redline | 098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38

General

Target

098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe
Size

1.1MB
MD5

386c4ae4f55e0610aeffc8870d113266
SHA1

805996346c3d8601eee22ca759d55cb1ce02df36
SHA256

098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38
SHA512

7cfb15dd9a48f477da7280317351ecb3e8434a7be0801dbdd50c8305dd503a066b0484692a7fec596d6c90bf3b7c42bb318e220781fecd5869b0d424f2aa2f0b
SSDEEP

24576:+yt5ib8exPSPc6g2xdYfOQuu15v8V0tnMztRULTlbW:N68eQ06jDY2QPHv8etnq4tb

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o4065132.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4065132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4065132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4065132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4065132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4065132.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z7333835.exez6378324.exeo4065132.exep1317043.exe

pid process

4036 z7333835.exe
3148 z6378324.exe
4268 o4065132.exe
2548 p1317043.exe

pid	process
4036	z7333835.exe
3148	z6378324.exe
4268	o4065132.exe
2548	p1317043.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o4065132.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4065132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4065132.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exez7333835.exez6378324.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7333835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7333835.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6378324.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6378324.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4964 2548 WerFault.exe p1317043.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o4065132.exe

pid process

4268 o4065132.exe
4268 o4065132.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o4065132.exe

description pid process

Token: SeDebugPrivilege 4268 o4065132.exe

pid	pid_target	process	target process
4964	2548	WerFault.exe	p1317043.exe

pid	process
4268	o4065132.exe
4268	o4065132.exe

description	pid	process
Token: SeDebugPrivilege	4268	o4065132.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exez7333835.exez6378324.exe

description	pid	process	target process
PID 4116 wrote to memory of 4036	4116	098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe	z7333835.exe
PID 4116 wrote to memory of 4036	4116	098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe	z7333835.exe
PID 4116 wrote to memory of 4036	4116	098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe	z7333835.exe
PID 4036 wrote to memory of 3148	4036	z7333835.exe	z6378324.exe
PID 4036 wrote to memory of 3148	4036	z7333835.exe	z6378324.exe
PID 4036 wrote to memory of 3148	4036	z7333835.exe	z6378324.exe
PID 3148 wrote to memory of 4268	3148	z6378324.exe	o4065132.exe
PID 3148 wrote to memory of 4268	3148	z6378324.exe	o4065132.exe
PID 3148 wrote to memory of 4268	3148	z6378324.exe	o4065132.exe
PID 3148 wrote to memory of 2548	3148	z6378324.exe	p1317043.exe
PID 3148 wrote to memory of 2548	3148	z6378324.exe	p1317043.exe
PID 3148 wrote to memory of 2548	3148	z6378324.exe	p1317043.exe

C:\Users\Admin\AppData\Local\Temp\098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe
"C:\Users\Admin\AppData\Local\Temp\098e2047457a27b0e3ea12cc1e03ae11c371411b4964f4b735fe4fd4c5433e38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7333835.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7333835.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6378324.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6378324.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4065132.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4065132.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1317043.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1317043.exe
4⤵
- Executes dropped EXE
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 948
5⤵
- Program crash
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7333835.exe
Filesize
702KB

MD5
98168898e3162590f5ded3f066aace79

SHA1
6ccc441fbf0fc82db800764b4c0a2dc8642d49c7

SHA256
76ffd7951587b8b9c7a8cd82a78103c6f07f1cd73147b02428f6f6b0d70a4548

SHA512
0bc43dff691e3ad746f01b4bdf526f270f962e1835b61ed0e327cbeabd51bfb1c974059d54b6bbafb5ac37e2888472b47326158c574b2c575e3d6c7a074752d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7333835.exe
Filesize
702KB

MD5
98168898e3162590f5ded3f066aace79

SHA1
6ccc441fbf0fc82db800764b4c0a2dc8642d49c7

SHA256
76ffd7951587b8b9c7a8cd82a78103c6f07f1cd73147b02428f6f6b0d70a4548

SHA512
0bc43dff691e3ad746f01b4bdf526f270f962e1835b61ed0e327cbeabd51bfb1c974059d54b6bbafb5ac37e2888472b47326158c574b2c575e3d6c7a074752d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6378324.exe
Filesize
305KB

MD5
19d4e82f62db1c273d95172fc0d10692

SHA1
e03414ab6e64436225eac4157e7ee40948f38b4f

SHA256
7b0eb00354ed1de7157ae7f133431c12126a6b3e62533021c0ba12c544c2250f

SHA512
30440ee1867740821fe7811e2d4d24acb6d4277643237f725cd173fdd7d2b00af8646bdc56b9ea7a5f4036898a7a46b546d04150f70717a8a685ab41573a5c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6378324.exe
Filesize
305KB

MD5
19d4e82f62db1c273d95172fc0d10692

SHA1
e03414ab6e64436225eac4157e7ee40948f38b4f

SHA256
7b0eb00354ed1de7157ae7f133431c12126a6b3e62533021c0ba12c544c2250f

SHA512
30440ee1867740821fe7811e2d4d24acb6d4277643237f725cd173fdd7d2b00af8646bdc56b9ea7a5f4036898a7a46b546d04150f70717a8a685ab41573a5c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4065132.exe
Filesize
184KB

MD5
3719c71ce4a7eaee5ea50d2c1bec9f98

SHA1
318ddaf250a65a1ea6a899d4e75345b043b5f61a

SHA256
74c089c1f30c3118b75035e87251c52ffd510cca38fb99556da5d17184a5e2f0

SHA512
04b738ea7a500bfe15c35375c38db446f4e0f6c8efd12c73c119a235c520443d083120371f248c1471f3a2c6015121ee319a330aed36bb0255da5b39592c6755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4065132.exe
Filesize
184KB

MD5
3719c71ce4a7eaee5ea50d2c1bec9f98

SHA1
318ddaf250a65a1ea6a899d4e75345b043b5f61a

SHA256
74c089c1f30c3118b75035e87251c52ffd510cca38fb99556da5d17184a5e2f0

SHA512
04b738ea7a500bfe15c35375c38db446f4e0f6c8efd12c73c119a235c520443d083120371f248c1471f3a2c6015121ee319a330aed36bb0255da5b39592c6755

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1317043.exe
Filesize
145KB

MD5
75cc82f81069c4ecc4516eceaf3cf73b

SHA1
a568f71d12286ec2d63035514099ba87b0034afa

SHA256
46be97192e27bc7128079e3a174bfb1a5d341b3651eedd1c0ea06063a7775a7d

SHA512
c8b4a5e0e6cc1b246d3b50deea6d8cea0230eedcb055108ead9d7c3198ac1c6d1c9ecb74b09173e52d59df1fb1e32650d8e7fb6110ba8f28664f9f73dda24530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1317043.exe
Filesize
145KB

MD5
75cc82f81069c4ecc4516eceaf3cf73b

SHA1
a568f71d12286ec2d63035514099ba87b0034afa

SHA256
46be97192e27bc7128079e3a174bfb1a5d341b3651eedd1c0ea06063a7775a7d

SHA512
c8b4a5e0e6cc1b246d3b50deea6d8cea0230eedcb055108ead9d7c3198ac1c6d1c9ecb74b09173e52d59df1fb1e32650d8e7fb6110ba8f28664f9f73dda24530

Download Submit
memory/2548-182-0x0000000000DE0000-0x0000000000E0A000-memory.dmp

Filesize
168KB

Download
memory/4268-154-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-162-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-144-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4268-147-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-148-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-150-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-152-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-145-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4268-156-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-158-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-160-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-146-0x0000000002220000-0x000000000223C000-memory.dmp

Filesize
112KB

Download
memory/4268-164-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-166-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-168-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-170-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-172-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-174-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/4268-175-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4268-176-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4268-177-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4268-143-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/4268-142-0x0000000004970000-0x0000000004E6E000-memory.dmp

Filesize
5.0MB

Download
memory/4268-141-0x0000000000640000-0x000000000065E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads