redline | 36a33e7da8ad27ce449d6bc53c6ca650bc283b8f96d5fe797187aea40e0dcc68

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe
Size

876KB
MD5

c4f94db419675a2bd6a16b83fe8c381a
SHA1

9df4ba3bf6ec393244a8c765e463e597bb64b217
SHA256

a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78
SHA512

564e7abd509ee71988cd0550846eb241fddd44fb7557a4c76c520a14d1f88f9b2464083f86fe3d8cb6660e2526536e4ea37800d1d957d7ea3a191425eab35855
SSDEEP

24576:yyrZFRyjL8oVVYRBh7I21NQxRXsNeo6BP:Z/MjInz1SxR+e

Score

10^/10

redline dimas evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dimas

185.161.248.75:4132

Attributes

auth_value
a5db9b1c53c704e612bccc93ccdb5539

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3532406.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3532406.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral24/files/0x0007000000023420-55.dat	family_redline
behavioral24/memory/3248-57-0x00000000008E0000-0x000000000090A000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
5056	y3890167.exe
1388	y8339271.exe
4496	k3532406.exe
3248	l8874809.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k3532406.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3532406.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3890167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8339271.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4496	k3532406.exe
4496	k3532406.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	k3532406.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 5056	3948	a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe	83
PID 3948 wrote to memory of 5056	3948	a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe	83
PID 3948 wrote to memory of 5056	3948	a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe	83
PID 5056 wrote to memory of 1388	5056	y3890167.exe	85
PID 5056 wrote to memory of 1388	5056	y3890167.exe	85
PID 5056 wrote to memory of 1388	5056	y3890167.exe	85
PID 1388 wrote to memory of 4496	1388	y8339271.exe	86
PID 1388 wrote to memory of 4496	1388	y8339271.exe	86
PID 1388 wrote to memory of 4496	1388	y8339271.exe	86
PID 1388 wrote to memory of 3248	1388	y8339271.exe	92
PID 1388 wrote to memory of 3248	1388	y8339271.exe	92
PID 1388 wrote to memory of 3248	1388	y8339271.exe	92

C:\Users\Admin\AppData\Local\Temp\a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe
"C:\Users\Admin\AppData\Local\Temp\a26df59e48ff80e63c4ae80b1ca4da56cf0629cdcaaa173b3f510b0b20722f78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3890167.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3890167.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8339271.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8339271.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3532406.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3532406.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8874809.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8874809.exe
      4⤵
      Executes dropped EXE
      PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3890167.exe

Filesize
479KB

MD5
869d623180dff73397b5f34058e106f2

SHA1
1af73065d328029ee3d82ddd8f625ad3a9d9bcff

SHA256
9b9cb00d14cf7c8d3f4e64b8dd4573bad195ee266c5cffcf820f398e5a51ae04

SHA512
bc8a1c93dea8662be47d3737435605efca351a80803e3b41f71da9914153eb0c320d572085e1b2671875951c3311634beae8002e984c1a69f7e98a7258c90498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8339271.exe

Filesize
307KB

MD5
a28b1e892c10ba5e054b20faf5519263

SHA1
d9988318cdfbb97edaa2712790cc35f3181ff7b4

SHA256
8bd2da3bdd49625487058350b98633f194eeda83697690c729fefcefc188b07e

SHA512
fe5ef2074e8f98a066568c6ecd35bae22a556c41f5546820b1e078c0e1fe5458b15e422b9cc4c8459d307e50a0c28b9256c497f47a9fdf5e6aa6de2496c5f3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3532406.exe

Filesize
185KB

MD5
3e630811e041742e84b8ea3e59c277d1

SHA1
8a9c6d88e0d8ce0bd9e03658fa832d238a5eccd1

SHA256
960b92763e28e9b1ff62f7b8774351557c3abbf50adf9255ab5767b2851dd20b

SHA512
8d8c4d270f3c4ed32a0dbd0d07e5bd67c8cee508870a8b0a814b17e3c6255e9439054b62cde1d9b293ac50ab37fc10c63cdeccb33f65e6197fd5e7327432685e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8874809.exe

Filesize
145KB

MD5
8cbdb1bc227685c0b07cf0022188ca55

SHA1
db385aabb4a08bcabfcaba8606eb4ea20ab61609

SHA256
4d916a161e438b629309131ba9510f57158456d5484925161561089db28b227d

SHA512
3960c636f656a7e731d0215a9959adc9bad017cf9fe1b0a208da70155a694544a64744d7724ba534ac0fcd0b7208a99adde90b195fdde2ef19710258f95a47ea

Download Submit
memory/3248-62-0x00000000054C0000-0x000000000550C000-memory.dmp

Filesize
304KB

Download
memory/3248-61-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/3248-60-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/3248-59-0x00000000053B0000-0x00000000054BA000-memory.dmp

Filesize
1.0MB

Download
memory/3248-58-0x0000000005830000-0x0000000005E48000-memory.dmp

Filesize
6.1MB

Download
memory/3248-57-0x00000000008E0000-0x000000000090A000-memory.dmp

Filesize
168KB

Download
memory/4496-42-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-30-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-46-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-44-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-50-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-40-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-36-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-34-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-32-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-48-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-28-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-26-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-52-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-38-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-25-0x00000000049A0000-0x00000000049B7000-memory.dmp

Filesize
92KB

Download
memory/4496-24-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/4496-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/4496-22-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4496-21-0x00000000023C0000-0x00000000023DE000-memory.dmp

Filesize
120KB

Download