redline | f7eae242d988e333cddead1f113e0ee294582abb3140c2deba02ec4e53afa266

General

Target

monitor230.exe
Size

1022KB
MD5

8229a3450e17343b9cf2ea7492822875
SHA1

7d8da8ce9d3a9c798517cb8dd92e20d6c687d029
SHA256

f7eae242d988e333cddead1f113e0ee294582abb3140c2deba02ec4e53afa266
SHA512

d4d6255ee5dd09cb3ceca750536d472c3d08701b909df6202ef9ae0b571d910ae66f76183bf158042138890964632820ea080fc52c6f91b8c56e0e0dd5d27a14
SSDEEP

24576:5yvn3MnL7C/tLtLq/9Z34RBx1HBxNEm5ZzI6BicNC8Z:svncnXYZLqF94RBx1pEm5f9C8

Score

10^/10

redline luza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luza

C2

185.161.248.37:4138

Attributes

auth_value
1261701914d508e02e8b4f25d38bc7f9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o6484029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6484029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6484029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6484029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6484029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6484029.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4864	z2422562.exe
408	z1858052.exe
1484	o6484029.exe
956	p0336463.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6484029.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6484029.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	monitor230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	monitor230.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2422562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2422562.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1858052.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1858052.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	o6484029.exe
1484	o6484029.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	o6484029.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4864	2068	monitor230.exe	84
PID 2068 wrote to memory of 4864	2068	monitor230.exe	84
PID 2068 wrote to memory of 4864	2068	monitor230.exe	84
PID 4864 wrote to memory of 408	4864	z2422562.exe	85
PID 4864 wrote to memory of 408	4864	z2422562.exe	85
PID 4864 wrote to memory of 408	4864	z2422562.exe	85
PID 408 wrote to memory of 1484	408	z1858052.exe	86
PID 408 wrote to memory of 1484	408	z1858052.exe	86
PID 408 wrote to memory of 1484	408	z1858052.exe	86
PID 408 wrote to memory of 956	408	z1858052.exe	87
PID 408 wrote to memory of 956	408	z1858052.exe	87
PID 408 wrote to memory of 956	408	z1858052.exe	87

C:\Users\Admin\AppData\Local\Temp\monitor230.exe
"C:\Users\Admin\AppData\Local\Temp\monitor230.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2422562.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2422562.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1858052.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1858052.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6484029.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6484029.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0336463.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0336463.exe
      4⤵
      Executes dropped EXE
      PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2422562.exe

Filesize
577KB

MD5
91e071d5a2a9b6a13e6c6ff9f0aafaa3

SHA1
b6e1bc53d007e0d7b0f30858c164abd48c4fd2a2

SHA256
665736d9b6dc44ad8252cb21d5cdc6a063e50cd9925c28ce6238894c704cc3ba

SHA512
5769016d0c07bfaef47d2682a54470c37df9fbc6279b221272c78238815b36efd8c1fdaff64bb116ca863aeafe8a6949be0709c39b039e3bbd70ff576bca9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2422562.exe

Filesize
577KB

MD5
91e071d5a2a9b6a13e6c6ff9f0aafaa3

SHA1
b6e1bc53d007e0d7b0f30858c164abd48c4fd2a2

SHA256
665736d9b6dc44ad8252cb21d5cdc6a063e50cd9925c28ce6238894c704cc3ba

SHA512
5769016d0c07bfaef47d2682a54470c37df9fbc6279b221272c78238815b36efd8c1fdaff64bb116ca863aeafe8a6949be0709c39b039e3bbd70ff576bca9f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1858052.exe

Filesize
305KB

MD5
ec9eeab665801d04cdf1351230c285f6

SHA1
ace8f30ffe0629e06c29308642b01aa8cf68cbc5

SHA256
95d5718d086ca2c49c93d65b5ec06e7b24c5f43932ca8f627e96320645854db9

SHA512
1fbd47ee01ed2d6e266a1d98f8d7737b02383ea2c2515f66ac6471d70c51cc5a9cd2961a083952348351e261619ee4778200a1d36cfc8fa369d38a3436bb45f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1858052.exe

Filesize
305KB

MD5
ec9eeab665801d04cdf1351230c285f6

SHA1
ace8f30ffe0629e06c29308642b01aa8cf68cbc5

SHA256
95d5718d086ca2c49c93d65b5ec06e7b24c5f43932ca8f627e96320645854db9

SHA512
1fbd47ee01ed2d6e266a1d98f8d7737b02383ea2c2515f66ac6471d70c51cc5a9cd2961a083952348351e261619ee4778200a1d36cfc8fa369d38a3436bb45f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6484029.exe

Filesize
186KB

MD5
ef865ab483b7d9b9a979b4ccb512474e

SHA1
04630de9276d7abf5df00aff8e15fd428699e7d8

SHA256
e3c0b2dd5d22c07b527b26a2fbf4fbe3e1140be6813e735bc7a496bcf018b584

SHA512
ac037fae3f3d3b413dba18c917a9149838de505df151d1685e925860935d73a542a953a3334459d168fce0b7f4e59c5a005d542dd551ac52b2a646091dba8c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6484029.exe

Filesize
186KB

MD5
ef865ab483b7d9b9a979b4ccb512474e

SHA1
04630de9276d7abf5df00aff8e15fd428699e7d8

SHA256
e3c0b2dd5d22c07b527b26a2fbf4fbe3e1140be6813e735bc7a496bcf018b584

SHA512
ac037fae3f3d3b413dba18c917a9149838de505df151d1685e925860935d73a542a953a3334459d168fce0b7f4e59c5a005d542dd551ac52b2a646091dba8c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0336463.exe

Filesize
145KB

MD5
3daa2fdd3536b4e664d93bb737b0f131

SHA1
2973ab4138367d3f81d093b2d096fe221fffdc84

SHA256
3955b899259ee508b9c13865eccec670c9dc2ca8a581fdf6b183ad9b4d749dc0

SHA512
905750933f32926c246e3d913c50b74738ff2be6183e66d88e80797d1edf09eb416f3dfad999dacee164378119a5ed3a32cb696d9bb8b1e9260097e3c8441410

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0336463.exe

Filesize
145KB

MD5
3daa2fdd3536b4e664d93bb737b0f131

SHA1
2973ab4138367d3f81d093b2d096fe221fffdc84

SHA256
3955b899259ee508b9c13865eccec670c9dc2ca8a581fdf6b183ad9b4d749dc0

SHA512
905750933f32926c246e3d913c50b74738ff2be6183e66d88e80797d1edf09eb416f3dfad999dacee164378119a5ed3a32cb696d9bb8b1e9260097e3c8441410

Download Submit
memory/956-199-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/956-196-0x00000000056B0000-0x00000000056C2000-memory.dmp

Filesize
72KB

Download
memory/956-195-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/956-194-0x0000000005C00000-0x0000000006218000-memory.dmp

Filesize
6.1MB

Download
memory/956-193-0x0000000000E20000-0x0000000000E4A000-memory.dmp

Filesize
168KB

Download
memory/956-197-0x0000000005710000-0x000000000574C000-memory.dmp

Filesize
240KB

Download
memory/956-198-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/1484-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-187-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1484-171-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-167-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-185-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-186-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1484-169-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-188-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1484-165-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-163-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-161-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-159-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-158-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1484-157-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1484-156-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1484-155-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1484-154-0x0000000004930000-0x0000000004ED4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads