redline | 2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559

General

Target

2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe
Size

1.1MB
MD5

3d6668537621ba44ddb60f1c8dc6acc7
SHA1

c26e1a33b19d5ccb179e3b4c1000af9f5f123ed1
SHA256

2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559
SHA512

295ea4533ac3e3ee14349ab183d618bcb0b00e725cd14662004f133587b91b0930d22869a0e62991fee4d7da8a1612b76abdfe77d199b7f19002cf46194ee443
SSDEEP

24576:tyZ5sYsFyDk04iGabrODQcT8RtG8tjDkUzV4gJ0:IZ1ayDkjq3mTv8tjPhR

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o4187849.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4187849.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4187849.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4187849.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4187849.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4187849.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z5822908.exez8740117.exeo4187849.exep2780638.exe

pid process

1812 z5822908.exe
1372 z8740117.exe
448 o4187849.exe
1072 p2780638.exe

pid	process
1812	z5822908.exe
1372	z8740117.exe
448	o4187849.exe
1072	p2780638.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o4187849.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4187849.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4187849.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exez5822908.exez8740117.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5822908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5822908.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8740117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8740117.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2772 1072 WerFault.exe p2780638.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o4187849.exe

pid process

448 o4187849.exe
448 o4187849.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o4187849.exe

description pid process

Token: SeDebugPrivilege 448 o4187849.exe

pid	pid_target	process	target process
2772	1072	WerFault.exe	p2780638.exe

pid	process
448	o4187849.exe
448	o4187849.exe

description	pid	process
Token: SeDebugPrivilege	448	o4187849.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exez5822908.exez8740117.exe

description	pid	process	target process
PID 3712 wrote to memory of 1812	3712	2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe	z5822908.exe
PID 3712 wrote to memory of 1812	3712	2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe	z5822908.exe
PID 3712 wrote to memory of 1812	3712	2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe	z5822908.exe
PID 1812 wrote to memory of 1372	1812	z5822908.exe	z8740117.exe
PID 1812 wrote to memory of 1372	1812	z5822908.exe	z8740117.exe
PID 1812 wrote to memory of 1372	1812	z5822908.exe	z8740117.exe
PID 1372 wrote to memory of 448	1372	z8740117.exe	o4187849.exe
PID 1372 wrote to memory of 448	1372	z8740117.exe	o4187849.exe
PID 1372 wrote to memory of 448	1372	z8740117.exe	o4187849.exe
PID 1372 wrote to memory of 1072	1372	z8740117.exe	p2780638.exe
PID 1372 wrote to memory of 1072	1372	z8740117.exe	p2780638.exe
PID 1372 wrote to memory of 1072	1372	z8740117.exe	p2780638.exe

C:\Users\Admin\AppData\Local\Temp\2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe
"C:\Users\Admin\AppData\Local\Temp\2fb8f83d368cb91a603bae613bf0c684d53ede3ff15e2eb3e427abe435d90559.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822908.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822908.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8740117.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8740117.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4187849.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4187849.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2780638.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2780638.exe
4⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 948
5⤵
- Program crash
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822908.exe
Filesize
701KB

MD5
79646768a0ce6ebc1045e4d776c7ab63

SHA1
898b96225d3922c2489dd928adc99815f43257cd

SHA256
7be8f67d6aa24e6b54dd9d8665f9c048bcde2c4b2c2ff8efa0e5b8163b4e041a

SHA512
86d27ea77dc26e6867331382ad9e8d3b489494bfcf42e883f68c94d5f06b1b25a60f1f959d58f87637ae74a4a0eb31339805209501055aeb9ad5ec477fe3ba4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822908.exe
Filesize
701KB

MD5
79646768a0ce6ebc1045e4d776c7ab63

SHA1
898b96225d3922c2489dd928adc99815f43257cd

SHA256
7be8f67d6aa24e6b54dd9d8665f9c048bcde2c4b2c2ff8efa0e5b8163b4e041a

SHA512
86d27ea77dc26e6867331382ad9e8d3b489494bfcf42e883f68c94d5f06b1b25a60f1f959d58f87637ae74a4a0eb31339805209501055aeb9ad5ec477fe3ba4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8740117.exe
Filesize
305KB

MD5
1f9cee815b3c8b0717db93f15655fdab

SHA1
400b7da092c126d2b56d76fcb1e395aa15912d88

SHA256
eb25823d0943e0d9e604ce2c8a7b4bf0a9716e12b80e4bb9a03a9a819df27c08

SHA512
36fe878a16f2d6dd51cc5b27cf373724b0207b7b1eaf26a8d99fe7d6758dc6f811e497d6d065f2ed7dec24fc6cf93ad7b6cf485225e52ecdb3b1f98a4e907a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8740117.exe
Filesize
305KB

MD5
1f9cee815b3c8b0717db93f15655fdab

SHA1
400b7da092c126d2b56d76fcb1e395aa15912d88

SHA256
eb25823d0943e0d9e604ce2c8a7b4bf0a9716e12b80e4bb9a03a9a819df27c08

SHA512
36fe878a16f2d6dd51cc5b27cf373724b0207b7b1eaf26a8d99fe7d6758dc6f811e497d6d065f2ed7dec24fc6cf93ad7b6cf485225e52ecdb3b1f98a4e907a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4187849.exe
Filesize
184KB

MD5
192c9ce9cbff1be5b949bc068439a3c7

SHA1
d1c29c90d07d0c2e9d2bfaa6ccfc4a7214b558e5

SHA256
f38175fe08e0fada118a394107d870d5c2b38f1979193b9d499446ba5a9660f6

SHA512
b19f11e66ae2c6b69610d75351c0c5eac059a35179f97159e1cc53b4eb2b54c063df94c10eec45af4a26369c2ef18792b2bc6f65add353b98557fad225b642cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4187849.exe
Filesize
184KB

MD5
192c9ce9cbff1be5b949bc068439a3c7

SHA1
d1c29c90d07d0c2e9d2bfaa6ccfc4a7214b558e5

SHA256
f38175fe08e0fada118a394107d870d5c2b38f1979193b9d499446ba5a9660f6

SHA512
b19f11e66ae2c6b69610d75351c0c5eac059a35179f97159e1cc53b4eb2b54c063df94c10eec45af4a26369c2ef18792b2bc6f65add353b98557fad225b642cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2780638.exe
Filesize
145KB

MD5
0b710a8b134511a693ca2cb0a1a7e7c0

SHA1
d18afa05d6fa321802a8390efc2ed7c4b8089201

SHA256
019faab547134500b2483f7b33906700696cee7425bfad9491af736b87fdd089

SHA512
ee43495accf58912567f74d7037e7cc24fac9ab7b70c335c8d16040721edb7f3584f21eb5f3ac7a1574158ecadef486ad243c35916a812892c04754353317ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2780638.exe
Filesize
145KB

MD5
0b710a8b134511a693ca2cb0a1a7e7c0

SHA1
d18afa05d6fa321802a8390efc2ed7c4b8089201

SHA256
019faab547134500b2483f7b33906700696cee7425bfad9491af736b87fdd089

SHA512
ee43495accf58912567f74d7037e7cc24fac9ab7b70c335c8d16040721edb7f3584f21eb5f3ac7a1574158ecadef486ad243c35916a812892c04754353317ac2

Download Submit
memory/448-150-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-160-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-141-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/448-142-0x00000000023D0000-0x00000000023EC000-memory.dmp

Filesize
112KB

Download
memory/448-143-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-144-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-146-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-148-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-139-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/448-152-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-154-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-156-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-158-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-140-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/448-162-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-164-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-166-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-168-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-170-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/448-171-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/448-172-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/448-173-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/448-138-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/448-137-0x00000000006B0000-0x00000000006CE000-memory.dmp

Filesize
120KB

Download
memory/1072-178-0x00000000005D0000-0x00000000005FA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads