redline | e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb

General

Target

e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe
Size

1.1MB
MD5

db6b799ef46cc50e581d1a3c84b98586
SHA1

99cf354fe230f8753528700887cd5e4f45e20c27
SHA256

e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb
SHA512

5e1d7f64009aa8ba03b4399d403e874f27e61421accce29e878414de5183eb375533a6bbcee10109cc57e3dc9b7f253f0e87bdc66114d4b4baf3ee63f6acd15b
SSDEEP

24576:EyPYmAL2eEHRmDnY0Njpr6KcWqKlgKAls/DcO9inGKn1:TPYmPWDDBcWd4ocOEJn

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o7057820.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7057820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7057820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7057820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7057820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7057820.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z4023631.exez3622119.exeo7057820.exep9982747.exe

pid process

4048 z4023631.exe
4120 z3622119.exe
4236 o7057820.exe
3840 p9982747.exe

pid	process
4048	z4023631.exe
4120	z3622119.exe
4236	o7057820.exe
3840	p9982747.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o7057820.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7057820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7057820.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exez4023631.exez3622119.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4023631.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4023631.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3622119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3622119.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2136 3840 WerFault.exe p9982747.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o7057820.exe

pid process

4236 o7057820.exe
4236 o7057820.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o7057820.exe

description pid process

Token: SeDebugPrivilege 4236 o7057820.exe

pid	pid_target	process	target process
2136	3840	WerFault.exe	p9982747.exe

pid	process
4236	o7057820.exe
4236	o7057820.exe

description	pid	process
Token: SeDebugPrivilege	4236	o7057820.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exez4023631.exez3622119.exe

description	pid	process	target process
PID 3476 wrote to memory of 4048	3476	e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe	z4023631.exe
PID 3476 wrote to memory of 4048	3476	e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe	z4023631.exe
PID 3476 wrote to memory of 4048	3476	e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe	z4023631.exe
PID 4048 wrote to memory of 4120	4048	z4023631.exe	z3622119.exe
PID 4048 wrote to memory of 4120	4048	z4023631.exe	z3622119.exe
PID 4048 wrote to memory of 4120	4048	z4023631.exe	z3622119.exe
PID 4120 wrote to memory of 4236	4120	z3622119.exe	o7057820.exe
PID 4120 wrote to memory of 4236	4120	z3622119.exe	o7057820.exe
PID 4120 wrote to memory of 4236	4120	z3622119.exe	o7057820.exe
PID 4120 wrote to memory of 3840	4120	z3622119.exe	p9982747.exe
PID 4120 wrote to memory of 3840	4120	z3622119.exe	p9982747.exe
PID 4120 wrote to memory of 3840	4120	z3622119.exe	p9982747.exe

C:\Users\Admin\AppData\Local\Temp\e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe
"C:\Users\Admin\AppData\Local\Temp\e5028d37c24353a2ad038c0aa2a69e5f5759e7eb2d108becf89b1ac6f7b666cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4023631.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4023631.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3622119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3622119.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7057820.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7057820.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9982747.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9982747.exe
4⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 956
5⤵
- Program crash
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4023631.exe
Filesize
703KB

MD5
d135286ebcbbc91993fe632f29a315aa

SHA1
b5083a87b7af2889a993bce3f390cb422cfa78ce

SHA256
31d6a9376aff180575b3651d047504a79111c1696bbbfe0f3e0b1e46709d0e1f

SHA512
3976d1ed09151b96aeb85ee9ad747bc7c3b1dc2bb31258e497b74c0cab792164e1274227291748a8f873d8af2447fae1a2069f2d3ad33262aa592001e4da3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4023631.exe
Filesize
703KB

MD5
d135286ebcbbc91993fe632f29a315aa

SHA1
b5083a87b7af2889a993bce3f390cb422cfa78ce

SHA256
31d6a9376aff180575b3651d047504a79111c1696bbbfe0f3e0b1e46709d0e1f

SHA512
3976d1ed09151b96aeb85ee9ad747bc7c3b1dc2bb31258e497b74c0cab792164e1274227291748a8f873d8af2447fae1a2069f2d3ad33262aa592001e4da3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3622119.exe
Filesize
305KB

MD5
c0f9e915a545f3d44454578eb3ed5ddd

SHA1
050b7c6da67a09fd9e21acb35151f6adb290b05a

SHA256
b37514e5ca99e32196410ec87fb84308426ffc18b7be7d45f141ef907873a5a4

SHA512
8e3c87762da9cddc266a448aac9c6ab0cc0e93a69ce2cbc429005661edcdd5331aebdb1d2906e453983b1051ec9fe1d3905fdabb6bc237a35b7098d41ea491d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3622119.exe
Filesize
305KB

MD5
c0f9e915a545f3d44454578eb3ed5ddd

SHA1
050b7c6da67a09fd9e21acb35151f6adb290b05a

SHA256
b37514e5ca99e32196410ec87fb84308426ffc18b7be7d45f141ef907873a5a4

SHA512
8e3c87762da9cddc266a448aac9c6ab0cc0e93a69ce2cbc429005661edcdd5331aebdb1d2906e453983b1051ec9fe1d3905fdabb6bc237a35b7098d41ea491d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7057820.exe
Filesize
184KB

MD5
cbf3562ad2c59d4902fd1f35195d1cf4

SHA1
33c9ff765e9333af2b7f5140e20a5b6a082f3b97

SHA256
cd74fd48ab90681e14a6fd9c371299ec5f156e12e2086ac56233cab1b5b0f174

SHA512
5609651b1d1cb09c7eba1717e63dd77bc5335d77aa736e81ed523546dfc5da9ee4fcdbc79aaae6de48b1c1ca5b84412a14eccd2fe377820aff0797adf3f37a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7057820.exe
Filesize
184KB

MD5
cbf3562ad2c59d4902fd1f35195d1cf4

SHA1
33c9ff765e9333af2b7f5140e20a5b6a082f3b97

SHA256
cd74fd48ab90681e14a6fd9c371299ec5f156e12e2086ac56233cab1b5b0f174

SHA512
5609651b1d1cb09c7eba1717e63dd77bc5335d77aa736e81ed523546dfc5da9ee4fcdbc79aaae6de48b1c1ca5b84412a14eccd2fe377820aff0797adf3f37a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9982747.exe
Filesize
145KB

MD5
8c69f8a200aecf824e1d535ce2155984

SHA1
07e2e1e603786188d375475bd02e7de0b3cf748b

SHA256
15c7c4841474daeb5e57b5cd0ffc6111307649de7178378be2d82f0fc2571b0f

SHA512
10ecbfe081d7be1bbf3687f473c0d43724691a341c82bd6d7d712a31a22927705ae95bdf47a4a2568375905a01d3d992fd876afd548aec1ebd964bb2a8f4b31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9982747.exe
Filesize
145KB

MD5
8c69f8a200aecf824e1d535ce2155984

SHA1
07e2e1e603786188d375475bd02e7de0b3cf748b

SHA256
15c7c4841474daeb5e57b5cd0ffc6111307649de7178378be2d82f0fc2571b0f

SHA512
10ecbfe081d7be1bbf3687f473c0d43724691a341c82bd6d7d712a31a22927705ae95bdf47a4a2568375905a01d3d992fd876afd548aec1ebd964bb2a8f4b31a

Download Submit
memory/3840-175-0x0000000000780000-0x00000000007AA000-memory.dmp

Filesize
168KB

Download
memory/4236-150-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-158-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-144-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-146-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-148-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-141-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-152-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-154-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-156-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-142-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-160-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-162-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-164-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-166-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-168-0x00000000025D0000-0x00000000025E6000-memory.dmp

Filesize
88KB

Download
memory/4236-169-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4236-170-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4236-140-0x00000000025D0000-0x00000000025EC000-memory.dmp

Filesize
112KB

Download
memory/4236-139-0x0000000004A90000-0x0000000004F8E000-memory.dmp

Filesize
5.0MB

Download
memory/4236-138-0x0000000002280000-0x000000000229E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads