redline | 67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e

General

Target

67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe
Size

1.1MB
MD5

9577a0ac86c27c7e3f39d3ed12ca0199
SHA1

d9554d7be8cc881838dc561f74ab1726a9ec5498
SHA256

67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e
SHA512

c46d26439b75ad51b69b449d9cfeb38d8ed058034bd119845cbb100b218312088fac12c1a82ca149a70ddc86a987ab5b0ae942f211ba0eb68182013c1ccf8fac
SSDEEP

24576:6yjWEn1IYDmzPjqDBL37Eo6PPCixWHPwbgh5S2+Q4+sS4SF:BjWE1IYazODBj0CiYH42fC9dS

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0358651.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0358651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0358651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0358651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0358651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0358651.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z0421098.exez5175313.exeo0358651.exep0266699.exe

pid process

2600 z0421098.exe
3896 z5175313.exe
4064 o0358651.exe
1884 p0266699.exe

pid	process
2600	z0421098.exe
3896	z5175313.exe
4064	o0358651.exe
1884	p0266699.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0358651.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0358651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0358651.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exez0421098.exez5175313.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0421098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0421098.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5175313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5175313.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3636 1884 WerFault.exe p0266699.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o0358651.exe

pid process

4064 o0358651.exe
4064 o0358651.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o0358651.exe

description pid process

Token: SeDebugPrivilege 4064 o0358651.exe

pid	pid_target	process	target process
3636	1884	WerFault.exe	p0266699.exe

pid	process
4064	o0358651.exe
4064	o0358651.exe

description	pid	process
Token: SeDebugPrivilege	4064	o0358651.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exez0421098.exez5175313.exe

description	pid	process	target process
PID 2408 wrote to memory of 2600	2408	67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe	z0421098.exe
PID 2408 wrote to memory of 2600	2408	67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe	z0421098.exe
PID 2408 wrote to memory of 2600	2408	67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe	z0421098.exe
PID 2600 wrote to memory of 3896	2600	z0421098.exe	z5175313.exe
PID 2600 wrote to memory of 3896	2600	z0421098.exe	z5175313.exe
PID 2600 wrote to memory of 3896	2600	z0421098.exe	z5175313.exe
PID 3896 wrote to memory of 4064	3896	z5175313.exe	o0358651.exe
PID 3896 wrote to memory of 4064	3896	z5175313.exe	o0358651.exe
PID 3896 wrote to memory of 4064	3896	z5175313.exe	o0358651.exe
PID 3896 wrote to memory of 1884	3896	z5175313.exe	p0266699.exe
PID 3896 wrote to memory of 1884	3896	z5175313.exe	p0266699.exe
PID 3896 wrote to memory of 1884	3896	z5175313.exe	p0266699.exe

C:\Users\Admin\AppData\Local\Temp\67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe
"C:\Users\Admin\AppData\Local\Temp\67532ec7a72645439005b3d7c0c4027cd1b88713ec3b05cec01c476f73bce69e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0421098.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0421098.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5175313.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5175313.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0358651.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0358651.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0266699.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0266699.exe
4⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 948
5⤵
- Program crash
PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0421098.exe
Filesize
703KB

MD5
d8a436552f8b6eb78ba22492287182e4

SHA1
3b915e62e7306d973404bea6fb9f5d412dc1b3e2

SHA256
d03ff5154f496ad25ffd8588bd577e5b68a17c752e9f71d0d97d9736d86c2b5a

SHA512
37c4a295b19d5017fffd527cf90f37d3fb82a5e9a99c44919dc318d44930a356e18a63c969de308ff39ea231b649bddb9999c734fd67525e5f0690c38f9d1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0421098.exe
Filesize
703KB

MD5
d8a436552f8b6eb78ba22492287182e4

SHA1
3b915e62e7306d973404bea6fb9f5d412dc1b3e2

SHA256
d03ff5154f496ad25ffd8588bd577e5b68a17c752e9f71d0d97d9736d86c2b5a

SHA512
37c4a295b19d5017fffd527cf90f37d3fb82a5e9a99c44919dc318d44930a356e18a63c969de308ff39ea231b649bddb9999c734fd67525e5f0690c38f9d1011

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5175313.exe
Filesize
305KB

MD5
d2d3f00bb810e9f72ae7655b625ab5f5

SHA1
c447350fc06061931cb6d7666b203af5d3f5d026

SHA256
660cfadf86ca7b058368aab836fc89845b92d0bb8c9b20b7f0552773d8c06f1a

SHA512
01bd7d1b7a3367fd6f5f0b2869f4abb020a027d4d8599f96c95b23f8b31e51693f273326733b7f82d6ecf88b1e8305de75eb0736c836e0d07942597f24ce2917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5175313.exe
Filesize
305KB

MD5
d2d3f00bb810e9f72ae7655b625ab5f5

SHA1
c447350fc06061931cb6d7666b203af5d3f5d026

SHA256
660cfadf86ca7b058368aab836fc89845b92d0bb8c9b20b7f0552773d8c06f1a

SHA512
01bd7d1b7a3367fd6f5f0b2869f4abb020a027d4d8599f96c95b23f8b31e51693f273326733b7f82d6ecf88b1e8305de75eb0736c836e0d07942597f24ce2917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0358651.exe
Filesize
184KB

MD5
8174af7efb074f9a29cdff87c0f4f2cd

SHA1
20b92ae670bc65348bf09d839e40574455f4ff3f

SHA256
a020cd3de744de6a63b773d12f89a0188859e2348cf27287e200ec0eb42817c7

SHA512
2c402b919ff4320852d17415eb32053413fc6a71d3db9a572115a3416bd218e3f2b6c07a7515619bcf5329c69344ebeeafbb61ce33c9d921fb3de7959f1b5a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0358651.exe
Filesize
184KB

MD5
8174af7efb074f9a29cdff87c0f4f2cd

SHA1
20b92ae670bc65348bf09d839e40574455f4ff3f

SHA256
a020cd3de744de6a63b773d12f89a0188859e2348cf27287e200ec0eb42817c7

SHA512
2c402b919ff4320852d17415eb32053413fc6a71d3db9a572115a3416bd218e3f2b6c07a7515619bcf5329c69344ebeeafbb61ce33c9d921fb3de7959f1b5a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0266699.exe
Filesize
145KB

MD5
c3b939b5adb510842c161c395e9852aa

SHA1
111c5a22750356c6c1f4534780bd7882059118ca

SHA256
dd87d848c55f024177c735f66b85534f027c2e33a4efba7ee0d94bc9488d949d

SHA512
800e26c43eeeaaab0a389190cb6221656c46e765fc02716fdafadf72f64827b250985ea7a5d769201f22ed0059e86b2bbc6ffb52822bb229edecc871d428bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0266699.exe
Filesize
145KB

MD5
c3b939b5adb510842c161c395e9852aa

SHA1
111c5a22750356c6c1f4534780bd7882059118ca

SHA256
dd87d848c55f024177c735f66b85534f027c2e33a4efba7ee0d94bc9488d949d

SHA512
800e26c43eeeaaab0a389190cb6221656c46e765fc02716fdafadf72f64827b250985ea7a5d769201f22ed0059e86b2bbc6ffb52822bb229edecc871d428bd87

Download Submit
memory/1884-181-0x0000000000A90000-0x0000000000ABA000-memory.dmp

Filesize
168KB

Download
memory/4064-151-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-163-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-146-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4064-148-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-149-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-144-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4064-153-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-155-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-157-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-159-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-161-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-147-0x0000000004A70000-0x0000000004A8C000-memory.dmp

Filesize
112KB

Download
memory/4064-165-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-167-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-169-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-171-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-173-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-175-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/4064-176-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4064-145-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/4064-143-0x0000000004B20000-0x000000000501E000-memory.dmp

Filesize
5.0MB

Download
memory/4064-142-0x0000000002130000-0x000000000214E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads