redline | bd48e85f2607991dc27704ad7c4367be0cf6e46aa08de8342ab4d8909c0f2c10

General

Target

file429.exe
Size

1.0MB
MD5

497a45950203e618980f2e4545f9838c
SHA1

d7109011a2a588da37eb89e6f3a2cfab4de7e4db
SHA256

bd48e85f2607991dc27704ad7c4367be0cf6e46aa08de8342ab4d8909c0f2c10
SHA512

2778e35c61a44d2112123f468e31cd796acd4ae88b1c58e24f09b740bf27508bb4e27cf0ba1234ca639f26af250e1de931d25f4e50b1061d67a4bebf660dc838
SSDEEP

24576:Wyww5Y4Yphy72eLSqLpFpI8gUkcm9yjVSfMJgQQ2PJKnVo:lwbI72eLSq7pmcmUSfegQQ2O

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0789123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0789123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0789123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0789123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0789123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0789123.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
860	y3682812.exe
5032	y7265859.exe
1860	k0789123.exe
4304	l7862873.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0789123.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0789123.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file429.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3682812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3682812.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7265859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7265859.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1860	k0789123.exe
1860	k0789123.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	k0789123.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 860	4112	file429.exe	84
PID 4112 wrote to memory of 860	4112	file429.exe	84
PID 4112 wrote to memory of 860	4112	file429.exe	84
PID 860 wrote to memory of 5032	860	y3682812.exe	85
PID 860 wrote to memory of 5032	860	y3682812.exe	85
PID 860 wrote to memory of 5032	860	y3682812.exe	85
PID 5032 wrote to memory of 1860	5032	y7265859.exe	86
PID 5032 wrote to memory of 1860	5032	y7265859.exe	86
PID 5032 wrote to memory of 1860	5032	y7265859.exe	86
PID 5032 wrote to memory of 4304	5032	y7265859.exe	88
PID 5032 wrote to memory of 4304	5032	y7265859.exe	88
PID 5032 wrote to memory of 4304	5032	y7265859.exe	88

C:\Users\Admin\AppData\Local\Temp\file429.exe
"C:\Users\Admin\AppData\Local\Temp\file429.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3682812.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3682812.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7265859.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7265859.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0789123.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0789123.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7862873.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7862873.exe
      4⤵
      Executes dropped EXE
      PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3682812.exe

Filesize
751KB

MD5
185a51d07776fe373d7cc99d77716291

SHA1
8528c88ea0116b7262675d540c2cd33e50961355

SHA256
3a9a76b46275a66269568c99812d9e7dc09ea943b84f6ddcb76a20b45de4e6bd

SHA512
3d019369af433ca612dd44ebf9a97e6391339e5ac20d11ccdac5d1dc5ceaea46d8803d969e2b4cd48a49f4ff07c38d61a54d49e07459e0ecc6382e6de26464b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3682812.exe

Filesize
751KB

MD5
185a51d07776fe373d7cc99d77716291

SHA1
8528c88ea0116b7262675d540c2cd33e50961355

SHA256
3a9a76b46275a66269568c99812d9e7dc09ea943b84f6ddcb76a20b45de4e6bd

SHA512
3d019369af433ca612dd44ebf9a97e6391339e5ac20d11ccdac5d1dc5ceaea46d8803d969e2b4cd48a49f4ff07c38d61a54d49e07459e0ecc6382e6de26464b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7265859.exe

Filesize
305KB

MD5
189327a17f0263ed6ed5d5a093357f55

SHA1
6bd1680125d068c085ffb808d963609db224dd68

SHA256
bacc9b8f03f77aec2700a57608406a9d3c4db286016ae130570906fa81834569

SHA512
eb6544513ab59d5c27a1b42e40aab032eaa1867ba1e6611730c0651ebb7f28f677fa5badc7757a96f1be7d7923851dc4df3b145a4ae51e487567d6cabe786390

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7265859.exe

Filesize
305KB

MD5
189327a17f0263ed6ed5d5a093357f55

SHA1
6bd1680125d068c085ffb808d963609db224dd68

SHA256
bacc9b8f03f77aec2700a57608406a9d3c4db286016ae130570906fa81834569

SHA512
eb6544513ab59d5c27a1b42e40aab032eaa1867ba1e6611730c0651ebb7f28f677fa5badc7757a96f1be7d7923851dc4df3b145a4ae51e487567d6cabe786390

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0789123.exe

Filesize
186KB

MD5
8945615a7d96ab076ec9e5d25d8d2a53

SHA1
4c4fd6732d02b4c45caecb3791f25a94a13543c8

SHA256
d67fc414808101b89c7ee4fb28656aeea1b0681de2008ee9489d9b79b9f438b2

SHA512
0302150c7f96e874095463f858e3d4cac24c2062c758ace3f8c9791aa189c9d3eecd66482968ec938dba100f817cfedacdb0d7005dd9b46559a89d4997cc2bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0789123.exe

Filesize
186KB

MD5
8945615a7d96ab076ec9e5d25d8d2a53

SHA1
4c4fd6732d02b4c45caecb3791f25a94a13543c8

SHA256
d67fc414808101b89c7ee4fb28656aeea1b0681de2008ee9489d9b79b9f438b2

SHA512
0302150c7f96e874095463f858e3d4cac24c2062c758ace3f8c9791aa189c9d3eecd66482968ec938dba100f817cfedacdb0d7005dd9b46559a89d4997cc2bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7862873.exe

Filesize
145KB

MD5
d32af8a5b31345590774df3949fcd3a3

SHA1
650267a29f677337bb8cb1747922057eeda253b0

SHA256
c987d271113be7613c939efa2f470630c5b49f730bef7881c32922cb847d60b4

SHA512
de81eb4d2f9e8caaec01de505933d0e9703e359aa0cf106c478393a586fb7df9b1d785c7cb243f6aa6c54f3ceb3d448a39f87fbeb2ea4ca5d6623b8b19a0f95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7862873.exe

Filesize
145KB

MD5
d32af8a5b31345590774df3949fcd3a3

SHA1
650267a29f677337bb8cb1747922057eeda253b0

SHA256
c987d271113be7613c939efa2f470630c5b49f730bef7881c32922cb847d60b4

SHA512
de81eb4d2f9e8caaec01de505933d0e9703e359aa0cf106c478393a586fb7df9b1d785c7cb243f6aa6c54f3ceb3d448a39f87fbeb2ea4ca5d6623b8b19a0f95f

Download Submit
memory/1860-173-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-159-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-161-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-163-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-165-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-167-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-169-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-171-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-156-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1860-175-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-177-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-157-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1860-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1860-186-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1860-187-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1860-188-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1860-155-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1860-154-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/4304-193-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/4304-194-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/4304-195-0x0000000004D70000-0x0000000004E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4304-196-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/4304-197-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/4304-198-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4304-199-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads