redline | d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52

General

Target

d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe
Size

1.1MB
MD5

5c51a19c54196bb266d70735afe651c0
SHA1

a2a4a327d1380aeba4cfe7926eec06d05d448881
SHA256

d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52
SHA512

141c0ceca4fc549030acfeccdd3f4961a3467ad4321410383d26508e89ec34a28f41a422405c0b0a5d663ebdd083976387581beb624aa043e3124fb709b8864c
SSDEEP

24576:oyjZs64DIXxjM9/2zlSRYmkErDTcRmjZMcX1j05:vj2RGYlsIRY08PcF

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0032900.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0032900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0032900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0032900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0032900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0032900.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z7174647.exez3556973.exeo0032900.exep7410412.exe

pid process

1448 z7174647.exe
1776 z3556973.exe
976 o0032900.exe
4476 p7410412.exe

pid	process
1448	z7174647.exe
1776	z3556973.exe
976	o0032900.exe
4476	p7410412.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0032900.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0032900.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0032900.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exez7174647.exez3556973.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7174647.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7174647.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3556973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3556973.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1956 4476 WerFault.exe p7410412.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o0032900.exe

pid process

976 o0032900.exe
976 o0032900.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o0032900.exe

description pid process

Token: SeDebugPrivilege 976 o0032900.exe

pid	pid_target	process	target process
1956	4476	WerFault.exe	p7410412.exe

pid	process
976	o0032900.exe
976	o0032900.exe

description	pid	process
Token: SeDebugPrivilege	976	o0032900.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exez7174647.exez3556973.exe

description	pid	process	target process
PID 1220 wrote to memory of 1448	1220	d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe	z7174647.exe
PID 1220 wrote to memory of 1448	1220	d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe	z7174647.exe
PID 1220 wrote to memory of 1448	1220	d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe	z7174647.exe
PID 1448 wrote to memory of 1776	1448	z7174647.exe	z3556973.exe
PID 1448 wrote to memory of 1776	1448	z7174647.exe	z3556973.exe
PID 1448 wrote to memory of 1776	1448	z7174647.exe	z3556973.exe
PID 1776 wrote to memory of 976	1776	z3556973.exe	o0032900.exe
PID 1776 wrote to memory of 976	1776	z3556973.exe	o0032900.exe
PID 1776 wrote to memory of 976	1776	z3556973.exe	o0032900.exe
PID 1776 wrote to memory of 4476	1776	z3556973.exe	p7410412.exe
PID 1776 wrote to memory of 4476	1776	z3556973.exe	p7410412.exe
PID 1776 wrote to memory of 4476	1776	z3556973.exe	p7410412.exe

C:\Users\Admin\AppData\Local\Temp\d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe
"C:\Users\Admin\AppData\Local\Temp\d2588dacdad3a98e0860815d179a3b1a3db3f0eb2f6d8c96a1bbb72ad6746c52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7174647.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7174647.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3556973.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3556973.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0032900.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0032900.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7410412.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7410412.exe
4⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 948
5⤵
- Program crash
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7174647.exe
Filesize
702KB

MD5
001c355006c9a9157d88c7dd4c85b9c4

SHA1
ab8251aa051c30192732e47d94a6d5f5910dfa62

SHA256
01517f7559ceb8f95fccb128b8acf953b729b528aacf70af3871ea928a90d6f5

SHA512
bbc038fdfe0c783baac07c1944c45c02dac6b441804da48a6e16c9413b34570bd04cd3ea44d2bdb1e3f393e9b7d0dbd949f7a8599aa76a6245eb72fcaa6cb2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7174647.exe
Filesize
702KB

MD5
001c355006c9a9157d88c7dd4c85b9c4

SHA1
ab8251aa051c30192732e47d94a6d5f5910dfa62

SHA256
01517f7559ceb8f95fccb128b8acf953b729b528aacf70af3871ea928a90d6f5

SHA512
bbc038fdfe0c783baac07c1944c45c02dac6b441804da48a6e16c9413b34570bd04cd3ea44d2bdb1e3f393e9b7d0dbd949f7a8599aa76a6245eb72fcaa6cb2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3556973.exe
Filesize
306KB

MD5
3530f6b8cb560507fc713f2a40dbcd18

SHA1
39b501ca0a8b7027c11acfbc985e42ffd3182b03

SHA256
e453155f0a6be80262b2b024b8dbb8b817e091b1176cfb5f85fb6cf1a8dd2231

SHA512
9e6f650b2958fc1adb04176437eec2452024855e88ebc44798349305192905f3167cb294f1d5e810757d464479d44ea497a7b083e686ad431a92e78a5f933e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3556973.exe
Filesize
306KB

MD5
3530f6b8cb560507fc713f2a40dbcd18

SHA1
39b501ca0a8b7027c11acfbc985e42ffd3182b03

SHA256
e453155f0a6be80262b2b024b8dbb8b817e091b1176cfb5f85fb6cf1a8dd2231

SHA512
9e6f650b2958fc1adb04176437eec2452024855e88ebc44798349305192905f3167cb294f1d5e810757d464479d44ea497a7b083e686ad431a92e78a5f933e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0032900.exe
Filesize
185KB

MD5
3bda43df96826c796e5c54d96d7c812f

SHA1
1d5668cc4f8ae4f22425a266401ec1e2ac6627c2

SHA256
4cc8902e5d3d0383f9e37ad0e46c68601b8c3caf82f8f320bca1dbc49b603225

SHA512
ea5811d11b49ce033d220f388606169e2483fb605e202ee82f0d6b8e810a8ebf101ac0e0a75a5bdf0f7c101187de326a03537114f8a0efcaf65bb7eebeecbda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0032900.exe
Filesize
185KB

MD5
3bda43df96826c796e5c54d96d7c812f

SHA1
1d5668cc4f8ae4f22425a266401ec1e2ac6627c2

SHA256
4cc8902e5d3d0383f9e37ad0e46c68601b8c3caf82f8f320bca1dbc49b603225

SHA512
ea5811d11b49ce033d220f388606169e2483fb605e202ee82f0d6b8e810a8ebf101ac0e0a75a5bdf0f7c101187de326a03537114f8a0efcaf65bb7eebeecbda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7410412.exe
Filesize
145KB

MD5
e56bfcd348129c65142c9336e3822e12

SHA1
e599d143a6918bf902aebe8e69de1722c9bead7c

SHA256
69be87b037b69db1b97c2bef2beba4316efd85dcd64e1b4545db5cf1abe41a66

SHA512
bdba6e4e5f42ac8d4a09d2e40141b781f30a20050b90c62e701338205964a0f4d19e54ae3350d7bc40d384a6862827e97d7f30bc2c38fc315ee46d3a77d995e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7410412.exe
Filesize
145KB

MD5
e56bfcd348129c65142c9336e3822e12

SHA1
e599d143a6918bf902aebe8e69de1722c9bead7c

SHA256
69be87b037b69db1b97c2bef2beba4316efd85dcd64e1b4545db5cf1abe41a66

SHA512
bdba6e4e5f42ac8d4a09d2e40141b781f30a20050b90c62e701338205964a0f4d19e54ae3350d7bc40d384a6862827e97d7f30bc2c38fc315ee46d3a77d995e7

Download Submit
memory/976-155-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-165-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-146-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/976-147-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/976-149-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-148-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-151-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-153-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-144-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/976-157-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-159-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-161-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-163-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-145-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/976-167-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-169-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-171-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-173-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-175-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/976-176-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/976-177-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/976-178-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/976-143-0x0000000004AF0000-0x0000000004FEE000-memory.dmp

Filesize
5.0MB

Download
memory/976-142-0x0000000002220000-0x000000000223E000-memory.dmp

Filesize
120KB

Download
memory/4476-183-0x0000000000BE0000-0x0000000000C0A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads