redline | da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008

General

Target

da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe
Size

1.1MB
MD5

29d7e45b43ec1d43ebb98fac13c15c4a
SHA1

c53bb9b748fe8ea407a255af188a9fd982e1a19f
SHA256

da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008
SHA512

d49760088fcc7a26bec83168cfc2fb1a90ce7816ce10b196c2792c79687381ea54a56bcc915a67edd99ddba0697d77f95828c01926b2704e2278d204432d2d92
SSDEEP

24576:hyL6F3AoLQUim3RSibOoRL7DjUDzabP4zqzodPy0Z1fTvx5+56:UL6VA41im3R7I24Guy0fF5+

Score

10^/10

redline larry evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

larry

C2

185.161.248.75:4132

Attributes

auth_value
9039557bb7a08f5f2f60e2b71e1dee0e

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o1680550.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1680550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1680550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1680550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1680550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1680550.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o1680550.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z5421568.exez4506698.exeo1680550.exep9709445.exe

pid process

1548 z5421568.exe
4400 z4506698.exe
1516 o1680550.exe
4736 p9709445.exe

pid	process
1548	z5421568.exe
4400	z4506698.exe
1516	o1680550.exe
4736	p9709445.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o1680550.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1680550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1680550.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z4506698.exeda001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exez5421568.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4506698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4506698.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5421568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5421568.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o1680550.exe

pid process

1516 o1680550.exe
1516 o1680550.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o1680550.exe

description pid process

Token: SeDebugPrivilege 1516 o1680550.exe

pid	process
1516	o1680550.exe
1516	o1680550.exe

description	pid	process
Token: SeDebugPrivilege	1516	o1680550.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exez5421568.exez4506698.exe

description	pid	process	target process
PID 1556 wrote to memory of 1548	1556	da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe	z5421568.exe
PID 1556 wrote to memory of 1548	1556	da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe	z5421568.exe
PID 1556 wrote to memory of 1548	1556	da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe	z5421568.exe
PID 1548 wrote to memory of 4400	1548	z5421568.exe	z4506698.exe
PID 1548 wrote to memory of 4400	1548	z5421568.exe	z4506698.exe
PID 1548 wrote to memory of 4400	1548	z5421568.exe	z4506698.exe
PID 4400 wrote to memory of 1516	4400	z4506698.exe	o1680550.exe
PID 4400 wrote to memory of 1516	4400	z4506698.exe	o1680550.exe
PID 4400 wrote to memory of 1516	4400	z4506698.exe	o1680550.exe
PID 4400 wrote to memory of 4736	4400	z4506698.exe	p9709445.exe
PID 4400 wrote to memory of 4736	4400	z4506698.exe	p9709445.exe
PID 4400 wrote to memory of 4736	4400	z4506698.exe	p9709445.exe

C:\Users\Admin\AppData\Local\Temp\da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe
"C:\Users\Admin\AppData\Local\Temp\da001378fabef8421c89bf648c9729ac6ec8fe5a4dcf6d4255928ec997385008.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5421568.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5421568.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4506698.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4506698.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1680550.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1680550.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9709445.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9709445.exe
4⤵
- Executes dropped EXE
PID:4736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5421568.exe
Filesize
700KB

MD5
c28e377bdb722d384dae6b29f4591649

SHA1
932bd9efc834f3a207d7a1f68331039ee745f976

SHA256
831037dbfe7c210de22af087126f6cea94a4450630a54dd18330524f372c9641

SHA512
26b7eb5f8b06aac37f9637bd35f3b77375e2f76a2a2bcfe1dccf07b4fbd51ecbd1bbfd25fe4ede0baae5de7ad0e37e5e1ace6ce48240444456a4694429d1b3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5421568.exe
Filesize
700KB

MD5
c28e377bdb722d384dae6b29f4591649

SHA1
932bd9efc834f3a207d7a1f68331039ee745f976

SHA256
831037dbfe7c210de22af087126f6cea94a4450630a54dd18330524f372c9641

SHA512
26b7eb5f8b06aac37f9637bd35f3b77375e2f76a2a2bcfe1dccf07b4fbd51ecbd1bbfd25fe4ede0baae5de7ad0e37e5e1ace6ce48240444456a4694429d1b3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4506698.exe
Filesize
305KB

MD5
1136a5270eee9e07b907b8f0c960af2e

SHA1
2d3033289b68fc8085b8528200a1418ead23991f

SHA256
76d1a82eb0d45b701f36471ffbf9740282c6a33cd6f4ccde69e920e31bd88fb3

SHA512
2cc43f5ee551d391f64172dd5ae8dd900cf111d6b68a09883347bcde08095f8dcbd352813bf0c37940ae4d01f062463a920665a88975ce0618026d16e86d047d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4506698.exe
Filesize
305KB

MD5
1136a5270eee9e07b907b8f0c960af2e

SHA1
2d3033289b68fc8085b8528200a1418ead23991f

SHA256
76d1a82eb0d45b701f36471ffbf9740282c6a33cd6f4ccde69e920e31bd88fb3

SHA512
2cc43f5ee551d391f64172dd5ae8dd900cf111d6b68a09883347bcde08095f8dcbd352813bf0c37940ae4d01f062463a920665a88975ce0618026d16e86d047d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1680550.exe
Filesize
183KB

MD5
2ca28dfd16ac056819786778340f4fb5

SHA1
c4de7f1fc0ca7175103c9a55009ba6173358740f

SHA256
2814fed35407943478ebba374299199d36f99d637b3fa532657514fa287c9bab

SHA512
a6291885024cecf19cbb3610f2afd0dc7558ea4d7221b3294401b49ac7f3c99766b038dcc50d51e712c38c7ac64fb2fafd65531b1dba8a756055b86d9c5fbad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1680550.exe
Filesize
183KB

MD5
2ca28dfd16ac056819786778340f4fb5

SHA1
c4de7f1fc0ca7175103c9a55009ba6173358740f

SHA256
2814fed35407943478ebba374299199d36f99d637b3fa532657514fa287c9bab

SHA512
a6291885024cecf19cbb3610f2afd0dc7558ea4d7221b3294401b49ac7f3c99766b038dcc50d51e712c38c7ac64fb2fafd65531b1dba8a756055b86d9c5fbad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9709445.exe
Filesize
145KB

MD5
fef39dd0894e8b5a7ff2f881cf6fed30

SHA1
6641c43a2873de2f34f6c8153b2e94a87af3c8ed

SHA256
1abf06e4868c28b2287e063878c0a80e757aa404bd38fc97ee93bfe709907ea9

SHA512
0779289d2f405094b929325079aea5a5e024528ee4e4b9a534b743eb4eb78ce949e8f289feb480e8838117f1198221ea0ed7e4bc95c08058d3d96959f241ea41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9709445.exe
Filesize
145KB

MD5
fef39dd0894e8b5a7ff2f881cf6fed30

SHA1
6641c43a2873de2f34f6c8153b2e94a87af3c8ed

SHA256
1abf06e4868c28b2287e063878c0a80e757aa404bd38fc97ee93bfe709907ea9

SHA512
0779289d2f405094b929325079aea5a5e024528ee4e4b9a534b743eb4eb78ce949e8f289feb480e8838117f1198221ea0ed7e4bc95c08058d3d96959f241ea41

Download Submit
memory/1516-158-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-182-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-160-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-164-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-166-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-162-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-168-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-170-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-172-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-174-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-176-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-178-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-180-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-156-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-183-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1516-184-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1516-185-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1516-186-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1516-187-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1516-155-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/1516-154-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/4736-192-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/4736-193-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/4736-194-0x0000000004EC0000-0x0000000004FCA000-memory.dmp

Filesize
1.0MB

Download
memory/4736-195-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/4736-196-0x0000000004E60000-0x0000000004E9C000-memory.dmp

Filesize
240KB

Download
memory/4736-197-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4736-198-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads