redline | 12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad

General

Target

12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe
Size

1.1MB
MD5

ee4858b7695196b59c69b07af1dfe581
SHA1

2441ca84794e25c5bc1abcef519f127290960ed4
SHA256

12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad
SHA512

1f42e2445e3ffb7ae8a31f06d10c79097d7336d1e502ce627fe106ee0f0d66ad63fa61e0c1b7d332c62e63d31fecd2d5671899d5635af390c28edefee27c3c4e
SSDEEP

24576:jyaXcn0DJrSo6+5oNdY6Fypw9LRHxNP0JvPJ2RYT:2aXXDJ36fNlGwHHnmP

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o1719170.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1719170.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1719170.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1719170.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1719170.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1719170.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z9104309.exez6978076.exeo1719170.exep3331935.exe

pid process

3320 z9104309.exe
3572 z6978076.exe
304 o1719170.exe
4180 p3331935.exe

pid	process
3320	z9104309.exe
3572	z6978076.exe
304	o1719170.exe
4180	p3331935.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o1719170.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1719170.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1719170.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z6978076.exe12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exez9104309.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6978076.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9104309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9104309.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6978076.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4720 4180 WerFault.exe p3331935.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o1719170.exe

pid process

304 o1719170.exe
304 o1719170.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o1719170.exe

description pid process

Token: SeDebugPrivilege 304 o1719170.exe

pid	pid_target	process	target process
4720	4180	WerFault.exe	p3331935.exe

pid	process
304	o1719170.exe
304	o1719170.exe

description	pid	process
Token: SeDebugPrivilege	304	o1719170.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exez9104309.exez6978076.exe

description	pid	process	target process
PID 3228 wrote to memory of 3320	3228	12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe	z9104309.exe
PID 3228 wrote to memory of 3320	3228	12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe	z9104309.exe
PID 3228 wrote to memory of 3320	3228	12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe	z9104309.exe
PID 3320 wrote to memory of 3572	3320	z9104309.exe	z6978076.exe
PID 3320 wrote to memory of 3572	3320	z9104309.exe	z6978076.exe
PID 3320 wrote to memory of 3572	3320	z9104309.exe	z6978076.exe
PID 3572 wrote to memory of 304	3572	z6978076.exe	o1719170.exe
PID 3572 wrote to memory of 304	3572	z6978076.exe	o1719170.exe
PID 3572 wrote to memory of 304	3572	z6978076.exe	o1719170.exe
PID 3572 wrote to memory of 4180	3572	z6978076.exe	p3331935.exe
PID 3572 wrote to memory of 4180	3572	z6978076.exe	p3331935.exe
PID 3572 wrote to memory of 4180	3572	z6978076.exe	p3331935.exe

C:\Users\Admin\AppData\Local\Temp\12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe
"C:\Users\Admin\AppData\Local\Temp\12455cae9af9c264db3f442cea9cd2d98fbd4dbfc848cf057c2d1887b096a4ad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9104309.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9104309.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6978076.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6978076.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1719170.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1719170.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3331935.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3331935.exe
4⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 948
5⤵
- Program crash
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9104309.exe
Filesize
702KB

MD5
d05236908d1e391ce78261c051611e8a

SHA1
32aba3b80a390916116134f25c060171064b3407

SHA256
468f4b35f751709a6a9cdf65137eb68ac2548136223be524cabf37efdadbc454

SHA512
63df616e43f93676872088500f1097557767130b576b0a42d0f629392a441c4dc711ad86356c9b0334860d64b198b6d0d0770c680b05a47a0f6d1922ed267cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9104309.exe
Filesize
702KB

MD5
d05236908d1e391ce78261c051611e8a

SHA1
32aba3b80a390916116134f25c060171064b3407

SHA256
468f4b35f751709a6a9cdf65137eb68ac2548136223be524cabf37efdadbc454

SHA512
63df616e43f93676872088500f1097557767130b576b0a42d0f629392a441c4dc711ad86356c9b0334860d64b198b6d0d0770c680b05a47a0f6d1922ed267cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6978076.exe
Filesize
305KB

MD5
3324aa3c05a95797854dd6ff8e422988

SHA1
904943a9dd27889ab93e4054a2cbf444dfd4c195

SHA256
344eb883378f5fd9a40dc0cd44a0867509b749c87af41032262799083c806710

SHA512
d9d468186bc927f6438aadd646c58c3154f199bd48d2146cfaa12850dc3ac5c1f7305d8f9c554f1ee6e2307c1884afc50eeea61ff6e3cec8c24ba93d9f65601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6978076.exe
Filesize
305KB

MD5
3324aa3c05a95797854dd6ff8e422988

SHA1
904943a9dd27889ab93e4054a2cbf444dfd4c195

SHA256
344eb883378f5fd9a40dc0cd44a0867509b749c87af41032262799083c806710

SHA512
d9d468186bc927f6438aadd646c58c3154f199bd48d2146cfaa12850dc3ac5c1f7305d8f9c554f1ee6e2307c1884afc50eeea61ff6e3cec8c24ba93d9f65601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1719170.exe
Filesize
184KB

MD5
e5bc81908e3a074591141dbcac50e7be

SHA1
89adb97da8bede6e399db14403ee5c6c0301c02e

SHA256
ce1a31f50fd5d35c239fd74c3af27e9f598b9f11494841a183dce06019525bcf

SHA512
6aaeb5023132de18677441593613df9e2e387ea3081b92a56d4a89fef369a6c2e8fe9a9ec93baf1ecc80a97db0c395855f5b98755811a5a018579c5fe0741326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1719170.exe
Filesize
184KB

MD5
e5bc81908e3a074591141dbcac50e7be

SHA1
89adb97da8bede6e399db14403ee5c6c0301c02e

SHA256
ce1a31f50fd5d35c239fd74c3af27e9f598b9f11494841a183dce06019525bcf

SHA512
6aaeb5023132de18677441593613df9e2e387ea3081b92a56d4a89fef369a6c2e8fe9a9ec93baf1ecc80a97db0c395855f5b98755811a5a018579c5fe0741326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3331935.exe
Filesize
145KB

MD5
14c285308b87ebac4aee954e2de4515f

SHA1
17dec2f13a9cd490e04c91c227034ac45759a70d

SHA256
e885e41eec2c23af3fb579789ea431a87cec523e4dddf106168f7c37435c7c8a

SHA512
54aebd04a372763afa6f9754756df86bb8b8c101e9928b0998278dbd0bafaf18eae5b696eb6c4a26b7c5997be158952dcd79b0be865393128e28f22e5792f757

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3331935.exe
Filesize
145KB

MD5
14c285308b87ebac4aee954e2de4515f

SHA1
17dec2f13a9cd490e04c91c227034ac45759a70d

SHA256
e885e41eec2c23af3fb579789ea431a87cec523e4dddf106168f7c37435c7c8a

SHA512
54aebd04a372763afa6f9754756df86bb8b8c101e9928b0998278dbd0bafaf18eae5b696eb6c4a26b7c5997be158952dcd79b0be865393128e28f22e5792f757

Download Submit
memory/304-155-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-161-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-146-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/304-147-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/304-148-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-149-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-151-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-153-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-144-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/304-157-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-159-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-145-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/304-163-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-165-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-167-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-169-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-171-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-173-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-175-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/304-176-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/304-177-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/304-143-0x0000000004AF0000-0x0000000004FEE000-memory.dmp

Filesize
5.0MB

Download
memory/304-142-0x00000000020F0000-0x000000000210E000-memory.dmp

Filesize
120KB

Download
memory/4180-182-0x0000000000630000-0x000000000065A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads