redline | c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6

Analysis

max time kernel
147s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2023 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe
Size

938KB
MD5

f10236bd69422aa2b1ccd2ea35f8fc3b
SHA1

71e3a5a6af892d59a6e057a8f73a34890fdc70f7
SHA256

c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6
SHA512

ef23fd1cba60161c762ad858ee4fb0f483a36d4980e5ae0ab561d6b7b73f578547565db97648c397bf7c0dcf48c19704d8bae7e59ecb84d4a8a4d5bb6ab8f211
SSDEEP

24576:/yID6AwFTPJIQGZB6i071NRLax/741sQryu1pQm:KhFTPJIQVi071NZax/74iQhpQ

Score

10^/10

redline narik evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9126653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9126653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9126653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9126653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9126653.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2028	v6740818.exe
4732	v6348687.exe
5116	v6123525.exe
1032	v9531676.exe
3572	a9126653.exe
4784	b2191504.exe
3964	c7641853.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9126653.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9126653.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6123525.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9531676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6740818.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6348687.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	a9126653.exe
3572	a9126653.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	a9126653.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2028	1544	c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe	70
PID 1544 wrote to memory of 2028	1544	c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe	70
PID 1544 wrote to memory of 2028	1544	c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe	70
PID 2028 wrote to memory of 4732	2028	v6740818.exe	71
PID 2028 wrote to memory of 4732	2028	v6740818.exe	71
PID 2028 wrote to memory of 4732	2028	v6740818.exe	71
PID 4732 wrote to memory of 5116	4732	v6348687.exe	72
PID 4732 wrote to memory of 5116	4732	v6348687.exe	72
PID 4732 wrote to memory of 5116	4732	v6348687.exe	72
PID 5116 wrote to memory of 1032	5116	v6123525.exe	73
PID 5116 wrote to memory of 1032	5116	v6123525.exe	73
PID 5116 wrote to memory of 1032	5116	v6123525.exe	73
PID 1032 wrote to memory of 3572	1032	v9531676.exe	74
PID 1032 wrote to memory of 3572	1032	v9531676.exe	74
PID 1032 wrote to memory of 3572	1032	v9531676.exe	74
PID 1032 wrote to memory of 4784	1032	v9531676.exe	75
PID 1032 wrote to memory of 4784	1032	v9531676.exe	75
PID 1032 wrote to memory of 4784	1032	v9531676.exe	75
PID 5116 wrote to memory of 3964	5116	v6123525.exe	76
PID 5116 wrote to memory of 3964	5116	v6123525.exe	76
PID 5116 wrote to memory of 3964	5116	v6123525.exe	76

C:\Users\Admin\AppData\Local\Temp\c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe
"C:\Users\Admin\AppData\Local\Temp\c1e34258f9e3d808ab6f5c56674f023c915d7e1ffbe89b1d2f4cb0c4ff8b1ec6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6740818.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6740818.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6348687.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6348687.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6123525.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6123525.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9531676.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9531676.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9126653.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9126653.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2191504.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2191504.exe
        6⤵
        Executes dropped EXE
        
        PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7641853.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7641853.exe
        5⤵
        Executes dropped EXE
        
        PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6740818.exe

Filesize
833KB

MD5
c09529c37f58bf7ad89e7d5e1fe65f38

SHA1
13171f59b13ec784764d71bf67bf9c8439eb323d

SHA256
6d7b6c00d70aa6677461582b5f38bd0d46272c58a6086d2543183dfe41b93ebe

SHA512
6a63efdd4edbb8019843e358f437fdca2e3d0843c3806849608874f179dd0cc88546321a0b4ec5be04568f937730f56acd3e05c852c008247b44fcd31bdb3e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6740818.exe

Filesize
833KB

MD5
c09529c37f58bf7ad89e7d5e1fe65f38

SHA1
13171f59b13ec784764d71bf67bf9c8439eb323d

SHA256
6d7b6c00d70aa6677461582b5f38bd0d46272c58a6086d2543183dfe41b93ebe

SHA512
6a63efdd4edbb8019843e358f437fdca2e3d0843c3806849608874f179dd0cc88546321a0b4ec5be04568f937730f56acd3e05c852c008247b44fcd31bdb3e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6348687.exe

Filesize
606KB

MD5
47b3cc1c826474874638d7c8bd30b17b

SHA1
f4ca63239e931e6d230bb3ee22a36c3f45a2f897

SHA256
1ff4f1344289e7043900a094d38673cdd1b130a02385f07dca0883d9066393eb

SHA512
d8d153669b6b14fa6e8a59352f53ca81446b654cf283c0bcf08f27e10177b2fa2b194cb5bfca4d359a5f2fcdd5d0f8558f6faa4707ccfb6f11aca83c72fdeb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6348687.exe

Filesize
606KB

MD5
47b3cc1c826474874638d7c8bd30b17b

SHA1
f4ca63239e931e6d230bb3ee22a36c3f45a2f897

SHA256
1ff4f1344289e7043900a094d38673cdd1b130a02385f07dca0883d9066393eb

SHA512
d8d153669b6b14fa6e8a59352f53ca81446b654cf283c0bcf08f27e10177b2fa2b194cb5bfca4d359a5f2fcdd5d0f8558f6faa4707ccfb6f11aca83c72fdeb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6123525.exe

Filesize
482KB

MD5
47c1ee9b3cbfc17581c746cf406db98f

SHA1
9f699a79c13f425a7ce673c50a702da6b2d20335

SHA256
82fd1dc5e079c0f7b9508d6a2f63630bacb3e9896ab9b3eea70a2f3516b10eed

SHA512
c2bcda3e3479d367c9d0635852cbd7abf80beed9f63d2b9b87bc26772b64f360e7831908c7a022d39e00e1cc231ab76794f35167d8b509ec42081afbdc865522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6123525.exe

Filesize
482KB

MD5
47c1ee9b3cbfc17581c746cf406db98f

SHA1
9f699a79c13f425a7ce673c50a702da6b2d20335

SHA256
82fd1dc5e079c0f7b9508d6a2f63630bacb3e9896ab9b3eea70a2f3516b10eed

SHA512
c2bcda3e3479d367c9d0635852cbd7abf80beed9f63d2b9b87bc26772b64f360e7831908c7a022d39e00e1cc231ab76794f35167d8b509ec42081afbdc865522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7641853.exe

Filesize
174KB

MD5
505d199257b1bb38c602dbc2fa9c2699

SHA1
a94ffd6f16b11af89ae01201a5570eb3e402f9bb

SHA256
6979f49c0dc088f7cef529d15f951b72ba4b777b62352a4243a13a54561abb5c

SHA512
6aace5fcaf72c475bc87c18ac920bca734168b16e27d48d2383c8d1864fb673f4bdcc1fabf0cbc252b7fb8abc5cc6b3d9faad72d0d16356119b4514b9eef58fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7641853.exe

Filesize
174KB

MD5
505d199257b1bb38c602dbc2fa9c2699

SHA1
a94ffd6f16b11af89ae01201a5570eb3e402f9bb

SHA256
6979f49c0dc088f7cef529d15f951b72ba4b777b62352a4243a13a54561abb5c

SHA512
6aace5fcaf72c475bc87c18ac920bca734168b16e27d48d2383c8d1864fb673f4bdcc1fabf0cbc252b7fb8abc5cc6b3d9faad72d0d16356119b4514b9eef58fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9531676.exe

Filesize
325KB

MD5
a41d3e8f4ac9d535ce09ff0feae0c011

SHA1
a74c11c1d33c4baae4e901783e0c6749a4b4903a

SHA256
6c47d30cf0c69ce85d4ef1f37ee9a326caaa582ba3a75adf6ebe12b269690b2c

SHA512
3a18aee984c8278b81a7b08e5eadb958b743a8a71714a8e1959474fd0e397c7f124014387f407715742b24f59fd86388192ca414b5f079a9becccfd9a2582dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9531676.exe

Filesize
325KB

MD5
a41d3e8f4ac9d535ce09ff0feae0c011

SHA1
a74c11c1d33c4baae4e901783e0c6749a4b4903a

SHA256
6c47d30cf0c69ce85d4ef1f37ee9a326caaa582ba3a75adf6ebe12b269690b2c

SHA512
3a18aee984c8278b81a7b08e5eadb958b743a8a71714a8e1959474fd0e397c7f124014387f407715742b24f59fd86388192ca414b5f079a9becccfd9a2582dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9126653.exe

Filesize
184KB

MD5
d913b51729e8e5e169b428d0ac8a5491

SHA1
909a5acf60a24a423dc1828f902a942f1c6c37ef

SHA256
d10156924ce423b2d9283a3792c8273605693fe19f486c3594104ab09125a68a

SHA512
0d3d9509cdc5f910224501f1613bd66a6041a0ecc4a64eae42b7bcc46fc314dd10fa657bbb701eb48ee92c66e699c7ee1d01fc24d099ac5e790a7a4fffd0b69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9126653.exe

Filesize
184KB

MD5
d913b51729e8e5e169b428d0ac8a5491

SHA1
909a5acf60a24a423dc1828f902a942f1c6c37ef

SHA256
d10156924ce423b2d9283a3792c8273605693fe19f486c3594104ab09125a68a

SHA512
0d3d9509cdc5f910224501f1613bd66a6041a0ecc4a64eae42b7bcc46fc314dd10fa657bbb701eb48ee92c66e699c7ee1d01fc24d099ac5e790a7a4fffd0b69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2191504.exe

Filesize
141KB

MD5
8a1dc9ab14e0342fc714837662d1e9ef

SHA1
fbb9c0e0be3cc1f05c6e6e8473bd0c06c0d756d0

SHA256
0b53cbf085fbc7ed42a33559ecc3f67f418d60d25516bf1a56c683c70337c026

SHA512
2a811c2a3d4000f54c102af3a9fa598b7e6f3e892bd3def1d56c0485a86226d9029929e595e7677504330b9929a81d643f9ebd33fceda3e3b690a4eeba921399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2191504.exe

Filesize
141KB

MD5
8a1dc9ab14e0342fc714837662d1e9ef

SHA1
fbb9c0e0be3cc1f05c6e6e8473bd0c06c0d756d0

SHA256
0b53cbf085fbc7ed42a33559ecc3f67f418d60d25516bf1a56c683c70337c026

SHA512
2a811c2a3d4000f54c102af3a9fa598b7e6f3e892bd3def1d56c0485a86226d9029929e595e7677504330b9929a81d643f9ebd33fceda3e3b690a4eeba921399

Download Submit
memory/3572-35-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/3572-67-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/3572-42-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-44-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-46-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-48-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-50-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-52-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-54-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-56-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-58-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-60-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-62-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-64-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-66-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-40-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-69-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/3572-39-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/3572-38-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/3572-37-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/3572-36-0x0000000002100000-0x000000000211E000-memory.dmp

Filesize
120KB

Download
memory/3964-76-0x0000000000760000-0x0000000000790000-memory.dmp

Filesize
192KB

Download
memory/3964-77-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3964-78-0x0000000004F20000-0x0000000004F26000-memory.dmp

Filesize
24KB

Download
memory/3964-79-0x000000000AA40000-0x000000000B046000-memory.dmp

Filesize
6.0MB

Download
memory/3964-80-0x000000000A570000-0x000000000A67A000-memory.dmp

Filesize
1.0MB

Download
memory/3964-81-0x000000000A4A0000-0x000000000A4B2000-memory.dmp

Filesize
72KB

Download
memory/3964-82-0x000000000A500000-0x000000000A53E000-memory.dmp

Filesize
248KB

Download
memory/3964-83-0x000000000A680000-0x000000000A6CB000-memory.dmp

Filesize
300KB

Download
memory/3964-84-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download