redline | 6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b

General

Target

6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe
Size

538KB
MD5

842d05c3298aad4c99f4257f2c6033c0
SHA1

58312a3e1a94bb13d78d2fbd15f244b7084e082d
SHA256

6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b
SHA512

7e20562d44aed0daf8fce228899a1e8556b66d90e31a59e24e100ea74a25d218b485389c25901d44122abedf3a7dc743b1c99fcabec8d0dcf1243dd0f7b4fb5d
SSDEEP

12288:5Mrby90wudYzr+lL7HV1kjsUARY2XKVP:Oy2+zraL71TUn2X0P

Score

10^/10

redline dubka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	rdc5523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	rdc5523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	rdc5523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	rdc5523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	rdc5523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	rdc5523.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
616	vMx9729.exe
2948	rdc5523.exe
2116	tPT62gL.exe
860	uCZ04vn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	rdc5523.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vMx9729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vMx9729.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4960	860	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2948	rdc5523.exe
2948	rdc5523.exe
2116	tPT62gL.exe
2116	tPT62gL.exe
860	uCZ04vn.exe
860	uCZ04vn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	rdc5523.exe
Token: SeDebugPrivilege	2116	tPT62gL.exe
Token: SeDebugPrivilege	860	uCZ04vn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 616	2728	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe	82
PID 2728 wrote to memory of 616	2728	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe	82
PID 2728 wrote to memory of 616	2728	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe	82
PID 616 wrote to memory of 2948	616	vMx9729.exe	83
PID 616 wrote to memory of 2948	616	vMx9729.exe	83
PID 616 wrote to memory of 2116	616	vMx9729.exe	84
PID 616 wrote to memory of 2116	616	vMx9729.exe	84
PID 616 wrote to memory of 2116	616	vMx9729.exe	84
PID 2728 wrote to memory of 860	2728	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe	85
PID 2728 wrote to memory of 860	2728	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe	85
PID 2728 wrote to memory of 860	2728	6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe	85

C:\Users\Admin\AppData\Local\Temp\6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe
"C:\Users\Admin\AppData\Local\Temp\6614f7613a18e25ada1b998f969e03e884df5589c9f516b40de5c7533f550d0b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMx9729.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMx9729.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rdc5523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rdc5523.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPT62gL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPT62gL.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCZ04vn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCZ04vn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1328
    3⤵
    - Program crash
    PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 860 -ip 860
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCZ04vn.exe

Filesize
316KB

MD5
753b93eb4d121b0f8b3857f3fa62c0e0

SHA1
85334de6acb05bd068cefeeed8a8e96a8e726e53

SHA256
786dea480d6889cb752be418a8892f506f9708fadcc809cc9dc509bf7893a873

SHA512
e62f9dfdaed0e5e7204794ea03529d570a0392e1e8dbbd3dc56a277ef1d1cdffd2a5d0ec481d89db853a2aecd146d7b14fe36596cb342122f504618f9ca76927

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCZ04vn.exe

Filesize
316KB

MD5
753b93eb4d121b0f8b3857f3fa62c0e0

SHA1
85334de6acb05bd068cefeeed8a8e96a8e726e53

SHA256
786dea480d6889cb752be418a8892f506f9708fadcc809cc9dc509bf7893a873

SHA512
e62f9dfdaed0e5e7204794ea03529d570a0392e1e8dbbd3dc56a277ef1d1cdffd2a5d0ec481d89db853a2aecd146d7b14fe36596cb342122f504618f9ca76927

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMx9729.exe

Filesize
202KB

MD5
ad4e02af8820784a84177ed393dce7cd

SHA1
ed9ddb69ab5cce7bb371f73222c2319f6a4b5b43

SHA256
b1b9627673dd5b1ef27282f70bd42003d91ff81dc59857584ef1f1050f34de89

SHA512
afbcd3090e8f794400472d3cb76fa567fc93fc2a20e9af2c21f909c7e5df1283a3429ed3eff5bf75b2f4a609f67e6618534642558858724e0eae1bd3acc52fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMx9729.exe

Filesize
202KB

MD5
ad4e02af8820784a84177ed393dce7cd

SHA1
ed9ddb69ab5cce7bb371f73222c2319f6a4b5b43

SHA256
b1b9627673dd5b1ef27282f70bd42003d91ff81dc59857584ef1f1050f34de89

SHA512
afbcd3090e8f794400472d3cb76fa567fc93fc2a20e9af2c21f909c7e5df1283a3429ed3eff5bf75b2f4a609f67e6618534642558858724e0eae1bd3acc52fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rdc5523.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rdc5523.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPT62gL.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPT62gL.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
memory/860-163-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/860-159-0x00000000007D1000-0x00000000007FF000-memory.dmp

Filesize
184KB

Download
memory/860-160-0x00000000006A0000-0x00000000006EB000-memory.dmp

Filesize
300KB

Download
memory/860-161-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/860-162-0x00000000007D1000-0x00000000007FF000-memory.dmp

Filesize
184KB

Download
memory/2116-148-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/2116-146-0x0000000004E90000-0x0000000004F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2116-149-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/2116-150-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/2116-151-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2116-152-0x0000000006660000-0x0000000006822000-memory.dmp

Filesize
1.8MB

Download
memory/2116-153-0x0000000006D60000-0x000000000728C000-memory.dmp

Filesize
5.2MB

Download
memory/2116-154-0x0000000006510000-0x0000000006586000-memory.dmp

Filesize
472KB

Download
memory/2116-155-0x0000000006590000-0x00000000065E0000-memory.dmp

Filesize
320KB

Download
memory/2116-147-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2116-145-0x0000000005310000-0x0000000005928000-memory.dmp

Filesize
6.1MB

Download
memory/2116-144-0x00000000003F0000-0x0000000000422000-memory.dmp

Filesize
200KB

Download
memory/2948-140-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/2948-139-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp

Filesize
10.8MB

Download
memory/2948-138-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads