redline | 1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5

General

Target

1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe
Size

1.1MB
MD5

421203943ce2889b54f0aeb6d0cef015
SHA1

2b370fadd4a1f28332f06d13821b52390b1d4733
SHA256

1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5
SHA512

9b23e229e397591dd30bee05853ae9dd0c95a1e07acff666dbc55281b700d7f3677af58240502fee6743f3e0841c990b5f62eac5b02502deb01b0f05f8b56c68
SSDEEP

24576:3yrLzZTZT2n/LKgiflsGgc6YjM3AeoFD12lh5C2otWWEw38:Crr6jKZK5/qGqFR2fA2oso

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0924294.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0924294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0924294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0924294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0924294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0924294.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z4467210.exez1716493.exeo0924294.exep2266688.exe

pid process

3996 z4467210.exe
3544 z1716493.exe
64 o0924294.exe
4256 p2266688.exe

pid	process
3996	z4467210.exe
3544	z1716493.exe
64	o0924294.exe
4256	p2266688.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0924294.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0924294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0924294.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exez4467210.exez1716493.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4467210.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4467210.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1716493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1716493.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2720 4256 WerFault.exe p2266688.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o0924294.exe

pid process

64 o0924294.exe
64 o0924294.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o0924294.exe

description pid process

Token: SeDebugPrivilege 64 o0924294.exe

pid	pid_target	process	target process
2720	4256	WerFault.exe	p2266688.exe

pid	process
64	o0924294.exe
64	o0924294.exe

description	pid	process
Token: SeDebugPrivilege	64	o0924294.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exez4467210.exez1716493.exe

description	pid	process	target process
PID 3532 wrote to memory of 3996	3532	1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe	z4467210.exe
PID 3532 wrote to memory of 3996	3532	1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe	z4467210.exe
PID 3532 wrote to memory of 3996	3532	1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe	z4467210.exe
PID 3996 wrote to memory of 3544	3996	z4467210.exe	z1716493.exe
PID 3996 wrote to memory of 3544	3996	z4467210.exe	z1716493.exe
PID 3996 wrote to memory of 3544	3996	z4467210.exe	z1716493.exe
PID 3544 wrote to memory of 64	3544	z1716493.exe	o0924294.exe
PID 3544 wrote to memory of 64	3544	z1716493.exe	o0924294.exe
PID 3544 wrote to memory of 64	3544	z1716493.exe	o0924294.exe
PID 3544 wrote to memory of 4256	3544	z1716493.exe	p2266688.exe
PID 3544 wrote to memory of 4256	3544	z1716493.exe	p2266688.exe
PID 3544 wrote to memory of 4256	3544	z1716493.exe	p2266688.exe

C:\Users\Admin\AppData\Local\Temp\1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe
"C:\Users\Admin\AppData\Local\Temp\1213fe64ca885b18b1f35a21da195e25761cc5715445bc1577558a3db096d6d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4467210.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4467210.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1716493.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1716493.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0924294.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0924294.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2266688.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2266688.exe
4⤵
- Executes dropped EXE
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 948
5⤵
- Program crash
PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4467210.exe
Filesize
702KB

MD5
77f2b357d4af72c195aa03c9f75d3054

SHA1
7d540590298e0a4e3e98f268c9485d1c0baa2b2c

SHA256
1cd00022d943ceead087e390fd4fecafab785cd3911b43779c191f9140f4954e

SHA512
5083ed06e829a77cf175e0bb914e677da01209c3357aa7d41ee9fbe4c6667682c3824a1da61ce1f3c94d38bc4227d19ee9add86e8a7ca4f72eab659c8f853176

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4467210.exe
Filesize
702KB

MD5
77f2b357d4af72c195aa03c9f75d3054

SHA1
7d540590298e0a4e3e98f268c9485d1c0baa2b2c

SHA256
1cd00022d943ceead087e390fd4fecafab785cd3911b43779c191f9140f4954e

SHA512
5083ed06e829a77cf175e0bb914e677da01209c3357aa7d41ee9fbe4c6667682c3824a1da61ce1f3c94d38bc4227d19ee9add86e8a7ca4f72eab659c8f853176

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1716493.exe
Filesize
305KB

MD5
54949383e5008387267318adade5b113

SHA1
6817c7e8c51df0c89d865a181d75b5a066ab34ee

SHA256
b04a74b5463555c63eee6cfe85d9af0e43bf1d3c715eb0b255a8be4b717d6f7d

SHA512
580177771fe62178aa6a333f61a210e72aae663c142fce7e3b99782d89822b7d68b685c1217398d6920cf54ea346b24965600c0e41d31f0a44e778e2fc6efcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1716493.exe
Filesize
305KB

MD5
54949383e5008387267318adade5b113

SHA1
6817c7e8c51df0c89d865a181d75b5a066ab34ee

SHA256
b04a74b5463555c63eee6cfe85d9af0e43bf1d3c715eb0b255a8be4b717d6f7d

SHA512
580177771fe62178aa6a333f61a210e72aae663c142fce7e3b99782d89822b7d68b685c1217398d6920cf54ea346b24965600c0e41d31f0a44e778e2fc6efcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0924294.exe
Filesize
184KB

MD5
f4e9234da0742f6aeb82ce6a303734d2

SHA1
657dae275b6f3663d9519a60264fbd24f353fcb5

SHA256
38d90bda4bee3b48e15bdebb59e7acea051b1137de29655ceaa8186ac074f624

SHA512
60ffe49ec77752ac48148e13a83782e81655d215ca0f51a9a63e4925894cf655ad8ea5c1fba8b87d8711866d49046757c522292c14b7c59bdc45338503983aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0924294.exe
Filesize
184KB

MD5
f4e9234da0742f6aeb82ce6a303734d2

SHA1
657dae275b6f3663d9519a60264fbd24f353fcb5

SHA256
38d90bda4bee3b48e15bdebb59e7acea051b1137de29655ceaa8186ac074f624

SHA512
60ffe49ec77752ac48148e13a83782e81655d215ca0f51a9a63e4925894cf655ad8ea5c1fba8b87d8711866d49046757c522292c14b7c59bdc45338503983aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2266688.exe
Filesize
145KB

MD5
20df2940335874390b79383d7aeb18ca

SHA1
98398663d607ec17768c99e909bf68b6c613ad7f

SHA256
53ee2563862819e4e03323875394e3ee71c5f79f06e9aa40c835025e4a5ede50

SHA512
ea21e3605b3b87725705f5b891b7303d7e235784e0c33a54b6f1eac73e3b1130b6b3359cc5bc529c77e0d331cc6a3d9bdafd0a9e4ae78ef0f6fd821ee9fb4d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2266688.exe
Filesize
145KB

MD5
20df2940335874390b79383d7aeb18ca

SHA1
98398663d607ec17768c99e909bf68b6c613ad7f

SHA256
53ee2563862819e4e03323875394e3ee71c5f79f06e9aa40c835025e4a5ede50

SHA512
ea21e3605b3b87725705f5b891b7303d7e235784e0c33a54b6f1eac73e3b1130b6b3359cc5bc529c77e0d331cc6a3d9bdafd0a9e4ae78ef0f6fd821ee9fb4d53

Download Submit
memory/64-151-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-161-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-142-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/64-143-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/64-144-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-145-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-147-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-149-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-140-0x00000000025D0000-0x00000000025EC000-memory.dmp

Filesize
112KB

Download
memory/64-153-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-155-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-157-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-159-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-141-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/64-163-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-165-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-167-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-169-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-171-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/64-172-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/64-173-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/64-174-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/64-139-0x0000000004BD0000-0x00000000050CE000-memory.dmp

Filesize
5.0MB

Download
memory/64-138-0x0000000002150000-0x000000000216E000-memory.dmp

Filesize
120KB

Download
memory/4256-179-0x00000000006D0000-0x00000000006FA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads