redline | e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d

General

Target

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
Size

1.1MB
MD5

92333496a04a90cdc78725940436c319
SHA1

38132e6460af6b22928fe8d43eb653232dd43b94
SHA256

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d
SHA512

8d6bc40014928a6574e31c6a0c1f908d23b25462eeb6d82538d0a71cb587bfe3d147b8ece9a82e8d675e20f5211bd7ec23ddb4571912fc78ef17960d2b228c96
SSDEEP

24576:Vyec8IdrNr5B+GCL/Yz0jFn1MPVM/QN9JCSozZy9rIxq0:wKIdZNB+Ge+MSPaYpW29

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o4321671.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4321671.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z0678849.exez4726281.exeo4321671.exep3637470.exe

pid process

2252 z0678849.exe
2516 z4726281.exe
2832 o4321671.exe
4588 p3637470.exe

pid	process
2252	z0678849.exe
2516	z4726281.exe
2832	o4321671.exe
4588	p3637470.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o4321671.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4321671.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exez0678849.exez4726281.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0678849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0678849.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4726281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4726281.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2848 4588 WerFault.exe p3637470.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o4321671.exe

pid process

2832 o4321671.exe
2832 o4321671.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o4321671.exe

description pid process

Token: SeDebugPrivilege 2832 o4321671.exe

pid	pid_target	process	target process
2848	4588	WerFault.exe	p3637470.exe

pid	process
2832	o4321671.exe
2832	o4321671.exe

description	pid	process
Token: SeDebugPrivilege	2832	o4321671.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exez0678849.exez4726281.exe

description	pid	process	target process
PID 1688 wrote to memory of 2252	1688	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	z0678849.exe
PID 1688 wrote to memory of 2252	1688	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	z0678849.exe
PID 1688 wrote to memory of 2252	1688	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	z0678849.exe
PID 2252 wrote to memory of 2516	2252	z0678849.exe	z4726281.exe
PID 2252 wrote to memory of 2516	2252	z0678849.exe	z4726281.exe
PID 2252 wrote to memory of 2516	2252	z0678849.exe	z4726281.exe
PID 2516 wrote to memory of 2832	2516	z4726281.exe	o4321671.exe
PID 2516 wrote to memory of 2832	2516	z4726281.exe	o4321671.exe
PID 2516 wrote to memory of 2832	2516	z4726281.exe	o4321671.exe
PID 2516 wrote to memory of 4588	2516	z4726281.exe	p3637470.exe
PID 2516 wrote to memory of 4588	2516	z4726281.exe	p3637470.exe
PID 2516 wrote to memory of 4588	2516	z4726281.exe	p3637470.exe

C:\Users\Admin\AppData\Local\Temp\e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
"C:\Users\Admin\AppData\Local\Temp\e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
4⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 948
5⤵
- Program crash
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
Filesize
702KB

MD5
c4bd8a665f2c6dd16977ad90944efae0

SHA1
d54c42228ba38fa055bcaf72961cf8d725bf9ee0

SHA256
c6e2ab60c1385e08ec042b030839d7a046d616a9fb4a1de3aec4e2cad34c215c

SHA512
b6a2291b3d475ab3568b72dfcb2d6de6ef2597433d2e8be77f90e4c3a6c732a5f2d60a2667dd3ca5e1a7a175d67d2c84bb22fc0505bad47ef77780ac3b7ab822

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
Filesize
702KB

MD5
c4bd8a665f2c6dd16977ad90944efae0

SHA1
d54c42228ba38fa055bcaf72961cf8d725bf9ee0

SHA256
c6e2ab60c1385e08ec042b030839d7a046d616a9fb4a1de3aec4e2cad34c215c

SHA512
b6a2291b3d475ab3568b72dfcb2d6de6ef2597433d2e8be77f90e4c3a6c732a5f2d60a2667dd3ca5e1a7a175d67d2c84bb22fc0505bad47ef77780ac3b7ab822

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
Filesize
306KB

MD5
334d673a6767ea02c040a4d37da1b089

SHA1
1119351b47e7c762216e85e80512782afac3610c

SHA256
2c41a58a3e1e1644d00b993cf741bcb9814e032eef050d153b373171915af911

SHA512
793aa3695042cb8876d1ed5400eafbea0eb22f0f42d235ae3648ecaa4991f02e6c461c02eea9461d042cf186fee7a2bf4c3e31ba331c7c9ab52321a2405ed561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
Filesize
306KB

MD5
334d673a6767ea02c040a4d37da1b089

SHA1
1119351b47e7c762216e85e80512782afac3610c

SHA256
2c41a58a3e1e1644d00b993cf741bcb9814e032eef050d153b373171915af911

SHA512
793aa3695042cb8876d1ed5400eafbea0eb22f0f42d235ae3648ecaa4991f02e6c461c02eea9461d042cf186fee7a2bf4c3e31ba331c7c9ab52321a2405ed561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
Filesize
185KB

MD5
51f2c8701086c796f01308be159fae64

SHA1
6d277b1c1766d3a3e197325247d347f14bcdaa2b

SHA256
7130b298bc12b47fd0a0563602b5035890b16a73374b1fe1e74caf3670a820fe

SHA512
ec06af118718de591cb9527b0a18bb2ddd821695c547d090d5e0ae806ed2de3d4615bfd8201cbdf28ddf3bcc761df5c1907e871c5a7aea281b4a4094e2f597aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
Filesize
185KB

MD5
51f2c8701086c796f01308be159fae64

SHA1
6d277b1c1766d3a3e197325247d347f14bcdaa2b

SHA256
7130b298bc12b47fd0a0563602b5035890b16a73374b1fe1e74caf3670a820fe

SHA512
ec06af118718de591cb9527b0a18bb2ddd821695c547d090d5e0ae806ed2de3d4615bfd8201cbdf28ddf3bcc761df5c1907e871c5a7aea281b4a4094e2f597aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
Filesize
145KB

MD5
5506641729e767e3d2127db747714ab6

SHA1
db0f4a753735b7b79707021e6a3c90cc08155bea

SHA256
3fd94b81867a04ea381630c667b21790dfa737d031ee6196fe85e33febd252ee

SHA512
03152aaa4ce485e14579d152b59d17e4e8ed52b070e7e3dd68c7ffa9cb1f75093d61791d831eb8bd6fd2c84c1e42420064d0494e57e52388c07eb367d5162637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
Filesize
145KB

MD5
5506641729e767e3d2127db747714ab6

SHA1
db0f4a753735b7b79707021e6a3c90cc08155bea

SHA256
3fd94b81867a04ea381630c667b21790dfa737d031ee6196fe85e33febd252ee

SHA512
03152aaa4ce485e14579d152b59d17e4e8ed52b070e7e3dd68c7ffa9cb1f75093d61791d831eb8bd6fd2c84c1e42420064d0494e57e52388c07eb367d5162637

Download Submit
memory/2832-151-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-161-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-146-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/2832-147-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/2832-148-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-149-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-144-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/2832-153-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-155-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-157-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-159-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-145-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/2832-163-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-165-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-167-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-169-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-171-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-173-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-175-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2832-176-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/2832-143-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/2832-142-0x0000000002350000-0x000000000236E000-memory.dmp

Filesize
120KB

Download
memory/4588-181-0x0000000000F70000-0x0000000000F9A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads