redline | e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde

General

Target

e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe
Size

1.1MB
MD5

3c64bdc89c6fc41944c044efbaa328cb
SHA1

2fc9de34aa414bdcd3aae0cb249dc0f10b275c7b
SHA256

e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde
SHA512

43c4753e00bcb986fdedbbf17391f50ee4d463637d5dac843cadd34ecd86ec71c2a5cdd8dc9c548a989e9e133a6e05015da927b93d60da7deafe8c5f1749b7b1
SSDEEP

24576:Hy62vOnIuDzH3DFiFGGj2/Rn2rFBfGNliiQsUfmEZSQW:S94HhoGv/x2rFBfGNl7QsUfmeP

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o9688035.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9688035.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9688035.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9688035.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9688035.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9688035.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z2925823.exez6771900.exeo9688035.exep9013248.exe

pid process

3776 z2925823.exe
3572 z6771900.exe
4120 o9688035.exe
2228 p9013248.exe

pid	process
3776	z2925823.exe
3572	z6771900.exe
4120	o9688035.exe
2228	p9013248.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o9688035.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o9688035.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9688035.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exez2925823.exez6771900.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2925823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2925823.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6771900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6771900.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2760 2228 WerFault.exe p9013248.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o9688035.exe

pid process

4120 o9688035.exe
4120 o9688035.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o9688035.exe

description pid process

Token: SeDebugPrivilege 4120 o9688035.exe

pid	pid_target	process	target process
2760	2228	WerFault.exe	p9013248.exe

pid	process
4120	o9688035.exe
4120	o9688035.exe

description	pid	process
Token: SeDebugPrivilege	4120	o9688035.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exez2925823.exez6771900.exe

description	pid	process	target process
PID 3044 wrote to memory of 3776	3044	e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe	z2925823.exe
PID 3044 wrote to memory of 3776	3044	e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe	z2925823.exe
PID 3044 wrote to memory of 3776	3044	e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe	z2925823.exe
PID 3776 wrote to memory of 3572	3776	z2925823.exe	z6771900.exe
PID 3776 wrote to memory of 3572	3776	z2925823.exe	z6771900.exe
PID 3776 wrote to memory of 3572	3776	z2925823.exe	z6771900.exe
PID 3572 wrote to memory of 4120	3572	z6771900.exe	o9688035.exe
PID 3572 wrote to memory of 4120	3572	z6771900.exe	o9688035.exe
PID 3572 wrote to memory of 4120	3572	z6771900.exe	o9688035.exe
PID 3572 wrote to memory of 2228	3572	z6771900.exe	p9013248.exe
PID 3572 wrote to memory of 2228	3572	z6771900.exe	p9013248.exe
PID 3572 wrote to memory of 2228	3572	z6771900.exe	p9013248.exe

C:\Users\Admin\AppData\Local\Temp\e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe
"C:\Users\Admin\AppData\Local\Temp\e17dd3190fc9cd9e9cc2a1d80f1479d062b60ba2b2b9cb2a8877019133fc2cde.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2925823.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2925823.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6771900.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6771900.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9688035.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9688035.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9013248.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9013248.exe
4⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 948
5⤵
- Program crash
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2925823.exe
Filesize
702KB

MD5
93432b03c94026c6c56780bad7b9cc67

SHA1
e216548b46a72249c06caa1404caf75e016a4d28

SHA256
13793f4486e2d7dc5486ff9d498506382b7701931a92c2c4e0313c18d80827ea

SHA512
2b526500977905c82e2503637eeaee957b28082f8d0737eb41d59d4861a277fdb8df5a9d67b48efcdb5e2a29782beeadbefa0046431c2e7bda61fcdd5133ad97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2925823.exe
Filesize
702KB

MD5
93432b03c94026c6c56780bad7b9cc67

SHA1
e216548b46a72249c06caa1404caf75e016a4d28

SHA256
13793f4486e2d7dc5486ff9d498506382b7701931a92c2c4e0313c18d80827ea

SHA512
2b526500977905c82e2503637eeaee957b28082f8d0737eb41d59d4861a277fdb8df5a9d67b48efcdb5e2a29782beeadbefa0046431c2e7bda61fcdd5133ad97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6771900.exe
Filesize
305KB

MD5
53468cb18dd6155f1298d36b23e5470c

SHA1
419a277a7428056340cc574b25531e1c7e236cad

SHA256
cd3856d8ae78f871cea24588eac48ebfa34f5fdf9e349b3ca8e5813f6bb22f3c

SHA512
402668e3bee0f6619a7d6831a456240be184bebe9511940ee73e70fe4abf9b009b25198733042d7cbb47a363d67a923c5800de938dbca8afc36c33ba2ef12403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6771900.exe
Filesize
305KB

MD5
53468cb18dd6155f1298d36b23e5470c

SHA1
419a277a7428056340cc574b25531e1c7e236cad

SHA256
cd3856d8ae78f871cea24588eac48ebfa34f5fdf9e349b3ca8e5813f6bb22f3c

SHA512
402668e3bee0f6619a7d6831a456240be184bebe9511940ee73e70fe4abf9b009b25198733042d7cbb47a363d67a923c5800de938dbca8afc36c33ba2ef12403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9688035.exe
Filesize
184KB

MD5
24bd7f0cbe9d0ce7fc4bd5439ebf50ce

SHA1
e8948cf392582b6c33c926846659ca7bb2156667

SHA256
9b836d01f69cada30704ef13c08a5c510fdd970156dd12079739ff20848f11a3

SHA512
8217cdabcb2a7452ed25baa058e009ad6968049864a6015d581c003507876e5d3b62f64fd67893c57578d5ea69a2a8b85a390bd245de2927deb8fdca05f430c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9688035.exe
Filesize
184KB

MD5
24bd7f0cbe9d0ce7fc4bd5439ebf50ce

SHA1
e8948cf392582b6c33c926846659ca7bb2156667

SHA256
9b836d01f69cada30704ef13c08a5c510fdd970156dd12079739ff20848f11a3

SHA512
8217cdabcb2a7452ed25baa058e009ad6968049864a6015d581c003507876e5d3b62f64fd67893c57578d5ea69a2a8b85a390bd245de2927deb8fdca05f430c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9013248.exe
Filesize
145KB

MD5
0875fe55ab9dba72676e3bff64aea7e1

SHA1
59d0de0488b5526de2742a079faa0c0da466df6d

SHA256
57f240f66734bff6d714c9a3408e59d61d0ca04e62a39b0abfdfe3f45207eaa5

SHA512
de8b7418db63339ba12ef3f45cf30b35624f2901cfd356ff5a1fdca5a7c1e4ced4196cae1364c35ce8eff05592c4bee4814ec5e5e8b6fa2b1a765b13e3c6b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9013248.exe
Filesize
145KB

MD5
0875fe55ab9dba72676e3bff64aea7e1

SHA1
59d0de0488b5526de2742a079faa0c0da466df6d

SHA256
57f240f66734bff6d714c9a3408e59d61d0ca04e62a39b0abfdfe3f45207eaa5

SHA512
de8b7418db63339ba12ef3f45cf30b35624f2901cfd356ff5a1fdca5a7c1e4ced4196cae1364c35ce8eff05592c4bee4814ec5e5e8b6fa2b1a765b13e3c6b8af

Download Submit
memory/2228-181-0x0000000000F60000-0x0000000000F8A000-memory.dmp

Filesize
168KB

Download
memory/4120-152-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-164-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-147-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-148-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-150-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-145-0x0000000004A90000-0x0000000004F8E000-memory.dmp

Filesize
5.0MB

Download
memory/4120-154-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-156-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-158-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-160-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-162-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-146-0x00000000023D0000-0x00000000023EC000-memory.dmp

Filesize
112KB

Download
memory/4120-166-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-168-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-170-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-172-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-174-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/4120-175-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4120-176-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4120-144-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4120-143-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4120-142-0x00000000006C0000-0x00000000006DE000-memory.dmp

Filesize
120KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads