redline | 5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56

General

Target

5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe
Size

1.0MB
MD5

eefa3c3611778fd7e3c9e50fb4a02599
SHA1

c0257047f8cbeb5e731f7bf43c350270b1bc6104
SHA256

5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56
SHA512

301e0a93bcb975ce96760e0b658201e3324fea8312208187dd3b55a7abc60f3723a5e8b9c94523e97211db1c9f678f92ec388a243aeb9b8b7cf19741b0e515ce
SSDEEP

24576:7yFrUBqRHEq5hIfxfojG7prIWTLQ4Poe:uFowdEqLIfgGVcW/3o

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6590829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6590829.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k6590829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6590829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6590829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6590829.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2092	y5806449.exe
2044	y2684303.exe
1756	k6590829.exe
1956	l4055178.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k6590829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6590829.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5806449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5806449.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2684303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2684303.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	k6590829.exe
1756	k6590829.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	k6590829.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2092	1816	5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe	82
PID 1816 wrote to memory of 2092	1816	5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe	82
PID 1816 wrote to memory of 2092	1816	5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe	82
PID 2092 wrote to memory of 2044	2092	y5806449.exe	83
PID 2092 wrote to memory of 2044	2092	y5806449.exe	83
PID 2092 wrote to memory of 2044	2092	y5806449.exe	83
PID 2044 wrote to memory of 1756	2044	y2684303.exe	84
PID 2044 wrote to memory of 1756	2044	y2684303.exe	84
PID 2044 wrote to memory of 1756	2044	y2684303.exe	84
PID 2044 wrote to memory of 1956	2044	y2684303.exe	85
PID 2044 wrote to memory of 1956	2044	y2684303.exe	85
PID 2044 wrote to memory of 1956	2044	y2684303.exe	85

C:\Users\Admin\AppData\Local\Temp\5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe
"C:\Users\Admin\AppData\Local\Temp\5d9d698e7d2629d45dda24f9fc1d3f80fa992d9124d27f1a94f0d482f27e4f56.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5806449.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5806449.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2684303.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2684303.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6590829.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6590829.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4055178.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4055178.exe
      4⤵
      Executes dropped EXE
      PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5806449.exe

Filesize
750KB

MD5
23b4f27bf01ed2908cefda129424282b

SHA1
50123057254ff629b9de65f6b6e1a9c0cbf0b709

SHA256
ccd0896f4f8ce7cb62418c23f5c8ed4deff580bff58e70dfaf34228045d719e1

SHA512
7bbefb7d6d04c47a5d06c3da485a07ba264d6f9ef25c433770f8099bf6a995b67f712d592681ce7a4bbc4cc29e2fc4018ce4d06cb791defdb8f4e1b61e0e0663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5806449.exe

Filesize
750KB

MD5
23b4f27bf01ed2908cefda129424282b

SHA1
50123057254ff629b9de65f6b6e1a9c0cbf0b709

SHA256
ccd0896f4f8ce7cb62418c23f5c8ed4deff580bff58e70dfaf34228045d719e1

SHA512
7bbefb7d6d04c47a5d06c3da485a07ba264d6f9ef25c433770f8099bf6a995b67f712d592681ce7a4bbc4cc29e2fc4018ce4d06cb791defdb8f4e1b61e0e0663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2684303.exe

Filesize
305KB

MD5
740644f413e63cd1974b34ff17e3720e

SHA1
6f18c10720eb0356548b0109130d3142b883c08b

SHA256
303dce344f0a65fcbabd821ab43a82cf678b0b029f02aa1cdeca2dfad60b679c

SHA512
a998d2004e919435e200db4e9a3dfaca76cb7d8adae10ce03f9a21dfee4b31f7b99cc23f2bb447c78e540eed3a84d144f02e6aeb748bc612ca4142f04481a19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2684303.exe

Filesize
305KB

MD5
740644f413e63cd1974b34ff17e3720e

SHA1
6f18c10720eb0356548b0109130d3142b883c08b

SHA256
303dce344f0a65fcbabd821ab43a82cf678b0b029f02aa1cdeca2dfad60b679c

SHA512
a998d2004e919435e200db4e9a3dfaca76cb7d8adae10ce03f9a21dfee4b31f7b99cc23f2bb447c78e540eed3a84d144f02e6aeb748bc612ca4142f04481a19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6590829.exe

Filesize
186KB

MD5
dc5a53fe428996376fd242532d4c2aab

SHA1
e700ecb5a0baf274fb38fc1b33b6c77859c4eabf

SHA256
1ec4c1e0bd855c5a6fb683951b4168310210ad8ac9aff43464693b6e49fc2af5

SHA512
4b5515b7009977cfc472ff03fc6e258750b36cfb4b8e6af65315e21ca4cced7672ebd62ecbb7bd79e9c613d4656cb2c98329913757d2c5839155a285560b5605

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6590829.exe

Filesize
186KB

MD5
dc5a53fe428996376fd242532d4c2aab

SHA1
e700ecb5a0baf274fb38fc1b33b6c77859c4eabf

SHA256
1ec4c1e0bd855c5a6fb683951b4168310210ad8ac9aff43464693b6e49fc2af5

SHA512
4b5515b7009977cfc472ff03fc6e258750b36cfb4b8e6af65315e21ca4cced7672ebd62ecbb7bd79e9c613d4656cb2c98329913757d2c5839155a285560b5605

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4055178.exe

Filesize
145KB

MD5
4923ff0f2dc02addf84632601fe01d7b

SHA1
aba53140a2d7c2ac0852430f107ffb667519a6a7

SHA256
97904e482c31aa9d2701eac79adf9647b13a296fff1ca5edb5c07c423ee63b3c

SHA512
b1e2dffeb33e4b24ea52ebc347ea24e84daa8a2c0d767f69ceb3496938aee0ca07cd48799b1a3bbd4b2a66663a50a8c0659ea344f95181985b8f2f3fbc3581a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4055178.exe

Filesize
145KB

MD5
4923ff0f2dc02addf84632601fe01d7b

SHA1
aba53140a2d7c2ac0852430f107ffb667519a6a7

SHA256
97904e482c31aa9d2701eac79adf9647b13a296fff1ca5edb5c07c423ee63b3c

SHA512
b1e2dffeb33e4b24ea52ebc347ea24e84daa8a2c0d767f69ceb3496938aee0ca07cd48799b1a3bbd4b2a66663a50a8c0659ea344f95181985b8f2f3fbc3581a2

Download Submit
memory/1756-172-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-182-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-160-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-162-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-164-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-166-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-168-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-170-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-156-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-174-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-176-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-178-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-180-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-158-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-183-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1756-184-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1756-185-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1756-155-0x0000000004970000-0x0000000004986000-memory.dmp

Filesize
88KB

Download
memory/1756-154-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/1956-190-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1956-191-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/1956-192-0x0000000004C50000-0x0000000004D5A000-memory.dmp

Filesize
1.0MB

Download
memory/1956-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/1956-194-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/1956-195-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/1956-196-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads