redline | df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95

General

Target

df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe
Size

491KB
MD5

b69b22db3b1bd42061c0b43a8b4c56fd
SHA1

04cb58877d703add816759bd83a5233590521115
SHA256

df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95
SHA512

eb142a3f450edc1d8eccb94a3f7a76511b433eca05af691dc480fd2ea24ede9c9deedc406c7efda62408d6960ca9c874772187825cdca68264584ae1c31f95e8
SSDEEP

6144:Kyy+bnr+op0yN90QE0zFFreWEQZC6Awc8ZZLtKl1JiIfRiV5Bykl2DK6ADkkpuzM:2MrUy90+Pkxwc8Zcr5iVqQ2fPjVh4

Score

10^/10

redline lipo evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lipo

C2

217.196.96.101:4132

Attributes

auth_value
3183df2d03b17daa3c5ecc95e60086a5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3113083.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3113083.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3113083.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3113083.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3113083.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2332	z1492966.exe
2576	o3113083.exe
3540	r3120475.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o3113083.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3113083.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1492966.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1492966.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4744	3540	WerFault.exe	68

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	o3113083.exe
2576	o3113083.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	o3113083.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2332	2132	df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe	66
PID 2132 wrote to memory of 2332	2132	df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe	66
PID 2132 wrote to memory of 2332	2132	df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe	66
PID 2332 wrote to memory of 2576	2332	z1492966.exe	67
PID 2332 wrote to memory of 2576	2332	z1492966.exe	67
PID 2332 wrote to memory of 2576	2332	z1492966.exe	67
PID 2332 wrote to memory of 3540	2332	z1492966.exe	68
PID 2332 wrote to memory of 3540	2332	z1492966.exe	68
PID 2332 wrote to memory of 3540	2332	z1492966.exe	68

C:\Users\Admin\AppData\Local\Temp\df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe
"C:\Users\Admin\AppData\Local\Temp\df99ffded671130a004acb37d537829c12c179679ec1f0c3d16d1332c5e08c95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1492966.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1492966.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3113083.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3113083.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3120475.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3120475.exe
    3⤵
    - Executes dropped EXE
    PID:3540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 956
      4⤵
      Program crash
      PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1492966.exe

Filesize
309KB

MD5
b9a990cb237dd9c8d010e1cb5c996da8

SHA1
96e950ed7b348bfb3c6c1b4c96aa3eed6bb593ab

SHA256
cae8d0f0d8c43bbbe3b1c9e3d03821b595c8baeffc476314ac449505b6eeb729

SHA512
37aa5923aed060bf26766005c2fdb5cde35be63859981f4d2f60b5a81d17dfa0d5b6a6ac89917bbe1d7490a6a309b910435eb2d6d407d9d789f337873f11713c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1492966.exe

Filesize
309KB

MD5
b9a990cb237dd9c8d010e1cb5c996da8

SHA1
96e950ed7b348bfb3c6c1b4c96aa3eed6bb593ab

SHA256
cae8d0f0d8c43bbbe3b1c9e3d03821b595c8baeffc476314ac449505b6eeb729

SHA512
37aa5923aed060bf26766005c2fdb5cde35be63859981f4d2f60b5a81d17dfa0d5b6a6ac89917bbe1d7490a6a309b910435eb2d6d407d9d789f337873f11713c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3113083.exe

Filesize
178KB

MD5
95c7e498c2d25edb397bdea1fd8ce313

SHA1
4aabd49de41bcb3156f384a451bdce27d3062323

SHA256
31b647b4208d8800d029056aa9b5c57189139f12ef33c19a368f362b55be376d

SHA512
7331a4c1c43a3d6d6a226836cdd3c2673b5afded82cd711d430cfbb55db36ecb7a2b3f7b3fdee84cde69f145cef7b4365a6f211c88f8e586cbe940c73822fd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3113083.exe

Filesize
178KB

MD5
95c7e498c2d25edb397bdea1fd8ce313

SHA1
4aabd49de41bcb3156f384a451bdce27d3062323

SHA256
31b647b4208d8800d029056aa9b5c57189139f12ef33c19a368f362b55be376d

SHA512
7331a4c1c43a3d6d6a226836cdd3c2673b5afded82cd711d430cfbb55db36ecb7a2b3f7b3fdee84cde69f145cef7b4365a6f211c88f8e586cbe940c73822fd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3120475.exe

Filesize
168KB

MD5
189f6a3fbdd517366d584e514842573a

SHA1
25e37e17cddfeb12b08c4c5ed4219c922066c7ab

SHA256
5376259dc59686c341284eb3132924c087dce4896da609599d8577f74917c4b9

SHA512
75120d2413d923d5eeb285a83511e0ff0a84c9c9f7852ccc7c8450e02284e93e4a45de0f1370834e7e191db52638cf51feb9443b115753889e04ea1722da33c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3120475.exe

Filesize
168KB

MD5
189f6a3fbdd517366d584e514842573a

SHA1
25e37e17cddfeb12b08c4c5ed4219c922066c7ab

SHA256
5376259dc59686c341284eb3132924c087dce4896da609599d8577f74917c4b9

SHA512
75120d2413d923d5eeb285a83511e0ff0a84c9c9f7852ccc7c8450e02284e93e4a45de0f1370834e7e191db52638cf51feb9443b115753889e04ea1722da33c1

Download Submit
memory/2576-148-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-158-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-140-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2576-139-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2576-141-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-142-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-144-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-146-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-137-0x00000000022A0000-0x00000000022B8000-memory.dmp

Filesize
96KB

Download
memory/2576-150-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-152-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-154-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-156-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-138-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2576-160-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-162-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-164-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-166-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-168-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2576-169-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2576-170-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2576-171-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2576-136-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/2576-135-0x0000000002160000-0x000000000217A000-memory.dmp

Filesize
104KB

Download
memory/3540-176-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads