redline | 0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b

General

Target

0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe
Size

1.1MB
MD5

52e2ba600f2f79ba0195280b8b3affc0
SHA1

325c33cf51f02929b057cea2ed5b46226dbc094a
SHA256

0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b
SHA512

023d77cc9abf0c8556afe31bd82c7bc1e8a763ed3de890e40ca848b97f5368268617a4c48e4fb5ee1494522d1f83d8e7848a8748e3888f8df3c97d3da95f7bba
SSDEEP

24576:AySRg6AY6JdkaBWIK7SPqRiK0iMHxMwFLLa39GwnRfazVQNQSF:HSpNceaAFWAiK0Ta6L1wMcQ

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o6907283.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6907283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6907283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6907283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6907283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6907283.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z8725304.exez4362033.exeo6907283.exep0001990.exe

pid process

3932 z8725304.exe
3748 z4362033.exe
4148 o6907283.exe
2104 p0001990.exe

pid	process
3932	z8725304.exe
3748	z4362033.exe
4148	o6907283.exe
2104	p0001990.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o6907283.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6907283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6907283.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z8725304.exez4362033.exe0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8725304.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4362033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4362033.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8725304.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4608 2104 WerFault.exe p0001990.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o6907283.exe

pid process

4148 o6907283.exe
4148 o6907283.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o6907283.exe

description pid process

Token: SeDebugPrivilege 4148 o6907283.exe

pid	pid_target	process	target process
4608	2104	WerFault.exe	p0001990.exe

pid	process
4148	o6907283.exe
4148	o6907283.exe

description	pid	process
Token: SeDebugPrivilege	4148	o6907283.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exez8725304.exez4362033.exe

description	pid	process	target process
PID 3076 wrote to memory of 3932	3076	0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe	z8725304.exe
PID 3076 wrote to memory of 3932	3076	0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe	z8725304.exe
PID 3076 wrote to memory of 3932	3076	0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe	z8725304.exe
PID 3932 wrote to memory of 3748	3932	z8725304.exe	z4362033.exe
PID 3932 wrote to memory of 3748	3932	z8725304.exe	z4362033.exe
PID 3932 wrote to memory of 3748	3932	z8725304.exe	z4362033.exe
PID 3748 wrote to memory of 4148	3748	z4362033.exe	o6907283.exe
PID 3748 wrote to memory of 4148	3748	z4362033.exe	o6907283.exe
PID 3748 wrote to memory of 4148	3748	z4362033.exe	o6907283.exe
PID 3748 wrote to memory of 2104	3748	z4362033.exe	p0001990.exe
PID 3748 wrote to memory of 2104	3748	z4362033.exe	p0001990.exe
PID 3748 wrote to memory of 2104	3748	z4362033.exe	p0001990.exe

C:\Users\Admin\AppData\Local\Temp\0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe
"C:\Users\Admin\AppData\Local\Temp\0865a79156e8aba94b0cdf71d1591fb77440978e6d5f25d081295cf73f289c3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8725304.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8725304.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4362033.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4362033.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6907283.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6907283.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0001990.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0001990.exe
4⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 948
5⤵
- Program crash
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8725304.exe
Filesize
702KB

MD5
8f9a118ff02d5702d31fab604b5d1984

SHA1
0b318dab85a289c8de70704e4a02aff8b220d722

SHA256
4a656a50f31400dc53366e5e22ba047fbe620de8636ee9ef54a073f6fb005aea

SHA512
3f0b08a2f1f92f7d9ff29f9a65688f16c27fbf785b829da6ffd09eafcf90b8f43d14d59b44525dbd43d3c881edb2c741eb0da01b26b8f3949335da3301872546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8725304.exe
Filesize
702KB

MD5
8f9a118ff02d5702d31fab604b5d1984

SHA1
0b318dab85a289c8de70704e4a02aff8b220d722

SHA256
4a656a50f31400dc53366e5e22ba047fbe620de8636ee9ef54a073f6fb005aea

SHA512
3f0b08a2f1f92f7d9ff29f9a65688f16c27fbf785b829da6ffd09eafcf90b8f43d14d59b44525dbd43d3c881edb2c741eb0da01b26b8f3949335da3301872546

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4362033.exe
Filesize
306KB

MD5
c0d18c1f020d4083d35ca5872fbd4066

SHA1
de132bf2609156b5601b3997a871f8609a473cb7

SHA256
b506a1dec26a715e44f2b59a126694d6c7b9e90a19bc2fa7db691327920f1cd5

SHA512
23680b8a888ee0217f1df48527a7b83ffc3661a4da575431226b772984eb53c3fcb1166a4f6c23dcd47d8842d963c7a21fa3a46cf282ac3c3a46d5773eba03ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4362033.exe
Filesize
306KB

MD5
c0d18c1f020d4083d35ca5872fbd4066

SHA1
de132bf2609156b5601b3997a871f8609a473cb7

SHA256
b506a1dec26a715e44f2b59a126694d6c7b9e90a19bc2fa7db691327920f1cd5

SHA512
23680b8a888ee0217f1df48527a7b83ffc3661a4da575431226b772984eb53c3fcb1166a4f6c23dcd47d8842d963c7a21fa3a46cf282ac3c3a46d5773eba03ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6907283.exe
Filesize
185KB

MD5
cad8923643394ac3bb67b7bcf8e60ec6

SHA1
291572445c20b8419407f0fed52411dc4fb75f96

SHA256
989bdf6f6fcf1c4cfb1f091ad05508041bc2488ded4a97501a29356c948426da

SHA512
6b288bbe32afa2a654336012b1c0217cf0230ef20db332911e6f893c26455cffd85b5526809b8e9c40e099b1498d8c49b008bd6da008790575c8a436d4e0ec96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6907283.exe
Filesize
185KB

MD5
cad8923643394ac3bb67b7bcf8e60ec6

SHA1
291572445c20b8419407f0fed52411dc4fb75f96

SHA256
989bdf6f6fcf1c4cfb1f091ad05508041bc2488ded4a97501a29356c948426da

SHA512
6b288bbe32afa2a654336012b1c0217cf0230ef20db332911e6f893c26455cffd85b5526809b8e9c40e099b1498d8c49b008bd6da008790575c8a436d4e0ec96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0001990.exe
Filesize
145KB

MD5
11b605c935f1568b81c5b1a7685a1f3a

SHA1
6b866df87a7d52868f9b14b087ef0823787261e6

SHA256
8bb284b8ede4eb656f818119d38783a6fcde00e3df28e3b53763ce552730e860

SHA512
b4f67f58d78111039bc5fa9832d2e3c6bc9a3bf050ba621ed18664dd33084b454a152ec6dc4fd334476dc96c529cfa8247307c864208cd2abb30bfa10069fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0001990.exe
Filesize
145KB

MD5
11b605c935f1568b81c5b1a7685a1f3a

SHA1
6b866df87a7d52868f9b14b087ef0823787261e6

SHA256
8bb284b8ede4eb656f818119d38783a6fcde00e3df28e3b53763ce552730e860

SHA512
b4f67f58d78111039bc5fa9832d2e3c6bc9a3bf050ba621ed18664dd33084b454a152ec6dc4fd334476dc96c529cfa8247307c864208cd2abb30bfa10069fbbd

Download Submit
memory/2104-182-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/4148-154-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4148-162-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-147-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-149-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-151-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-153-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-157-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-144-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-156-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4148-160-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-158-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4148-145-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-164-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-166-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-168-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-170-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-172-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-174-0x0000000002610000-0x0000000002626000-memory.dmp

Filesize
88KB

Download
memory/4148-175-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4148-176-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4148-177-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4148-143-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/4148-142-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download
memory/4148-141-0x0000000002160000-0x000000000217E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads