redline | 97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53

General

Target

97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe
Size

1.1MB
MD5

52011915594ab84d34be1739365728fa
SHA1

f9b7ac6bb1bccd282dbb5366c6770318e7bb5669
SHA256

97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53
SHA512

5061dbee8887ec073c1dc17338206b4c26d79088ad50f4535c6174ea7d50d706fa825415e71c09bb4d1c90cd2e7e93bec4aee0fe1f1fd877d09602426b6f3f95
SSDEEP

24576:xygQGYQMBNzJXXbUe03yv3abn+3DNQN21yj1fhaMcqAUCb:kgRr4gJ3yQyNQN21Cf

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7449887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7449887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7449887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7449887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7449887.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4556	z8865803.exe
4752	z0256266.exe
4824	o7449887.exe
4448	p3949182.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7449887.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7449887.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0256266.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0256266.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8865803.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8865803.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	4448	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	o7449887.exe
4824	o7449887.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	o7449887.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4556	4188	97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe	66
PID 4188 wrote to memory of 4556	4188	97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe	66
PID 4188 wrote to memory of 4556	4188	97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe	66
PID 4556 wrote to memory of 4752	4556	z8865803.exe	67
PID 4556 wrote to memory of 4752	4556	z8865803.exe	67
PID 4556 wrote to memory of 4752	4556	z8865803.exe	67
PID 4752 wrote to memory of 4824	4752	z0256266.exe	68
PID 4752 wrote to memory of 4824	4752	z0256266.exe	68
PID 4752 wrote to memory of 4824	4752	z0256266.exe	68
PID 4752 wrote to memory of 4448	4752	z0256266.exe	69
PID 4752 wrote to memory of 4448	4752	z0256266.exe	69
PID 4752 wrote to memory of 4448	4752	z0256266.exe	69

C:\Users\Admin\AppData\Local\Temp\97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe
"C:\Users\Admin\AppData\Local\Temp\97217a5450afdd09ee0db78400387d9eb7f156f54fed2f11e70acdf8d5f31a53.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8865803.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8865803.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0256266.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0256266.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7449887.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7449887.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3949182.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3949182.exe
      4⤵
      Executes dropped EXE
      PID:4448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 948
        5⤵
        Program crash
        
        PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8865803.exe

Filesize
703KB

MD5
022107558f35f5653c5388f3d3174cf4

SHA1
75ea16d8b2af1fc09c825089bd08eebac765dc29

SHA256
20a879ac180c627a7f579101133835f96eade395d822690070198eba2fb8a583

SHA512
de2286fb71298c6d7ae5b2b7311a95f380cdc7c8a569b1ebd231b497ab0a22ccd7c7be57d58f2c39304be5484b5328c44d9aa6888f0f2ee1dc64ef37d3a019c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8865803.exe

Filesize
703KB

MD5
022107558f35f5653c5388f3d3174cf4

SHA1
75ea16d8b2af1fc09c825089bd08eebac765dc29

SHA256
20a879ac180c627a7f579101133835f96eade395d822690070198eba2fb8a583

SHA512
de2286fb71298c6d7ae5b2b7311a95f380cdc7c8a569b1ebd231b497ab0a22ccd7c7be57d58f2c39304be5484b5328c44d9aa6888f0f2ee1dc64ef37d3a019c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0256266.exe

Filesize
306KB

MD5
62497e66408bb0894f11a133daa6f79c

SHA1
b6f3539c4a6abcbccac9ebe7d58dfd0a81016849

SHA256
8dfb32a646a7e5de05f8b32b97549b478bdbad75aedb8cd213f4e0f04bdff704

SHA512
f5d84388cb310702fe2d8b4d6e7723fc87aaee2545f437785b7a51c7647eaa02a520fbbe31fb01fe0ad9568f17b57d824743d65b06f18d868dd7100ee8f7dd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0256266.exe

Filesize
306KB

MD5
62497e66408bb0894f11a133daa6f79c

SHA1
b6f3539c4a6abcbccac9ebe7d58dfd0a81016849

SHA256
8dfb32a646a7e5de05f8b32b97549b478bdbad75aedb8cd213f4e0f04bdff704

SHA512
f5d84388cb310702fe2d8b4d6e7723fc87aaee2545f437785b7a51c7647eaa02a520fbbe31fb01fe0ad9568f17b57d824743d65b06f18d868dd7100ee8f7dd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7449887.exe

Filesize
185KB

MD5
edd7161848cd635d79bc9356e6907060

SHA1
b643c3291259a5ea6f672b977fcfd251d086fb86

SHA256
b7e795e55657eaee471605614bc1915edac3d3ee8464d7d15e9b8a1ec3feaf05

SHA512
38009538c4257824116011fd3371b90341f3407f33e81336672e4afe186bf3f526fafb00ddf84021cccaf3047d0909cf3e4db3ec4aa95222642152ebf04aaaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7449887.exe

Filesize
185KB

MD5
edd7161848cd635d79bc9356e6907060

SHA1
b643c3291259a5ea6f672b977fcfd251d086fb86

SHA256
b7e795e55657eaee471605614bc1915edac3d3ee8464d7d15e9b8a1ec3feaf05

SHA512
38009538c4257824116011fd3371b90341f3407f33e81336672e4afe186bf3f526fafb00ddf84021cccaf3047d0909cf3e4db3ec4aa95222642152ebf04aaaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3949182.exe

Filesize
145KB

MD5
11fed1c14e99c2cd2a85e3668cbb645f

SHA1
54f15b229313186d7aaebefb4d10c238053b894e

SHA256
aa3c034b7cf9e75f850722925edeb9900b4bf0d3a5c5d97c1bfb718a1457e98f

SHA512
b6b997db91d51ee72121b2004460bbd75634776fd5006a8cc79aaa5b653845013ff5b89b2e7aa469236880b2a2ab9e1f8a35267f14aec108c657c879ef5d2b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3949182.exe

Filesize
145KB

MD5
11fed1c14e99c2cd2a85e3668cbb645f

SHA1
54f15b229313186d7aaebefb4d10c238053b894e

SHA256
aa3c034b7cf9e75f850722925edeb9900b4bf0d3a5c5d97c1bfb718a1457e98f

SHA512
b6b997db91d51ee72121b2004460bbd75634776fd5006a8cc79aaa5b653845013ff5b89b2e7aa469236880b2a2ab9e1f8a35267f14aec108c657c879ef5d2b31

Download Submit
memory/4448-179-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/4824-153-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-165-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-147-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-149-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-151-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-144-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-155-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-157-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-159-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-161-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-163-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-145-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-167-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-169-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-171-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4824-172-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4824-173-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4824-174-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4824-143-0x0000000004A60000-0x0000000004A7C000-memory.dmp

Filesize
112KB

Download
memory/4824-142-0x0000000004B90000-0x000000000508E000-memory.dmp

Filesize
5.0MB

Download
memory/4824-141-0x0000000004A00000-0x0000000004A1E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads