redline | 08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf

General

Target

08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe
Size

1.0MB
MD5

218e01b8394ec1c7811db1ad4632639d
SHA1

dc1b5e2efad19dcbe96174a66079b0e0d65cad07
SHA256

08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf
SHA512

9b46b40788be52aa88a05770868ba9a3715229f4eeff757e8181e89ae8ceb515593c9fb631e308c37643b3cbf4a7643fc852ea3f4e5e5d5eef56c08863727abb
SSDEEP

24576:+yAHYc0flqxDY9OzeuZptw95TQ1s423jO/H:NAHDyqxDYgvw95cK42i/

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0814642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0814642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0814642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0814642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0814642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0814642.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4608	y2512388.exe
4644	y3572853.exe
4000	k0814642.exe
732	l8881537.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0814642.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0814642.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2512388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2512388.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3572853.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3572853.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4000	k0814642.exe
4000	k0814642.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	k0814642.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4608	4120	08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe	84
PID 4120 wrote to memory of 4608	4120	08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe	84
PID 4120 wrote to memory of 4608	4120	08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe	84
PID 4608 wrote to memory of 4644	4608	y2512388.exe	85
PID 4608 wrote to memory of 4644	4608	y2512388.exe	85
PID 4608 wrote to memory of 4644	4608	y2512388.exe	85
PID 4644 wrote to memory of 4000	4644	y3572853.exe	86
PID 4644 wrote to memory of 4000	4644	y3572853.exe	86
PID 4644 wrote to memory of 4000	4644	y3572853.exe	86
PID 4644 wrote to memory of 732	4644	y3572853.exe	89
PID 4644 wrote to memory of 732	4644	y3572853.exe	89
PID 4644 wrote to memory of 732	4644	y3572853.exe	89

C:\Users\Admin\AppData\Local\Temp\08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe
"C:\Users\Admin\AppData\Local\Temp\08e8013d59b7a088c895eb01bc33161652ca4af4727ac81749175391bce98bcf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2512388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2512388.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3572853.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3572853.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0814642.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0814642.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8881537.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8881537.exe
      4⤵
      Executes dropped EXE
      PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2512388.exe

Filesize
750KB

MD5
d4fe9d8af984337b45ac193497c6d954

SHA1
f6d15ce8705b6966bcc6a454ebd181eb48781ae7

SHA256
b437fe5e599bd88a20f3e13d89195d5ccf04388c2b0f9e179d6bdaf4f6c299e1

SHA512
578cbb68b7751a8162a42652d46a3405512e9c8d310aa22107bb4da24cf08adfa018f06843b33e61bf6e212ec65c26b8c4f2b25c0ced26a2b3c0b67cc83e4e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2512388.exe

Filesize
750KB

MD5
d4fe9d8af984337b45ac193497c6d954

SHA1
f6d15ce8705b6966bcc6a454ebd181eb48781ae7

SHA256
b437fe5e599bd88a20f3e13d89195d5ccf04388c2b0f9e179d6bdaf4f6c299e1

SHA512
578cbb68b7751a8162a42652d46a3405512e9c8d310aa22107bb4da24cf08adfa018f06843b33e61bf6e212ec65c26b8c4f2b25c0ced26a2b3c0b67cc83e4e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3572853.exe

Filesize
305KB

MD5
9a004fa18dfb0c75f95dcdbf83136cf9

SHA1
2f3385dd62e47462f9a9b774bb54117b3f3e0271

SHA256
51491b11e647192e95c84131f97a0e055d9ee132bb6bd7e1afaa53279106f7d7

SHA512
a08a7f9b5d83265527f814d6ada9b8a66d786a6888b60b87a6dd78b5728a780960be39341a7eafa83e6fb8327179923c1ac387d18c3caa13e24bf9173c5800b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3572853.exe

Filesize
305KB

MD5
9a004fa18dfb0c75f95dcdbf83136cf9

SHA1
2f3385dd62e47462f9a9b774bb54117b3f3e0271

SHA256
51491b11e647192e95c84131f97a0e055d9ee132bb6bd7e1afaa53279106f7d7

SHA512
a08a7f9b5d83265527f814d6ada9b8a66d786a6888b60b87a6dd78b5728a780960be39341a7eafa83e6fb8327179923c1ac387d18c3caa13e24bf9173c5800b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0814642.exe

Filesize
185KB

MD5
792f50722eb1c9750ef76ef06fdc1166

SHA1
9d27bad7af145a57771e069443b0c53b6dd62b39

SHA256
36d16c05832231063806b4213865227c9d024bd49b3c787331c16d0df5236119

SHA512
e39b175e8128514e27257355ee41878bd5b1e1ea577ff66f7eea6d1515fdfea81f07d2b96398c2acb3629838b55f276cabf93b8433639487959606e2a22ae960

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0814642.exe

Filesize
185KB

MD5
792f50722eb1c9750ef76ef06fdc1166

SHA1
9d27bad7af145a57771e069443b0c53b6dd62b39

SHA256
36d16c05832231063806b4213865227c9d024bd49b3c787331c16d0df5236119

SHA512
e39b175e8128514e27257355ee41878bd5b1e1ea577ff66f7eea6d1515fdfea81f07d2b96398c2acb3629838b55f276cabf93b8433639487959606e2a22ae960

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8881537.exe

Filesize
145KB

MD5
3a5fee7ac85b821e30141f2b5fbe0397

SHA1
716154356cb1700e2288396429a46d87aaa146c1

SHA256
d8ccc986afbd16be64038d5f3e54fad50378f93546f3bce69fa86e274c179e17

SHA512
e8250599345d917f7144d435cc36b2db1dee3f310eab682a98a5b3298b9d60040549dc3c3f75ed636a22c7fab6589b31e89d17f269951d879d1466c448eb60a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8881537.exe

Filesize
145KB

MD5
3a5fee7ac85b821e30141f2b5fbe0397

SHA1
716154356cb1700e2288396429a46d87aaa146c1

SHA256
d8ccc986afbd16be64038d5f3e54fad50378f93546f3bce69fa86e274c179e17

SHA512
e8250599345d917f7144d435cc36b2db1dee3f310eab682a98a5b3298b9d60040549dc3c3f75ed636a22c7fab6589b31e89d17f269951d879d1466c448eb60a9

Download Submit
memory/732-198-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/732-197-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/732-196-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/732-195-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/732-194-0x0000000005500000-0x000000000560A000-memory.dmp

Filesize
1.0MB

Download
memory/732-193-0x0000000005980000-0x0000000005F98000-memory.dmp

Filesize
6.1MB

Download
memory/732-192-0x0000000000A60000-0x0000000000A8A000-memory.dmp

Filesize
168KB

Download
memory/4000-157-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-187-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/4000-172-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-174-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-180-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-182-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-178-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-176-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-184-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-185-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/4000-186-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/4000-170-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-168-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-166-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-164-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-162-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-160-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-158-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4000-156-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/4000-155-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/4000-154-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads