redline | 266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d

General

Target

266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe
Size

1.1MB
MD5

fa4e8be86ac07119d6f4add2421f240e
SHA1

372e43313f62ccc145cb18711f411c8eef0220e8
SHA256

266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d
SHA512

e2fa9e0b250362a784419e7f75997791749e060343e482781f47e597b842b87d62225ac6fe0c6c5e1160e6fcc17dbff1a4f4bacde49a04f3ddfc22f22f112c14
SSDEEP

24576:byyFz5jTTuoR7ac2j+iGPtQB2ZP3Dv423JjZePfW7eboCf:OyVhuop92S3PeUZPTzN17ebo

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0445205.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0445205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0445205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0445205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0445205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0445205.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z9638163.exez7953067.exeo0445205.exep0039204.exe

pid process

4436 z9638163.exe
4252 z7953067.exe
1996 o0445205.exe
1896 p0039204.exe

pid	process
4436	z9638163.exe
4252	z7953067.exe
1996	o0445205.exe
1896	p0039204.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0445205.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0445205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0445205.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z7953067.exe266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exez9638163.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7953067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7953067.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9638163.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9638163.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3080 1896 WerFault.exe p0039204.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o0445205.exe

pid process

1996 o0445205.exe
1996 o0445205.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o0445205.exe

description pid process

Token: SeDebugPrivilege 1996 o0445205.exe

pid	pid_target	process	target process
3080	1896	WerFault.exe	p0039204.exe

pid	process
1996	o0445205.exe
1996	o0445205.exe

description	pid	process
Token: SeDebugPrivilege	1996	o0445205.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exez9638163.exez7953067.exe

description	pid	process	target process
PID 4052 wrote to memory of 4436	4052	266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe	z9638163.exe
PID 4052 wrote to memory of 4436	4052	266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe	z9638163.exe
PID 4052 wrote to memory of 4436	4052	266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe	z9638163.exe
PID 4436 wrote to memory of 4252	4436	z9638163.exe	z7953067.exe
PID 4436 wrote to memory of 4252	4436	z9638163.exe	z7953067.exe
PID 4436 wrote to memory of 4252	4436	z9638163.exe	z7953067.exe
PID 4252 wrote to memory of 1996	4252	z7953067.exe	o0445205.exe
PID 4252 wrote to memory of 1996	4252	z7953067.exe	o0445205.exe
PID 4252 wrote to memory of 1996	4252	z7953067.exe	o0445205.exe
PID 4252 wrote to memory of 1896	4252	z7953067.exe	p0039204.exe
PID 4252 wrote to memory of 1896	4252	z7953067.exe	p0039204.exe
PID 4252 wrote to memory of 1896	4252	z7953067.exe	p0039204.exe

C:\Users\Admin\AppData\Local\Temp\266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe
"C:\Users\Admin\AppData\Local\Temp\266fb387a48ec60f5e7ae3554a8b505c49858f34b91651167dc59526b5c5468d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9638163.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9638163.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7953067.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7953067.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0445205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0445205.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0039204.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0039204.exe
      4⤵
      Executes dropped EXE
      PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 948
        5⤵
        Program crash
        
        PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9638163.exe

Filesize
703KB

MD5
aaeaf69d31a0f0e042a850bc71a7507e

SHA1
078801dddb193765494f0513243a1f0d8939985e

SHA256
3f2dfe461da9bce4943da0f4f145647917fb042efd8d60af54833720e3fc6c8d

SHA512
5d4446acf79d1c6b33d5892d5c5649dd5927633914089cba13705501cfdf2e4f2fa70b004b31c6506e137cbb10f4508f3888273f34206786b7f890c4222fb376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9638163.exe

Filesize
703KB

MD5
aaeaf69d31a0f0e042a850bc71a7507e

SHA1
078801dddb193765494f0513243a1f0d8939985e

SHA256
3f2dfe461da9bce4943da0f4f145647917fb042efd8d60af54833720e3fc6c8d

SHA512
5d4446acf79d1c6b33d5892d5c5649dd5927633914089cba13705501cfdf2e4f2fa70b004b31c6506e137cbb10f4508f3888273f34206786b7f890c4222fb376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7953067.exe

Filesize
306KB

MD5
74f46397c91572e30f295e25898f8bad

SHA1
dffa25465b9280c2bd6ddae83f34425a7aa72e10

SHA256
517d62a769d6f74fe8e6cdfb63e51a507b5e931526dc80c4b36fb87b4abf5f9a

SHA512
3c3c313ae1d2e86a8ba84b5bea19c6906249d777aa496f1e632e28a6b77602159a0edc6ad5171ea5afe1deb0e38d8feba1a7158e99a53e091f9ed135aae1247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7953067.exe

Filesize
306KB

MD5
74f46397c91572e30f295e25898f8bad

SHA1
dffa25465b9280c2bd6ddae83f34425a7aa72e10

SHA256
517d62a769d6f74fe8e6cdfb63e51a507b5e931526dc80c4b36fb87b4abf5f9a

SHA512
3c3c313ae1d2e86a8ba84b5bea19c6906249d777aa496f1e632e28a6b77602159a0edc6ad5171ea5afe1deb0e38d8feba1a7158e99a53e091f9ed135aae1247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0445205.exe

Filesize
185KB

MD5
dcf70c7fe6c9ee364f71d631e4f33879

SHA1
56ad54b6bfeb995e156be7c4a3cfef8dfcbb8f8a

SHA256
93d7d840c379974a7a57c992c46589e827a83617f04a4544b9c513b16ff83c38

SHA512
7784fc4fce14d5a3fb23f967cbc36d29cf74ceaace6b94974b39c924cd1ea7be9e83284d9a3733626511e8bb361799b3e1dc439d962eacd0ea3fbac27b333118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0445205.exe

Filesize
185KB

MD5
dcf70c7fe6c9ee364f71d631e4f33879

SHA1
56ad54b6bfeb995e156be7c4a3cfef8dfcbb8f8a

SHA256
93d7d840c379974a7a57c992c46589e827a83617f04a4544b9c513b16ff83c38

SHA512
7784fc4fce14d5a3fb23f967cbc36d29cf74ceaace6b94974b39c924cd1ea7be9e83284d9a3733626511e8bb361799b3e1dc439d962eacd0ea3fbac27b333118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0039204.exe

Filesize
145KB

MD5
0919c1e0bd491763b58757d26424342e

SHA1
621db58ae4ba0a3ae015b19287cbbc6a6c5aca5d

SHA256
aa11647d20bf6a9f95bd8594c1338256a30221bcff874dee3647533c833fa459

SHA512
edb140c6f4ee292034eab21626e250c160a251eb47729ec259886967674267c4ce9ccd9627b331e72cb279bebf57719b0ec0b2c5666de80947d66c1322ce2e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0039204.exe

Filesize
145KB

MD5
0919c1e0bd491763b58757d26424342e

SHA1
621db58ae4ba0a3ae015b19287cbbc6a6c5aca5d

SHA256
aa11647d20bf6a9f95bd8594c1338256a30221bcff874dee3647533c833fa459

SHA512
edb140c6f4ee292034eab21626e250c160a251eb47729ec259886967674267c4ce9ccd9627b331e72cb279bebf57719b0ec0b2c5666de80947d66c1322ce2e58

Download Submit
memory/1896-178-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/1996-152-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-164-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-146-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-148-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-150-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-143-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-154-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-156-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-158-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-160-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-162-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-144-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-166-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-168-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-170-0x0000000002340000-0x0000000002356000-memory.dmp

Filesize
88KB

Download
memory/1996-171-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/1996-172-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/1996-173-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/1996-142-0x0000000002340000-0x000000000235C000-memory.dmp

Filesize
112KB

Download
memory/1996-141-0x0000000004A00000-0x0000000004EFE000-memory.dmp

Filesize
5.0MB

Download
memory/1996-140-0x0000000002170000-0x000000000218E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads