redline | ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4

General

Target

ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe
Size

1.0MB
MD5

1fa40c47c535612e09f4befcad486aca
SHA1

794d0d7017e2caa47d4d6fd13bfee72b45d4b56a
SHA256

ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4
SHA512

8bca52f84297dfcea70920fa7328f9e931ac0619e90da976924d9d323a64bd2099599edf28b02be2e2c9097e0e0eb992392ce830dd59017a4137b13a356a06b3
SSDEEP

24576:jyx32HaUDrIgiy904qlHmIY6GavE2VREkIYlani708ct/S:2xwIFyG4qtmzBas2lIYV70

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7457291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7457291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7457291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7457291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7457291.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2804	y6650597.exe
2592	y7535132.exe
5012	k7457291.exe
3516	l4806187.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7457291.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7457291.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6650597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6650597.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7535132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7535132.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	k7457291.exe
5012	k7457291.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	k7457291.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2804	2476	ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe	66
PID 2476 wrote to memory of 2804	2476	ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe	66
PID 2476 wrote to memory of 2804	2476	ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe	66
PID 2804 wrote to memory of 2592	2804	y6650597.exe	67
PID 2804 wrote to memory of 2592	2804	y6650597.exe	67
PID 2804 wrote to memory of 2592	2804	y6650597.exe	67
PID 2592 wrote to memory of 5012	2592	y7535132.exe	68
PID 2592 wrote to memory of 5012	2592	y7535132.exe	68
PID 2592 wrote to memory of 5012	2592	y7535132.exe	68
PID 2592 wrote to memory of 3516	2592	y7535132.exe	69
PID 2592 wrote to memory of 3516	2592	y7535132.exe	69
PID 2592 wrote to memory of 3516	2592	y7535132.exe	69

C:\Users\Admin\AppData\Local\Temp\ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe
"C:\Users\Admin\AppData\Local\Temp\ecd14d9a546313c6d22973e3efdaabbf7ff7398024d5639e9432df77f643f4f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6650597.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6650597.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7535132.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7535132.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7457291.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7457291.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4806187.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4806187.exe
      4⤵
      Executes dropped EXE
      PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6650597.exe

Filesize
750KB

MD5
0eadb7b2ebd5f0b49696a11e0d5d2753

SHA1
e1e652e137d3ebb134a3c11b37fcc6d869ce802a

SHA256
c2d0f92020e11414a55a5519d7197fb398548ea2a182bab1e3d891306315aa9a

SHA512
3e20501b6dbd07ca2ab795181616880a66a0c3d3075f7b146265e624738f0f0791f06429e176cd2d01f6ec566a9998c5d95a4de07e3d83f1d0399c4049053874

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6650597.exe

Filesize
750KB

MD5
0eadb7b2ebd5f0b49696a11e0d5d2753

SHA1
e1e652e137d3ebb134a3c11b37fcc6d869ce802a

SHA256
c2d0f92020e11414a55a5519d7197fb398548ea2a182bab1e3d891306315aa9a

SHA512
3e20501b6dbd07ca2ab795181616880a66a0c3d3075f7b146265e624738f0f0791f06429e176cd2d01f6ec566a9998c5d95a4de07e3d83f1d0399c4049053874

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7535132.exe

Filesize
305KB

MD5
0e6537d2af1d503e9f76442f8344dfa1

SHA1
aa8b5fb86dd2226cc01377d296a42ec97cfd77ac

SHA256
0e7f5b2a44df288d84f3ee45f347ad288dd261e94c44c716b1b7b06ac08b62b5

SHA512
909345e2c638ecf53fb3e90921316854ea8da3ec50682f17df6de7216ea234f800969d64a4e9fc4f789ff7fb7a06a72a6a7273a81f110fe19fcb946744df7741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7535132.exe

Filesize
305KB

MD5
0e6537d2af1d503e9f76442f8344dfa1

SHA1
aa8b5fb86dd2226cc01377d296a42ec97cfd77ac

SHA256
0e7f5b2a44df288d84f3ee45f347ad288dd261e94c44c716b1b7b06ac08b62b5

SHA512
909345e2c638ecf53fb3e90921316854ea8da3ec50682f17df6de7216ea234f800969d64a4e9fc4f789ff7fb7a06a72a6a7273a81f110fe19fcb946744df7741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7457291.exe

Filesize
186KB

MD5
a94da13a43cca72f7f774c5fb7100be7

SHA1
aa7363d9539fd5d046497c78a6574241b832e350

SHA256
e796784dc6998cb1bbf6ac6a8533743102ae62f2c3aeef64c20d8d8681b3066c

SHA512
b2ae14014ae3e0d8534789a342ab2706f8af790b2435a231fd0ef93383aff35238de1526ac58e7e0ad37770c6046bdb1da36a8d85911532d8113df4540455471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7457291.exe

Filesize
186KB

MD5
a94da13a43cca72f7f774c5fb7100be7

SHA1
aa7363d9539fd5d046497c78a6574241b832e350

SHA256
e796784dc6998cb1bbf6ac6a8533743102ae62f2c3aeef64c20d8d8681b3066c

SHA512
b2ae14014ae3e0d8534789a342ab2706f8af790b2435a231fd0ef93383aff35238de1526ac58e7e0ad37770c6046bdb1da36a8d85911532d8113df4540455471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4806187.exe

Filesize
146KB

MD5
1ce6211caef67fdde88d13d8a2513cc8

SHA1
761ef365829b5981f79aedc7ad51daefd4bbd8d6

SHA256
eb5debe00a60034907177b0bb1dfe32178756d8da001c51706571af7a9fc46d8

SHA512
6486c6e0d18f7c8a82a254dac333ec3f8c72a6a82e29871ba6f6ecd448e9a4584ad35b7bb8c736e5beb79ff48bf71c9b0a8126fda392d8a18d8dad88ca586c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4806187.exe

Filesize
146KB

MD5
1ce6211caef67fdde88d13d8a2513cc8

SHA1
761ef365829b5981f79aedc7ad51daefd4bbd8d6

SHA256
eb5debe00a60034907177b0bb1dfe32178756d8da001c51706571af7a9fc46d8

SHA512
6486c6e0d18f7c8a82a254dac333ec3f8c72a6a82e29871ba6f6ecd448e9a4584ad35b7bb8c736e5beb79ff48bf71c9b0a8126fda392d8a18d8dad88ca586c28

Download Submit
memory/3516-183-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/3516-182-0x00000000048D0000-0x000000000490E000-memory.dmp

Filesize
248KB

Download
memory/3516-181-0x0000000004870000-0x0000000004882000-memory.dmp

Filesize
72KB

Download
memory/3516-180-0x0000000004940000-0x0000000004A4A000-memory.dmp

Filesize
1.0MB

Download
memory/3516-179-0x0000000004DC0000-0x00000000053C6000-memory.dmp

Filesize
6.0MB

Download
memory/3516-178-0x0000000000020000-0x000000000004A000-memory.dmp

Filesize
168KB

Download
memory/3516-184-0x0000000004A50000-0x0000000004A9B000-memory.dmp

Filesize
300KB

Download
memory/3516-185-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/5012-157-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-155-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-161-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-163-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-165-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-167-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-169-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-171-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-173-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-159-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-153-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-151-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-149-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-147-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-146-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/5012-145-0x0000000002490000-0x00000000024AC000-memory.dmp

Filesize
112KB

Download
memory/5012-144-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/5012-143-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/5012-142-0x0000000001FD0000-0x0000000001FEE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads