redline | b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8

General

Target

b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe
Size

1.1MB
MD5

8064456e7e67b4d92d285c27ae6fa3c6
SHA1

ff268f2c11e7a6bf66420cc4721ce3514bf0d9ce
SHA256

b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8
SHA512

cc69c76962007fc43f73f9edaa074150ed2a58966685c7e672f26f16ae639089d98f96f2333cdd0c75f2d62a63ae8bf6a7c424e0fa79d862babb078e794195da
SSDEEP

24576:ZyMW8QayiBd56TQrzYQmzntrJWGQQePZKOhTIP:M+QodgUrUnntdWbQKZKC

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o1035381.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1035381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1035381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1035381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1035381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1035381.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z4090940.exez4751546.exeo1035381.exep1349633.exe

pid process

1720 z4090940.exe
1488 z4751546.exe
4372 o1035381.exe
4640 p1349633.exe

pid	process
1720	z4090940.exe
1488	z4751546.exe
4372	o1035381.exe
4640	p1349633.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o1035381.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1035381.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1035381.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z4090940.exez4751546.exeb788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4090940.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4090940.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4751546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4751546.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4108 4640 WerFault.exe p1349633.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o1035381.exe

pid process

4372 o1035381.exe
4372 o1035381.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o1035381.exe

description pid process

Token: SeDebugPrivilege 4372 o1035381.exe

pid	pid_target	process	target process
4108	4640	WerFault.exe	p1349633.exe

pid	process
4372	o1035381.exe
4372	o1035381.exe

description	pid	process
Token: SeDebugPrivilege	4372	o1035381.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exez4090940.exez4751546.exe

description	pid	process	target process
PID 4228 wrote to memory of 1720	4228	b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe	z4090940.exe
PID 4228 wrote to memory of 1720	4228	b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe	z4090940.exe
PID 4228 wrote to memory of 1720	4228	b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe	z4090940.exe
PID 1720 wrote to memory of 1488	1720	z4090940.exe	z4751546.exe
PID 1720 wrote to memory of 1488	1720	z4090940.exe	z4751546.exe
PID 1720 wrote to memory of 1488	1720	z4090940.exe	z4751546.exe
PID 1488 wrote to memory of 4372	1488	z4751546.exe	o1035381.exe
PID 1488 wrote to memory of 4372	1488	z4751546.exe	o1035381.exe
PID 1488 wrote to memory of 4372	1488	z4751546.exe	o1035381.exe
PID 1488 wrote to memory of 4640	1488	z4751546.exe	p1349633.exe
PID 1488 wrote to memory of 4640	1488	z4751546.exe	p1349633.exe
PID 1488 wrote to memory of 4640	1488	z4751546.exe	p1349633.exe

C:\Users\Admin\AppData\Local\Temp\b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe
"C:\Users\Admin\AppData\Local\Temp\b788d2df71b8c09104ab54df9662745fe688034a2c0255131280dae7256ce5c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4090940.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4090940.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4751546.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4751546.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1035381.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1035381.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1349633.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1349633.exe
4⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 948
5⤵
- Program crash
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4090940.exe
Filesize
702KB

MD5
6aac45d874764be19b98c99de2607cc5

SHA1
ec48346dba3f4b045109445cd28873befb4f2375

SHA256
bd79ead930cd969c19edcb9a39a9bf8d000271b059c2e189db19fdbd90add63a

SHA512
e00e9264a4d66034ef4f1a7d58933e31393e4921b78c57d8e7a07b9bc84a8787a9d43466a72e676d506d38cc18c73a7b4952453be8a013677b654a2d072e968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4090940.exe
Filesize
702KB

MD5
6aac45d874764be19b98c99de2607cc5

SHA1
ec48346dba3f4b045109445cd28873befb4f2375

SHA256
bd79ead930cd969c19edcb9a39a9bf8d000271b059c2e189db19fdbd90add63a

SHA512
e00e9264a4d66034ef4f1a7d58933e31393e4921b78c57d8e7a07b9bc84a8787a9d43466a72e676d506d38cc18c73a7b4952453be8a013677b654a2d072e968c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4751546.exe
Filesize
306KB

MD5
a61d9545c2a80311d50b94d75b934ccf

SHA1
863c0727015c0c70e3fe8b98857b1089ee25685f

SHA256
993fc8da79d22c606ec3b1db01fb4d68b335282f2ff6425e8d2dc58a68de0942

SHA512
a723affbb98582ac90ea680be49d671a63d9f87d39a3977fb32732eb7b1e98bcddeb48e30b4d286ae4c933570857a3ff79e941108255f3aae31c3eea5245f73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4751546.exe
Filesize
306KB

MD5
a61d9545c2a80311d50b94d75b934ccf

SHA1
863c0727015c0c70e3fe8b98857b1089ee25685f

SHA256
993fc8da79d22c606ec3b1db01fb4d68b335282f2ff6425e8d2dc58a68de0942

SHA512
a723affbb98582ac90ea680be49d671a63d9f87d39a3977fb32732eb7b1e98bcddeb48e30b4d286ae4c933570857a3ff79e941108255f3aae31c3eea5245f73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1035381.exe
Filesize
185KB

MD5
76da10c0598437f1a221a57a4a76df5e

SHA1
e5162fc7cc22804c50e472405f2951e24591de33

SHA256
5ce1a2ea2dc1b54938fb2dd28e45bff8132c34b85bf18517d2410dbc88f80514

SHA512
10d346b3286b253f05c65b44c107a08fec7f22eceb4ed8f89d91f1be9f61f2f032993dbf33e4ff31487b851e41e73b5216528c99427723f638b143cdf18262fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1035381.exe
Filesize
185KB

MD5
76da10c0598437f1a221a57a4a76df5e

SHA1
e5162fc7cc22804c50e472405f2951e24591de33

SHA256
5ce1a2ea2dc1b54938fb2dd28e45bff8132c34b85bf18517d2410dbc88f80514

SHA512
10d346b3286b253f05c65b44c107a08fec7f22eceb4ed8f89d91f1be9f61f2f032993dbf33e4ff31487b851e41e73b5216528c99427723f638b143cdf18262fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1349633.exe
Filesize
145KB

MD5
eb9ddad0a545ea65e8f4439e9e7e3033

SHA1
2c47474fc7891bb8383a7762cda7e606513a99c4

SHA256
2b79e345af40c7142002b372c3ffe4c9f36c5b58e98ca50e575255d2a27c59ab

SHA512
95ca0d4ecb94d2649331d772650cb375d9ecca862d1252d13b5fca249102e664a321f11ec44703b91937d81d9a1ac9813d9d849ddab58935a265b259924bfde0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1349633.exe
Filesize
145KB

MD5
eb9ddad0a545ea65e8f4439e9e7e3033

SHA1
2c47474fc7891bb8383a7762cda7e606513a99c4

SHA256
2b79e345af40c7142002b372c3ffe4c9f36c5b58e98ca50e575255d2a27c59ab

SHA512
95ca0d4ecb94d2649331d772650cb375d9ecca862d1252d13b5fca249102e664a321f11ec44703b91937d81d9a1ac9813d9d849ddab58935a265b259924bfde0

Download Submit
memory/4372-150-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-160-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-142-0x0000000004A60000-0x0000000004A7C000-memory.dmp

Filesize
112KB

Download
memory/4372-141-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4372-143-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-144-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-146-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-148-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-139-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4372-152-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-154-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-156-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-158-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-140-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4372-162-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-164-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-166-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-168-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-170-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4372-171-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4372-172-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4372-173-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4372-138-0x0000000004BD0000-0x00000000050CE000-memory.dmp

Filesize
5.0MB

Download
memory/4372-137-0x0000000002470000-0x000000000248E000-memory.dmp

Filesize
120KB

Download
memory/4640-178-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads