redline | eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5

General

Target

eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe
Size

1.1MB
MD5

1d6ae658f29d9b2e33131b42ed154810
SHA1

8a0d2cf80eef44f00354878143a3904e03364545
SHA256

eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5
SHA512

8f1ecbdaac8bf0177e352ea4e9a17c0fa676163a0e93d6af686c7b9e568ef282895cc8385d3602f73aa843c963c93c791fa1431822ba8f55883ca3ed4962ea29
SSDEEP

24576:qyACXG/1eYvSJOqVrqWzkAnhIsxzxR4K05b3uQCnX:xAC2NeYvSJOqVXnhPHR4K05L5C

Score

10^/10

redline dogma evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dogma

C2

185.161.248.75:4132

Attributes

auth_value
d6c5d36e9aa03c956dc76aa0fcbe3639

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

k1116936.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1116936.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1116936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1116936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1116936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1116936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1116936.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

y7932360.exey8458802.exek1116936.exel6948834.exe

pid process

2988 y7932360.exe
3148 y8458802.exe
3944 k1116936.exe
4664 l6948834.exe

pid	process
2988	y7932360.exe
3148	y8458802.exe
3944	k1116936.exe
4664	l6948834.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

k1116936.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1116936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1116936.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y8458802.exeeb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exey7932360.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8458802.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7932360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7932360.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8458802.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

k1116936.exel6948834.exe

pid process

3944 k1116936.exe
3944 k1116936.exe
4664 l6948834.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

k1116936.exel6948834.exe

description pid process

Token: SeDebugPrivilege 3944 k1116936.exe
Token: SeDebugPrivilege 4664 l6948834.exe

pid	process
3944	k1116936.exe
3944	k1116936.exe
4664	l6948834.exe

description	pid	process
Token: SeDebugPrivilege	3944	k1116936.exe
Token: SeDebugPrivilege	4664	l6948834.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exey7932360.exey8458802.exe

description	pid	process	target process
PID 1284 wrote to memory of 2988	1284	eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe	y7932360.exe
PID 1284 wrote to memory of 2988	1284	eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe	y7932360.exe
PID 1284 wrote to memory of 2988	1284	eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe	y7932360.exe
PID 2988 wrote to memory of 3148	2988	y7932360.exe	y8458802.exe
PID 2988 wrote to memory of 3148	2988	y7932360.exe	y8458802.exe
PID 2988 wrote to memory of 3148	2988	y7932360.exe	y8458802.exe
PID 3148 wrote to memory of 3944	3148	y8458802.exe	k1116936.exe
PID 3148 wrote to memory of 3944	3148	y8458802.exe	k1116936.exe
PID 3148 wrote to memory of 3944	3148	y8458802.exe	k1116936.exe
PID 3148 wrote to memory of 4664	3148	y8458802.exe	l6948834.exe
PID 3148 wrote to memory of 4664	3148	y8458802.exe	l6948834.exe
PID 3148 wrote to memory of 4664	3148	y8458802.exe	l6948834.exe

C:\Users\Admin\AppData\Local\Temp\eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe
"C:\Users\Admin\AppData\Local\Temp\eb7962ad0ed791b6d0ba29a595492896ccf82359d724e9c38ff42af4a3e8d6f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7932360.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7932360.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8458802.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8458802.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1116936.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1116936.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6948834.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6948834.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7932360.exe
Filesize
750KB

MD5
fdda1132858317b180ec1d440a36755a

SHA1
368e63c5a854b7226ecf09cadb02cf8027d31220

SHA256
64bb8a1bc00473935c8e9b4c43340355798d8334cb1fa24b61b45a739c6307ca

SHA512
4576014a31ffbce794146ea6d92e8911a63de6b60d7d5d3882cf8bf307e1b83c6f6493ded485cda5757279ae0c054ecf6c8d3e4a9e8e2f144d1c6ee9335744dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7932360.exe
Filesize
750KB

MD5
fdda1132858317b180ec1d440a36755a

SHA1
368e63c5a854b7226ecf09cadb02cf8027d31220

SHA256
64bb8a1bc00473935c8e9b4c43340355798d8334cb1fa24b61b45a739c6307ca

SHA512
4576014a31ffbce794146ea6d92e8911a63de6b60d7d5d3882cf8bf307e1b83c6f6493ded485cda5757279ae0c054ecf6c8d3e4a9e8e2f144d1c6ee9335744dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8458802.exe
Filesize
306KB

MD5
56ed73b373d21b99cef3b9238643a6ef

SHA1
51c441cd9b21471c131b73a15c1e3db020f8f7c3

SHA256
7da73260cfd0352aec45c9f82ab7d5e8340453e093457c2be969dc303a096d1e

SHA512
344755e7a2159c4e9e73c98d01e58b645e40b31307e085483137b3817f237988eb7a72a9181f2875053b62ad8374ed2f7a7fe14d499cd1c87efa36decf4c5f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8458802.exe
Filesize
306KB

MD5
56ed73b373d21b99cef3b9238643a6ef

SHA1
51c441cd9b21471c131b73a15c1e3db020f8f7c3

SHA256
7da73260cfd0352aec45c9f82ab7d5e8340453e093457c2be969dc303a096d1e

SHA512
344755e7a2159c4e9e73c98d01e58b645e40b31307e085483137b3817f237988eb7a72a9181f2875053b62ad8374ed2f7a7fe14d499cd1c87efa36decf4c5f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1116936.exe
Filesize
184KB

MD5
b5b2ed600251a7d4e3c3eff2a5d4b862

SHA1
61d5c610a00858145477f0f157e79f203736acb2

SHA256
3a642392a154ac7d3e7e18661b420ef3006fbce580888edff46c17ba595d8dd0

SHA512
7a5cf7d043473a69bfabed2f363f5fb71791cc8fd78037ee4b554c775401eff16618a184a2bab0f41b4ef4228a114a0d3a0da23e92a1ede96a063959d0c77067

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1116936.exe
Filesize
184KB

MD5
b5b2ed600251a7d4e3c3eff2a5d4b862

SHA1
61d5c610a00858145477f0f157e79f203736acb2

SHA256
3a642392a154ac7d3e7e18661b420ef3006fbce580888edff46c17ba595d8dd0

SHA512
7a5cf7d043473a69bfabed2f363f5fb71791cc8fd78037ee4b554c775401eff16618a184a2bab0f41b4ef4228a114a0d3a0da23e92a1ede96a063959d0c77067

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6948834.exe
Filesize
145KB

MD5
5ea9ec97d691a438baeed56339ab7250

SHA1
0865d7fc1cdf8709021977d0cf792f54bffbba50

SHA256
520d477165266fbf222c603f6aac0470ad18f611bdf89f65b5ffa960c55ea091

SHA512
3bc62444980f1d0025a5d1c0833022940504731b954aba318e611f41302b825ae26548656af61fd8937bb08ff22589ceca57d18aae0c20a69993f6e0e603e620

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6948834.exe
Filesize
145KB

MD5
5ea9ec97d691a438baeed56339ab7250

SHA1
0865d7fc1cdf8709021977d0cf792f54bffbba50

SHA256
520d477165266fbf222c603f6aac0470ad18f611bdf89f65b5ffa960c55ea091

SHA512
3bc62444980f1d0025a5d1c0833022940504731b954aba318e611f41302b825ae26548656af61fd8937bb08ff22589ceca57d18aae0c20a69993f6e0e603e620

Download Submit
memory/3944-174-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-184-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-158-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3944-159-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3944-160-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3944-161-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-162-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-164-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-166-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-168-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-170-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-172-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-156-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3944-176-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-178-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-180-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-182-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-157-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3944-186-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-188-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/3944-155-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3944-154-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/4664-193-0x0000000000EB0000-0x0000000000EDA000-memory.dmp

Filesize
168KB

Download
memory/4664-194-0x0000000006050000-0x0000000006668000-memory.dmp

Filesize
6.1MB

Download
memory/4664-195-0x0000000005BD0000-0x0000000005CDA000-memory.dmp

Filesize
1.0MB

Download
memory/4664-196-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/4664-197-0x0000000005B60000-0x0000000005B9C000-memory.dmp

Filesize
240KB

Download
memory/4664-198-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/4664-199-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/4664-200-0x0000000005F20000-0x0000000005FB2000-memory.dmp

Filesize
584KB

Download
memory/4664-201-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4664-202-0x0000000006970000-0x00000000069E6000-memory.dmp

Filesize
472KB

Download
memory/4664-203-0x00000000068F0000-0x0000000006940000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads