redline | 388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb

General

Target

388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe
Size

489KB
MD5

47eeb1a39c27ac86010ca64627e96fde
SHA1

eba4f9f6dda015c0602590d48fff887ba483d2c5
SHA256

388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb
SHA512

b1ce635c776b8c71062ac573bb7b728ce4795a674f6cf99e9fc8eef19cf7baa0916f9eff3d65539c029ccf770a5e0ceb2992b9e7005cdc6a283825d9e9df2acd
SSDEEP

12288:DMrgy902iaexOW9QYQ07+ZnebzhL8DKU8u:HyuokwVe/hwB

Score

10^/10

redline lada evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

217.196.96.101:4132

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o1002609.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1002609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o1002609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1002609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1002609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1002609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1002609.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

z3529279.exeo1002609.exer1440433.exe

pid process

3376 z3529279.exe
3316 o1002609.exe
5108 r1440433.exe

pid	process
3376	z3529279.exe
3316	o1002609.exe
5108	r1440433.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o1002609.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1002609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1002609.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exez3529279.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3529279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3529279.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o1002609.exe

pid process

3316 o1002609.exe
3316 o1002609.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o1002609.exe

description pid process

Token: SeDebugPrivilege 3316 o1002609.exe

pid	process
3316	o1002609.exe
3316	o1002609.exe

description	pid	process
Token: SeDebugPrivilege	3316	o1002609.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exez3529279.exe

description	pid	process	target process
PID 4668 wrote to memory of 3376	4668	388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe	z3529279.exe
PID 4668 wrote to memory of 3376	4668	388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe	z3529279.exe
PID 4668 wrote to memory of 3376	4668	388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe	z3529279.exe
PID 3376 wrote to memory of 3316	3376	z3529279.exe	o1002609.exe
PID 3376 wrote to memory of 3316	3376	z3529279.exe	o1002609.exe
PID 3376 wrote to memory of 3316	3376	z3529279.exe	o1002609.exe
PID 3376 wrote to memory of 5108	3376	z3529279.exe	r1440433.exe
PID 3376 wrote to memory of 5108	3376	z3529279.exe	r1440433.exe
PID 3376 wrote to memory of 5108	3376	z3529279.exe	r1440433.exe

C:\Users\Admin\AppData\Local\Temp\388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe
"C:\Users\Admin\AppData\Local\Temp\388edd10201d59010c41d7277ff39ce840a19ba896093552abd2654623aa2dcb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3529279.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3529279.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1002609.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1002609.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1440433.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1440433.exe
    3⤵
    - Executes dropped EXE
    PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3529279.exe

Filesize
307KB

MD5
3ff4a4799aec15b31b7c9656dde5cc13

SHA1
d22fb6a02cfc6c7e7a9d4b346cb529c75b59c1d2

SHA256
0eed12c73495c731a95815ae228e778a4d8515d01c6eb5c76da9af82689ab52b

SHA512
6f14c575c789266121bad8ccbad6fb8e642b83743b2b405f44ae820b80935f821d053f32765d9b4712441d49fe828f9eea5b24412fd358e5050615e271b8e48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3529279.exe

Filesize
307KB

MD5
3ff4a4799aec15b31b7c9656dde5cc13

SHA1
d22fb6a02cfc6c7e7a9d4b346cb529c75b59c1d2

SHA256
0eed12c73495c731a95815ae228e778a4d8515d01c6eb5c76da9af82689ab52b

SHA512
6f14c575c789266121bad8ccbad6fb8e642b83743b2b405f44ae820b80935f821d053f32765d9b4712441d49fe828f9eea5b24412fd358e5050615e271b8e48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1002609.exe

Filesize
177KB

MD5
b046a0c2017eafdfc923667d1355d334

SHA1
5bdff5be90d72e282fc57461d2ff4405403525e1

SHA256
435219923ffcacf93c0b14e9e69b98bae52735bd08dffa5da1ea11af7a7a3197

SHA512
ca907d80bf9ce53958e40df5780ad14c92ef70e8eedd3b84c10219aa9096984d347bcc14ab4fd4f1687ab4692acc135bc77f3e03793b181b30434752c99412d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1002609.exe

Filesize
177KB

MD5
b046a0c2017eafdfc923667d1355d334

SHA1
5bdff5be90d72e282fc57461d2ff4405403525e1

SHA256
435219923ffcacf93c0b14e9e69b98bae52735bd08dffa5da1ea11af7a7a3197

SHA512
ca907d80bf9ce53958e40df5780ad14c92ef70e8eedd3b84c10219aa9096984d347bcc14ab4fd4f1687ab4692acc135bc77f3e03793b181b30434752c99412d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1440433.exe

Filesize
168KB

MD5
00d5a227016e37e81cf4a1c51892bade

SHA1
4a3bfa9fd33951c75d96f2fda3ae5bdd10ad7fd6

SHA256
79d76e1f3aef52c1016bf8071043d10a02e68a51fc28b16c07770f7c4e6b8446

SHA512
472fc3dce308de619bc28d51247347426ea188bcf75f86e547fc9d32249761453c8c04855aceb27ced458323304b37305786e1f82bac2044a38efb4d1640837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1440433.exe

Filesize
168KB

MD5
00d5a227016e37e81cf4a1c51892bade

SHA1
4a3bfa9fd33951c75d96f2fda3ae5bdd10ad7fd6

SHA256
79d76e1f3aef52c1016bf8071043d10a02e68a51fc28b16c07770f7c4e6b8446

SHA512
472fc3dce308de619bc28d51247347426ea188bcf75f86e547fc9d32249761453c8c04855aceb27ced458323304b37305786e1f82bac2044a38efb4d1640837c

Download Submit
memory/3316-165-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-171-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-155-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-153-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-157-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-159-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-161-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-163-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-148-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-167-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-169-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-151-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-173-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-175-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-176-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3316-178-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3316-177-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3316-179-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3316-180-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3316-181-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3316-149-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/3316-147-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download
memory/5108-186-0x0000000000D50000-0x0000000000D80000-memory.dmp

Filesize
192KB

Download
memory/5108-187-0x000000000B200000-0x000000000B818000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads