redline | a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9

General

Target

a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe
Size

1.1MB
MD5

853ecd6b699d3bdef75ba5d943867379
SHA1

267dfac5f010530ae88d421e4f23966a7044f68c
SHA256

a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9
SHA512

ba5f12e54312c2a381517053dd7c6a65c450a41ad1de4127ce0c294c427b43214f95d7481ec2d4e271aa4d025738f3567195bfd3bfe4dd2b7813044ac3f1e5df
SSDEEP

24576:JyZzafrCv2Qs8wOyukig0M1k+NcdjCxrgPKFSoK:8NwnQBwFudIrUCxrh8o

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3306843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3306843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3306843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3306843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3306843.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1684	z7388881.exe
4256	z4179574.exe
3068	o3306843.exe
952	p3796038.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o3306843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3306843.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4179574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4179574.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7388881.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7388881.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3584	952	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3068	o3306843.exe
3068	o3306843.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	o3306843.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1684	1480	a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe	66
PID 1480 wrote to memory of 1684	1480	a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe	66
PID 1480 wrote to memory of 1684	1480	a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe	66
PID 1684 wrote to memory of 4256	1684	z7388881.exe	67
PID 1684 wrote to memory of 4256	1684	z7388881.exe	67
PID 1684 wrote to memory of 4256	1684	z7388881.exe	67
PID 4256 wrote to memory of 3068	4256	z4179574.exe	68
PID 4256 wrote to memory of 3068	4256	z4179574.exe	68
PID 4256 wrote to memory of 3068	4256	z4179574.exe	68
PID 4256 wrote to memory of 952	4256	z4179574.exe	69
PID 4256 wrote to memory of 952	4256	z4179574.exe	69
PID 4256 wrote to memory of 952	4256	z4179574.exe	69

C:\Users\Admin\AppData\Local\Temp\a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe
"C:\Users\Admin\AppData\Local\Temp\a0c7b6c2f67ec7f2af88253d585ca89ecce7d15e67a3c8aee148a306d954b4d9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7388881.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7388881.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4179574.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4179574.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3306843.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3306843.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3796038.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3796038.exe
      4⤵
      Executes dropped EXE
      PID:952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 948
        5⤵
        Program crash
        
        PID:3584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7388881.exe

Filesize
702KB

MD5
48da9a60265390ab7ae3e05edde07c9d

SHA1
c9237d1a715927e89c9c79d3e58811f22d953d1f

SHA256
d8ef96abd8b41defacf3621721875f6c64823aefe3f08514f7cb4211ae78b509

SHA512
1e8ede23da788b72983b2d65283a45dfad624e9eb2a4340694b8b7149c8824ee0b78d22610c80c7dc7bd125e16661ac6ddf809aca663f54a5f75f1b09a439105

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7388881.exe

Filesize
702KB

MD5
48da9a60265390ab7ae3e05edde07c9d

SHA1
c9237d1a715927e89c9c79d3e58811f22d953d1f

SHA256
d8ef96abd8b41defacf3621721875f6c64823aefe3f08514f7cb4211ae78b509

SHA512
1e8ede23da788b72983b2d65283a45dfad624e9eb2a4340694b8b7149c8824ee0b78d22610c80c7dc7bd125e16661ac6ddf809aca663f54a5f75f1b09a439105

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4179574.exe

Filesize
305KB

MD5
b3a539a8410b0941c888e41a849011f5

SHA1
a597564857411ed1fa08fe5441ae19c436ea94de

SHA256
1ae166997a0e57e9a2bdb536a81d5d16676fd8c9d9115d345e27215489f02552

SHA512
b91149eda6aad181058e24a33b7ae30d77ce76dd00262b2edc251111b0bff1d6241a43f85e1326a0124af30284556fcfa688b5f81e61e4aaef3d5c5882b10787

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4179574.exe

Filesize
305KB

MD5
b3a539a8410b0941c888e41a849011f5

SHA1
a597564857411ed1fa08fe5441ae19c436ea94de

SHA256
1ae166997a0e57e9a2bdb536a81d5d16676fd8c9d9115d345e27215489f02552

SHA512
b91149eda6aad181058e24a33b7ae30d77ce76dd00262b2edc251111b0bff1d6241a43f85e1326a0124af30284556fcfa688b5f81e61e4aaef3d5c5882b10787

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3306843.exe

Filesize
184KB

MD5
e4e852e2ff905387102681bcd0b8ab9e

SHA1
72e5a8791486c936f4f7c63af9d694807e8a70ef

SHA256
d480e001b66d3374b2298e4af994822542099945e5c6724b346fa94e2393b5e1

SHA512
901bfcc5983d36168d71bd21d7d44bbfb6b9e613fb7e778b62bb04488368a3fc4fe618ee504d00a48ff8ad8cf62ab03984e03f76fb0a5b1efd637e89bfd63c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3306843.exe

Filesize
184KB

MD5
e4e852e2ff905387102681bcd0b8ab9e

SHA1
72e5a8791486c936f4f7c63af9d694807e8a70ef

SHA256
d480e001b66d3374b2298e4af994822542099945e5c6724b346fa94e2393b5e1

SHA512
901bfcc5983d36168d71bd21d7d44bbfb6b9e613fb7e778b62bb04488368a3fc4fe618ee504d00a48ff8ad8cf62ab03984e03f76fb0a5b1efd637e89bfd63c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3796038.exe

Filesize
145KB

MD5
b774b26ddaff329ea136d1f096d66e6a

SHA1
6651888c411db7563a1076faa9d159ee03564567

SHA256
bca379abfcd5cedb487f42ab050d0193c6d4ac96e5cfe19d5fef8257ca8baa42

SHA512
34a4075589faaca603504e4b94cb436f2e20cd43212526b37f6b392b67d76b1485f058877ef9fa4050e5f3011d558e7ccf3e305af24c7ba13e095c151d12e394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3796038.exe

Filesize
145KB

MD5
b774b26ddaff329ea136d1f096d66e6a

SHA1
6651888c411db7563a1076faa9d159ee03564567

SHA256
bca379abfcd5cedb487f42ab050d0193c6d4ac96e5cfe19d5fef8257ca8baa42

SHA512
34a4075589faaca603504e4b94cb436f2e20cd43212526b37f6b392b67d76b1485f058877ef9fa4050e5f3011d558e7ccf3e305af24c7ba13e095c151d12e394

Download Submit
memory/952-182-0x0000000000B20000-0x0000000000B4A000-memory.dmp

Filesize
168KB

Download
memory/3068-155-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-163-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-147-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3068-148-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-149-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-151-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-153-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-145-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3068-157-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-159-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-161-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-146-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3068-165-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-167-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-169-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-171-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-173-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-175-0x00000000024D0000-0x00000000024E6000-memory.dmp

Filesize
88KB

Download
memory/3068-176-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3068-177-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3068-144-0x00000000024D0000-0x00000000024EC000-memory.dmp

Filesize
112KB

Download
memory/3068-143-0x0000000004B40000-0x000000000503E000-memory.dmp

Filesize
5.0MB

Download
memory/3068-142-0x0000000002070000-0x000000000208E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads