redline | bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786

Analysis

max time kernel
147s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe
Size

1.0MB
MD5

10e8346eb7cd98635ea3ce6274677745
SHA1

7f798a781384597725943e133521567725a1853b
SHA256

bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786
SHA512

5ebda2e3f0b205b9b2211374f592785bfb0ea530ba9cde5e6ba7eb69ed836ec5129c7f6232700cf0a677758c62ce593f6df8f54e85bc5d6bc372ff29067668c3
SSDEEP

24576:byx6r5GqFo9Zq4JagSvUbx/FlAi2iFdrnZUA:OxAQqO9AIal4doNidU

Score

10^/10

redline narik evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q1340451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q1340451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q1340451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q1340451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q1340451.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3856	z1611271.exe
4536	z1359321.exe
3068	z1973366.exe
208	z2087890.exe
3008	q1340451.exe
2196	r6646479.exe
1496	s9329710.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	q1340451.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	q1340451.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1973366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2087890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1611271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1359321.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	q1340451.exe
3008	q1340451.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	q1340451.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3856	4104	bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe	70
PID 4104 wrote to memory of 3856	4104	bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe	70
PID 4104 wrote to memory of 3856	4104	bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe	70
PID 3856 wrote to memory of 4536	3856	z1611271.exe	71
PID 3856 wrote to memory of 4536	3856	z1611271.exe	71
PID 3856 wrote to memory of 4536	3856	z1611271.exe	71
PID 4536 wrote to memory of 3068	4536	z1359321.exe	72
PID 4536 wrote to memory of 3068	4536	z1359321.exe	72
PID 4536 wrote to memory of 3068	4536	z1359321.exe	72
PID 3068 wrote to memory of 208	3068	z1973366.exe	73
PID 3068 wrote to memory of 208	3068	z1973366.exe	73
PID 3068 wrote to memory of 208	3068	z1973366.exe	73
PID 208 wrote to memory of 3008	208	z2087890.exe	74
PID 208 wrote to memory of 3008	208	z2087890.exe	74
PID 208 wrote to memory of 3008	208	z2087890.exe	74
PID 208 wrote to memory of 2196	208	z2087890.exe	75
PID 208 wrote to memory of 2196	208	z2087890.exe	75
PID 208 wrote to memory of 2196	208	z2087890.exe	75
PID 3068 wrote to memory of 1496	3068	z1973366.exe	76
PID 3068 wrote to memory of 1496	3068	z1973366.exe	76
PID 3068 wrote to memory of 1496	3068	z1973366.exe	76

C:\Users\Admin\AppData\Local\Temp\bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe
"C:\Users\Admin\AppData\Local\Temp\bf099b7aae78cbe094f65bab062e7a21bb99afcca765971de66cda78fffc5786.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1611271.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1611271.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1359321.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1359321.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1973366.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1973366.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2087890.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2087890.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1340451.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1340451.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6646479.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6646479.exe
        6⤵
        Executes dropped EXE
        
        PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9329710.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9329710.exe
        5⤵
        Executes dropped EXE
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1611271.exe

Filesize
934KB

MD5
4922b564d61af060049d9c8d41437888

SHA1
539d1746843495095168292b0e87e05f8f2ef1f3

SHA256
b751acbccb76fda2cd037fd9854c5a8b27f804a652355d6ac92c861d5ef70883

SHA512
a8d4c65069bff78d598d8252d0dbea28677c945c0ef9b70c74dcc97aeb3306c96644a93d5bdc90b336a2b3ff1fe0de8eacc5e4449d56d3ffc30f8dd2149db551

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1611271.exe

Filesize
934KB

MD5
4922b564d61af060049d9c8d41437888

SHA1
539d1746843495095168292b0e87e05f8f2ef1f3

SHA256
b751acbccb76fda2cd037fd9854c5a8b27f804a652355d6ac92c861d5ef70883

SHA512
a8d4c65069bff78d598d8252d0dbea28677c945c0ef9b70c74dcc97aeb3306c96644a93d5bdc90b336a2b3ff1fe0de8eacc5e4449d56d3ffc30f8dd2149db551

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1359321.exe

Filesize
708KB

MD5
2e561bdf9a07e78487ce5561a671089c

SHA1
1855408fb52fc397094faea1ca3748a8e3c3796f

SHA256
5d47095332efaf95d9e6a1307eb8f6456dc7b663a4719e29c0c8265a70a82369

SHA512
937a8e8a6463882778b36b4e4550c595694f99195bb9931804029343c5a16a1ee72e16f75bf7e42e89caaf5e2997d0b3c6142903fae2d229bd61305febbadd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1359321.exe

Filesize
708KB

MD5
2e561bdf9a07e78487ce5561a671089c

SHA1
1855408fb52fc397094faea1ca3748a8e3c3796f

SHA256
5d47095332efaf95d9e6a1307eb8f6456dc7b663a4719e29c0c8265a70a82369

SHA512
937a8e8a6463882778b36b4e4550c595694f99195bb9931804029343c5a16a1ee72e16f75bf7e42e89caaf5e2997d0b3c6142903fae2d229bd61305febbadd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1973366.exe

Filesize
482KB

MD5
22453f375b3eb34b1dd5bfd960144b32

SHA1
3f6bbe079b0f4c263cff9ab4cab6ced44b49fc14

SHA256
4ce1096201c7b1d0d83d15ba7ff748c4533776538fdbdb4270650477366305fa

SHA512
a45da525b3f144879eeaf49431aae96300164b19dbf88750956703fa78056c1fe3f32effae490fb3ca474161fc83a26e94470a971b4e1d6626a9a19b224644ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1973366.exe

Filesize
482KB

MD5
22453f375b3eb34b1dd5bfd960144b32

SHA1
3f6bbe079b0f4c263cff9ab4cab6ced44b49fc14

SHA256
4ce1096201c7b1d0d83d15ba7ff748c4533776538fdbdb4270650477366305fa

SHA512
a45da525b3f144879eeaf49431aae96300164b19dbf88750956703fa78056c1fe3f32effae490fb3ca474161fc83a26e94470a971b4e1d6626a9a19b224644ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9329710.exe

Filesize
174KB

MD5
baaa94707add4f6021150b3ccb139d89

SHA1
ed52ce4403d7d6bddb093e82634e44837dfc08de

SHA256
2f947fae4d2fd4c5d8b3cb62394e9c378a3a1db54ce7a9c5756f4829dd829d6b

SHA512
7f0f9db897818d42733fc4ee4b1a0d998f5dae34220b526b8ee0ee40e1bba7aad68b888c6d090d0fb7188d8289d9e98c7d56ed5e62d08fffa29c36dd9f705405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9329710.exe

Filesize
174KB

MD5
baaa94707add4f6021150b3ccb139d89

SHA1
ed52ce4403d7d6bddb093e82634e44837dfc08de

SHA256
2f947fae4d2fd4c5d8b3cb62394e9c378a3a1db54ce7a9c5756f4829dd829d6b

SHA512
7f0f9db897818d42733fc4ee4b1a0d998f5dae34220b526b8ee0ee40e1bba7aad68b888c6d090d0fb7188d8289d9e98c7d56ed5e62d08fffa29c36dd9f705405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2087890.exe

Filesize
325KB

MD5
dfcd8e79e99f8d7a59930bcb7a7685aa

SHA1
489a98da029012d0dc5c30947def1d3e9e089bee

SHA256
9726086c092b7c60c3b4b713e6f89955ffc5297a8e68c4a50e0b3215c4dd829e

SHA512
f1468423ce9beec230303e7758f0d5bc581d4f3154149f7b5f30d55c824d58208dfa78f746ed042ae01cb6c1404c2be225273b80c2e96f655adcfbf6df968faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2087890.exe

Filesize
325KB

MD5
dfcd8e79e99f8d7a59930bcb7a7685aa

SHA1
489a98da029012d0dc5c30947def1d3e9e089bee

SHA256
9726086c092b7c60c3b4b713e6f89955ffc5297a8e68c4a50e0b3215c4dd829e

SHA512
f1468423ce9beec230303e7758f0d5bc581d4f3154149f7b5f30d55c824d58208dfa78f746ed042ae01cb6c1404c2be225273b80c2e96f655adcfbf6df968faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1340451.exe

Filesize
184KB

MD5
49c9e13352ce04b5836be01236b851cd

SHA1
41846feb72daa105d4437fb4ff39f4d0e667876c

SHA256
70080e5171cdcd096a9c9494e00c392a31e676deb53a0190a91887c504aacd1f

SHA512
b198fe9caaa3c7dd30d1fa8acd4481f15cc080546ec65b39b4371148f451b752667d06d31a9fb30c3b8560c90c5a9f9a19e7b86fdb58b1cbf02f224665a3f1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1340451.exe

Filesize
184KB

MD5
49c9e13352ce04b5836be01236b851cd

SHA1
41846feb72daa105d4437fb4ff39f4d0e667876c

SHA256
70080e5171cdcd096a9c9494e00c392a31e676deb53a0190a91887c504aacd1f

SHA512
b198fe9caaa3c7dd30d1fa8acd4481f15cc080546ec65b39b4371148f451b752667d06d31a9fb30c3b8560c90c5a9f9a19e7b86fdb58b1cbf02f224665a3f1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6646479.exe

Filesize
140KB

MD5
b658d2c87494d8927f89b3cb691e1c31

SHA1
54525e4019512f62b520fd09f53c94fb66d6c193

SHA256
6c24f5af9a5c7bb7e4b892c4695bf9faa7bf0996fdd8eba1d1f16e6a87c4165a

SHA512
68094a5918013b6105c8f2839cedc232c039597fff03108ade88ecc6a370026feff98bd609f2825faca769c667f367908e925bb8f3e31f5f42458e47c0564786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6646479.exe

Filesize
140KB

MD5
b658d2c87494d8927f89b3cb691e1c31

SHA1
54525e4019512f62b520fd09f53c94fb66d6c193

SHA256
6c24f5af9a5c7bb7e4b892c4695bf9faa7bf0996fdd8eba1d1f16e6a87c4165a

SHA512
68094a5918013b6105c8f2839cedc232c039597fff03108ade88ecc6a370026feff98bd609f2825faca769c667f367908e925bb8f3e31f5f42458e47c0564786

Download Submit
memory/1496-84-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-80-0x000000000AD90000-0x000000000AE9A000-memory.dmp

Filesize
1.0MB

Download
memory/1496-79-0x000000000B290000-0x000000000B896000-memory.dmp

Filesize
6.0MB

Download
memory/1496-78-0x00000000031B0000-0x00000000031B6000-memory.dmp

Filesize
24KB

Download
memory/1496-76-0x0000000000F20000-0x0000000000F50000-memory.dmp

Filesize
192KB

Download
memory/1496-77-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-81-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/1496-82-0x000000000ACC0000-0x000000000ACFE000-memory.dmp

Filesize
248KB

Download
memory/1496-83-0x000000000AD10000-0x000000000AD5B000-memory.dmp

Filesize
300KB

Download
memory/3008-36-0x00000000022E0000-0x00000000022FE000-memory.dmp

Filesize
120KB

Download
memory/3008-58-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-60-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-62-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-64-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-66-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-67-0x0000000072BA0000-0x000000007328E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-69-0x0000000072BA0000-0x000000007328E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-56-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-54-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-52-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-50-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-48-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-46-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-44-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-42-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-40-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-39-0x0000000002540000-0x0000000002556000-memory.dmp

Filesize
88KB

Download
memory/3008-38-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/3008-37-0x0000000004AE0000-0x0000000004FDE000-memory.dmp

Filesize
5.0MB

Download
memory/3008-35-0x0000000072BA0000-0x000000007328E000-memory.dmp

Filesize
6.9MB

Download