redline | 5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357

General

Target

5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe
Size

1.0MB
MD5

0d377fbb2337981b2c37c95d1c3b2425
SHA1

02be4e78432008d78f12e6dcac9bcc7f42e75fcd
SHA256

5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357
SHA512

7ebc829c23238c5463b3076cf5200b4951f96ef93470be5374448bb70533b5edd57665d5840716461940d287df62a5dfcb093285b3b93e8dcef0502fc8dbec0a
SSDEEP

24576:Vy3+L24eumAX/2XJmL1IHj6m4v7mOIUq4pBi:w27OAv2AeHj6x73

Score

10^/10

redline leren evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

leren

C2

77.91.68.253:19065

Attributes

auth_value
4002956b5a03c59e4252363b86bc7713

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o6690939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6690939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6690939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6690939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6690939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6690939.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4400	z9448370.exe
3488	z9824207.exe
808	o6690939.exe
3788	p2586295.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6690939.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6690939.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9448370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9448370.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9824207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9824207.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
808	o6690939.exe
808	o6690939.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	o6690939.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4400	5052	5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe	83
PID 5052 wrote to memory of 4400	5052	5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe	83
PID 5052 wrote to memory of 4400	5052	5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe	83
PID 4400 wrote to memory of 3488	4400	z9448370.exe	84
PID 4400 wrote to memory of 3488	4400	z9448370.exe	84
PID 4400 wrote to memory of 3488	4400	z9448370.exe	84
PID 3488 wrote to memory of 808	3488	z9824207.exe	85
PID 3488 wrote to memory of 808	3488	z9824207.exe	85
PID 3488 wrote to memory of 808	3488	z9824207.exe	85
PID 3488 wrote to memory of 3788	3488	z9824207.exe	89
PID 3488 wrote to memory of 3788	3488	z9824207.exe	89
PID 3488 wrote to memory of 3788	3488	z9824207.exe	89

C:\Users\Admin\AppData\Local\Temp\5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe
"C:\Users\Admin\AppData\Local\Temp\5ef8d1fe5769b291211518bc7b41f33642d73f5766cd267f89a550579ee97357.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9448370.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9448370.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9824207.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9824207.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6690939.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6690939.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2586295.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2586295.exe
      4⤵
      Executes dropped EXE
      PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9448370.exe

Filesize
584KB

MD5
bca6da20b6921c38c1ff831f30211107

SHA1
ae0cb74da6731622ba76329a66f8e10ad248db50

SHA256
15d57ec943b779c2f5bafe78609cc655959d5a973f83cef5c6785836c29629f0

SHA512
60b565bf8fedfc98ab478fcb657643d8b922e1b11161ac346b098d252844cd16a75cd9337141955ccfd3de88141ac068dd4f30e97e3acfbb74c02bf53dbc1925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9448370.exe

Filesize
584KB

MD5
bca6da20b6921c38c1ff831f30211107

SHA1
ae0cb74da6731622ba76329a66f8e10ad248db50

SHA256
15d57ec943b779c2f5bafe78609cc655959d5a973f83cef5c6785836c29629f0

SHA512
60b565bf8fedfc98ab478fcb657643d8b922e1b11161ac346b098d252844cd16a75cd9337141955ccfd3de88141ac068dd4f30e97e3acfbb74c02bf53dbc1925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9824207.exe

Filesize
305KB

MD5
54c1c9a443d40db2087ef4121cb3fb8b

SHA1
df6f5a9f43e1db93cdb364aeb9eb23616b6e6ee0

SHA256
0000857c49f5a1e3f167f006b1c4ff347f3d6a9ac0cc75c5d1402058776f675b

SHA512
0534d8528f0615c9d9f5abcd2068691fe0bb020407592e74c7c3cc6767091eadb6d11e0c19b3d52c1568837aaf12f0f02e7d6c606099e413439b43e0bf70ed36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9824207.exe

Filesize
305KB

MD5
54c1c9a443d40db2087ef4121cb3fb8b

SHA1
df6f5a9f43e1db93cdb364aeb9eb23616b6e6ee0

SHA256
0000857c49f5a1e3f167f006b1c4ff347f3d6a9ac0cc75c5d1402058776f675b

SHA512
0534d8528f0615c9d9f5abcd2068691fe0bb020407592e74c7c3cc6767091eadb6d11e0c19b3d52c1568837aaf12f0f02e7d6c606099e413439b43e0bf70ed36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6690939.exe

Filesize
184KB

MD5
afc5349b1501dac3a8391829a09a3735

SHA1
91a852346753ee6c46edb7a99c1356ac26a71dfd

SHA256
3812ed8606e7c831c2eee9fd35980a91b88ecfff153a27104d723ee3d125ed56

SHA512
fb897d06e7b837997825130c6316ad540d6107004e2767be532997d8461db0cbba76b09190764d14be9cbc31fec6989aef18a6f39d3f61c56239ca4c95f99f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6690939.exe

Filesize
184KB

MD5
afc5349b1501dac3a8391829a09a3735

SHA1
91a852346753ee6c46edb7a99c1356ac26a71dfd

SHA256
3812ed8606e7c831c2eee9fd35980a91b88ecfff153a27104d723ee3d125ed56

SHA512
fb897d06e7b837997825130c6316ad540d6107004e2767be532997d8461db0cbba76b09190764d14be9cbc31fec6989aef18a6f39d3f61c56239ca4c95f99f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2586295.exe

Filesize
145KB

MD5
793b4bc6e290a981e0bb3aed2765763a

SHA1
3c89bc8f13498c5a76f99bfaae4a68753d0e4e1f

SHA256
f9957c7f38ac039b305a7146bd3715577ec2e23d884403f4ae7a928e436ea388

SHA512
fd481f25cddb1975f01f94641020f6cbdb70df1bf774e012adedb7d7fba78fd3efc915028b4fa74aa8a3c85fa012d27dab5dfd8035f420c9d685e6c04375b32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2586295.exe

Filesize
145KB

MD5
793b4bc6e290a981e0bb3aed2765763a

SHA1
3c89bc8f13498c5a76f99bfaae4a68753d0e4e1f

SHA256
f9957c7f38ac039b305a7146bd3715577ec2e23d884403f4ae7a928e436ea388

SHA512
fd481f25cddb1975f01f94641020f6cbdb70df1bf774e012adedb7d7fba78fd3efc915028b4fa74aa8a3c85fa012d27dab5dfd8035f420c9d685e6c04375b32c

Download Submit
memory/808-170-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-176-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-158-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-160-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-162-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-164-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-166-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-168-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-156-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/808-172-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-174-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-157-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-178-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-180-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-182-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-184-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/808-185-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/808-186-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/808-187-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/808-155-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/808-154-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/3788-192-0x0000000000D70000-0x0000000000D9A000-memory.dmp

Filesize
168KB

Download
memory/3788-193-0x0000000005CB0000-0x00000000062C8000-memory.dmp

Filesize
6.1MB

Download
memory/3788-194-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads