redline | e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a

General

Target

e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe
Size

1.1MB
MD5

8e0ce3a73c56a5f119554a66bfc779cf
SHA1

a386c778371a2c8ce9af5d0d82d1134a9b04006c
SHA256

e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a
SHA512

a85eef9bfdbbd9cb6e613381b4dbdd0fa3a3bf21ffbba6ca341b051e67ee1c36b0aa273754c08ea1d1a012580d7864a88c672e4f166bd96c9e65dd8f4b0eac11
SSDEEP

24576:MyvgC6cCVwVeZ3oiEI3HxvCbF0uDfrrXtF+snVm5c62:7qcCVwV23jh3QJ0uvLGsgb

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o3345162.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3345162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3345162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3345162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3345162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3345162.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z0918503.exez9944907.exeo3345162.exep4392008.exe

pid process

4456 z0918503.exe
3148 z9944907.exe
4268 o3345162.exe
2848 p4392008.exe

pid	process
4456	z0918503.exe
3148	z9944907.exe
4268	o3345162.exe
2848	p4392008.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o3345162.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o3345162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3345162.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exez0918503.exez9944907.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0918503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0918503.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9944907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9944907.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4936 2848 WerFault.exe p4392008.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o3345162.exe

pid process

4268 o3345162.exe
4268 o3345162.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o3345162.exe

description pid process

Token: SeDebugPrivilege 4268 o3345162.exe

pid	pid_target	process	target process
4936	2848	WerFault.exe	p4392008.exe

pid	process
4268	o3345162.exe
4268	o3345162.exe

description	pid	process
Token: SeDebugPrivilege	4268	o3345162.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exez0918503.exez9944907.exe

description	pid	process	target process
PID 4116 wrote to memory of 4456	4116	e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe	z0918503.exe
PID 4116 wrote to memory of 4456	4116	e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe	z0918503.exe
PID 4116 wrote to memory of 4456	4116	e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe	z0918503.exe
PID 4456 wrote to memory of 3148	4456	z0918503.exe	z9944907.exe
PID 4456 wrote to memory of 3148	4456	z0918503.exe	z9944907.exe
PID 4456 wrote to memory of 3148	4456	z0918503.exe	z9944907.exe
PID 3148 wrote to memory of 4268	3148	z9944907.exe	o3345162.exe
PID 3148 wrote to memory of 4268	3148	z9944907.exe	o3345162.exe
PID 3148 wrote to memory of 4268	3148	z9944907.exe	o3345162.exe
PID 3148 wrote to memory of 2848	3148	z9944907.exe	p4392008.exe
PID 3148 wrote to memory of 2848	3148	z9944907.exe	p4392008.exe
PID 3148 wrote to memory of 2848	3148	z9944907.exe	p4392008.exe

C:\Users\Admin\AppData\Local\Temp\e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe
"C:\Users\Admin\AppData\Local\Temp\e99c9c9d19c2c23059f2ad8364d57324f58088017d4b2edf440760b4b2613f9a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0918503.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0918503.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9944907.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9944907.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3345162.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3345162.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4392008.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4392008.exe
4⤵
- Executes dropped EXE
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 948
5⤵
- Program crash
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0918503.exe
Filesize
703KB

MD5
cb67a7619e99d462902412b2c5d10d1c

SHA1
8fb725c9f80415509f3ca5b322c8fd49887cb012

SHA256
3a1fe0de474a38c193b2dceaed58571da4a538426ac10af62b32a2875028cc4a

SHA512
4bd297565e1f09f94d69d67800802ba0b63706e3971c7e744883788f5bdfe8f57572817a8967959ea16739973ef3103caa936678637da78b81a6cd98b58318c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0918503.exe
Filesize
703KB

MD5
cb67a7619e99d462902412b2c5d10d1c

SHA1
8fb725c9f80415509f3ca5b322c8fd49887cb012

SHA256
3a1fe0de474a38c193b2dceaed58571da4a538426ac10af62b32a2875028cc4a

SHA512
4bd297565e1f09f94d69d67800802ba0b63706e3971c7e744883788f5bdfe8f57572817a8967959ea16739973ef3103caa936678637da78b81a6cd98b58318c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9944907.exe
Filesize
305KB

MD5
fd84d05f151b05c5b0406f5240d369e1

SHA1
33ff8fd2651f9bc2cfb0db7d1a4af56ded072e77

SHA256
cb99c7179c72c0b33cf92a6bc6a7b618bc1494e784c49987aa1a21af97ea4dc7

SHA512
8d8507e77ba6f9a50a4cf3a2d2648d7e9336eed903b139be07ee263990e8d63c7ffb127c22078c75646b68228248f115ae8e0fcc5de80f89b33afe3f729fe2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9944907.exe
Filesize
305KB

MD5
fd84d05f151b05c5b0406f5240d369e1

SHA1
33ff8fd2651f9bc2cfb0db7d1a4af56ded072e77

SHA256
cb99c7179c72c0b33cf92a6bc6a7b618bc1494e784c49987aa1a21af97ea4dc7

SHA512
8d8507e77ba6f9a50a4cf3a2d2648d7e9336eed903b139be07ee263990e8d63c7ffb127c22078c75646b68228248f115ae8e0fcc5de80f89b33afe3f729fe2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3345162.exe
Filesize
184KB

MD5
5808edf23f28d845cff0c7d802de8558

SHA1
b0921d42c3cd67c09961a2232ddb5cd769c0d133

SHA256
ecb1f5002ee137d4c44b615d57c10972ab00ebaaa30aa37c87d2b970748cba02

SHA512
d8c604468c788831366952db987d56491c960c48a422717231bab7c6336953dd32bf203186d6fab86850d06f1b3ed4102b1928c053ebb673d7d50f56b9f60db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3345162.exe
Filesize
184KB

MD5
5808edf23f28d845cff0c7d802de8558

SHA1
b0921d42c3cd67c09961a2232ddb5cd769c0d133

SHA256
ecb1f5002ee137d4c44b615d57c10972ab00ebaaa30aa37c87d2b970748cba02

SHA512
d8c604468c788831366952db987d56491c960c48a422717231bab7c6336953dd32bf203186d6fab86850d06f1b3ed4102b1928c053ebb673d7d50f56b9f60db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4392008.exe
Filesize
145KB

MD5
d7927cff852f309c96dcd1554f0e814b

SHA1
623705d52070ddb1dc1d6717c11865236d3163ae

SHA256
3e6e811201ba6cd40fcbe72344616e306e477e002762834080331f39121857ab

SHA512
387c5a8eb575b79e7cfba7819290fbe8321c0d3a8d3da2d7acf7c6ca1ae194a2cb148432b185a8575eb68774babb69a31cc5e3d9fc527a515b4ce092628cdfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4392008.exe
Filesize
145KB

MD5
d7927cff852f309c96dcd1554f0e814b

SHA1
623705d52070ddb1dc1d6717c11865236d3163ae

SHA256
3e6e811201ba6cd40fcbe72344616e306e477e002762834080331f39121857ab

SHA512
387c5a8eb575b79e7cfba7819290fbe8321c0d3a8d3da2d7acf7c6ca1ae194a2cb148432b185a8575eb68774babb69a31cc5e3d9fc527a515b4ce092628cdfa7

Download Submit
memory/2848-182-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/4268-158-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4268-162-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-147-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-149-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-151-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-153-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-154-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4268-144-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-157-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-155-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4268-160-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-145-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-164-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-166-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-168-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-170-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-172-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-174-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4268-175-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4268-176-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4268-177-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/4268-143-0x0000000004A60000-0x0000000004A7C000-memory.dmp

Filesize
112KB

Download
memory/4268-142-0x0000000004AF0000-0x0000000004FEE000-memory.dmp

Filesize
5.0MB

Download
memory/4268-141-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads