4f758849cc2c1a02baf4c275ea8fc9cc2fd9a380c157d066a984162fd43cbfe3

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 16:47

Target

Redline Stealer/OpenPort.bat
Size

94B
MD5

cf1cc90281e28cee22dce7ed013c2678
SHA1

2f213a71b76db3e51ad2d659f84dc1f3f90725fb
SHA256

84399f8bccefa404e156a5351b1de75a2d5290b4fddd1754efb16401ed7218ef
SHA512

2b61c1da7cc66506537719cedab82f172d2ac1af4df69513ba64507a5ed67989974f81791faf08c5855580df53f564600381be34c340b825f1f01919948921e1

Score

8^/10

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

Disable or Modify System Firewall

pid	Process
2456	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2456	2344	cmd.exe	31
PID 2344 wrote to memory of 2456	2344	cmd.exe	31
PID 2344 wrote to memory of 2456	2344	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Redline Stealer\OpenPort.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2456