redline | bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b

General

Target

bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe
Size

1.1MB
MD5

5db6ea10b4754c85ee84f142ee2c0195
SHA1

337e48bf1dda272c9111ea7d746f976db82b38cd
SHA256

bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b
SHA512

595c4f24e0c1c3a1d4e63a77a8a8841cd59197fe21ce0125f5a1eba89bfd9de99e5fa7cecaa1dd3bfd01d86da9f71aea7d1eaac644202bbb79eca568e91c70d2
SSDEEP

24576:UyNI4pqAVhCwpzOgDXLapdubemm9y2OBvI9E2JTi7g2EYgAsf5A:jNvqAmwTXGpdYrmYpw93TUZfgAs

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o4835179.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4835179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4835179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4835179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4835179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4835179.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z5690285.exez4388864.exeo4835179.exep0620241.exe

pid process

4436 z5690285.exe
4252 z4388864.exe
1996 o4835179.exe
2196 p0620241.exe

pid	process
4436	z5690285.exe
4252	z4388864.exe
1996	o4835179.exe
2196	p0620241.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o4835179.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4835179.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4835179.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exez5690285.exez4388864.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5690285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5690285.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4388864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4388864.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4608 2196 WerFault.exe p0620241.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o4835179.exe

pid process

1996 o4835179.exe
1996 o4835179.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o4835179.exe

description pid process

Token: SeDebugPrivilege 1996 o4835179.exe

pid	pid_target	process	target process
4608	2196	WerFault.exe	p0620241.exe

pid	process
1996	o4835179.exe
1996	o4835179.exe

description	pid	process
Token: SeDebugPrivilege	1996	o4835179.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exez5690285.exez4388864.exe

description	pid	process	target process
PID 4052 wrote to memory of 4436	4052	bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe	z5690285.exe
PID 4052 wrote to memory of 4436	4052	bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe	z5690285.exe
PID 4052 wrote to memory of 4436	4052	bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe	z5690285.exe
PID 4436 wrote to memory of 4252	4436	z5690285.exe	z4388864.exe
PID 4436 wrote to memory of 4252	4436	z5690285.exe	z4388864.exe
PID 4436 wrote to memory of 4252	4436	z5690285.exe	z4388864.exe
PID 4252 wrote to memory of 1996	4252	z4388864.exe	o4835179.exe
PID 4252 wrote to memory of 1996	4252	z4388864.exe	o4835179.exe
PID 4252 wrote to memory of 1996	4252	z4388864.exe	o4835179.exe
PID 4252 wrote to memory of 2196	4252	z4388864.exe	p0620241.exe
PID 4252 wrote to memory of 2196	4252	z4388864.exe	p0620241.exe
PID 4252 wrote to memory of 2196	4252	z4388864.exe	p0620241.exe

C:\Users\Admin\AppData\Local\Temp\bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe
"C:\Users\Admin\AppData\Local\Temp\bcc002ad34a101e769e44a8c7beb2f3ddb4baa021ad98fcfa6fe8537ddd7e88b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5690285.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5690285.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4388864.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4388864.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4835179.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4835179.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0620241.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0620241.exe
4⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 948
5⤵
- Program crash
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5690285.exe
Filesize
702KB

MD5
5c13da90a1329d7922b5c82a4a5697c2

SHA1
6f5b6ebc3c7fc750b355272cd46e37e6ac7afab4

SHA256
af9338138f5d2d5df8d29a3282194221c344f87df4f9cabb5ecbc437e64da264

SHA512
93c05861c8864799ff605749816aeb72400dee70dcd0b8f229081ee779f48d9664f709e20ed0aa3beb57e1fe75b003844e8e96edc2f430c24a0888120edfb534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5690285.exe
Filesize
702KB

MD5
5c13da90a1329d7922b5c82a4a5697c2

SHA1
6f5b6ebc3c7fc750b355272cd46e37e6ac7afab4

SHA256
af9338138f5d2d5df8d29a3282194221c344f87df4f9cabb5ecbc437e64da264

SHA512
93c05861c8864799ff605749816aeb72400dee70dcd0b8f229081ee779f48d9664f709e20ed0aa3beb57e1fe75b003844e8e96edc2f430c24a0888120edfb534

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4388864.exe
Filesize
305KB

MD5
17ab7becb17944bf35b6dc788fd623ba

SHA1
3f5c7516522aa5ad8c0a20760b56f6f6fd984647

SHA256
081623704d516520a64c2e09cb14b44d36ad6ad5b21545a3405edadc9856f3ea

SHA512
8afd6344ea286527e6e175eef0c5c3627301fb835f9cd6d4696645757ca6b3da0b718819ad4983da9c942ee7c969a796cd5ed8a37a87f1ca9c103d91dfbb9530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4388864.exe
Filesize
305KB

MD5
17ab7becb17944bf35b6dc788fd623ba

SHA1
3f5c7516522aa5ad8c0a20760b56f6f6fd984647

SHA256
081623704d516520a64c2e09cb14b44d36ad6ad5b21545a3405edadc9856f3ea

SHA512
8afd6344ea286527e6e175eef0c5c3627301fb835f9cd6d4696645757ca6b3da0b718819ad4983da9c942ee7c969a796cd5ed8a37a87f1ca9c103d91dfbb9530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4835179.exe
Filesize
184KB

MD5
3623aa2880ae46319ccb7204ee2d466b

SHA1
f67d070dec30f3d2f67bdac5fe51ebc8a599b112

SHA256
012acfa69b96e37a2ab2ac787ea23f9fd55bf03a901bc1519b5f09834ffb8ccc

SHA512
5b0fba69e72b3dd78eb13c00cba350276f516ea97d385bd979ee09b35d9f972136d5f30f33aec86334d03b2f8125e4d7d8ad8bef2d5a28ad170b2dd781208be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4835179.exe
Filesize
184KB

MD5
3623aa2880ae46319ccb7204ee2d466b

SHA1
f67d070dec30f3d2f67bdac5fe51ebc8a599b112

SHA256
012acfa69b96e37a2ab2ac787ea23f9fd55bf03a901bc1519b5f09834ffb8ccc

SHA512
5b0fba69e72b3dd78eb13c00cba350276f516ea97d385bd979ee09b35d9f972136d5f30f33aec86334d03b2f8125e4d7d8ad8bef2d5a28ad170b2dd781208be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0620241.exe
Filesize
145KB

MD5
c62766cb659aa60c4837e746955e7c3f

SHA1
e9e760310fd835effe77a194a71eb45e1658cefc

SHA256
805a551c167148f388aec843c62ed53e3ee3e51c7165d9a92e91197560c309ed

SHA512
deca3d51df067a049f978deb1a632285b3ff3af6d563ff4243fb94072cb3abed0a196eb28f23ad30f554fb26452cfb2be86eea8eff921cb118331678b43689d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0620241.exe
Filesize
145KB

MD5
c62766cb659aa60c4837e746955e7c3f

SHA1
e9e760310fd835effe77a194a71eb45e1658cefc

SHA256
805a551c167148f388aec843c62ed53e3ee3e51c7165d9a92e91197560c309ed

SHA512
deca3d51df067a049f978deb1a632285b3ff3af6d563ff4243fb94072cb3abed0a196eb28f23ad30f554fb26452cfb2be86eea8eff921cb118331678b43689d2

Download Submit
memory/1996-156-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1996-163-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-144-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-146-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-148-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-150-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-152-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-154-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-142-0x0000000002100000-0x000000000211C000-memory.dmp

Filesize
112KB

Download
memory/1996-158-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1996-160-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1996-157-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-161-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-143-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-165-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-167-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-169-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-171-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-173-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/1996-174-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1996-175-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1996-176-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1996-141-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/1996-140-0x00000000006D0000-0x00000000006EE000-memory.dmp

Filesize
120KB

Download
memory/2196-181-0x0000000000D60000-0x0000000000D8A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads