redline | 259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358

General

Target

259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe
Size

1.0MB
MD5

acc0494c47036396c97aaf4a27cd5f0c
SHA1

3aa03956c981d32a3e826678d41fdb0a265955ee
SHA256

259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358
SHA512

538b282e0b002f59280418e8ac6fb5271530742c063f388067c29217c55c3bb91ecc893a22da8004e7f42062846cf4a75e268c1b746b338b704fdf8030db0b12
SSDEEP

24576:Oy4RJy3H4O0mgiszZ7O6gBHmd7u077TGDOQVkTo3E5q:d4Je90jEBHOu0GD3VkTb5

Score

10^/10

redline dusor evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dusor

C2

185.161.248.25:4132

Attributes

auth_value
b81217cf5a516122d407aeaf79d22948

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4749057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4749057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4749057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4749057.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4749057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4749057.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1428	y8077980.exe
3720	y1918597.exe
3924	k4749057.exe
4968	l0443020.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4749057.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4749057.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8077980.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1918597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1918597.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8077980.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3924	k4749057.exe
3924	k4749057.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	k4749057.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1428	1304	259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe	71
PID 1304 wrote to memory of 1428	1304	259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe	71
PID 1304 wrote to memory of 1428	1304	259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe	71
PID 1428 wrote to memory of 3720	1428	y8077980.exe	83
PID 1428 wrote to memory of 3720	1428	y8077980.exe	83
PID 1428 wrote to memory of 3720	1428	y8077980.exe	83
PID 3720 wrote to memory of 3924	3720	y1918597.exe	85
PID 3720 wrote to memory of 3924	3720	y1918597.exe	85
PID 3720 wrote to memory of 3924	3720	y1918597.exe	85
PID 3720 wrote to memory of 4968	3720	y1918597.exe	86
PID 3720 wrote to memory of 4968	3720	y1918597.exe	86
PID 3720 wrote to memory of 4968	3720	y1918597.exe	86

C:\Users\Admin\AppData\Local\Temp\259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe
"C:\Users\Admin\AppData\Local\Temp\259c471444aefbfb49e6d2b84872fbde7e96d983478f0f6807840a2c2dc00358.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8077980.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8077980.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1918597.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1918597.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4749057.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4749057.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0443020.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0443020.exe
      4⤵
      Executes dropped EXE
      PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8077980.exe

Filesize
748KB

MD5
97c1af0cb4bc6f7332c5786eaeb77bd1

SHA1
2d65fdf4889f0886d7f30311888409c7f1960de1

SHA256
4b4d9fd7b93823292e5b6a3683b3b9b6bb5a925547a66f1e04f692287a126e79

SHA512
66f9bda98899f0b25f6b55bf4e2b88e564ce13176f3aa26fc13cbc30ed42f54d54c01bd43ff096fd7ac5d943cf789481a8bc8eaad6048d8922e2ee59e424bf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8077980.exe

Filesize
748KB

MD5
97c1af0cb4bc6f7332c5786eaeb77bd1

SHA1
2d65fdf4889f0886d7f30311888409c7f1960de1

SHA256
4b4d9fd7b93823292e5b6a3683b3b9b6bb5a925547a66f1e04f692287a126e79

SHA512
66f9bda98899f0b25f6b55bf4e2b88e564ce13176f3aa26fc13cbc30ed42f54d54c01bd43ff096fd7ac5d943cf789481a8bc8eaad6048d8922e2ee59e424bf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1918597.exe

Filesize
304KB

MD5
b01b515b2fbb8cfd8164cf3cdd145a8c

SHA1
730e8b3faef4d229dd046c0d331a585e3dab4b3d

SHA256
24b5da971ae128846c9c7dca617bc66527ca88031783ba5083377ce1a86fb521

SHA512
c0a708fe637453faddf1d0a0d36a0f12b95656d863eecd7cd9bacf1a69335cd90c0d90bf36e66f269b7858cb606a52ebdf730d2ef04dea4b035601d93973f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1918597.exe

Filesize
304KB

MD5
b01b515b2fbb8cfd8164cf3cdd145a8c

SHA1
730e8b3faef4d229dd046c0d331a585e3dab4b3d

SHA256
24b5da971ae128846c9c7dca617bc66527ca88031783ba5083377ce1a86fb521

SHA512
c0a708fe637453faddf1d0a0d36a0f12b95656d863eecd7cd9bacf1a69335cd90c0d90bf36e66f269b7858cb606a52ebdf730d2ef04dea4b035601d93973f639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4749057.exe

Filesize
184KB

MD5
bcca8bbba2840c1a00b0ba406d49939a

SHA1
a1fdb03609bc1d8aeb2eef4ec12eb6bdc14365a1

SHA256
178541b2de42cdffd48c8ce529588f7100474c2fc99c757fe463882cbc598dd6

SHA512
4f279f7ca54b32d70bdc91016a29ca4016092ea90cc3d8d175836d8dc7b27b28177a2f1ebdacc95f29d88c210d76a5dfbac15c0e314694650a974cf983d5173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4749057.exe

Filesize
184KB

MD5
bcca8bbba2840c1a00b0ba406d49939a

SHA1
a1fdb03609bc1d8aeb2eef4ec12eb6bdc14365a1

SHA256
178541b2de42cdffd48c8ce529588f7100474c2fc99c757fe463882cbc598dd6

SHA512
4f279f7ca54b32d70bdc91016a29ca4016092ea90cc3d8d175836d8dc7b27b28177a2f1ebdacc95f29d88c210d76a5dfbac15c0e314694650a974cf983d5173d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0443020.exe

Filesize
145KB

MD5
96830ff79b642eab47803d79ddf89c2b

SHA1
4afd7aaa893f7be8386cfa268b3a9aecde0dc602

SHA256
7bdf0cf09e23051b265e838f8b612157c92b20b811f21dd79d2e0f1929f17ff6

SHA512
6e8ea2370b83ab59098cefb7e1530d8e0398366dd8653906fdb89fdfce08074530f5afa53f2f113ea1f562d21264375a199bfa79a7e8fbf45ccc95886180d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0443020.exe

Filesize
145KB

MD5
96830ff79b642eab47803d79ddf89c2b

SHA1
4afd7aaa893f7be8386cfa268b3a9aecde0dc602

SHA256
7bdf0cf09e23051b265e838f8b612157c92b20b811f21dd79d2e0f1929f17ff6

SHA512
6e8ea2370b83ab59098cefb7e1530d8e0398366dd8653906fdb89fdfce08074530f5afa53f2f113ea1f562d21264375a199bfa79a7e8fbf45ccc95886180d763

Download Submit
memory/3924-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-158-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-159-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-161-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-163-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-165-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-169-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-171-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-157-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3924-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-185-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-155-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3924-167-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/3924-188-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3924-187-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3924-186-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3924-156-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download
memory/3924-154-0x0000000004920000-0x0000000004EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4968-193-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/4968-194-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/4968-195-0x0000000005390000-0x000000000549A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-196-0x00000000052C0000-0x00000000052D2000-memory.dmp

Filesize
72KB

Download
memory/4968-197-0x0000000005320000-0x000000000535C000-memory.dmp

Filesize
240KB

Download
memory/4968-198-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4968-199-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads