redline | 457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8

General

Target

457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
Size

1.0MB
MD5

57e3240e91b855b16fc01b3a0e675d1c
SHA1

860c69daa332dc6e7c949ff7fadad26eac3c7303
SHA256

457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8
SHA512

606f9327fba60b0a2b7665ae9024e8043b766fb740d9afdc0f8dee4e3774ad81439158b5fd464ccda9017115969dcee7f5774ef81f48c6f9539a425c7d5054bc
SSDEEP

24576:ny3lHqJQ+g53DiBq/SCLACqywNv0m02rJM8QX6OJ5:y1H953DiBqRH+vl02r4X6

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8704938.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2356	y1900768.exe
2488	y9646688.exe
2816	k8704938.exe
4808	l2928420.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8704938.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8704938.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1900768.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9646688.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9646688.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1900768.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	k8704938.exe
2816	k8704938.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	k8704938.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2356	1724	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	66
PID 1724 wrote to memory of 2356	1724	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	66
PID 1724 wrote to memory of 2356	1724	457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe	66
PID 2356 wrote to memory of 2488	2356	y1900768.exe	67
PID 2356 wrote to memory of 2488	2356	y1900768.exe	67
PID 2356 wrote to memory of 2488	2356	y1900768.exe	67
PID 2488 wrote to memory of 2816	2488	y9646688.exe	68
PID 2488 wrote to memory of 2816	2488	y9646688.exe	68
PID 2488 wrote to memory of 2816	2488	y9646688.exe	68
PID 2488 wrote to memory of 4808	2488	y9646688.exe	69
PID 2488 wrote to memory of 4808	2488	y9646688.exe	69
PID 2488 wrote to memory of 4808	2488	y9646688.exe	69

C:\Users\Admin\AppData\Local\Temp\457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe
"C:\Users\Admin\AppData\Local\Temp\457db42a4e399f41bcd9dacf2aa527cc170a0ed46b0840ea2d6a0cf12be9bdd8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe
      4⤵
      Executes dropped EXE
      PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe

Filesize
750KB

MD5
4c7cba3a55b78101c772c5a36dc4854b

SHA1
696b83b6fe555c5b7239f6f6d6d33c2511f885d9

SHA256
31eb80847dbb0e4aff78f011d60c6a6b46ed2050e050bcc7b262b07a30b62fae

SHA512
2c2a97a0c40a74396b138e2ca9ce54e6e9bba507268813e3e252df227661f53fa87164a22f98e7c2f40e0040482d47e2f8b8e30a71bf715baca788157afeb5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1900768.exe

Filesize
750KB

MD5
4c7cba3a55b78101c772c5a36dc4854b

SHA1
696b83b6fe555c5b7239f6f6d6d33c2511f885d9

SHA256
31eb80847dbb0e4aff78f011d60c6a6b46ed2050e050bcc7b262b07a30b62fae

SHA512
2c2a97a0c40a74396b138e2ca9ce54e6e9bba507268813e3e252df227661f53fa87164a22f98e7c2f40e0040482d47e2f8b8e30a71bf715baca788157afeb5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe

Filesize
305KB

MD5
b15f12fa6678d9d697cc6805a6db603f

SHA1
83a974b62218eb7a064cc6d5d0d3f64b161380e4

SHA256
d6e1a1f38e2b9cdc8e2f1533006875f728417893e6793d41a14f2b66f361a295

SHA512
d0da911794b407c447abc8773ca83f4181cfbc0125e33f93f62c798c2b8c85a2eae402a2fe9761327b03d3d256e44ed1aed9b624a07218d7347567bc84bc94a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9646688.exe

Filesize
305KB

MD5
b15f12fa6678d9d697cc6805a6db603f

SHA1
83a974b62218eb7a064cc6d5d0d3f64b161380e4

SHA256
d6e1a1f38e2b9cdc8e2f1533006875f728417893e6793d41a14f2b66f361a295

SHA512
d0da911794b407c447abc8773ca83f4181cfbc0125e33f93f62c798c2b8c85a2eae402a2fe9761327b03d3d256e44ed1aed9b624a07218d7347567bc84bc94a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe

Filesize
184KB

MD5
58dba47f9c7d53ae734da0f314af09b1

SHA1
85146261b71e0bfdbb5854b77d72f4cd3b461d89

SHA256
97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

SHA512
f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8704938.exe

Filesize
184KB

MD5
58dba47f9c7d53ae734da0f314af09b1

SHA1
85146261b71e0bfdbb5854b77d72f4cd3b461d89

SHA256
97399d4a530ea277cb9502555ee3d85100e1e9a1c56a173fa6c570df0c5f88a4

SHA512
f1a0f7802130e119979afe60f254e659e0eaf141c5a8618a143d3eecff4d038681f9cfccf9af190fed269018cd8897d59e432a545aaac5af8c3e724d21a19e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe

Filesize
145KB

MD5
71c3ccdf8723c44dbe1d0fa7800ccca5

SHA1
83406d3e8591985d6a0b42549e643ec0764a4b57

SHA256
a33012df84df0946bd2a348e8682f266487763eef41a9232874ae9ec013f97e6

SHA512
d908bbf9008c88fae675707902d6f12159be1be1e2c16a1863eaa8b9d07c3c3f0d38561e32d1c19fabcb94236155a5698c0b26aaec178e333521b68ded1c779e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2928420.exe

Filesize
145KB

MD5
71c3ccdf8723c44dbe1d0fa7800ccca5

SHA1
83406d3e8591985d6a0b42549e643ec0764a4b57

SHA256
a33012df84df0946bd2a348e8682f266487763eef41a9232874ae9ec013f97e6

SHA512
d908bbf9008c88fae675707902d6f12159be1be1e2c16a1863eaa8b9d07c3c3f0d38561e32d1c19fabcb94236155a5698c0b26aaec178e333521b68ded1c779e

Download Submit
memory/2816-145-0x0000000004950000-0x0000000004E4E000-memory.dmp

Filesize
5.0MB

Download
memory/2816-170-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-146-0x00000000023D0000-0x00000000023EC000-memory.dmp

Filesize
112KB

Download
memory/2816-147-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-148-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-150-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-152-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-154-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-156-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-158-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-160-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-162-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-164-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-166-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-168-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-144-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2816-172-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-174-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2816-175-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2816-143-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/2816-142-0x0000000000630000-0x000000000064E000-memory.dmp

Filesize
120KB

Download
memory/4808-180-0x0000000000A90000-0x0000000000ABA000-memory.dmp

Filesize
168KB

Download
memory/4808-181-0x0000000005960000-0x0000000005F66000-memory.dmp

Filesize
6.0MB

Download
memory/4808-182-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/4808-183-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/4808-184-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4808-185-0x0000000005490000-0x00000000054CE000-memory.dmp

Filesize
248KB

Download
memory/4808-186-0x0000000005600000-0x000000000564B000-memory.dmp

Filesize
300KB

Download
memory/4808-187-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads