redline | 5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679

General

Target

5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe
Size

1.0MB
MD5

c7f98d257e6211df3a0a0de6a47c7f70
SHA1

7e0f419f650056496a70d38aaa54b25e039fa9dc
SHA256

5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679
SHA512

9a59bb2e09c495be77e6a840f652992297a1439bf5315b586d7a7c8ddf35fd4303b835caca10fe92525d996185935d741112466afbbf6f9c6445a07a621cb7fa
SSDEEP

24576:Rya2g73zAA3iIq39+zjr6BTKbQuO3pCdTmGpikU:Ea2gHAAFq3ozjr6BxIdTnp9

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4571146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4571146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4571146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4571146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4571146.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3372	y8423047.exe
4168	y8716001.exe
4140	k4571146.exe
4396	l0069049.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4571146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4571146.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8423047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8423047.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8716001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8716001.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4140	k4571146.exe
4140	k4571146.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	k4571146.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3372	3076	5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe	66
PID 3076 wrote to memory of 3372	3076	5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe	66
PID 3076 wrote to memory of 3372	3076	5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe	66
PID 3372 wrote to memory of 4168	3372	y8423047.exe	67
PID 3372 wrote to memory of 4168	3372	y8423047.exe	67
PID 3372 wrote to memory of 4168	3372	y8423047.exe	67
PID 4168 wrote to memory of 4140	4168	y8716001.exe	68
PID 4168 wrote to memory of 4140	4168	y8716001.exe	68
PID 4168 wrote to memory of 4140	4168	y8716001.exe	68
PID 4168 wrote to memory of 4396	4168	y8716001.exe	69
PID 4168 wrote to memory of 4396	4168	y8716001.exe	69
PID 4168 wrote to memory of 4396	4168	y8716001.exe	69

C:\Users\Admin\AppData\Local\Temp\5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe
"C:\Users\Admin\AppData\Local\Temp\5e4fa10400d0920c89bad20b45e8337e1dd9e765a4092736d5fa71b771a6d679.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8423047.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8423047.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8716001.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8716001.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4571146.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4571146.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0069049.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0069049.exe
      4⤵
      Executes dropped EXE
      PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8423047.exe

Filesize
750KB

MD5
ccba13c1154043bdbcb4013b7ef30626

SHA1
e3c4771940def13a9eab7755f4a7d8c41acbdcdc

SHA256
c9d22a2206125a27190c663f88809a360263cc54e1d2d27dec37457647382e2e

SHA512
a5437666877e5368ee46496fb32fc5fcd8315d4e2a1a9b54ffc391154308f81f1726f668f51d2d906e5deb2f38bb6bbb31d03ab7c5a3a4cc769e2eafc033d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8423047.exe

Filesize
750KB

MD5
ccba13c1154043bdbcb4013b7ef30626

SHA1
e3c4771940def13a9eab7755f4a7d8c41acbdcdc

SHA256
c9d22a2206125a27190c663f88809a360263cc54e1d2d27dec37457647382e2e

SHA512
a5437666877e5368ee46496fb32fc5fcd8315d4e2a1a9b54ffc391154308f81f1726f668f51d2d906e5deb2f38bb6bbb31d03ab7c5a3a4cc769e2eafc033d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8716001.exe

Filesize
305KB

MD5
2d70b03ea5bf10d1c1492e1a6a07c84b

SHA1
aafe6b453e9ec99ef1bfe217afdda9b576bf3864

SHA256
1f690f7dc263157359754b50ff875bfbc5bed1dc2a087c2bd54316e78a459ea9

SHA512
2dbee67c7bae0ff3953814aea4ca7a01608c2768e9ea2fa310e29ef5c0a7b9326152eac713869ddd3ed6f72ab404e24f33262982bac528a1d96304066a7efc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8716001.exe

Filesize
305KB

MD5
2d70b03ea5bf10d1c1492e1a6a07c84b

SHA1
aafe6b453e9ec99ef1bfe217afdda9b576bf3864

SHA256
1f690f7dc263157359754b50ff875bfbc5bed1dc2a087c2bd54316e78a459ea9

SHA512
2dbee67c7bae0ff3953814aea4ca7a01608c2768e9ea2fa310e29ef5c0a7b9326152eac713869ddd3ed6f72ab404e24f33262982bac528a1d96304066a7efc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4571146.exe

Filesize
186KB

MD5
b6261dbee07ee786b12a9666c210a592

SHA1
877b732087b3067c394f37552cab065a19c08d9e

SHA256
37239d1a999ff5eca8ef84d49144601a5ecafd0a35ae3055a10881967ed4149d

SHA512
f4a1330b8dacfeac7807ecf18e3f3425ef8c428b34019c55e5e461fc8062b90dc6d9de86c777546d19f9c92603ff3edfcd79430d73c2ecb88fc359b0aea9022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4571146.exe

Filesize
186KB

MD5
b6261dbee07ee786b12a9666c210a592

SHA1
877b732087b3067c394f37552cab065a19c08d9e

SHA256
37239d1a999ff5eca8ef84d49144601a5ecafd0a35ae3055a10881967ed4149d

SHA512
f4a1330b8dacfeac7807ecf18e3f3425ef8c428b34019c55e5e461fc8062b90dc6d9de86c777546d19f9c92603ff3edfcd79430d73c2ecb88fc359b0aea9022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0069049.exe

Filesize
145KB

MD5
274200df7b8f0793e09cabd6d44e1c35

SHA1
45a94b94d5b9b904eef5079432cbadadc2311447

SHA256
d87d76769df140db7b1f155c8943dd0a3fada073d2709be45da6181f8733d567

SHA512
1a8e6f817e7f824158a093c4a20c2603d3013da21645712e919c391931f8b2a1edf900f1f304134e1cb6f94086a796ba5e945259bd1b2cde59a91d14b85ba1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0069049.exe

Filesize
145KB

MD5
274200df7b8f0793e09cabd6d44e1c35

SHA1
45a94b94d5b9b904eef5079432cbadadc2311447

SHA256
d87d76769df140db7b1f155c8943dd0a3fada073d2709be45da6181f8733d567

SHA512
1a8e6f817e7f824158a093c4a20c2603d3013da21645712e919c391931f8b2a1edf900f1f304134e1cb6f94086a796ba5e945259bd1b2cde59a91d14b85ba1d9

Download Submit
memory/4140-146-0x0000000004A60000-0x0000000004A7C000-memory.dmp

Filesize
112KB

Download
memory/4140-168-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-143-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4140-145-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4140-147-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-148-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-150-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-152-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-154-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-156-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-158-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-160-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-162-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-164-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-166-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-144-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4140-170-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-172-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-174-0x0000000004A60000-0x0000000004A76000-memory.dmp

Filesize
88KB

Download
memory/4140-175-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4140-176-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4140-177-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4140-142-0x0000000004B30000-0x000000000502E000-memory.dmp

Filesize
5.0MB

Download
memory/4140-141-0x0000000002130000-0x000000000214E000-memory.dmp

Filesize
120KB

Download
memory/4396-182-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/4396-183-0x00000000057A0000-0x0000000005DA6000-memory.dmp

Filesize
6.0MB

Download
memory/4396-184-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/4396-185-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/4396-186-0x0000000005270000-0x00000000052AE000-memory.dmp

Filesize
248KB

Download
memory/4396-187-0x00000000053F0000-0x000000000543B000-memory.dmp

Filesize
300KB

Download
memory/4396-188-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/4396-189-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads