redline | 900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4

General

Target

900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe
Size

489KB
MD5

ea302b468f52e8485cd187c51d23df46
SHA1

38ca06bb11787e6c38a85dd49d26f9f7d108024e
SHA256

900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4
SHA512

dca27ed47a664df113bd542a00873d13b5426ed9668e5dc794f473be42d5d6c40edb8ce4abef6a6036c02e215674b6663db6978559475cfa0afcc2e1baa6b95d
SSDEEP

12288:lMrAy90MlpkbQZuTzkVY0IswI3NBnelQ5GVDVJ4R5:JyfeMZuUqdsNXesODVU

Score

10^/10

redline lada evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

217.196.96.101:4132

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o6502698.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6502698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6502698.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o6502698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6502698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6502698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6502698.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

z5035744.exeo6502698.exer6294913.exe

pid process

4892 z5035744.exe
2496 o6502698.exe
3832 r6294913.exe

pid	process
4892	z5035744.exe
2496	o6502698.exe
3832	r6294913.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o6502698.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6502698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6502698.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exez5035744.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5035744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5035744.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o6502698.exe

pid process

2496 o6502698.exe
2496 o6502698.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o6502698.exe

description pid process

Token: SeDebugPrivilege 2496 o6502698.exe

pid	process
2496	o6502698.exe
2496	o6502698.exe

description	pid	process
Token: SeDebugPrivilege	2496	o6502698.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exez5035744.exe

description	pid	process	target process
PID 3140 wrote to memory of 4892	3140	900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe	z5035744.exe
PID 3140 wrote to memory of 4892	3140	900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe	z5035744.exe
PID 3140 wrote to memory of 4892	3140	900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe	z5035744.exe
PID 4892 wrote to memory of 2496	4892	z5035744.exe	o6502698.exe
PID 4892 wrote to memory of 2496	4892	z5035744.exe	o6502698.exe
PID 4892 wrote to memory of 2496	4892	z5035744.exe	o6502698.exe
PID 4892 wrote to memory of 3832	4892	z5035744.exe	r6294913.exe
PID 4892 wrote to memory of 3832	4892	z5035744.exe	r6294913.exe
PID 4892 wrote to memory of 3832	4892	z5035744.exe	r6294913.exe

C:\Users\Admin\AppData\Local\Temp\900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe
"C:\Users\Admin\AppData\Local\Temp\900268a8cac3f01f0f4b9186b2d2faa5471006a66caf8fded6ed8e523f89b5f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5035744.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5035744.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6502698.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6502698.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6294913.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6294913.exe
3⤵
- Executes dropped EXE
PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5035744.exe
Filesize
307KB

MD5
00338caa85bddce79e31be7f9b646169

SHA1
eca32bb97d5c020af5901031444a5e4aa59bd21d

SHA256
83340c8ddb358642d1b6567bc51ff9313e16a0e26359052590150ae9bef2a2de

SHA512
160db67d693d59b36f4112fdb750b8f89851c1daad834c3d997fc548298b589d232d89fb65ea9bfad999ea9b28ec217601f46e51a494bd4335cb0c9728780ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5035744.exe
Filesize
307KB

MD5
00338caa85bddce79e31be7f9b646169

SHA1
eca32bb97d5c020af5901031444a5e4aa59bd21d

SHA256
83340c8ddb358642d1b6567bc51ff9313e16a0e26359052590150ae9bef2a2de

SHA512
160db67d693d59b36f4112fdb750b8f89851c1daad834c3d997fc548298b589d232d89fb65ea9bfad999ea9b28ec217601f46e51a494bd4335cb0c9728780ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6502698.exe
Filesize
177KB

MD5
7c04b8f22fe200e74b49205dbaf18a59

SHA1
5ceb855d84b6953d2c2e825d55eab7d069ead993

SHA256
6455274698274d0f20b6705e57962ba507d7a4ce919494e460c575ac657951a1

SHA512
c32333c5b3f9b0da633429457e99f1c823af7fe4e7156440adaf9cac9bd27f32f46501314b46e4e4dde39dcf50062b8b1d95bc33f9b048e90567ba39cfc78dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o6502698.exe
Filesize
177KB

MD5
7c04b8f22fe200e74b49205dbaf18a59

SHA1
5ceb855d84b6953d2c2e825d55eab7d069ead993

SHA256
6455274698274d0f20b6705e57962ba507d7a4ce919494e460c575ac657951a1

SHA512
c32333c5b3f9b0da633429457e99f1c823af7fe4e7156440adaf9cac9bd27f32f46501314b46e4e4dde39dcf50062b8b1d95bc33f9b048e90567ba39cfc78dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6294913.exe
Filesize
168KB

MD5
618dfbf636eeb6530d0243af4867552c

SHA1
ef75a4ffd3355cfbb3dbfec17189082c9bb5263a

SHA256
0f9cc44e45eb02a92670599b9b406137fd1fe79c248c209409f8cd920caa3f82

SHA512
3e7a3349e89967d9dc9febc6580973adad554c2d3fb87fece6d65ebd3b26d61b8809cc4a9753a2096627f643b79f2b6893ef0aec7f23d9f892193595182099ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6294913.exe
Filesize
168KB

MD5
618dfbf636eeb6530d0243af4867552c

SHA1
ef75a4ffd3355cfbb3dbfec17189082c9bb5263a

SHA256
0f9cc44e45eb02a92670599b9b406137fd1fe79c248c209409f8cd920caa3f82

SHA512
3e7a3349e89967d9dc9febc6580973adad554c2d3fb87fece6d65ebd3b26d61b8809cc4a9753a2096627f643b79f2b6893ef0aec7f23d9f892193595182099ef

Download Submit
memory/2496-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-170-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-151-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-152-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-154-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-156-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-158-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-160-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-162-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-164-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-149-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2496-166-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-172-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-150-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2496-174-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-176-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-178-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/2496-179-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2496-180-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2496-181-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2496-148-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2496-147-0x0000000004980000-0x0000000004F24000-memory.dmp

Filesize
5.6MB

Download
memory/3832-186-0x0000000000BD0000-0x0000000000C00000-memory.dmp

Filesize
192KB

Download
memory/3832-187-0x000000000AEF0000-0x000000000B508000-memory.dmp

Filesize
6.1MB

Download
memory/3832-188-0x000000000AB50000-0x000000000AC5A000-memory.dmp

Filesize
1.0MB

Download
memory/3832-189-0x000000000AA80000-0x000000000AA92000-memory.dmp

Filesize
72KB

Download
memory/3832-190-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3832-191-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads