redline | f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081

General

Target

f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe
Size

474KB
MD5

81ab25f21bf7576b5fbcc86a6da5fe74
SHA1

3ab2c40ff41f8e69533ed32a8c9caad6481e3a8b
SHA256

f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081
SHA512

d45bf983a4f44db7ff118eb5d3a059b30aedf8128f78feb48af9a72c6807efa0471bba79e653e68d99b72e36ce9eac5ce00a22b957bfc24bae1ee39e513e076c
SSDEEP

12288:lMray90mqCFTefCtlWzskRqn8x+gWoWKR34:XyEClxtlwsRK+gJtx4

Score

10^/10

redline crnn fusa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

redline

Botnet

crnn

C2

176.113.115.17:4132

Attributes

auth_value
6dfbf5eac3db7046d55dfd3f6608be3f

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dyB78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dyB78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dyB78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dyB78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dyB78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dyB78.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3172	nLS45.exe
1360	baL11.exe
4864	cvO34xk.exe
3452	dyB78.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dyB78.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dyB78.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nLS45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nLS45.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4168	3452	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1360	baL11.exe
1360	baL11.exe
4864	cvO34xk.exe
4864	cvO34xk.exe
3452	dyB78.exe
3452	dyB78.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	baL11.exe
Token: SeDebugPrivilege	4864	cvO34xk.exe
Token: SeDebugPrivilege	3452	dyB78.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3172	1400	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe	81
PID 1400 wrote to memory of 3172	1400	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe	81
PID 1400 wrote to memory of 3172	1400	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe	81
PID 3172 wrote to memory of 1360	3172	nLS45.exe	82
PID 3172 wrote to memory of 1360	3172	nLS45.exe	82
PID 3172 wrote to memory of 1360	3172	nLS45.exe	82
PID 3172 wrote to memory of 4864	3172	nLS45.exe	86
PID 3172 wrote to memory of 4864	3172	nLS45.exe	86
PID 3172 wrote to memory of 4864	3172	nLS45.exe	86
PID 1400 wrote to memory of 3452	1400	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe	91
PID 1400 wrote to memory of 3452	1400	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe	91
PID 1400 wrote to memory of 3452	1400	f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe	91

C:\Users\Admin\AppData\Local\Temp\f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe
"C:\Users\Admin\AppData\Local\Temp\f169ebda36849fb0f45a80b941b05085dda39aede7c657684d0b877e42a28081.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS45.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS45.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\baL11.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\baL11.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvO34xk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvO34xk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dyB78.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dyB78.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1080
    3⤵
    - Program crash
    PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3452 -ip 3452
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dyB78.exe

Filesize
235KB

MD5
ea2af715b2c17a763c05bffc5669ded5

SHA1
876295abbc668533e3629c38e5b4db50776f969a

SHA256
b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

SHA512
1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dyB78.exe

Filesize
235KB

MD5
ea2af715b2c17a763c05bffc5669ded5

SHA1
876295abbc668533e3629c38e5b4db50776f969a

SHA256
b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

SHA512
1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS45.exe

Filesize
200KB

MD5
f7e7a2ebd38ec2f267cf8c4183e0789f

SHA1
a72484caea0a972046dc747b2c5768a3aa0c2185

SHA256
52d00ac8e74c23a61bb7189501ad762603575979e86a531af0d1a8c02b1c0f0f

SHA512
fee47d6ccee76898dbae72d737cc95b5c06c7e53ca4762b601eb78ed63bea403c6425a2dcdaf4262cc5042343bd02447b311912d9822abcdeed8a4e42e57eb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nLS45.exe

Filesize
200KB

MD5
f7e7a2ebd38ec2f267cf8c4183e0789f

SHA1
a72484caea0a972046dc747b2c5768a3aa0c2185

SHA256
52d00ac8e74c23a61bb7189501ad762603575979e86a531af0d1a8c02b1c0f0f

SHA512
fee47d6ccee76898dbae72d737cc95b5c06c7e53ca4762b601eb78ed63bea403c6425a2dcdaf4262cc5042343bd02447b311912d9822abcdeed8a4e42e57eb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\baL11.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\baL11.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvO34xk.exe

Filesize
175KB

MD5
062a3c73b1aaf076abefd71633b66de5

SHA1
e4b7e004c32d673fd61b1669c797dc4b207d8445

SHA256
f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

SHA512
6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cvO34xk.exe

Filesize
175KB

MD5
062a3c73b1aaf076abefd71633b66de5

SHA1
e4b7e004c32d673fd61b1669c797dc4b207d8445

SHA256
f281aafa876847194d635feddb06b11295249cc4bcf940d5246bdb5938410881

SHA512
6bee4020fa8e4955b3028a71037f78ec922132009942283e071b3acdeea375300cef092fd692e9463d625065d5ef57e5e1ebd98f72e801ffc2178c071d645ec3

Download Submit
memory/1360-146-0x0000000006830000-0x00000000069F2000-memory.dmp

Filesize
1.8MB

Download
memory/1360-142-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

Filesize
240KB

Download
memory/1360-143-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/1360-144-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/1360-145-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/1360-141-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/1360-147-0x0000000006F30000-0x000000000745C000-memory.dmp

Filesize
5.2MB

Download
memory/1360-148-0x0000000006B00000-0x0000000006B76000-memory.dmp

Filesize
472KB

Download
memory/1360-149-0x00000000067B0000-0x0000000006800000-memory.dmp

Filesize
320KB

Download
memory/1360-138-0x00000000006A0000-0x00000000006D2000-memory.dmp

Filesize
200KB

Download
memory/1360-140-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/1360-139-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/3452-157-0x0000000000761000-0x0000000000781000-memory.dmp

Filesize
128KB

Download
memory/3452-158-0x00000000005A0000-0x00000000005CD000-memory.dmp

Filesize
180KB

Download
memory/3452-159-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3452-160-0x0000000000761000-0x0000000000781000-memory.dmp

Filesize
128KB

Download
memory/3452-161-0x0000000000761000-0x0000000000781000-memory.dmp

Filesize
128KB

Download
memory/3452-162-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4864-153-0x0000000000B80000-0x0000000000BB2000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads