redline | 2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09

General

Target

2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe
Size

1.0MB
MD5

6912f6e3411d4d8d37a7ff8e4a00dca7
SHA1

21a4ea7ca488a7d9ea80ea26b4c7fd6798d70923
SHA256

2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09
SHA512

3fb5cc54fb36e945e9e70aa7acb33e221d70616e481a48715ec599e3a0312572f93198272a33639e299c1ae4dc623d5bf6a7f63f9db760aedb11e991151ddecf
SSDEEP

24576:Vyo/llUXckx4mAiz8WzQHxDEGGWq36DjiCwJVkGhRsniWN:wot2XfzzfzQRDjGN3w+D30iW

Score

10^/10

redline deren evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

deren

C2

77.91.68.253:19065

Attributes

auth_value
04a169f1fb198bfbeca74d0e06ea2d54

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7149713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7149713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7149713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7149713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7149713.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3512	y7532683.exe
1728	y0514715.exe
3972	k7149713.exe
4848	l7941373.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7149713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7149713.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7532683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7532683.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0514715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0514715.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	k7149713.exe
3972	k7149713.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	k7149713.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3512	4024	2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe	66
PID 4024 wrote to memory of 3512	4024	2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe	66
PID 4024 wrote to memory of 3512	4024	2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe	66
PID 3512 wrote to memory of 1728	3512	y7532683.exe	67
PID 3512 wrote to memory of 1728	3512	y7532683.exe	67
PID 3512 wrote to memory of 1728	3512	y7532683.exe	67
PID 1728 wrote to memory of 3972	1728	y0514715.exe	68
PID 1728 wrote to memory of 3972	1728	y0514715.exe	68
PID 1728 wrote to memory of 3972	1728	y0514715.exe	68
PID 1728 wrote to memory of 4848	1728	y0514715.exe	69
PID 1728 wrote to memory of 4848	1728	y0514715.exe	69
PID 1728 wrote to memory of 4848	1728	y0514715.exe	69

C:\Users\Admin\AppData\Local\Temp\2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe
"C:\Users\Admin\AppData\Local\Temp\2d668fa3bab421509eb905e47d73becc27f4e8aa1c71bf04141f5d4378b9dc09.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7532683.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7532683.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0514715.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0514715.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149713.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149713.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7941373.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7941373.exe
      4⤵
      Executes dropped EXE
      PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7532683.exe

Filesize
750KB

MD5
35edd784c152370dcd5d88a4c77c6903

SHA1
7a002caaaec9406e3f4eda0d425d4cdf6016b833

SHA256
3d466bb7de01ec2e01911c396bd974fe323c84be4a4248b8327edfe98c27d5ac

SHA512
230673cb2a2cf98d72ea60ec1ccdfdd8dda721bb666da8cd400699f9f11783c4f94cbb9b19a09f5822130eb4d24cc9889c6e70281bdd361e2ac697ef4138704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7532683.exe

Filesize
750KB

MD5
35edd784c152370dcd5d88a4c77c6903

SHA1
7a002caaaec9406e3f4eda0d425d4cdf6016b833

SHA256
3d466bb7de01ec2e01911c396bd974fe323c84be4a4248b8327edfe98c27d5ac

SHA512
230673cb2a2cf98d72ea60ec1ccdfdd8dda721bb666da8cd400699f9f11783c4f94cbb9b19a09f5822130eb4d24cc9889c6e70281bdd361e2ac697ef4138704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0514715.exe

Filesize
305KB

MD5
5e29f039db2491fed9558d7fd212bdbe

SHA1
0905b1c22738532132c0273702d4de19dd8e40eb

SHA256
a4b2cbe952c39b68c77862c83c9790a69c6cbc6fa14f3defaaae15fa1b5fc440

SHA512
038677a7408c76d87e01feb0c28eebe92ca8d0fd17e4fd2b819acb48c0fede78e0301b475d6ea658f25b49d847248f70a77a20a2f45d4450b0d9b8814d25e0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0514715.exe

Filesize
305KB

MD5
5e29f039db2491fed9558d7fd212bdbe

SHA1
0905b1c22738532132c0273702d4de19dd8e40eb

SHA256
a4b2cbe952c39b68c77862c83c9790a69c6cbc6fa14f3defaaae15fa1b5fc440

SHA512
038677a7408c76d87e01feb0c28eebe92ca8d0fd17e4fd2b819acb48c0fede78e0301b475d6ea658f25b49d847248f70a77a20a2f45d4450b0d9b8814d25e0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149713.exe

Filesize
184KB

MD5
5f5492310df721cbc81caef0d6bfa1f4

SHA1
fab8b28d5897026078b89091da3772064ad5e5b2

SHA256
353f7ba174c02c8bb9221e5be6b789a38d82b853cef5d5b20ae41d36f7526dfd

SHA512
651dab42cfeeabc312b837d1749f70fec09e24c9b9789ae9b26603020583385d24781a5910352cd49561237d513bef98d317765356bd94aa3a1110441467502c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149713.exe

Filesize
184KB

MD5
5f5492310df721cbc81caef0d6bfa1f4

SHA1
fab8b28d5897026078b89091da3772064ad5e5b2

SHA256
353f7ba174c02c8bb9221e5be6b789a38d82b853cef5d5b20ae41d36f7526dfd

SHA512
651dab42cfeeabc312b837d1749f70fec09e24c9b9789ae9b26603020583385d24781a5910352cd49561237d513bef98d317765356bd94aa3a1110441467502c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7941373.exe

Filesize
145KB

MD5
64950490116961c202d06d99038f9cab

SHA1
6241229097679c734d8c9db9ac55b0568a75a84d

SHA256
cc545c477837f2f7ca7f35ca55d89d67a469c75344eb30c633cf139d00209b7f

SHA512
c65ed23ff2dd01c3a52e6bfbf4793fb24cfaa899c995551e4b13868386400bb1727c9c97d3a57c0d625b3a60b09e0b12b26896802d1e012d413ded0a90fc3da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7941373.exe

Filesize
145KB

MD5
64950490116961c202d06d99038f9cab

SHA1
6241229097679c734d8c9db9ac55b0568a75a84d

SHA256
cc545c477837f2f7ca7f35ca55d89d67a469c75344eb30c633cf139d00209b7f

SHA512
c65ed23ff2dd01c3a52e6bfbf4793fb24cfaa899c995551e4b13868386400bb1727c9c97d3a57c0d625b3a60b09e0b12b26896802d1e012d413ded0a90fc3da7

Download Submit
memory/3972-147-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3972-169-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-144-0x0000000004920000-0x000000000493C000-memory.dmp

Filesize
112KB

Download
memory/3972-146-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3972-148-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-149-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-155-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-153-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-157-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-151-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-159-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-161-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-163-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-165-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-167-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-145-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3972-171-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-173-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-175-0x0000000004920000-0x0000000004936000-memory.dmp

Filesize
88KB

Download
memory/3972-176-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3972-177-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3972-178-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3972-143-0x0000000004A30000-0x0000000004F2E000-memory.dmp

Filesize
5.0MB

Download
memory/3972-142-0x0000000002290000-0x00000000022AE000-memory.dmp

Filesize
120KB

Download
memory/4848-183-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/4848-184-0x00000000050F0000-0x00000000056F6000-memory.dmp

Filesize
6.0MB

Download
memory/4848-185-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/4848-186-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/4848-187-0x0000000004C20000-0x0000000004C5E000-memory.dmp

Filesize
248KB

Download
memory/4848-188-0x0000000004D90000-0x0000000004DDB000-memory.dmp

Filesize
300KB

Download
memory/4848-189-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4848-190-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads