redline | 95648f13573d1dba7a6f604650f90ef17cb492b53047ed5af5bdb77897b12111

General

Target

6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe
Size

1.0MB
MD5

ad77aad43c3e1315f76f837270a022ab
SHA1

b61dda4980b44e829551ebd25e034bd77b5152bb
SHA256

6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b
SHA512

5f1e2f99cd0b621e1e172b7b27a60ff109e09d8d7e87c9304652af90ec49fb06cfab8edfb38e4513e7c6cd8f223bc5cf3a6d20f969a4296dfde14e5535d931af
SSDEEP

24576:OyejuH5yjqA5/BTcv7Rh7n/OJ6TmxRNT++PfOvAf:dyuZyjqmmRt46TaNT+8fOv

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8478633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8478633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8478633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8478633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8478633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8478633.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2304	y8839149.exe
2108	y2338937.exe
2184	k8478633.exe
1940	l0035252.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8478633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8478633.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2338937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2338937.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8839149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8839149.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	k8478633.exe
2184	k8478633.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	k8478633.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2304	956	6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe	84
PID 956 wrote to memory of 2304	956	6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe	84
PID 956 wrote to memory of 2304	956	6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe	84
PID 2304 wrote to memory of 2108	2304	y8839149.exe	85
PID 2304 wrote to memory of 2108	2304	y8839149.exe	85
PID 2304 wrote to memory of 2108	2304	y8839149.exe	85
PID 2108 wrote to memory of 2184	2108	y2338937.exe	86
PID 2108 wrote to memory of 2184	2108	y2338937.exe	86
PID 2108 wrote to memory of 2184	2108	y2338937.exe	86
PID 2108 wrote to memory of 1940	2108	y2338937.exe	87
PID 2108 wrote to memory of 1940	2108	y2338937.exe	87
PID 2108 wrote to memory of 1940	2108	y2338937.exe	87

C:\Users\Admin\AppData\Local\Temp\6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe
"C:\Users\Admin\AppData\Local\Temp\6e1568bbb3eedfc19307327e912cf9ef7c43c65926831c42ddeaa877fffe723b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8839149.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8839149.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2338937.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2338937.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8478633.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8478633.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0035252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0035252.exe
      4⤵
      Executes dropped EXE
      PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8839149.exe

Filesize
750KB

MD5
83f63a066dbf7a32825e92d854c2db3a

SHA1
cd5f53166ab2fe07d43e9a78a29afd804123b8a1

SHA256
dcb8ea3105d54448b6041dfa01ab6cbffb24bf950053c16df42a919ddbc7fbe6

SHA512
314cd69d029fd8ed79eaaa35dfd51865c55f91f4c2c8c5524d1a03e42a656d491ea120c1d12b14206bdde8ff5f0302a184d35e45ad901e8916331d7fd14f3324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8839149.exe

Filesize
750KB

MD5
83f63a066dbf7a32825e92d854c2db3a

SHA1
cd5f53166ab2fe07d43e9a78a29afd804123b8a1

SHA256
dcb8ea3105d54448b6041dfa01ab6cbffb24bf950053c16df42a919ddbc7fbe6

SHA512
314cd69d029fd8ed79eaaa35dfd51865c55f91f4c2c8c5524d1a03e42a656d491ea120c1d12b14206bdde8ff5f0302a184d35e45ad901e8916331d7fd14f3324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2338937.exe

Filesize
305KB

MD5
0df95788a061208b089eb0cee14e2b94

SHA1
3d02c55cdcdcc2c473ffe6439b940628eaaab399

SHA256
f21eac01c9d54c1afc2b6fd10de6938bb311683a5a4b99f6cd38e598621a7448

SHA512
a6cf3c1d28c66b8d2cc6f418255dedae8ea2b65b6c41593c1f4da4329b868fa16c7ea2549681438100fc1e68aace27e6f648158efceea6da7f76fd856df9879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2338937.exe

Filesize
305KB

MD5
0df95788a061208b089eb0cee14e2b94

SHA1
3d02c55cdcdcc2c473ffe6439b940628eaaab399

SHA256
f21eac01c9d54c1afc2b6fd10de6938bb311683a5a4b99f6cd38e598621a7448

SHA512
a6cf3c1d28c66b8d2cc6f418255dedae8ea2b65b6c41593c1f4da4329b868fa16c7ea2549681438100fc1e68aace27e6f648158efceea6da7f76fd856df9879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8478633.exe

Filesize
184KB

MD5
e3b5e6da53abdd2976f68e334c31aac2

SHA1
908524d5204a629c2e8fab6637a4dcd78b28dc75

SHA256
bb24f1f41388067c6760c5bce6a192f43b495ef296f2354cf86cf8dbbbf82b3b

SHA512
bea70b682fe041df8021fa4c8e44207aea6e7655eed6f1eb04c7033cd8f5eb81a8a8c1e2220448a30f0aaf89befac6e5c367b51016f833aab593f105dbd0a605

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8478633.exe

Filesize
184KB

MD5
e3b5e6da53abdd2976f68e334c31aac2

SHA1
908524d5204a629c2e8fab6637a4dcd78b28dc75

SHA256
bb24f1f41388067c6760c5bce6a192f43b495ef296f2354cf86cf8dbbbf82b3b

SHA512
bea70b682fe041df8021fa4c8e44207aea6e7655eed6f1eb04c7033cd8f5eb81a8a8c1e2220448a30f0aaf89befac6e5c367b51016f833aab593f105dbd0a605

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0035252.exe

Filesize
145KB

MD5
c72fec84924bf7476024e9be9fb048d0

SHA1
e3d1d9d42ce84463952e723998a75f625755383c

SHA256
5067803e45ca38a804a359d762d364a6ce6a3ae66b13a3f2a2429c189078157a

SHA512
5c55690f272dbc6a643f38e859f326c2c02a358fee5a933cbe8d48921414f7b545ba8c51bd82a5bc1090a0d62c93d0d77f68fd44363f540fc8ea4b17574a7ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0035252.exe

Filesize
145KB

MD5
c72fec84924bf7476024e9be9fb048d0

SHA1
e3d1d9d42ce84463952e723998a75f625755383c

SHA256
5067803e45ca38a804a359d762d364a6ce6a3ae66b13a3f2a2429c189078157a

SHA512
5c55690f272dbc6a643f38e859f326c2c02a358fee5a933cbe8d48921414f7b545ba8c51bd82a5bc1090a0d62c93d0d77f68fd44363f540fc8ea4b17574a7ead

Download Submit
memory/1940-195-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/1940-193-0x00000000056C0000-0x00000000056FC000-memory.dmp

Filesize
240KB

Download
memory/1940-192-0x0000000005660000-0x0000000005672000-memory.dmp

Filesize
72KB

Download
memory/1940-191-0x0000000005750000-0x000000000585A000-memory.dmp

Filesize
1.0MB

Download
memory/1940-190-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/1940-189-0x0000000000DD0000-0x0000000000DFA000-memory.dmp

Filesize
168KB

Download
memory/1940-194-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/2184-156-0x0000000004A30000-0x0000000004FD4000-memory.dmp

Filesize
5.6MB

Download
memory/2184-168-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-172-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-174-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-176-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-178-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-180-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-182-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-184-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-170-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-166-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-164-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-162-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-157-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2184-155-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2184-154-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads