redline | b20d3b5caab986390a57d9b858c330d6fa12fa368809dfc94b90991735dc89d1

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe
Size

488KB
MD5

f43eefd57a11c5a5596c3eefb9898432
SHA1

0af5c7a3ba4038a905aa626808bfa60fc3ec11de
SHA256

f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0
SHA512

d458d3dc0c997f929c5b26f34f9a2ca5df0996aec6ccf907819f711d65d747433bfbe7f0d52b59a0562b528008b2e92c32b3e84ea05471bc53519cc1de158957
SSDEEP

6144:KVy+bnr+sp0yN90QEBSK3101Hn8GH7dyN4Xa6yVrJCae0Kb1E8OB/QKaJlo6LVtC:DMr8y90DSaY8i7MxVwazKlOZLa8CDAj

Score

10^/10

redline debro evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

debro

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5289717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5289717.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral22/memory/2300-53-0x00000000006A0000-0x00000000006CE000-memory.dmp	family_redline
behavioral22/files/0x0007000000023457-52.dat	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4376	y9098696.exe
1908	k5289717.exe
2300	l4940133.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5289717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5289717.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9098696.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	k5289717.exe
1908	k5289717.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	k5289717.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4376	3132	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe	85
PID 3132 wrote to memory of 4376	3132	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe	85
PID 3132 wrote to memory of 4376	3132	f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe	85
PID 4376 wrote to memory of 1908	4376	y9098696.exe	86
PID 4376 wrote to memory of 1908	4376	y9098696.exe	86
PID 4376 wrote to memory of 1908	4376	y9098696.exe	86
PID 4376 wrote to memory of 2300	4376	y9098696.exe	98
PID 4376 wrote to memory of 2300	4376	y9098696.exe	98
PID 4376 wrote to memory of 2300	4376	y9098696.exe	98

C:\Users\Admin\AppData\Local\Temp\f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe
"C:\Users\Admin\AppData\Local\Temp\f7dfe59831b88cf2cf291d2b9f3ccd94964abeb10a6e137c4bc2206c9a9346a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9098696.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9098696.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5289717.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5289717.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4940133.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4940133.exe
    3⤵
    - Executes dropped EXE
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9098696.exe

Filesize
316KB

MD5
3f28a220d555d7f84763f4fe14c5e30e

SHA1
6844171e7db3af8480e85c49732e8e26c0fea7fc

SHA256
a467111c1a7dd3af8188b3fd8536d689b84b136a58f62e8366f78d309b1bad4b

SHA512
7ede895705631dfabdf2fb5a700495ed6aa265328c9d51edabbccaf8e1ed60661dfabba15c2e667191e02ec9694299fbb88a0a5c236b5590f28c0ec648aef08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5289717.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4940133.exe

Filesize
168KB

MD5
aae32866ea7168f696bbf5708e1f34b3

SHA1
ea4bae2e6d032dd41693f6b0816be1bdf5ab0530

SHA256
936ad9a6d9ad9debf5b12515698968901e4601066119d668b8cba558d9ccd56c

SHA512
85cfbf84831de3ce667f267896c9803eb4a81fcfc0d961ca364f85a237b28aee29e345bed3b6bad8626000045a264db023464da0d79ed3f75a2c5f5461363066

Download Submit
memory/1908-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-19-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/1908-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-17-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/1908-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-44-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-38-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-15-0x0000000004A00000-0x0000000004A1E000-memory.dmp

Filesize
120KB

Download
memory/1908-16-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-18-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-36-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-23-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-21-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-20-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1908-49-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-14-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/2300-54-0x0000000002880000-0x0000000002886000-memory.dmp

Filesize
24KB

Download
memory/2300-53-0x00000000006A0000-0x00000000006CE000-memory.dmp

Filesize
184KB

Download
memory/2300-55-0x000000000AB90000-0x000000000B1A8000-memory.dmp

Filesize
6.1MB

Download
memory/2300-57-0x000000000A590000-0x000000000A5A2000-memory.dmp

Filesize
72KB

Download
memory/2300-58-0x000000000A5F0000-0x000000000A62C000-memory.dmp

Filesize
240KB

Download
memory/2300-59-0x0000000004A50000-0x0000000004A9C000-memory.dmp

Filesize
304KB

Download
memory/2300-56-0x000000000A680000-0x000000000A78A000-memory.dmp

Filesize
1.0MB

Download