redline | 48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556

General

Target

48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe
Size

1.1MB
MD5

f76d177f5e3bb193bb125847cc01b666
SHA1

9b5976c773c732291078b1517875df71350622b7
SHA256

48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556
SHA512

353b22432186f1e4bb849167c1745be4383f2588551262387da0b1a4a8c4d7b580bd8d12d2c94ab53861762496b4de67b68caf57b9623b14ef5f8df182f9f648
SSDEEP

24576:0yhieNYM9l23siBhN3Yqv5qwHzwLkpqTOmV+MK9YX8fxWuoqUcg1:DhiezO35BzII00zppLmUM6eaxWuGJ

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o6743327.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6743327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6743327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6743327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6743327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6743327.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z0141642.exez8647142.exeo6743327.exep2614124.exe

pid process

3620 z0141642.exe
3940 z8647142.exe
4184 o6743327.exe
1564 p2614124.exe

pid	process
3620	z0141642.exe
3940	z8647142.exe
4184	o6743327.exe
1564	p2614124.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o6743327.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6743327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6743327.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exez0141642.exez8647142.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0141642.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0141642.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8647142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8647142.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1976 1564 WerFault.exe p2614124.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o6743327.exe

pid process

4184 o6743327.exe
4184 o6743327.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o6743327.exe

description pid process

Token: SeDebugPrivilege 4184 o6743327.exe

pid	pid_target	process	target process
1976	1564	WerFault.exe	p2614124.exe

pid	process
4184	o6743327.exe
4184	o6743327.exe

description	pid	process
Token: SeDebugPrivilege	4184	o6743327.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exez0141642.exez8647142.exe

description	pid	process	target process
PID 3644 wrote to memory of 3620	3644	48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe	z0141642.exe
PID 3644 wrote to memory of 3620	3644	48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe	z0141642.exe
PID 3644 wrote to memory of 3620	3644	48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe	z0141642.exe
PID 3620 wrote to memory of 3940	3620	z0141642.exe	z8647142.exe
PID 3620 wrote to memory of 3940	3620	z0141642.exe	z8647142.exe
PID 3620 wrote to memory of 3940	3620	z0141642.exe	z8647142.exe
PID 3940 wrote to memory of 4184	3940	z8647142.exe	o6743327.exe
PID 3940 wrote to memory of 4184	3940	z8647142.exe	o6743327.exe
PID 3940 wrote to memory of 4184	3940	z8647142.exe	o6743327.exe
PID 3940 wrote to memory of 1564	3940	z8647142.exe	p2614124.exe
PID 3940 wrote to memory of 1564	3940	z8647142.exe	p2614124.exe
PID 3940 wrote to memory of 1564	3940	z8647142.exe	p2614124.exe

C:\Users\Admin\AppData\Local\Temp\48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe
"C:\Users\Admin\AppData\Local\Temp\48e8b0f87078121912097ca78e486a124e9c2d26804236f0056976db41117556.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0141642.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0141642.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8647142.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8647142.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6743327.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6743327.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2614124.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2614124.exe
4⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 948
5⤵
- Program crash
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0141642.exe
Filesize
703KB

MD5
b869bc1161b8a736bc5e5e7db1f3033b

SHA1
ed7acea69f8ce3a8ef6d17bbb8de0c194c3eb1b6

SHA256
50e3ee4977cd206e57bed9b0cb02ea7a9cf83c09713f678641087b0a76ec53df

SHA512
7c8ea7d0583a9346e83b79c703c055d3edae46fac98dfb900da8e2e97d956e075f426c572e8aee78c8b8c94ca3140e6cdf868812a31c9da84a06b48a69e0d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0141642.exe
Filesize
703KB

MD5
b869bc1161b8a736bc5e5e7db1f3033b

SHA1
ed7acea69f8ce3a8ef6d17bbb8de0c194c3eb1b6

SHA256
50e3ee4977cd206e57bed9b0cb02ea7a9cf83c09713f678641087b0a76ec53df

SHA512
7c8ea7d0583a9346e83b79c703c055d3edae46fac98dfb900da8e2e97d956e075f426c572e8aee78c8b8c94ca3140e6cdf868812a31c9da84a06b48a69e0d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8647142.exe
Filesize
306KB

MD5
a4f53bf0a001c19840cb010c5db5659a

SHA1
c6ccbaa8fd1ee6e0b021278bc2ea3358c74ce4ac

SHA256
355542b6f2394d4e95d2bb59bb8e0c73e732f9a54c2649255da7c433eac694b2

SHA512
5c57797822f75785a7d5e7b837520b557216e35adb1ec9730d0213c1ecaead1e3294a718f6e62757c88b0f943cddab4c4c525fd69ac5e4a434cb3a642f57a81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8647142.exe
Filesize
306KB

MD5
a4f53bf0a001c19840cb010c5db5659a

SHA1
c6ccbaa8fd1ee6e0b021278bc2ea3358c74ce4ac

SHA256
355542b6f2394d4e95d2bb59bb8e0c73e732f9a54c2649255da7c433eac694b2

SHA512
5c57797822f75785a7d5e7b837520b557216e35adb1ec9730d0213c1ecaead1e3294a718f6e62757c88b0f943cddab4c4c525fd69ac5e4a434cb3a642f57a81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6743327.exe
Filesize
185KB

MD5
90447743d656682dfaef9e78c4e1a20a

SHA1
5c4fff1896062de496f3af03b79833b6f5b18de4

SHA256
1c629f4d91e21debf2821b23f6dab175e6759101368c7d8b479c930d89775f66

SHA512
2f65de40b3b7b14878fed705191d17d91b6ce0bc18c84d62829a687b1151e6dd12ccb50bbe57893acd6710fcb1c122c37fa388e47170027870582857fef909df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6743327.exe
Filesize
185KB

MD5
90447743d656682dfaef9e78c4e1a20a

SHA1
5c4fff1896062de496f3af03b79833b6f5b18de4

SHA256
1c629f4d91e21debf2821b23f6dab175e6759101368c7d8b479c930d89775f66

SHA512
2f65de40b3b7b14878fed705191d17d91b6ce0bc18c84d62829a687b1151e6dd12ccb50bbe57893acd6710fcb1c122c37fa388e47170027870582857fef909df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2614124.exe
Filesize
145KB

MD5
ea30b7e08f47c102df1c205e813d2fe3

SHA1
a7f6e54dea48bcb41c29330bd5fa3eff60612c6e

SHA256
221858cc24d61d6e0f10f7e2e7a2e290c0807cbe2ea6122208b87b546a26662b

SHA512
9c7f6a7e96b888db91cbc7648c072fefa78c6c6b45ff244b77b656f9a9ae846e45933c7cd74e453210fdf65897d3deb2180c89770cf0bccf86a350d8776fc857

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2614124.exe
Filesize
145KB

MD5
ea30b7e08f47c102df1c205e813d2fe3

SHA1
a7f6e54dea48bcb41c29330bd5fa3eff60612c6e

SHA256
221858cc24d61d6e0f10f7e2e7a2e290c0807cbe2ea6122208b87b546a26662b

SHA512
9c7f6a7e96b888db91cbc7648c072fefa78c6c6b45ff244b77b656f9a9ae846e45933c7cd74e453210fdf65897d3deb2180c89770cf0bccf86a350d8776fc857

Download Submit
memory/1564-179-0x0000000000060000-0x000000000008A000-memory.dmp

Filesize
168KB

Download
memory/4184-154-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-162-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-144-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-146-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-148-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-150-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-152-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-141-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-156-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-158-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-160-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-142-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-164-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-165-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4184-169-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4184-168-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-166-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4184-171-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/4184-172-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4184-173-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4184-175-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4184-140-0x0000000004A80000-0x0000000004A9C000-memory.dmp

Filesize
112KB

Download
memory/4184-139-0x0000000004BC0000-0x00000000050BE000-memory.dmp

Filesize
5.0MB

Download
memory/4184-138-0x00000000023C0000-0x00000000023DE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads