aeecb078ba761f17cd2fa27b637d241745782e0197

SHA512
ec5adae56a1c13bbda0b1d2d995d2500c7f6d40d80bbe95b4a4339e51f7d31b9428520b1d995e27e89753dac7c8f0a861a5f36bd14a4f5521dec67c5f13260a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8563003.exe

Filesize
481KB

MD5
27ac0b432340327e5bc2fb7e546f903d

SHA1
621f6b81ffc0b2022d46dccaca1ea9151bf1f71f

SHA256
77186eff3a3f6d89a41cfef466257da6bd0a5c5b1a902564954938a6cf4794f3

SHA512
5c863f2fe6f98a86363fea05004626cc5c9d23398aaa1f7fb7ffca13e253f3bd86c3c6ff0aef2e09e2eb4aacda256b20bc0956cc86f63bfb9eb39dca6491dae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8563003.exe

Filesize
481KB

MD5
27ac0b432340327e5bc2fb7e546f903d

SHA1
621f6b81ffc0b2022d46dccaca1ea9151bf1f71f

SHA256
77186eff3a3f6d89a41cfef466257da6bd0a5c5b1a902564954938a6cf4794f3

SHA512
5c863f2fe6f98a86363fea05004626cc5c9d23398aaa1f7fb7ffca13e253f3bd86c3c6ff0aef2e09e2eb4aacda256b20bc0956cc86f63bfb9eb39dca6491dae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1030060.exe

Filesize
174KB

MD5
0f477beb21e5332cd47dda614a63e61e

SHA1
1a6f907e7d3898d377cc3c0c8111290514254c35

SHA256
01e83488253ae2becf830e690bea7f559e9df7fc93742f33863e45592d2e2c5e

SHA512
5053a84c278950f012b751f8eba245f15d869507724309aa5ea5bbf9cb7a88f3da078c302f6e77d733dff196f4126c94cae903ed1fee3249394694df0c151853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1030060.exe

Filesize
174KB

MD5
0f477beb21e5332cd47dda614a63e61e

SHA1
1a6f907e7d3898d377cc3c0c8111290514254c35

SHA256
01e83488253ae2becf830e690bea7f559e9df7fc93742f33863e45592d2e2c5e

SHA512
5053a84c278950f012b751f8eba245f15d869507724309aa5ea5bbf9cb7a88f3da078c302f6e77d733dff196f4126c94cae903ed1fee3249394694df0c151853

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1604771.exe

Filesize
325KB

MD5
d3b9213f634018ac51a239b5648bd775

SHA1
9d6648d0d33898a994aac5c4dcff0136faf0c3f8

SHA256
9481a6ae0b09bef153666063bccbb6b6a1dbca1f218cfe0b1464f33a0d13fe7d

SHA512
bb34114b711f7fed17bb57d2db0b8360fd792084448ca7aeada39ee3caaa144e97e25e1e7f505c25358b4106da4009e526f00584106d99b492a211d7f7c1ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1604771.exe

Filesize
325KB

MD5
d3b9213f634018ac51a239b5648bd775

SHA1
9d6648d0d33898a994aac5c4dcff0136faf0c3f8

SHA256
9481a6ae0b09bef153666063bccbb6b6a1dbca1f218cfe0b1464f33a0d13fe7d

SHA512
bb34114b711f7fed17bb57d2db0b8360fd792084448ca7aeada39ee3caaa144e97e25e1e7f505c25358b4106da4009e526f00584106d99b492a211d7f7c1ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7407967.exe

Filesize
184KB

MD5
5160ef552476ef55422ed01c93f10a3b

SHA1
ed5fc8f46102382dc2366966ea7efb27f56d1f22

SHA256
f8b26d2172a42f3975fdaa5fcf307a6826ae68e930fc24d0c44d05d6a3540c8a

SHA512
e92ac7f1a56027270499c1529d515e8c06de9567f26719fcfe546435e454b0c53718fa2235ac0c31391021a10167dc09e2edabb816afdb1ee6b19757072c6856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7407967.exe

Filesize
184KB

MD5
5160ef552476ef55422ed01c93f10a3b

SHA1
ed5fc8f46102382dc2366966ea7efb27f56d1f22

SHA256
f8b26d2172a42f3975fdaa5fcf307a6826ae68e930fc24d0c44d05d6a3540c8a

SHA512
e92ac7f1a56027270499c1529d515e8c06de9567f26719fcfe546435e454b0c53718fa2235ac0c31391021a10167dc09e2edabb816afdb1ee6b19757072c6856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3047556.exe

Filesize
141KB

MD5
1566622a00baec0d3783f6cb52d07537

SHA1
d98724d0eefda57b9cb24533acd5c9abd11429db

SHA256
e3a30402bcc3aa7a6dde9e9ee60fffc98c9ff891c0952b398346dfe6fb0236b5

SHA512
2db17f5fbbb3554f6eccd29823d50ba89f81a00898642f1dd8dcaf8d8323a89375329c19dbcf7c3a734cf7d675e6de2223a3396926971dddd3b837c3cf287cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3047556.exe

Filesize
141KB

MD5
1566622a00baec0d3783f6cb52d07537

SHA1
d98724d0eefda57b9cb24533acd5c9abd11429db

SHA256
e3a30402bcc3aa7a6dde9e9ee60fffc98c9ff891c0952b398346dfe6fb0236b5

SHA512
2db17f5fbbb3554f6eccd29823d50ba89f81a00898642f1dd8dcaf8d8323a89375329c19dbcf7c3a734cf7d675e6de2223a3396926971dddd3b837c3cf287cc4

Download Submit
memory/2544-86-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2544-82-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2544-81-0x0000000004B50000-0x0000000004C5A000-memory.dmp

Filesize
1.0MB

Download
memory/2544-80-0x0000000005060000-0x0000000005678000-memory.dmp

Filesize
6.1MB

Download
memory/2544-79-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/2544-78-0x0000000000010000-0x0000000000040000-memory.dmp

Filesize
192KB

Download
memory/2544-83-0x0000000004890000-0x00000000048A2000-memory.dmp

Filesize
72KB

Download
memory/2544-84-0x00000000048F0000-0x000000000492C000-memory.dmp

Filesize
240KB

Download
memory/2544-85-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/3132-36-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/3132-64-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-62-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-60-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-58-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-50-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-67-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3132-68-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/3132-69-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/3132-71-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3132-66-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-54-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-56-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-52-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-48-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-46-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-44-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-42-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-40-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-39-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/3132-38-0x00000000049B0000-0x0000000004F54000-memory.dmp

Filesize
5.6MB

Download
memory/3132-37-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/3132-35-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download