redline | e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2

General

Target

e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe
Size

1.1MB
MD5

3b28ad7a0995e2956b465f0981629aa0
SHA1

9a8c79a405cbd15e19ad930064d28ac931941e10
SHA256

e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2
SHA512

44b4dd11cd8e1fd5c592c84ca0e372dda80a6e8f24db9ebfdd9cc3c65292c0357acdf8824fae44cec0f08a482fc8204dbe4105ae978183395eb0670438b47b7a
SSDEEP

24576:/yxx/wfTTZ8+VlbgF4QO3/v7cX9Yvfz4G39ia8lqyMiTZshMjEOmcL:Kxx/wfTTZFVl8qQapzjx8TMiTq2jEOmc

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o5032205.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o5032205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o5032205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o5032205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o5032205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o5032205.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z2716584.exez7937917.exeo5032205.exep4771392.exe

pid process

3380 z2716584.exe
4268 z7937917.exe
4668 o5032205.exe
4812 p4771392.exe

pid	process
3380	z2716584.exe
4268	z7937917.exe
4668	o5032205.exe
4812	p4771392.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o5032205.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o5032205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o5032205.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exez2716584.exez7937917.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2716584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2716584.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7937917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7937917.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 4812 WerFault.exe p4771392.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o5032205.exe

pid process

4668 o5032205.exe
4668 o5032205.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o5032205.exe

description pid process

Token: SeDebugPrivilege 4668 o5032205.exe

pid	pid_target	process	target process
3700	4812	WerFault.exe	p4771392.exe

pid	process
4668	o5032205.exe
4668	o5032205.exe

description	pid	process
Token: SeDebugPrivilege	4668	o5032205.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exez2716584.exez7937917.exe

description	pid	process	target process
PID 1600 wrote to memory of 3380	1600	e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe	z2716584.exe
PID 1600 wrote to memory of 3380	1600	e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe	z2716584.exe
PID 1600 wrote to memory of 3380	1600	e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe	z2716584.exe
PID 3380 wrote to memory of 4268	3380	z2716584.exe	z7937917.exe
PID 3380 wrote to memory of 4268	3380	z2716584.exe	z7937917.exe
PID 3380 wrote to memory of 4268	3380	z2716584.exe	z7937917.exe
PID 4268 wrote to memory of 4668	4268	z7937917.exe	o5032205.exe
PID 4268 wrote to memory of 4668	4268	z7937917.exe	o5032205.exe
PID 4268 wrote to memory of 4668	4268	z7937917.exe	o5032205.exe
PID 4268 wrote to memory of 4812	4268	z7937917.exe	p4771392.exe
PID 4268 wrote to memory of 4812	4268	z7937917.exe	p4771392.exe
PID 4268 wrote to memory of 4812	4268	z7937917.exe	p4771392.exe

C:\Users\Admin\AppData\Local\Temp\e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe
"C:\Users\Admin\AppData\Local\Temp\e0b4e38dc7f1d309c24bcbc7dcad8426e9714a081eeb75547436f276707285f2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2716584.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2716584.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7937917.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7937917.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5032205.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5032205.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4771392.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4771392.exe
4⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 948
5⤵
- Program crash
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2716584.exe
Filesize
703KB

MD5
656b805986aedc4a47c1511e3a668eae

SHA1
6db7f873b5cca7c22f6ff7063ffa342f5e394a0f

SHA256
459d4f2f83e1a587c2c14b99fdfbc7cc1ed115e991cf77edc54230550a37ea82

SHA512
a6ceae784080acf54b467febe46c589a9b03d9767b5c4803ff4fb8013aa5310b915f01d28577368ed73454212618860f8c628bc2cce05d14432be4a8465a2813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2716584.exe
Filesize
703KB

MD5
656b805986aedc4a47c1511e3a668eae

SHA1
6db7f873b5cca7c22f6ff7063ffa342f5e394a0f

SHA256
459d4f2f83e1a587c2c14b99fdfbc7cc1ed115e991cf77edc54230550a37ea82

SHA512
a6ceae784080acf54b467febe46c589a9b03d9767b5c4803ff4fb8013aa5310b915f01d28577368ed73454212618860f8c628bc2cce05d14432be4a8465a2813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7937917.exe
Filesize
305KB

MD5
6fc88cacefc676c5472ad20e5fa677bc

SHA1
df8b79bada0681a4b0c337f1fc650c8c1693d274

SHA256
8de071971d524348e2db0189be2db0d3fffb04d5281c6c3dce2068974a9cdee3

SHA512
d6ab870f40a88dce5db43d4444c49ebaae60235f457cecec57190b02408017c693defa606758e5e8a4cdc72944086a5d3ede3d0ebf93fbcced5ab9fc3c11c1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7937917.exe
Filesize
305KB

MD5
6fc88cacefc676c5472ad20e5fa677bc

SHA1
df8b79bada0681a4b0c337f1fc650c8c1693d274

SHA256
8de071971d524348e2db0189be2db0d3fffb04d5281c6c3dce2068974a9cdee3

SHA512
d6ab870f40a88dce5db43d4444c49ebaae60235f457cecec57190b02408017c693defa606758e5e8a4cdc72944086a5d3ede3d0ebf93fbcced5ab9fc3c11c1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5032205.exe
Filesize
184KB

MD5
ab73cb171f3f11d41f2f96953ab07c3a

SHA1
a209bb0cce9c9f1fb1edb0d7dd1f623f6b56c332

SHA256
cf7dfb45f3ba7e92904680f8f8002acb9138a618b9a5f56ac954c2facf9245d5

SHA512
c27a76357d3dabbf0c32e9954a48f02f01985ed9d95f636355d8e6aebb9af1b65d55f8f885f1b9eb744cef7748a98c9c61003f1c15c4d9ce70e8fabc9501c150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5032205.exe
Filesize
184KB

MD5
ab73cb171f3f11d41f2f96953ab07c3a

SHA1
a209bb0cce9c9f1fb1edb0d7dd1f623f6b56c332

SHA256
cf7dfb45f3ba7e92904680f8f8002acb9138a618b9a5f56ac954c2facf9245d5

SHA512
c27a76357d3dabbf0c32e9954a48f02f01985ed9d95f636355d8e6aebb9af1b65d55f8f885f1b9eb744cef7748a98c9c61003f1c15c4d9ce70e8fabc9501c150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4771392.exe
Filesize
145KB

MD5
6fbb0ff65aa7af3d9b346ad2bc05ee93

SHA1
c9f6fc147f61e4a0008efbac0bc8077f5af2bad6

SHA256
16d834defd6de309f87462625c9a6b76684327581a93fb867f5a1c5db691d87d

SHA512
043955642ca14468258d6d751a33b26d01c929b1722310d6e7b3b9be6d5c00901d74a68e9535126ad7a817f7bc4eb3022b9832c5f3bbd5a67d01af199e761687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4771392.exe
Filesize
145KB

MD5
6fbb0ff65aa7af3d9b346ad2bc05ee93

SHA1
c9f6fc147f61e4a0008efbac0bc8077f5af2bad6

SHA256
16d834defd6de309f87462625c9a6b76684327581a93fb867f5a1c5db691d87d

SHA512
043955642ca14468258d6d751a33b26d01c929b1722310d6e7b3b9be6d5c00901d74a68e9535126ad7a817f7bc4eb3022b9832c5f3bbd5a67d01af199e761687

Download Submit
memory/4668-151-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-161-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-146-0x0000000004940000-0x0000000004E3E000-memory.dmp

Filesize
5.0MB

Download
memory/4668-147-0x0000000004E40000-0x0000000004E5C000-memory.dmp

Filesize
112KB

Download
memory/4668-148-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-149-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-144-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4668-153-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-155-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-157-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-159-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-145-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4668-163-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-165-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-167-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-169-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-171-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-173-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-175-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4668-176-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4668-143-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4668-142-0x0000000002000000-0x000000000201E000-memory.dmp

Filesize
120KB

Download
memory/4812-181-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads