redline | bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852

General

Target

bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe
Size

1021KB
MD5

8c88e40112a76c238d9ba1a931b57aa3
SHA1

167fdfe7eae2084cf3a1feba2ecb8fa6e5783408
SHA256

bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852
SHA512

7f6756bc5a447b6eed9d9adbd3bfe257696df8f6975a436f0c8693302a966a5cca8adb2a30054d6cb8217589f60e2fa8a81a090e3904ec38e428e1e44edfbce1
SSDEEP

24576:RyF3lQqaExqrKiFxSqSR2tTfUS8D0x7A:EOK8sxrD0J

Score

10^/10

redline lols evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lols

C2

77.91.68.253:41783

Attributes

auth_value
07dccfc2986896754e6cde616a0a7868

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1402593.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1402593.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1402593.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1402593.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1402593.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4144	z3218397.exe
4140	z0525532.exe
5036	o1402593.exe
1408	p5412455.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1402593.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1402593.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3218397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3218397.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0525532.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0525532.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4064	1408	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	o1402593.exe
5036	o1402593.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	o1402593.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4144	3508	bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe	66
PID 3508 wrote to memory of 4144	3508	bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe	66
PID 3508 wrote to memory of 4144	3508	bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe	66
PID 4144 wrote to memory of 4140	4144	z3218397.exe	67
PID 4144 wrote to memory of 4140	4144	z3218397.exe	67
PID 4144 wrote to memory of 4140	4144	z3218397.exe	67
PID 4140 wrote to memory of 5036	4140	z0525532.exe	68
PID 4140 wrote to memory of 5036	4140	z0525532.exe	68
PID 4140 wrote to memory of 5036	4140	z0525532.exe	68
PID 4140 wrote to memory of 1408	4140	z0525532.exe	69
PID 4140 wrote to memory of 1408	4140	z0525532.exe	69
PID 4140 wrote to memory of 1408	4140	z0525532.exe	69

C:\Users\Admin\AppData\Local\Temp\bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe
"C:\Users\Admin\AppData\Local\Temp\bae351dd7dbdef72c256b17fd91ef2e1b5f578ed128b07fee1480f6618f79852.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3218397.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3218397.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0525532.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0525532.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1402593.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1402593.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5412455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5412455.exe
      4⤵
      Executes dropped EXE
      PID:1408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 948
        5⤵
        Program crash
        
        PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3218397.exe

Filesize
577KB

MD5
24f816aa19fc69d2ff82f977a04439b8

SHA1
45875befee3c65b7a5ee32e098a942903b3c87e9

SHA256
fd90491dc3817490eb613486d5a2dec11198577ef26b920c5cdc435e73e49c98

SHA512
ce22c75ec1fa14ea3aa3b9fd89bb7a22bac177efb6e91b39bba9959916bf869aa5d2272ab7cd13e27f99e0b1f0769d0a5ac440c28b0d50db59e702fee1d99cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3218397.exe

Filesize
577KB

MD5
24f816aa19fc69d2ff82f977a04439b8

SHA1
45875befee3c65b7a5ee32e098a942903b3c87e9

SHA256
fd90491dc3817490eb613486d5a2dec11198577ef26b920c5cdc435e73e49c98

SHA512
ce22c75ec1fa14ea3aa3b9fd89bb7a22bac177efb6e91b39bba9959916bf869aa5d2272ab7cd13e27f99e0b1f0769d0a5ac440c28b0d50db59e702fee1d99cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0525532.exe

Filesize
305KB

MD5
70a0140d515f057b788d14558b775f19

SHA1
77497bc42592786c8a1f6be937c5c413ff7577dc

SHA256
263d4e793d1c61a9b6602263b8c233e5563963df4aa379ef61de503689bd2d38

SHA512
798db50306260a9c7ba1485184f2237a2912bf006f6ea752c519783e1e3984fc5adeed39163a6271fbc034e6c428e1d3d9e7240ab5d5a05663d760274d03a87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0525532.exe

Filesize
305KB

MD5
70a0140d515f057b788d14558b775f19

SHA1
77497bc42592786c8a1f6be937c5c413ff7577dc

SHA256
263d4e793d1c61a9b6602263b8c233e5563963df4aa379ef61de503689bd2d38

SHA512
798db50306260a9c7ba1485184f2237a2912bf006f6ea752c519783e1e3984fc5adeed39163a6271fbc034e6c428e1d3d9e7240ab5d5a05663d760274d03a87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1402593.exe

Filesize
184KB

MD5
4c94e0df16c58143287479c74f3e54e7

SHA1
f93129b20ac587e95b91f611d4c58b3005b140a9

SHA256
c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

SHA512
72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1402593.exe

Filesize
184KB

MD5
4c94e0df16c58143287479c74f3e54e7

SHA1
f93129b20ac587e95b91f611d4c58b3005b140a9

SHA256
c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

SHA512
72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5412455.exe

Filesize
145KB

MD5
6633962990a012aad8ac3cc9d3b7ed8e

SHA1
f110187812482b500120d4c7be03c5d377f3532d

SHA256
d78edbeb1d5a18a5570de6e461b7400a748dd7dd6f7889387f688d564f5d0049

SHA512
c757735ec6b3ea5956dc011c8774e9caec1337aeab5010e49e7a100b40612c335857d963137fa0a5084a321586ef3b6d130af37dda9da8737b47faad02d7230c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5412455.exe

Filesize
145KB

MD5
6633962990a012aad8ac3cc9d3b7ed8e

SHA1
f110187812482b500120d4c7be03c5d377f3532d

SHA256
d78edbeb1d5a18a5570de6e461b7400a748dd7dd6f7889387f688d564f5d0049

SHA512
c757735ec6b3ea5956dc011c8774e9caec1337aeab5010e49e7a100b40612c335857d963137fa0a5084a321586ef3b6d130af37dda9da8737b47faad02d7230c

Download Submit
memory/1408-180-0x00000000006B0000-0x00000000006DA000-memory.dmp

Filesize
168KB

Download
memory/5036-152-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-160-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-144-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5036-145-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-146-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-148-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-150-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-142-0x00000000021B0000-0x00000000021CC000-memory.dmp

Filesize
112KB

Download
memory/5036-154-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-156-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-158-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-143-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5036-162-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-164-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-166-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-168-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-170-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-172-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/5036-173-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5036-174-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5036-175-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5036-141-0x0000000004AE0000-0x0000000004FDE000-memory.dmp

Filesize
5.0MB

Download
memory/5036-140-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/5036-139-0x0000000002110000-0x000000000212E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads