redline | 7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff

General

Target

7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe
Size

478KB
MD5

3ab12afc1a30cbdb0c3da2d84ab1bbcb
SHA1

ab0725be45a171e263d27771aa56193545b66464
SHA256

7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff
SHA512

6cd7d8e4dc7be9a318c51d01cbcd57797cae017f37e92dea304987e114a226e5787de46b587cdbab49619b0fbe35db3b645fdaaf28a01b383ee09553aa0af799
SSDEEP

6144:KZy+bnr+Lp0yN90QEwvlRj1yuwT2vUnDHSybHW/FweEGePQZJAm2qpza88+kpC:DMrjy90Stp1yulm3HW/eYyU2q88BMC

Score

10^/10

redline fusa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	lpn76Wh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	lpn76Wh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	lpn76Wh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	bHj10yq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bHj10yq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bHj10yq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	lpn76Wh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	lpn76Wh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	lpn76Wh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bHj10yq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bHj10yq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bHj10yq.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
5020	nQb70dX.exe
5000	bHj10yq.exe
316	dbV49wp.exe
2080	lpn76Wh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	bHj10yq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	lpn76Wh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	bHj10yq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nQb70dX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nQb70dX.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1868	5000	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5000	bHj10yq.exe
5000	bHj10yq.exe
316	dbV49wp.exe
316	dbV49wp.exe
2080	lpn76Wh.exe
2080	lpn76Wh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	bHj10yq.exe
Token: SeDebugPrivilege	316	dbV49wp.exe
Token: SeDebugPrivilege	2080	lpn76Wh.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 5020	1276	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe	81
PID 1276 wrote to memory of 5020	1276	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe	81
PID 1276 wrote to memory of 5020	1276	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe	81
PID 5020 wrote to memory of 5000	5020	nQb70dX.exe	82
PID 5020 wrote to memory of 5000	5020	nQb70dX.exe	82
PID 5020 wrote to memory of 5000	5020	nQb70dX.exe	82
PID 5020 wrote to memory of 316	5020	nQb70dX.exe	91
PID 5020 wrote to memory of 316	5020	nQb70dX.exe	91
PID 5020 wrote to memory of 316	5020	nQb70dX.exe	91
PID 1276 wrote to memory of 2080	1276	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe	93
PID 1276 wrote to memory of 2080	1276	7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe	93

C:\Users\Admin\AppData\Local\Temp\7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe
"C:\Users\Admin\AppData\Local\Temp\7be94813669601adf1c2486a165dbf5f3317bbcadad72272509b5820f2a20dff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb70dX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb70dX.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHj10yq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHj10yq.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1008
      4⤵
      Program crash
      PID:1868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbV49wp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbV49wp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lpn76Wh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lpn76Wh.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5000 -ip 5000
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lpn76Wh.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lpn76Wh.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb70dX.exe

Filesize
375KB

MD5
fd0b41eed48fd57e156b5b20e51f1642

SHA1
b25ccc6c159d4a5f1ef66e4c0e770349cf8146cf

SHA256
aab8ef2a9108a9df8c25e0b6d775ce7809c483de6927c9622cdf63775cf7ead3

SHA512
058c17aa7fd6c3051650c87e96352566feba15471e582a2fe1910dbe8eb441dcb2cdb364904ca4d4c786ef83255dc1801562eccde42f588496ba3ba9ae0e37d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nQb70dX.exe

Filesize
375KB

MD5
fd0b41eed48fd57e156b5b20e51f1642

SHA1
b25ccc6c159d4a5f1ef66e4c0e770349cf8146cf

SHA256
aab8ef2a9108a9df8c25e0b6d775ce7809c483de6927c9622cdf63775cf7ead3

SHA512
058c17aa7fd6c3051650c87e96352566feba15471e582a2fe1910dbe8eb441dcb2cdb364904ca4d4c786ef83255dc1801562eccde42f588496ba3ba9ae0e37d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHj10yq.exe

Filesize
235KB

MD5
ea2af715b2c17a763c05bffc5669ded5

SHA1
876295abbc668533e3629c38e5b4db50776f969a

SHA256
b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

SHA512
1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bHj10yq.exe

Filesize
235KB

MD5
ea2af715b2c17a763c05bffc5669ded5

SHA1
876295abbc668533e3629c38e5b4db50776f969a

SHA256
b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

SHA512
1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbV49wp.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dbV49wp.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
memory/316-156-0x0000000006A70000-0x0000000006F9C000-memory.dmp

Filesize
5.2MB

Download
memory/316-152-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/316-158-0x0000000006540000-0x0000000006590000-memory.dmp

Filesize
320KB

Download
memory/316-157-0x0000000005D30000-0x0000000005DA6000-memory.dmp

Filesize
472KB

Download
memory/316-155-0x0000000006370000-0x0000000006532000-memory.dmp

Filesize
1.8MB

Download
memory/316-145-0x0000000000000000-mapping.dmp

Download
memory/316-154-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/316-153-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/316-148-0x00000000000B0000-0x00000000000E2000-memory.dmp

Filesize
200KB

Download
memory/316-149-0x0000000004EF0000-0x0000000005508000-memory.dmp

Filesize
6.1MB

Download
memory/316-150-0x0000000004A10000-0x0000000004B1A000-memory.dmp

Filesize
1.0MB

Download
memory/316-151-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2080-159-0x0000000000000000-mapping.dmp

Download
memory/2080-162-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/2080-163-0x00007FFAB1160000-0x00007FFAB1C21000-memory.dmp

Filesize
10.8MB

Download
memory/2080-164-0x00007FFAB1160000-0x00007FFAB1C21000-memory.dmp

Filesize
10.8MB

Download
memory/5000-139-0x0000000004CA0000-0x0000000005244000-memory.dmp

Filesize
5.6MB

Download
memory/5000-140-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/5000-144-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/5000-143-0x0000000000701000-0x0000000000721000-memory.dmp

Filesize
128KB

Download
memory/5000-142-0x0000000000701000-0x0000000000721000-memory.dmp

Filesize
128KB

Download
memory/5000-141-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/5000-138-0x0000000000701000-0x0000000000721000-memory.dmp

Filesize
128KB

Download
memory/5000-135-0x0000000000000000-mapping.dmp

Download
memory/5020-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads