redline | cb0d7efc51da225943743f0055cdf3584ad5d4f3a855150eb0bad8697e579433

General

Target

connector361.exe
Size

1.0MB
MD5

581026913ad722416f7644094188e68a
SHA1

df366a2268e5373f407e73fc80c7f694d31db551
SHA256

cb0d7efc51da225943743f0055cdf3584ad5d4f3a855150eb0bad8697e579433
SHA512

c3f316d248469d932bd10254eccc2f3f3a71f291bd8b068c857247c43ba6d5616672bdb317e404939381e6b1e2452243987b6c7e2205c75b87d29c99ed23b90c
SSDEEP

24576:1yJAzsS6ggVpLLy2qFYDJi1se/qenD6ezp9sXp9G8iZvKwIe:QJLSiVpS2q2i1seCenuezQXiZv

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k7190923.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7190923.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7190923.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7190923.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7190923.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7190923.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
552	y2501370.exe
3648	y9897793.exe
5044	k7190923.exe
432	l8580593.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7190923.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7190923.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2501370.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9897793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9897793.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	connector361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	connector361.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2501370.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	k7190923.exe
5044	k7190923.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	k7190923.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 552	4692	connector361.exe	85
PID 4692 wrote to memory of 552	4692	connector361.exe	85
PID 4692 wrote to memory of 552	4692	connector361.exe	85
PID 552 wrote to memory of 3648	552	y2501370.exe	86
PID 552 wrote to memory of 3648	552	y2501370.exe	86
PID 552 wrote to memory of 3648	552	y2501370.exe	86
PID 3648 wrote to memory of 5044	3648	y9897793.exe	87
PID 3648 wrote to memory of 5044	3648	y9897793.exe	87
PID 3648 wrote to memory of 5044	3648	y9897793.exe	87
PID 3648 wrote to memory of 432	3648	y9897793.exe	88
PID 3648 wrote to memory of 432	3648	y9897793.exe	88
PID 3648 wrote to memory of 432	3648	y9897793.exe	88

C:\Users\Admin\AppData\Local\Temp\connector361.exe
"C:\Users\Admin\AppData\Local\Temp\connector361.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe
      4⤵
      Executes dropped EXE
      PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe

Filesize
750KB

MD5
0500fd3e93d3b1d1c668bd1ddb2c335c

SHA1
3e78d16bb8c85bb3ec4def142b48efde564c04a9

SHA256
20232bc5eb828ddbec60f01c2ab2f7ce250490e01a2dfe33518b5a84674323fe

SHA512
5f20b65c60136ab1db0e690e7a339a69f8d9a0537ec704d138aa3ff4707b15e4745903bcdcf517d905b4dfd8ca499c3441565ba5f78e700a2bf036cbe7442adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2501370.exe

Filesize
750KB

MD5
0500fd3e93d3b1d1c668bd1ddb2c335c

SHA1
3e78d16bb8c85bb3ec4def142b48efde564c04a9

SHA256
20232bc5eb828ddbec60f01c2ab2f7ce250490e01a2dfe33518b5a84674323fe

SHA512
5f20b65c60136ab1db0e690e7a339a69f8d9a0537ec704d138aa3ff4707b15e4745903bcdcf517d905b4dfd8ca499c3441565ba5f78e700a2bf036cbe7442adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe

Filesize
305KB

MD5
8ffef05a7c87d31fdf35aa7467119627

SHA1
00120a17c8b7c36e5b7c14f91a01a9dba9dd1030

SHA256
872df7c6f35a3d2603518d59d6249ea88572c2ef3e635b39998631e183a15c6c

SHA512
fcbfa224d0fd0d7b5071e106ef7c7b4be3bca0805e5db6e2dff6de40634d051c3cfcedfec05e922c4ff6807fd48a91ae8134bf3c0d8dbfc23c23e74e221c01b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9897793.exe

Filesize
305KB

MD5
8ffef05a7c87d31fdf35aa7467119627

SHA1
00120a17c8b7c36e5b7c14f91a01a9dba9dd1030

SHA256
872df7c6f35a3d2603518d59d6249ea88572c2ef3e635b39998631e183a15c6c

SHA512
fcbfa224d0fd0d7b5071e106ef7c7b4be3bca0805e5db6e2dff6de40634d051c3cfcedfec05e922c4ff6807fd48a91ae8134bf3c0d8dbfc23c23e74e221c01b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe

Filesize
186KB

MD5
fca0f1c3037a2b4f0b9871e10e16c038

SHA1
80c39dfb8b07c97cdae11d5c7e335c4d96b0aef1

SHA256
b86263755a383b136d8da35c23bf5a8e59b6743fb9e5942a4e7378dfab5928ec

SHA512
44f428d58a62f45f2e3febfd2bd43f9cc2731ca434f9e319ec6671d6a1dcec9928797896b0a7edd0c34c7a9a14525f53d0a4cc6b79a20597376ef44887473801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7190923.exe

Filesize
186KB

MD5
fca0f1c3037a2b4f0b9871e10e16c038

SHA1
80c39dfb8b07c97cdae11d5c7e335c4d96b0aef1

SHA256
b86263755a383b136d8da35c23bf5a8e59b6743fb9e5942a4e7378dfab5928ec

SHA512
44f428d58a62f45f2e3febfd2bd43f9cc2731ca434f9e319ec6671d6a1dcec9928797896b0a7edd0c34c7a9a14525f53d0a4cc6b79a20597376ef44887473801

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe

Filesize
145KB

MD5
030c62470251bad5ea2d288efca95591

SHA1
799e7324ba03d96efa7be12d6baf6396e7754918

SHA256
4cac0717b5ddf640fbcd467e6b5155372412013f9860aada39177e0003559190

SHA512
0e166a99ebedb7021763212182ffce8688286c8530fcbc2a7f411c3bc0dcb89fe8a45890efe258e69a32c0f440d36b3756a6fbaa8a31fb89a9708831e7b80c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8580593.exe

Filesize
145KB

MD5
030c62470251bad5ea2d288efca95591

SHA1
799e7324ba03d96efa7be12d6baf6396e7754918

SHA256
4cac0717b5ddf640fbcd467e6b5155372412013f9860aada39177e0003559190

SHA512
0e166a99ebedb7021763212182ffce8688286c8530fcbc2a7f411c3bc0dcb89fe8a45890efe258e69a32c0f440d36b3756a6fbaa8a31fb89a9708831e7b80c47

Download Submit
memory/432-194-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/432-192-0x0000000005500000-0x000000000553C000-memory.dmp

Filesize
240KB

Download
memory/432-191-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/432-190-0x0000000005570000-0x000000000567A000-memory.dmp

Filesize
1.0MB

Download
memory/432-189-0x0000000005A50000-0x0000000006068000-memory.dmp

Filesize
6.1MB

Download
memory/432-188-0x0000000000C10000-0x0000000000C3A000-memory.dmp

Filesize
168KB

Download
memory/432-193-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/5044-156-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-167-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-169-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-171-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-165-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-163-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-161-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-159-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-157-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/5044-155-0x0000000004930000-0x0000000004ED4000-memory.dmp

Filesize
5.6MB

Download
memory/5044-154-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads