redline | e49f3e10d04def90bcd4bb4dc2106cf2161b13c5bb0073866ed2c8ef14dda1af

General

Target

eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe
Size

1021KB
MD5

3eb41edab78db1b73fe65e768c0936c1
SHA1

9e623ff0f9a010baf6ec0a845f610d366cd33155
SHA256

eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333
SHA512

51fef1595378fcf089d7343887e94b31648101e54fa20860297c3e51a58a05106fa7035b725fc08900fe5a3148cd3b276f1f5286b1c8cd9c2dfca9de9026bd8f
SSDEEP

24576:Ay9lAduF8o5mmqZwcEEfjg3iuQJALUpU6uE7Hu:H9ofopqScEAg3IJsU9uE7H

Score

10^/10

redline luza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

luza

C2

185.161.248.37:4138

Attributes

auth_value
1261701914d508e02e8b4f25d38bc7f9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9037440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9037440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9037440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9037440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9037440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o9037440.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4208	z9102937.exe
3784	z6830828.exe
2184	o9037440.exe
1664	p1596133.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o9037440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9037440.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6830828.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9102937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9102937.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6830828.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	o9037440.exe
2184	o9037440.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	o9037440.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4208	3984	eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe	79
PID 3984 wrote to memory of 4208	3984	eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe	79
PID 3984 wrote to memory of 4208	3984	eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe	79
PID 4208 wrote to memory of 3784	4208	z9102937.exe	80
PID 4208 wrote to memory of 3784	4208	z9102937.exe	80
PID 4208 wrote to memory of 3784	4208	z9102937.exe	80
PID 3784 wrote to memory of 2184	3784	z6830828.exe	81
PID 3784 wrote to memory of 2184	3784	z6830828.exe	81
PID 3784 wrote to memory of 2184	3784	z6830828.exe	81
PID 3784 wrote to memory of 1664	3784	z6830828.exe	87
PID 3784 wrote to memory of 1664	3784	z6830828.exe	87
PID 3784 wrote to memory of 1664	3784	z6830828.exe	87

C:\Users\Admin\AppData\Local\Temp\eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe
"C:\Users\Admin\AppData\Local\Temp\eee2af8cb9fce696685e45f7f328963cfdce3ac4c1bc55775e46205b2b4ee333.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9102937.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9102937.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6830828.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6830828.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9037440.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9037440.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1596133.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1596133.exe
      4⤵
      Executes dropped EXE
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9102937.exe

Filesize
577KB

MD5
fc5bf8546a3b24c0489c4f8e4e69b7ff

SHA1
a118537e4bc88df67b9bfc6e0940f64236844836

SHA256
037ad8e86172ca2f7a3f180f87bdf7e43bcee427c7ab6d2044c5c599c0c78c80

SHA512
0434d9683cbc02905a0a718e14c0058d5e3e612104c372b824530817409831a8b3135e84efb0a4a8d041cf02cf6ea8b57d3771225156847787ba077450f45943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9102937.exe

Filesize
577KB

MD5
fc5bf8546a3b24c0489c4f8e4e69b7ff

SHA1
a118537e4bc88df67b9bfc6e0940f64236844836

SHA256
037ad8e86172ca2f7a3f180f87bdf7e43bcee427c7ab6d2044c5c599c0c78c80

SHA512
0434d9683cbc02905a0a718e14c0058d5e3e612104c372b824530817409831a8b3135e84efb0a4a8d041cf02cf6ea8b57d3771225156847787ba077450f45943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6830828.exe

Filesize
305KB

MD5
467cf5a08083fb94c2209aeef74a787d

SHA1
22a153b84ff7b5639c219208cb259b7b13a26d39

SHA256
aaaccc600478029eba7e10399dfc29c0fdc4f1f4ae5d6d0ed71e8589de6edc5a

SHA512
067c7674127b8d2d049bc2ddb377127cacc69c3859625578c6a5296bf20c459ef217581ec933a8513b6069a44c758961abd1f458cd1e3915313643793b48e5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6830828.exe

Filesize
305KB

MD5
467cf5a08083fb94c2209aeef74a787d

SHA1
22a153b84ff7b5639c219208cb259b7b13a26d39

SHA256
aaaccc600478029eba7e10399dfc29c0fdc4f1f4ae5d6d0ed71e8589de6edc5a

SHA512
067c7674127b8d2d049bc2ddb377127cacc69c3859625578c6a5296bf20c459ef217581ec933a8513b6069a44c758961abd1f458cd1e3915313643793b48e5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9037440.exe

Filesize
185KB

MD5
bc1d4cbaf2008c1a437600275f7e31f2

SHA1
e6f3d76a463d3154963acdd00a7ec7b9e3d80ae7

SHA256
acf21666dad76a5452ec2115a0127beedd8fe8ef8e14dcb3c6950cbcac3957da

SHA512
4832a40ca94e279b6eac8a7b8da081aadf9b67597b05a1dbde3cddba36ab32c7fd931f545f27e08b7bdbbe28fed7c6074b6c1c289b4243369103471b29eda2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9037440.exe

Filesize
185KB

MD5
bc1d4cbaf2008c1a437600275f7e31f2

SHA1
e6f3d76a463d3154963acdd00a7ec7b9e3d80ae7

SHA256
acf21666dad76a5452ec2115a0127beedd8fe8ef8e14dcb3c6950cbcac3957da

SHA512
4832a40ca94e279b6eac8a7b8da081aadf9b67597b05a1dbde3cddba36ab32c7fd931f545f27e08b7bdbbe28fed7c6074b6c1c289b4243369103471b29eda2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1596133.exe

Filesize
145KB

MD5
73d80ec0c39ad9030380c3b23b218244

SHA1
cddcfa52407d01e8d7953f6c2470e1e025da6ebb

SHA256
01e84ba1a1338027b2fc6e303f03d915c6928af2c6fe10bdf4dcb5cf856f2036

SHA512
a33369ee16f25f40a60fb9bdeca01bd09a1a1fe25a59854b616f907f4534cae4f8c95a08f4335e98debb0a25f7487becf82e1df984e06a25a43f7a01afb58f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1596133.exe

Filesize
145KB

MD5
73d80ec0c39ad9030380c3b23b218244

SHA1
cddcfa52407d01e8d7953f6c2470e1e025da6ebb

SHA256
01e84ba1a1338027b2fc6e303f03d915c6928af2c6fe10bdf4dcb5cf856f2036

SHA512
a33369ee16f25f40a60fb9bdeca01bd09a1a1fe25a59854b616f907f4534cae4f8c95a08f4335e98debb0a25f7487becf82e1df984e06a25a43f7a01afb58f15

Download Submit
memory/1664-198-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1664-197-0x0000000004C70000-0x0000000004CAC000-memory.dmp

Filesize
240KB

Download
memory/1664-196-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/1664-195-0x0000000004C10000-0x0000000004C22000-memory.dmp

Filesize
72KB

Download
memory/1664-194-0x0000000004CD0000-0x0000000004DDA000-memory.dmp

Filesize
1.0MB

Download
memory/1664-193-0x0000000005150000-0x0000000005768000-memory.dmp

Filesize
6.1MB

Download
memory/1664-192-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/2184-157-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-187-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2184-172-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-174-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-176-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-178-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-180-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-182-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-184-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-185-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2184-186-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2184-170-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-168-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-166-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-164-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-162-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-160-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-158-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/2184-154-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2184-156-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/2184-155-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads