redline | 1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a

General

Target

1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe
Size

1.1MB
MD5

dd5839e7b896ff9e33b78aa2a2ad7bb7
SHA1

3936cfe4d9b24e953bdf52cbc019e599461c58d1
SHA256

1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a
SHA512

b1e37131ca476dfab855287e6bb131a976a250fa2b1fa7bbe7014b94ab343da819e941c750e76603d3fc5cc7ad19decf71c6395e13a9d90cd0982ba2da69e504
SSDEEP

24576:GyjAqGysuaFEDRsFLo975HM1CcHxkaA/Xw4:V83uBQUdJNcHxklX

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0467106.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0467106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0467106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0467106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0467106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0467106.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z5081726.exez1522033.exeo0467106.exep9104594.exe

pid process

1440 z5081726.exe
1776 z1522033.exe
976 o0467106.exe
2576 p9104594.exe

pid	process
1440	z5081726.exe
1776	z1522033.exe
976	o0467106.exe
2576	p9104594.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0467106.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0467106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0467106.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exez5081726.exez1522033.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5081726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5081726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1522033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1522033.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4764 2576 WerFault.exe p9104594.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o0467106.exe

pid process

976 o0467106.exe
976 o0467106.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o0467106.exe

description pid process

Token: SeDebugPrivilege 976 o0467106.exe

pid	pid_target	process	target process
4764	2576	WerFault.exe	p9104594.exe

pid	process
976	o0467106.exe
976	o0467106.exe

description	pid	process
Token: SeDebugPrivilege	976	o0467106.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exez5081726.exez1522033.exe

description	pid	process	target process
PID 1228 wrote to memory of 1440	1228	1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe	z5081726.exe
PID 1228 wrote to memory of 1440	1228	1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe	z5081726.exe
PID 1228 wrote to memory of 1440	1228	1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe	z5081726.exe
PID 1440 wrote to memory of 1776	1440	z5081726.exe	z1522033.exe
PID 1440 wrote to memory of 1776	1440	z5081726.exe	z1522033.exe
PID 1440 wrote to memory of 1776	1440	z5081726.exe	z1522033.exe
PID 1776 wrote to memory of 976	1776	z1522033.exe	o0467106.exe
PID 1776 wrote to memory of 976	1776	z1522033.exe	o0467106.exe
PID 1776 wrote to memory of 976	1776	z1522033.exe	o0467106.exe
PID 1776 wrote to memory of 2576	1776	z1522033.exe	p9104594.exe
PID 1776 wrote to memory of 2576	1776	z1522033.exe	p9104594.exe
PID 1776 wrote to memory of 2576	1776	z1522033.exe	p9104594.exe

C:\Users\Admin\AppData\Local\Temp\1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe
"C:\Users\Admin\AppData\Local\Temp\1464329747969616965cdc7dab631bd1bde38e09d9fb0c55ce2b2dbee5a4420a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5081726.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5081726.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1522033.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1522033.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0467106.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0467106.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9104594.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9104594.exe
4⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 948
5⤵
- Program crash
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5081726.exe
Filesize
703KB

MD5
48904ba0a90046b2875f0f8e4b771513

SHA1
3086ebd5e8ed4ff0adfe836978139b2b70543700

SHA256
938648da8a052024ce5c57caf24938684335b30e281be80bb1634088bf6ab369

SHA512
c8c578dabe2366d4a3323ad6269ad227f3861e479a93bb07702b6aca3b2b8d302f27305aab3706a37e18c28dbe582d2761e6c323d448685f0db9e9230b7528db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5081726.exe
Filesize
703KB

MD5
48904ba0a90046b2875f0f8e4b771513

SHA1
3086ebd5e8ed4ff0adfe836978139b2b70543700

SHA256
938648da8a052024ce5c57caf24938684335b30e281be80bb1634088bf6ab369

SHA512
c8c578dabe2366d4a3323ad6269ad227f3861e479a93bb07702b6aca3b2b8d302f27305aab3706a37e18c28dbe582d2761e6c323d448685f0db9e9230b7528db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1522033.exe
Filesize
305KB

MD5
57b0d52fc190a561872311cbba4d55b1

SHA1
3188c666e662181b272004e8ed4169fe33221de4

SHA256
5cd3d5a10bd6b5e5c084c9dbc95eb2bd2958447b2bb37b589be78372e8d27408

SHA512
c20d41124ef3ad303b7a7131e58b3d2d6288007dc8adb23d7d06dfb3e5c206373a8d1588a61ce6f32879dd75cbaf1e60a64f0c40357d1f7cb4b57b1695683686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1522033.exe
Filesize
305KB

MD5
57b0d52fc190a561872311cbba4d55b1

SHA1
3188c666e662181b272004e8ed4169fe33221de4

SHA256
5cd3d5a10bd6b5e5c084c9dbc95eb2bd2958447b2bb37b589be78372e8d27408

SHA512
c20d41124ef3ad303b7a7131e58b3d2d6288007dc8adb23d7d06dfb3e5c206373a8d1588a61ce6f32879dd75cbaf1e60a64f0c40357d1f7cb4b57b1695683686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0467106.exe
Filesize
184KB

MD5
c7c000fe0473f99487903f126583f438

SHA1
403f38dfa776fefb1d259d8e19f552608fc17153

SHA256
e935f76623d3e1cca6bd0aa211271725db63405776fa05d7600251d2888650a1

SHA512
7bd80e2e2e25028877c3a487d4ec6d8d8e44f301421e0f2319edbd0cb64b8fe45672d77907df57b73cbdfe47a699b0b9d9f8383cb6170a6a5c596448ca5f358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0467106.exe
Filesize
184KB

MD5
c7c000fe0473f99487903f126583f438

SHA1
403f38dfa776fefb1d259d8e19f552608fc17153

SHA256
e935f76623d3e1cca6bd0aa211271725db63405776fa05d7600251d2888650a1

SHA512
7bd80e2e2e25028877c3a487d4ec6d8d8e44f301421e0f2319edbd0cb64b8fe45672d77907df57b73cbdfe47a699b0b9d9f8383cb6170a6a5c596448ca5f358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9104594.exe
Filesize
145KB

MD5
c404c72ef2c55aa68c05f9d6fce27f00

SHA1
c9d4a014847c3b9cfc61a375fb04a538e774b6b8

SHA256
55337bedce3d4f3b98e834c18174deeb02c9573fae6ac5f290f5459fa0ec27e3

SHA512
8f4a3d0e44e6721fccff7bd9fd5a41c64bcf7acd322a99380cedab82bfb0565c9e020fce491cd3279db3c4aed99b25b73824cc08f4689dca7e453e5ffb5e7a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9104594.exe
Filesize
145KB

MD5
c404c72ef2c55aa68c05f9d6fce27f00

SHA1
c9d4a014847c3b9cfc61a375fb04a538e774b6b8

SHA256
55337bedce3d4f3b98e834c18174deeb02c9573fae6ac5f290f5459fa0ec27e3

SHA512
8f4a3d0e44e6721fccff7bd9fd5a41c64bcf7acd322a99380cedab82bfb0565c9e020fce491cd3279db3c4aed99b25b73824cc08f4689dca7e453e5ffb5e7a75

Download Submit
memory/976-169-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-163-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-147-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/976-146-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/976-149-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-151-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-148-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-171-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-144-0x0000000004940000-0x000000000495C000-memory.dmp

Filesize
112KB

Download
memory/976-167-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-175-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-173-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-165-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-145-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/976-161-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-159-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-157-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-155-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-153-0x0000000004940000-0x0000000004956000-memory.dmp

Filesize
88KB

Download
memory/976-176-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/976-177-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/976-178-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/976-143-0x0000000004990000-0x0000000004E8E000-memory.dmp

Filesize
5.0MB

Download
memory/976-142-0x0000000002120000-0x000000000213E000-memory.dmp

Filesize
120KB

Download
memory/2576-183-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads