redline | c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a

General

Target

c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe
Size

1.0MB
MD5

44da8673e36728bf155976e362cb6b2d
SHA1

c209ddf4eaaa243403872627920db8e6cb996c6d
SHA256

c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a
SHA512

00c4356a0c39547fe87e56ad47b134b93eff01e6816be744e3b394ebacbaa37a83a732992372a5dff2c7f9bcca4098bc0672e142f9f647c38cc7ebc5d361d813
SSDEEP

24576:6yKqHcfimbp3qtZFeQ/pm7eekIZql2sS:Bfv03qtr9/0KIZ42

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3357790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3357790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3357790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3357790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3357790.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
920	y3305322.exe
4544	y7697929.exe
4268	k3357790.exe
4772	l0293059.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k3357790.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3357790.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7697929.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7697929.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3305322.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3305322.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	k3357790.exe
4268	k3357790.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	k3357790.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 920	4024	c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe	66
PID 4024 wrote to memory of 920	4024	c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe	66
PID 4024 wrote to memory of 920	4024	c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe	66
PID 920 wrote to memory of 4544	920	y3305322.exe	67
PID 920 wrote to memory of 4544	920	y3305322.exe	67
PID 920 wrote to memory of 4544	920	y3305322.exe	67
PID 4544 wrote to memory of 4268	4544	y7697929.exe	68
PID 4544 wrote to memory of 4268	4544	y7697929.exe	68
PID 4544 wrote to memory of 4268	4544	y7697929.exe	68
PID 4544 wrote to memory of 4772	4544	y7697929.exe	69
PID 4544 wrote to memory of 4772	4544	y7697929.exe	69
PID 4544 wrote to memory of 4772	4544	y7697929.exe	69

C:\Users\Admin\AppData\Local\Temp\c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe
"C:\Users\Admin\AppData\Local\Temp\c1d401590a3508400a321bb9f99892e4d81515fe98ef49af97a26caefa79044a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3305322.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3305322.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7697929.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7697929.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3357790.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3357790.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0293059.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0293059.exe
      4⤵
      Executes dropped EXE
      PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3305322.exe

Filesize
751KB

MD5
82b313713c9937dabf7756892fcd9c80

SHA1
ea4c36481edae2435eee7c82cca8a350801734cb

SHA256
a69425a3c2802841bd943947967d0190873ff166b17facf965a692a5767d2836

SHA512
2b7d37f12bbfba8ee63c9cfe36dd5419d9403882904b599aba949e4631f995fbdca8cac6dc0554303f3a401548016ce326975d630ee44ab0a10a2d52ed03f248

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3305322.exe

Filesize
751KB

MD5
82b313713c9937dabf7756892fcd9c80

SHA1
ea4c36481edae2435eee7c82cca8a350801734cb

SHA256
a69425a3c2802841bd943947967d0190873ff166b17facf965a692a5767d2836

SHA512
2b7d37f12bbfba8ee63c9cfe36dd5419d9403882904b599aba949e4631f995fbdca8cac6dc0554303f3a401548016ce326975d630ee44ab0a10a2d52ed03f248

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7697929.exe

Filesize
305KB

MD5
15089d2408ebb67a0a31911bb46ed651

SHA1
5b94da2c700469da2a8e9c62e430753a4d6348c8

SHA256
a54227dac057e06ecabb21137e2604b8c4d7b05f950019d534cbba6c723a6466

SHA512
6537280d880ec1a0aa1d5ab615950326d5939ff9f193ba03c57741a01385e572bfa8d3db092e90162b6a912102f010041eabad38718973b8ba185846fd1d6379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7697929.exe

Filesize
305KB

MD5
15089d2408ebb67a0a31911bb46ed651

SHA1
5b94da2c700469da2a8e9c62e430753a4d6348c8

SHA256
a54227dac057e06ecabb21137e2604b8c4d7b05f950019d534cbba6c723a6466

SHA512
6537280d880ec1a0aa1d5ab615950326d5939ff9f193ba03c57741a01385e572bfa8d3db092e90162b6a912102f010041eabad38718973b8ba185846fd1d6379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3357790.exe

Filesize
186KB

MD5
7c816a87add8cb55a00dbd0708c55956

SHA1
5e852e705324a39b4130e34326b7ece875eef778

SHA256
8a8af967c5bc8ac54cc93b5c0fcb194f9a3089be67428e52932a09bc068880c5

SHA512
05dd4f078106cf08f8b7798ef91c5a656fd002b5fb5fe6275f28a540162f586889ac1db48d14d9d667c969c50613a05458d2c20fbb95569b595dcb36c1df7c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3357790.exe

Filesize
186KB

MD5
7c816a87add8cb55a00dbd0708c55956

SHA1
5e852e705324a39b4130e34326b7ece875eef778

SHA256
8a8af967c5bc8ac54cc93b5c0fcb194f9a3089be67428e52932a09bc068880c5

SHA512
05dd4f078106cf08f8b7798ef91c5a656fd002b5fb5fe6275f28a540162f586889ac1db48d14d9d667c969c50613a05458d2c20fbb95569b595dcb36c1df7c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0293059.exe

Filesize
146KB

MD5
eb4e80286e306fc7b4c19e2527044f7e

SHA1
2a1ab0c3fe22c17f4f39f1cc9eae13c48fee18de

SHA256
3570d364c7c1b998b991511350e17bd4910da80b7837a173112d6a962af7524d

SHA512
b41644535b685f245f2b3e1b161ebd0b86fa7a4b28361a1425e29e448799e295c3760dd88edae0778c29d378d8ec8bc803af45ea3094fbc283fc31f4c078de74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0293059.exe

Filesize
146KB

MD5
eb4e80286e306fc7b4c19e2527044f7e

SHA1
2a1ab0c3fe22c17f4f39f1cc9eae13c48fee18de

SHA256
3570d364c7c1b998b991511350e17bd4910da80b7837a173112d6a962af7524d

SHA512
b41644535b685f245f2b3e1b161ebd0b86fa7a4b28361a1425e29e448799e295c3760dd88edae0778c29d378d8ec8bc803af45ea3094fbc283fc31f4c078de74

Download Submit
memory/4268-155-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-165-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-142-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4268-143-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4268-144-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-145-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-147-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-149-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-151-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-153-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-140-0x0000000004E40000-0x0000000004E5C000-memory.dmp

Filesize
112KB

Download
memory/4268-157-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-159-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-161-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-163-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-141-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4268-167-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-169-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-171-0x0000000004E40000-0x0000000004E56000-memory.dmp

Filesize
88KB

Download
memory/4268-172-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4268-173-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4268-139-0x0000000004940000-0x0000000004E3E000-memory.dmp

Filesize
5.0MB

Download
memory/4268-138-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4772-178-0x0000000000B40000-0x0000000000B6A000-memory.dmp

Filesize
168KB

Download
memory/4772-179-0x0000000005A10000-0x0000000006016000-memory.dmp

Filesize
6.0MB

Download
memory/4772-180-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/4772-181-0x00000000054D0000-0x00000000054E2000-memory.dmp

Filesize
72KB

Download
memory/4772-182-0x0000000005530000-0x000000000556E000-memory.dmp

Filesize
248KB

Download
memory/4772-183-0x00000000056B0000-0x00000000056FB000-memory.dmp

Filesize
300KB

Download
memory/4772-184-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4772-185-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads