redline | 344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe
Size

938KB
MD5

5c42ddfbd1f00c0929eaca384250bdea
SHA1

3b806394a6f7a960383ad1caef17c5ec16150738
SHA256

344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099
SHA512

cbcd9f0652874908c4d9482ce93605eae0cba5516aa42b662ca34fc5aa6e2dfab4751f85a0dbb555e51d5e24c2659048cb2aa73014b669750deee541d797307c
SSDEEP

24576:Ey94NXa0aCop02lw8HQSQpWzglbuYhK9:TOg7DfFHK44yL

Score

10^/10

redline narik evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7960842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7960842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7960842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7960842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7960842.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4224	v8481644.exe
192	v0750851.exe
4632	v8944586.exe
4940	v3491342.exe
4328	a7960842.exe
4616	b9796465.exe
3540	c0914482.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7960842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7960842.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8481644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0750851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8944586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3491342.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4328	a7960842.exe
4328	a7960842.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	a7960842.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 4224	1916	344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe	70
PID 1916 wrote to memory of 4224	1916	344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe	70
PID 1916 wrote to memory of 4224	1916	344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe	70
PID 4224 wrote to memory of 192	4224	v8481644.exe	71
PID 4224 wrote to memory of 192	4224	v8481644.exe	71
PID 4224 wrote to memory of 192	4224	v8481644.exe	71
PID 192 wrote to memory of 4632	192	v0750851.exe	72
PID 192 wrote to memory of 4632	192	v0750851.exe	72
PID 192 wrote to memory of 4632	192	v0750851.exe	72
PID 4632 wrote to memory of 4940	4632	v8944586.exe	73
PID 4632 wrote to memory of 4940	4632	v8944586.exe	73
PID 4632 wrote to memory of 4940	4632	v8944586.exe	73
PID 4940 wrote to memory of 4328	4940	v3491342.exe	74
PID 4940 wrote to memory of 4328	4940	v3491342.exe	74
PID 4940 wrote to memory of 4328	4940	v3491342.exe	74
PID 4940 wrote to memory of 4616	4940	v3491342.exe	75
PID 4940 wrote to memory of 4616	4940	v3491342.exe	75
PID 4940 wrote to memory of 4616	4940	v3491342.exe	75
PID 4632 wrote to memory of 3540	4632	v8944586.exe	76
PID 4632 wrote to memory of 3540	4632	v8944586.exe	76
PID 4632 wrote to memory of 3540	4632	v8944586.exe	76

C:\Users\Admin\AppData\Local\Temp\344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe
"C:\Users\Admin\AppData\Local\Temp\344001607b731363eab1147cf764cc20a541198b89ad0ed664cfbd833d223099.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:192
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe
        6⤵
        Executes dropped EXE
        
        PID:4616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe
        5⤵
        Executes dropped EXE
        
        PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe

Filesize
832KB

MD5
41f3fb3a3878363a96b0f1914ace1bb0

SHA1
5830ec1cf9f741ddfed3d9e4de89574f5347b0e4

SHA256
684b468f2909c94cac74ad541f24753241bfe3c2e5981a682b27ecab5140de20

SHA512
0ee6a45cc9416dd31e4b2c9f343e04198d5bedd98a929d2b4c098c7a0ef148a64e5d1c1151af53a12e0d15c7e8e21ce35cfee149b7567e5cfd0b87672dd20bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8481644.exe

Filesize
832KB

MD5
41f3fb3a3878363a96b0f1914ace1bb0

SHA1
5830ec1cf9f741ddfed3d9e4de89574f5347b0e4

SHA256
684b468f2909c94cac74ad541f24753241bfe3c2e5981a682b27ecab5140de20

SHA512
0ee6a45cc9416dd31e4b2c9f343e04198d5bedd98a929d2b4c098c7a0ef148a64e5d1c1151af53a12e0d15c7e8e21ce35cfee149b7567e5cfd0b87672dd20bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe

Filesize
606KB

MD5
aa493106b6dcacd5b58881762c8c7984

SHA1
291796bcdf5ff1d3422d2ed5b9af831cd196c366

SHA256
536dc40269043bbfb5e0cb422770eee5533b2d3bd09178366884ea851e993ba1

SHA512
a9094915a1b1730c27ecdbe7c9e58815dac1af92f9114f73fc4f5dc0e8dd6aeb05f347dee8fffe0fddd23c8440e951d3bc5614c965f18bf8ede76a35fea28c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0750851.exe

Filesize
606KB

MD5
aa493106b6dcacd5b58881762c8c7984

SHA1
291796bcdf5ff1d3422d2ed5b9af831cd196c366

SHA256
536dc40269043bbfb5e0cb422770eee5533b2d3bd09178366884ea851e993ba1

SHA512
a9094915a1b1730c27ecdbe7c9e58815dac1af92f9114f73fc4f5dc0e8dd6aeb05f347dee8fffe0fddd23c8440e951d3bc5614c965f18bf8ede76a35fea28c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe

Filesize
482KB

MD5
c85e165089285f38c564c65c43bd6b5b

SHA1
3077cf2cdf68ff3e36ec3c5ba75ee55161ee7d23

SHA256
6c3992fa0a76da88f51f851fc51957d28831e20cc82b80e904ccd44e5b7eaa19

SHA512
12de3fe402cbea57229609339f929d32d157af732a7f128ad5a1a4910da8f5e88fba53282bdd3c3bf02843ee7b64a8c0dd3d6957f7e71985d2fc2f8990449201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8944586.exe

Filesize
482KB

MD5
c85e165089285f38c564c65c43bd6b5b

SHA1
3077cf2cdf68ff3e36ec3c5ba75ee55161ee7d23

SHA256
6c3992fa0a76da88f51f851fc51957d28831e20cc82b80e904ccd44e5b7eaa19

SHA512
12de3fe402cbea57229609339f929d32d157af732a7f128ad5a1a4910da8f5e88fba53282bdd3c3bf02843ee7b64a8c0dd3d6957f7e71985d2fc2f8990449201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe

Filesize
174KB

MD5
5eb0acbbfc29c2bb2d9081ef9641007a

SHA1
6457a36bbc94b7a0c865ef65f1fb7756ada7f1f1

SHA256
458246bda04e0983317dceb479c54e87221d7cbef3d89e16bbbb6d9c6646580b

SHA512
294d3e5b20a7003bfbc9eb43feb42b7d13e324004c094e54db3653725babbb1ae6b7a0f897e2b1c200069a02aa5dd8466eaf1abb9a4c8c13550a48737924933c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0914482.exe

Filesize
174KB

MD5
5eb0acbbfc29c2bb2d9081ef9641007a

SHA1
6457a36bbc94b7a0c865ef65f1fb7756ada7f1f1

SHA256
458246bda04e0983317dceb479c54e87221d7cbef3d89e16bbbb6d9c6646580b

SHA512
294d3e5b20a7003bfbc9eb43feb42b7d13e324004c094e54db3653725babbb1ae6b7a0f897e2b1c200069a02aa5dd8466eaf1abb9a4c8c13550a48737924933c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe

Filesize
325KB

MD5
07d6dd5e0af387eee03c6525276c1bac

SHA1
abe1e095703e3748b428db7dbd310d668a16ae68

SHA256
9e631122a64c7f76ef991ef51fbf9c0766c5dc074ca911b8c934bf395d7870a1

SHA512
d6723b98523cf0641d833750e400e9e658f5ec608eccbb13a14efb25c366cdb55bbb329a463c86682824f4e9f2de9f2d39f3d9ec6284b3ff12aa6035d85bf09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3491342.exe

Filesize
325KB

MD5
07d6dd5e0af387eee03c6525276c1bac

SHA1
abe1e095703e3748b428db7dbd310d668a16ae68

SHA256
9e631122a64c7f76ef991ef51fbf9c0766c5dc074ca911b8c934bf395d7870a1

SHA512
d6723b98523cf0641d833750e400e9e658f5ec608eccbb13a14efb25c366cdb55bbb329a463c86682824f4e9f2de9f2d39f3d9ec6284b3ff12aa6035d85bf09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe

Filesize
184KB

MD5
9d499a0732e47cc9734b7885d11c5f86

SHA1
d4de0315ccf3be1f87804a37e3ace9951dea2d58

SHA256
9687504646ab230ef5db78a6727661569a0434f1a7aa0935c25556cf02831ce3

SHA512
63f6ea37dea8f5391643d22e540ee80667488e82ef302a7f4f7346eebba939ff2bdc98405bac41934a4b9eb259392ef00febe75457151cd9eb08f54d49881cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7960842.exe

Filesize
184KB

MD5
9d499a0732e47cc9734b7885d11c5f86

SHA1
d4de0315ccf3be1f87804a37e3ace9951dea2d58

SHA256
9687504646ab230ef5db78a6727661569a0434f1a7aa0935c25556cf02831ce3

SHA512
63f6ea37dea8f5391643d22e540ee80667488e82ef302a7f4f7346eebba939ff2bdc98405bac41934a4b9eb259392ef00febe75457151cd9eb08f54d49881cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe

Filesize
141KB

MD5
fd5d73de2f7390f3752daf3c1bb48356

SHA1
b3074147888cdf682a96b55be4d92e44dcf86bef

SHA256
922c41c73fbf6777a005d7ccd0fe9921c6bb6fcdcedbe7504cb760171d38b18b

SHA512
ef5b3296c661e4c1ca9d0ea0d1f4ebfdf5caa07912ea910330653c5315f1db56743a07f2f36f1ab32e7c72337e8a2f9917563b46f001f349cf48a63bdfb8bcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9796465.exe

Filesize
141KB

MD5
fd5d73de2f7390f3752daf3c1bb48356

SHA1
b3074147888cdf682a96b55be4d92e44dcf86bef

SHA256
922c41c73fbf6777a005d7ccd0fe9921c6bb6fcdcedbe7504cb760171d38b18b

SHA512
ef5b3296c661e4c1ca9d0ea0d1f4ebfdf5caa07912ea910330653c5315f1db56743a07f2f36f1ab32e7c72337e8a2f9917563b46f001f349cf48a63bdfb8bcbd

Download Submit
memory/3540-84-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/3540-80-0x0000000009F30000-0x000000000A03A000-memory.dmp

Filesize
1.0MB

Download
memory/3540-79-0x000000000A3C0000-0x000000000A9C6000-memory.dmp

Filesize
6.0MB

Download
memory/3540-78-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/3540-77-0x0000000072E60000-0x000000007354E000-memory.dmp

Filesize
6.9MB

Download
memory/3540-76-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/3540-81-0x0000000009E60000-0x0000000009E72000-memory.dmp

Filesize
72KB

Download
memory/3540-82-0x0000000009EC0000-0x0000000009EFE000-memory.dmp

Filesize
248KB

Download
memory/3540-83-0x000000000A040000-0x000000000A08B000-memory.dmp

Filesize
300KB

Download
memory/4328-36-0x00000000023E0000-0x00000000023FE000-memory.dmp

Filesize
120KB

Download
memory/4328-58-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-60-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-62-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-64-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-66-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-67-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/4328-69-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/4328-56-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-54-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-52-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-50-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-48-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-46-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-44-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-42-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-40-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-39-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4328-38-0x0000000004A70000-0x0000000004A8C000-memory.dmp

Filesize
112KB

Download
memory/4328-37-0x0000000004BF0000-0x00000000050EE000-memory.dmp

Filesize
5.0MB

Download
memory/4328-35-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download