redline | ae29634c421e7fae872a93c040b896ad770641124691367109255096c87422ba

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe
Size

769KB
MD5

2192e78e226ded3e90153939253bb995
SHA1

eae212316fa4f120c7e25b8e7160d2c1a4dc8dca
SHA256

86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091
SHA512

aff8c63b8d61d4b0a2cca130272529c63dd8061169072e7d85e790ee392a1e245e60a360b3e6eb1b27bed2b70e69efb4b8f78ce2d24c1e8f9935c7877b9ccbfa
SSDEEP

12288:MMrIy90UKF36qwIwHydHGTk/KrONXaTKnqReJaT/S3pI27JsPKqxc:cygAdKnNXaTpwm63SSmPzS

Score

10^/10

redline debro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

debro

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k8957027.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8957027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8957027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8957027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8957027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8957027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8957027.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/files/0x000700000002342c-54.dat	family_redline
behavioral12/memory/3176-56-0x0000000000170000-0x000000000019E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y3894204.exey9946722.exek8957027.exel6489218.exe

pid	Process
60	y3894204.exe
4748	y9946722.exe
4220	k8957027.exe
3176	l6489218.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k8957027.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8957027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8957027.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exey3894204.exey9946722.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3894204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9946722.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k8957027.exe

pid	Process
4220	k8957027.exe
4220	k8957027.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k8957027.exe

description	pid	Process
Token: SeDebugPrivilege	4220	k8957027.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exey3894204.exey9946722.exe

description	pid	Process	procid_target
PID 4456 wrote to memory of 60	4456	86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe	82
PID 4456 wrote to memory of 60	4456	86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe	82
PID 4456 wrote to memory of 60	4456	86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe	82
PID 60 wrote to memory of 4748	60	y3894204.exe	83
PID 60 wrote to memory of 4748	60	y3894204.exe	83
PID 60 wrote to memory of 4748	60	y3894204.exe	83
PID 4748 wrote to memory of 4220	4748	y9946722.exe	85
PID 4748 wrote to memory of 4220	4748	y9946722.exe	85
PID 4748 wrote to memory of 4220	4748	y9946722.exe	85
PID 4748 wrote to memory of 3176	4748	y9946722.exe	91
PID 4748 wrote to memory of 3176	4748	y9946722.exe	91
PID 4748 wrote to memory of 3176	4748	y9946722.exe	91

C:\Users\Admin\AppData\Local\Temp\86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe
"C:\Users\Admin\AppData\Local\Temp\86c5796c0950cc5611c0777bec2a9966b39703a3c842019bb54b92d008bf3091.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3894204.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3894204.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9946722.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9946722.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8957027.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8957027.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6489218.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6489218.exe
      4⤵
      Executes dropped EXE
      PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3894204.exe

Filesize
488KB

MD5
a9ee14bcd39847959d6c3afcf70eb1a9

SHA1
af1f6313b1cf46e3f68097b95ad89e2db179d696

SHA256
d5fab2df2573b325234d7158536a2632bfebcbd8c116b7e4784114559f5702eb

SHA512
f138d2244af4e462d49ac3aeffc53beaa411906fcf90de7ad3910f422b715d846e84ac703793a09be0e36d6f9c5b7682f21c8bc4502ec3447c97d84fbad12fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9946722.exe

Filesize
316KB

MD5
5fa9a8098d8a4d37b2811af28500e66c

SHA1
8e7bea1a73324e5461840dbfaa63b7a367787546

SHA256
20276930169d1f5f2be1909a6aec73b2d5390a94ca12cc5905d2a288977e550e

SHA512
3040af283f72bda26069950e98f7bafcd7b6ef6e652bb4cab1ad4d908bc72a502fcb2390d3e468c00cb6054a70f56b87b0b14ad7e449728838bc3beb36cb2fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8957027.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6489218.exe

Filesize
168KB

MD5
9fdf4cb988db07bc0ef13b61a6e79b6e

SHA1
b69fbab8c64eb201e84324f5e1aadfd5d763d13f

SHA256
5139ee6e80a7f899d463d1a2b8f1e6828ddbf666bc50b1a92b44ca3d77d5e1be

SHA512
b1c416d189be8578f8bdc92d00fecdd3b50c347e1ec6680bd5a66a066ad25c7d7dd18d153953f74fc60e13307eabac407ac7b98b045be7472e0beeefd01b07c2

Download Submit
memory/3176-62-0x00000000044E0000-0x000000000452C000-memory.dmp

Filesize
304KB

Download
memory/3176-61-0x000000000A0B0000-0x000000000A0EC000-memory.dmp

Filesize
240KB

Download
memory/3176-60-0x000000000A050000-0x000000000A062000-memory.dmp

Filesize
72KB

Download
memory/3176-59-0x000000000A120000-0x000000000A22A000-memory.dmp

Filesize
1.0MB

Download
memory/3176-58-0x000000000A600000-0x000000000AC18000-memory.dmp

Filesize
6.1MB

Download
memory/3176-57-0x00000000023A0000-0x00000000023A6000-memory.dmp

Filesize
24KB

Download
memory/3176-56-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/4220-29-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-37-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-36-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-33-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-31-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-27-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-25-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-47-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-45-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-51-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-24-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4220-23-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/4220-22-0x0000000004950000-0x0000000004EF4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-21-0x0000000002020000-0x000000000203E000-memory.dmp

Filesize
120KB

Download