redline | fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec

General

Target

fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe
Size

1.1MB
MD5

3b92c7e5459ebf81e7755b4a1a78a864
SHA1

d82ee6e506d1a7138b94809a8bfa3edb11394bb2
SHA256

fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec
SHA512

92c0be501f986b33268eebf12016fa6da087fc6fd4546ed8f4cdc18ccb35b33153fa3bac169aacd937844502526260e92848fdb7fb2aad0ecf90ad10593777ca
SSDEEP

24576:Ry9bRNPvH9rruYpS/56yq8vWc4r+HrdFrcLI+++EniAsD:E9ll/9npY50wdNcI+EniAs

Score

10^/10

redline luka evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luka

C2

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o7068724.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7068724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7068724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7068724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7068724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7068724.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z2877188.exez7989094.exeo7068724.exep5151016.exe

pid process

4144 z2877188.exe
2112 z7989094.exe
4624 o7068724.exe
4936 p5151016.exe

pid	process
4144	z2877188.exe
2112	z7989094.exe
4624	o7068724.exe
4936	p5151016.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o7068724.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7068724.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7068724.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z7989094.exefb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exez2877188.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7989094.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2877188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2877188.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7989094.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4584 4936 WerFault.exe p5151016.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o7068724.exe

pid process

4624 o7068724.exe
4624 o7068724.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o7068724.exe

description pid process

Token: SeDebugPrivilege 4624 o7068724.exe

pid	pid_target	process	target process
4584	4936	WerFault.exe	p5151016.exe

pid	process
4624	o7068724.exe
4624	o7068724.exe

description	pid	process
Token: SeDebugPrivilege	4624	o7068724.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exez2877188.exez7989094.exe

description	pid	process	target process
PID 4128 wrote to memory of 4144	4128	fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe	z2877188.exe
PID 4128 wrote to memory of 4144	4128	fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe	z2877188.exe
PID 4128 wrote to memory of 4144	4128	fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe	z2877188.exe
PID 4144 wrote to memory of 2112	4144	z2877188.exe	z7989094.exe
PID 4144 wrote to memory of 2112	4144	z2877188.exe	z7989094.exe
PID 4144 wrote to memory of 2112	4144	z2877188.exe	z7989094.exe
PID 2112 wrote to memory of 4624	2112	z7989094.exe	o7068724.exe
PID 2112 wrote to memory of 4624	2112	z7989094.exe	o7068724.exe
PID 2112 wrote to memory of 4624	2112	z7989094.exe	o7068724.exe
PID 2112 wrote to memory of 4936	2112	z7989094.exe	p5151016.exe
PID 2112 wrote to memory of 4936	2112	z7989094.exe	p5151016.exe
PID 2112 wrote to memory of 4936	2112	z7989094.exe	p5151016.exe

C:\Users\Admin\AppData\Local\Temp\fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe
"C:\Users\Admin\AppData\Local\Temp\fb0aaca253997e0ea4e9b98adf035c429c4d70b28f57631023e6632d081039ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2877188.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2877188.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7989094.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7989094.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7068724.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7068724.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5151016.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5151016.exe
      4⤵
      Executes dropped EXE
      PID:4936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 948
        5⤵
        Program crash
        
        PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2877188.exe

Filesize
702KB

MD5
83d62c619fcdc1b4c06c7eb80719de75

SHA1
30189f385e322f054c824f93eeab1334d6e41ed2

SHA256
1b46d5e79d0ce437818a1c46906b0a0611bf8e65836910d0e98b193384047d59

SHA512
0005c897b1e3a45c495d26cdc2447b78abce841479e4686eef647643ae9c6f4b0f31ee09e9a31cb88efa7ca6843e9fb4e1f12b8f2e55deb85eb38731504f1b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2877188.exe

Filesize
702KB

MD5
83d62c619fcdc1b4c06c7eb80719de75

SHA1
30189f385e322f054c824f93eeab1334d6e41ed2

SHA256
1b46d5e79d0ce437818a1c46906b0a0611bf8e65836910d0e98b193384047d59

SHA512
0005c897b1e3a45c495d26cdc2447b78abce841479e4686eef647643ae9c6f4b0f31ee09e9a31cb88efa7ca6843e9fb4e1f12b8f2e55deb85eb38731504f1b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7989094.exe

Filesize
306KB

MD5
4a268b70bcd874bfaba14b06eae35628

SHA1
b0e2a23cec4ac46a57fd42490c540c88dc71b434

SHA256
b4bc0fc728b05114784eeeca23b459352a3a1e4690932cb3665a4b2aa0984432

SHA512
28a4240ee633af818d12f485d14ba8ab560276376c177bdb289bff15c6d03255617325546d0654b2cf168485264b0e3dd8d87053c80d57fa37a8e89354b8b16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7989094.exe

Filesize
306KB

MD5
4a268b70bcd874bfaba14b06eae35628

SHA1
b0e2a23cec4ac46a57fd42490c540c88dc71b434

SHA256
b4bc0fc728b05114784eeeca23b459352a3a1e4690932cb3665a4b2aa0984432

SHA512
28a4240ee633af818d12f485d14ba8ab560276376c177bdb289bff15c6d03255617325546d0654b2cf168485264b0e3dd8d87053c80d57fa37a8e89354b8b16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7068724.exe

Filesize
185KB

MD5
5844af7078974457c36e999d91d565d6

SHA1
1f95f96cffa9c77f15980e21d947903a0fc17b9b

SHA256
1a754bf8fddeb54155efc7cd0ebc1a0b33cf9e95c358aab8fb21e0544aed8e3f

SHA512
b04f3aa9cc6c8fa1e242c4320ba812d64107294904ff0d8eb613ee0035246451352d8ce5e69f0b75b7db443bb54dbd9ec13fabbe4523b29ee3465beec6b74596

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7068724.exe

Filesize
185KB

MD5
5844af7078974457c36e999d91d565d6

SHA1
1f95f96cffa9c77f15980e21d947903a0fc17b9b

SHA256
1a754bf8fddeb54155efc7cd0ebc1a0b33cf9e95c358aab8fb21e0544aed8e3f

SHA512
b04f3aa9cc6c8fa1e242c4320ba812d64107294904ff0d8eb613ee0035246451352d8ce5e69f0b75b7db443bb54dbd9ec13fabbe4523b29ee3465beec6b74596

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5151016.exe

Filesize
145KB

MD5
6d40e173f2fb6d4ad4d11293af5b6b96

SHA1
2f6c3cb2001a87d634e891bb0fa29cf96577c81e

SHA256
c38e3a35fad447a447ef1e9519fff9ce095ff9623a436ba8040d9acedb5d1f12

SHA512
d214f66496c0db463b2a880c640aa6ee2793043d2333d96884d13d61bd15a0d7f7da80e7388d8b69b998e3982eb2aaff8d03feeece1a0d8c152d1f860ca7fb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5151016.exe

Filesize
145KB

MD5
6d40e173f2fb6d4ad4d11293af5b6b96

SHA1
2f6c3cb2001a87d634e891bb0fa29cf96577c81e

SHA256
c38e3a35fad447a447ef1e9519fff9ce095ff9623a436ba8040d9acedb5d1f12

SHA512
d214f66496c0db463b2a880c640aa6ee2793043d2333d96884d13d61bd15a0d7f7da80e7388d8b69b998e3982eb2aaff8d03feeece1a0d8c152d1f860ca7fb03

Download Submit
memory/4624-154-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-160-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-146-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4624-145-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4624-147-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-148-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-150-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-152-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-143-0x00000000023E0000-0x00000000023FC000-memory.dmp

Filesize
112KB

Download
memory/4624-156-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-158-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-144-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4624-162-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-164-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-166-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-168-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-170-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-172-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-174-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4624-175-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4624-176-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4624-142-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/4624-141-0x0000000002360000-0x000000000237E000-memory.dmp

Filesize
120KB

Download
memory/4936-181-0x0000000000C90000-0x0000000000CBA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads