redline | d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe
Size

479KB
MD5

1f9ac4a621d3726993ba2f185215879a
SHA1

e412c6fce79cee62a7b2c806be2c85c1386010a1
SHA256

dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a
SHA512

9d6dba40bcb85fa4209ac33f45c1c2b36e714a3438827f45effb3fce1f8110e2b015ee5d6df9d80afa9baced1af0dd486e14ff6cd2c30cbf67d9e705f6802be1
SSDEEP

12288:RMriy90lIiKadmmqiVkFpziI3NM0oPiiimcr:DyEZKIzoZNM0oPii/W

Score

10^/10

redline dimas evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dimas

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4110454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4110454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4110454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4110454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4110454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4110454.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral21/files/0x0007000000023450-53.dat	family_redline
behavioral21/memory/4392-55-0x00000000008F0000-0x000000000091A000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4692	y6764497.exe
4856	k4110454.exe
4392	l4715928.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4110454.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4110454.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6764497.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4856	k4110454.exe
4856	k4110454.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	k4110454.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4692	4492	dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe	83
PID 4492 wrote to memory of 4692	4492	dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe	83
PID 4492 wrote to memory of 4692	4492	dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe	83
PID 4692 wrote to memory of 4856	4692	y6764497.exe	84
PID 4692 wrote to memory of 4856	4692	y6764497.exe	84
PID 4692 wrote to memory of 4856	4692	y6764497.exe	84
PID 4692 wrote to memory of 4392	4692	y6764497.exe	97
PID 4692 wrote to memory of 4392	4692	y6764497.exe	97
PID 4692 wrote to memory of 4392	4692	y6764497.exe	97

C:\Users\Admin\AppData\Local\Temp\dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe
"C:\Users\Admin\AppData\Local\Temp\dffc83be30add96232b3b63c25cbfc4874904cd04fd2658d0ecd5979a7caa40a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6764497.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6764497.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4110454.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4110454.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4715928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4715928.exe
    3⤵
    - Executes dropped EXE
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6764497.exe

Filesize
307KB

MD5
12592ef02a0a48445396dddaf91aee0a

SHA1
e8296de6882bdb50624b825fbde434ad4a991804

SHA256
b1bd17b0e046bec70c0b94d5cb6e46b39d031f5acc9dc26fa2740b13af75812a

SHA512
9655d14e85c2ba788a935a2d9029f3c25ab0410e6ab778a52b8369f017652b50a25474c8f981753876e43b6d168f477ce04f916703d7088286c7aa77262e3b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4110454.exe

Filesize
185KB

MD5
3e630811e041742e84b8ea3e59c277d1

SHA1
8a9c6d88e0d8ce0bd9e03658fa832d238a5eccd1

SHA256
960b92763e28e9b1ff62f7b8774351557c3abbf50adf9255ab5767b2851dd20b

SHA512
8d8c4d270f3c4ed32a0dbd0d07e5bd67c8cee508870a8b0a814b17e3c6255e9439054b62cde1d9b293ac50ab37fc10c63cdeccb33f65e6197fd5e7327432685e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4715928.exe

Filesize
145KB

MD5
8db0f10af9ce05079ff035fa7cf73c32

SHA1
0bdec117579e905f21013f7fd0a9ec6532e8cc16

SHA256
655e588b3f08e12286257b63c7b283c7ae12076473de7c22a8a327ca80fd50c7

SHA512
41be1385b8febcc577c3ab6eee8baa644e6451286e66b840710dc381ca51be0500b780840423c3e8051795a9d31820a7d59f6f035d6501ab0e46e61f26abd7b9

Download Submit
memory/4392-60-0x00000000054D0000-0x000000000551C000-memory.dmp

Filesize
304KB

Download
memory/4392-59-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/4392-58-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/4392-57-0x00000000053C0000-0x00000000054CA000-memory.dmp

Filesize
1.0MB

Download
memory/4392-56-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/4392-55-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/4856-41-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-33-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-29-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-49-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-47-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-45-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-43-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-21-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4856-39-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-37-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-35-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-25-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-31-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-27-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-23-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-22-0x00000000049B0000-0x00000000049C7000-memory.dmp

Filesize
92KB

Download
memory/4856-51-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4856-20-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4856-19-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4856-18-0x00000000049B0000-0x00000000049CC000-memory.dmp

Filesize
112KB

Download
memory/4856-16-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4856-17-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/4856-15-0x00000000023D0000-0x00000000023EE000-memory.dmp

Filesize
120KB

Download
memory/4856-14-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download