redline | eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa

General

Target

eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe
Size

468KB
MD5

c21c085f3df17c8871ac91b55d294122
SHA1

b3fe7196b8c8d0000fd41319c47a8f803e36c342
SHA256

eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa
SHA512

0b670732f40907160db2fde711e85f07273ea4583e8079de24f9cc624cd401c9fa48216455ec04aa2586e95194cad57d4c0c3fac64efb8d811a44ca50ac0cae1
SSDEEP

12288:BMrry90FYohvaesrM4ozQ5zBS/b19iIm0PRlC8:CyoY0ae35MFS/b1dmYRlC8

Score

10^/10

redline cr10n fukia discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

redline

Botnet

cr10n

C2

176.113.115.17:4132

Attributes

auth_value
6016c19179aa1044c369adb0ec1f363b

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dYx17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dYx17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dYx17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dYx17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dYx17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dYx17.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3388	nEx30.exe
2004	beX39.exe
4784	cII26ER.exe
4380	dYx17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dYx17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dYx17.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nEx30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nEx30.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4128	4380	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2004	beX39.exe
2004	beX39.exe
4784	cII26ER.exe
4784	cII26ER.exe
4380	dYx17.exe
4380	dYx17.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	beX39.exe
Token: SeDebugPrivilege	4784	cII26ER.exe
Token: SeDebugPrivilege	4380	dYx17.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 3388	2600	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe	81
PID 2600 wrote to memory of 3388	2600	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe	81
PID 2600 wrote to memory of 3388	2600	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe	81
PID 3388 wrote to memory of 2004	3388	nEx30.exe	82
PID 3388 wrote to memory of 2004	3388	nEx30.exe	82
PID 3388 wrote to memory of 2004	3388	nEx30.exe	82
PID 3388 wrote to memory of 4784	3388	nEx30.exe	83
PID 3388 wrote to memory of 4784	3388	nEx30.exe	83
PID 3388 wrote to memory of 4784	3388	nEx30.exe	83
PID 2600 wrote to memory of 4380	2600	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe	84
PID 2600 wrote to memory of 4380	2600	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe	84
PID 2600 wrote to memory of 4380	2600	eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe	84

C:\Users\Admin\AppData\Local\Temp\eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe
"C:\Users\Admin\AppData\Local\Temp\eddd2ce50fd470b5308ac5edf9ce13d965e3ad9a6ed0d2ef4b477c6e96897bfa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nEx30.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nEx30.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beX39.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beX39.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cII26ER.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cII26ER.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYx17.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYx17.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1080
    3⤵
    - Program crash
    PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4380 -ip 4380
1⤵
PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYx17.exe

Filesize
220KB

MD5
fd815ed5f97b5a0c8091f3f8d5125673

SHA1
8e062e61dc7fb58a3301741aa4c34b259e3e9b25

SHA256
7f2e56fcc1d09a924faf8e9fd38f4781aa79d6d895e8d068d093b4201a3f08e7

SHA512
e47b639e4692101ea444ee22b99d638c521ae5c5e8f27b16f9c2f335ab3a242bf0deb51f52a9e75ccb40edffa8bbaaa6cf8915ff74e10be79fbd697fe8ee96b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dYx17.exe

Filesize
220KB

MD5
fd815ed5f97b5a0c8091f3f8d5125673

SHA1
8e062e61dc7fb58a3301741aa4c34b259e3e9b25

SHA256
7f2e56fcc1d09a924faf8e9fd38f4781aa79d6d895e8d068d093b4201a3f08e7

SHA512
e47b639e4692101ea444ee22b99d638c521ae5c5e8f27b16f9c2f335ab3a242bf0deb51f52a9e75ccb40edffa8bbaaa6cf8915ff74e10be79fbd697fe8ee96b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nEx30.exe

Filesize
202KB

MD5
8f375a9e5d652192848785717039eb46

SHA1
4759853d28ec3aa85d46eee15fd76e02d22eea96

SHA256
9134ff311be224e401fdef045dcdce2db6767b11f1987383bc12972f982a4676

SHA512
6bf6d5ee66991a01cc83c63dfcfabc5517c23a1358a330a9820f30ffca585f0fdcc21203f0388af3bf33f2d2d9eac8e820d75ce4656157bcb5ed7ebdc52e321d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nEx30.exe

Filesize
202KB

MD5
8f375a9e5d652192848785717039eb46

SHA1
4759853d28ec3aa85d46eee15fd76e02d22eea96

SHA256
9134ff311be224e401fdef045dcdce2db6767b11f1987383bc12972f982a4676

SHA512
6bf6d5ee66991a01cc83c63dfcfabc5517c23a1358a330a9820f30ffca585f0fdcc21203f0388af3bf33f2d2d9eac8e820d75ce4656157bcb5ed7ebdc52e321d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beX39.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\beX39.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cII26ER.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cII26ER.exe

Filesize
175KB

MD5
ce5ef6aac94fdb2af40da676f6cab58f

SHA1
c393f24b1550955a686ee39067f20813415af95f

SHA256
ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

SHA512
2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

Download Submit
memory/2004-146-0x0000000006230000-0x00000000062A6000-memory.dmp

Filesize
472KB

Download
memory/2004-142-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/2004-143-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/2004-144-0x0000000006360000-0x0000000006904000-memory.dmp

Filesize
5.6MB

Download
memory/2004-145-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/2004-141-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/2004-147-0x00000000062B0000-0x0000000006300000-memory.dmp

Filesize
320KB

Download
memory/2004-148-0x0000000006BE0000-0x0000000006DA2000-memory.dmp

Filesize
1.8MB

Download
memory/2004-149-0x00000000072E0000-0x000000000780C000-memory.dmp

Filesize
5.2MB

Download
memory/2004-138-0x00000000007E0000-0x0000000000812000-memory.dmp

Filesize
200KB

Download
memory/2004-140-0x0000000005280000-0x000000000538A000-memory.dmp

Filesize
1.0MB

Download
memory/2004-139-0x0000000005790000-0x0000000005DA8000-memory.dmp

Filesize
6.1MB

Download
memory/4380-157-0x0000000000A24000-0x0000000000A44000-memory.dmp

Filesize
128KB

Download
memory/4380-158-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/4380-159-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/4380-160-0x0000000000400000-0x0000000000754000-memory.dmp

Filesize
3.3MB

Download
memory/4784-153-0x0000000000310000-0x0000000000342000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads