redline | aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b

General

Target

aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe
Size

1.1MB
MD5

b5c9a17743bfc5850eea486c3ab13c0a
SHA1

f4dd884767f77d4f3a878279f0f2cef16bce2e1b
SHA256

aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b
SHA512

0da286863245e79ddfd2ab5dc0462f518b4da09f15e304323625857a31a88435498c168589687ae2c01919db8089035e2ba4e704e5282aef71fa68e26131aa93
SSDEEP

24576:6yGdG/d2CUV4pXpFazsQKsV93cev/RMbQrYGW3ysi7Lgc3:B1MCUeXyZ53/RMaA0gc

Score

10^/10

redline linda evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

linda

C2

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o9771555.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9771555.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9771555.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9771555.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9771555.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9771555.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z1546092.exez7754699.exeo9771555.exep0138934.exe

pid process

3888 z1546092.exe
3632 z7754699.exe
4184 o9771555.exe
3252 p0138934.exe

pid	process
3888	z1546092.exe
3632	z7754699.exe
4184	o9771555.exe
3252	p0138934.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o9771555.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o9771555.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9771555.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exez1546092.exez7754699.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1546092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1546092.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7754699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7754699.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4744 3252 WerFault.exe p0138934.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o9771555.exe

pid process

4184 o9771555.exe
4184 o9771555.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o9771555.exe

description pid process

Token: SeDebugPrivilege 4184 o9771555.exe

pid	pid_target	process	target process
4744	3252	WerFault.exe	p0138934.exe

pid	process
4184	o9771555.exe
4184	o9771555.exe

description	pid	process
Token: SeDebugPrivilege	4184	o9771555.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exez1546092.exez7754699.exe

description	pid	process	target process
PID 2040 wrote to memory of 3888	2040	aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe	z1546092.exe
PID 2040 wrote to memory of 3888	2040	aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe	z1546092.exe
PID 2040 wrote to memory of 3888	2040	aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe	z1546092.exe
PID 3888 wrote to memory of 3632	3888	z1546092.exe	z7754699.exe
PID 3888 wrote to memory of 3632	3888	z1546092.exe	z7754699.exe
PID 3888 wrote to memory of 3632	3888	z1546092.exe	z7754699.exe
PID 3632 wrote to memory of 4184	3632	z7754699.exe	o9771555.exe
PID 3632 wrote to memory of 4184	3632	z7754699.exe	o9771555.exe
PID 3632 wrote to memory of 4184	3632	z7754699.exe	o9771555.exe
PID 3632 wrote to memory of 3252	3632	z7754699.exe	p0138934.exe
PID 3632 wrote to memory of 3252	3632	z7754699.exe	p0138934.exe
PID 3632 wrote to memory of 3252	3632	z7754699.exe	p0138934.exe

C:\Users\Admin\AppData\Local\Temp\aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe
"C:\Users\Admin\AppData\Local\Temp\aa237d3a712b090bb3eee03ad50c2593b625f9c0b4555f5b12e615d1701e693b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1546092.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1546092.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7754699.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7754699.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9771555.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9771555.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0138934.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0138934.exe
4⤵
- Executes dropped EXE
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 948
5⤵
- Program crash
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1546092.exe
Filesize
702KB

MD5
e9ce01aa158c50221b5e9af23d4a8c1f

SHA1
cb227ed1c63245af2e1fa7ff02a3cdd02974fdda

SHA256
207d2d980382da8fce3170a7777bd650dea849cda54c075c63289668230a30a0

SHA512
da94a4c93ab18dc1371b40a97f3d2b9b5eeec3e9d0a8437dcd086c31dfc58c70140cd4733fb877889b99b4e205ef0fcf304abd768113fc2e825bd70f491f8fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1546092.exe
Filesize
702KB

MD5
e9ce01aa158c50221b5e9af23d4a8c1f

SHA1
cb227ed1c63245af2e1fa7ff02a3cdd02974fdda

SHA256
207d2d980382da8fce3170a7777bd650dea849cda54c075c63289668230a30a0

SHA512
da94a4c93ab18dc1371b40a97f3d2b9b5eeec3e9d0a8437dcd086c31dfc58c70140cd4733fb877889b99b4e205ef0fcf304abd768113fc2e825bd70f491f8fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7754699.exe
Filesize
305KB

MD5
24453af561fd2f98adfcb79c4dba0b8a

SHA1
564fc2dc1f28d7bbcb20fa82811135d00452a9dd

SHA256
7de9c58a618b6413ffdafbddc6b8a6c38e6b77ec87c650791aed15d5b49f4ef3

SHA512
b06b544d7e087fc1ce43820deab859600dcb95c5c929e0bdc4a475f67c43369842df55f0a4e60be8d63cfd171c13e5966c8e68f603c7d130f8a1e28bce98b307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7754699.exe
Filesize
305KB

MD5
24453af561fd2f98adfcb79c4dba0b8a

SHA1
564fc2dc1f28d7bbcb20fa82811135d00452a9dd

SHA256
7de9c58a618b6413ffdafbddc6b8a6c38e6b77ec87c650791aed15d5b49f4ef3

SHA512
b06b544d7e087fc1ce43820deab859600dcb95c5c929e0bdc4a475f67c43369842df55f0a4e60be8d63cfd171c13e5966c8e68f603c7d130f8a1e28bce98b307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9771555.exe
Filesize
184KB

MD5
570807f384ab510cc5afa71897aa4a53

SHA1
96035a9be2fde76a55d60561ad1352817045d99b

SHA256
8f09fdb37dafb01440a8ac0d8c8f65537083348666e65805d50af6b2c09c64c4

SHA512
e3d7cc2875b208d1a61ccfca7822cd6b7cf7ed71011b024d4958b12845b153b67d1d931cba38163ef3a0812371a751afa9501d3b8717d099bc46d85dacfe123e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9771555.exe
Filesize
184KB

MD5
570807f384ab510cc5afa71897aa4a53

SHA1
96035a9be2fde76a55d60561ad1352817045d99b

SHA256
8f09fdb37dafb01440a8ac0d8c8f65537083348666e65805d50af6b2c09c64c4

SHA512
e3d7cc2875b208d1a61ccfca7822cd6b7cf7ed71011b024d4958b12845b153b67d1d931cba38163ef3a0812371a751afa9501d3b8717d099bc46d85dacfe123e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0138934.exe
Filesize
145KB

MD5
99c9b54b329a4a4ec0acea9548a16953

SHA1
ffbc378b262fbfc23d99744f16e0e2d1aed62651

SHA256
0b6c62f2ec9ebe6f37edb6f6b091b4084923a2d58013a584e7fdeecc5549cd6c

SHA512
584dc427e0acee80678bbddaed7322449dd4f7d3362610af11f5e3335d7ecb16a61a12c037b41788bf9ac4e2cb14b915f0a5fcb91c81ca6a169fdd54c3413c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0138934.exe
Filesize
145KB

MD5
99c9b54b329a4a4ec0acea9548a16953

SHA1
ffbc378b262fbfc23d99744f16e0e2d1aed62651

SHA256
0b6c62f2ec9ebe6f37edb6f6b091b4084923a2d58013a584e7fdeecc5549cd6c

SHA512
584dc427e0acee80678bbddaed7322449dd4f7d3362610af11f5e3335d7ecb16a61a12c037b41788bf9ac4e2cb14b915f0a5fcb91c81ca6a169fdd54c3413c79

Download Submit
memory/3252-182-0x0000000000330000-0x000000000035A000-memory.dmp

Filesize
168KB

Download
memory/4184-156-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-164-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-147-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-148-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-150-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-152-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-154-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-145-0x0000000004920000-0x000000000493C000-memory.dmp

Filesize
112KB

Download
memory/4184-158-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-160-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-162-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-146-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4184-166-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-168-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-170-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-172-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-174-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/4184-175-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4184-176-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4184-177-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4184-144-0x0000000004980000-0x0000000004E7E000-memory.dmp

Filesize
5.0MB

Download
memory/4184-143-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4184-142-0x0000000004880000-0x000000000489E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads