redline | a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b

General

Target

a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Size

581KB
MD5

8ce40efd601775fd096265e1e74d9dd8
SHA1

c9e9fda8d3b3fe9fe1317903ab5c9cbe03896899
SHA256

a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b
SHA512

a7cf48306af8ae0baeb188dfcd91ac23727dc3b1d514554ce0e58cbac1486cbfb8eef5880cc1c7d495c0a8d359ccf6f0164496fbc9a86d389ca175d510999827
SSDEEP

12288:iMrCy90X3MMBIzilYy/wVRiO+AvFJXADhvfus:Uyo+zi9fevFWv7

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0846945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0846945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0846945.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0846945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0846945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0846945.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2164	y5111759.exe
3196	y8277928.exe
4100	k0846945.exe
2016	l9492403.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0846945.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5111759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5111759.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8277928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8277928.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4100	k0846945.exe
4100	k0846945.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe
2016	l9492403.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	k0846945.exe
Token: SeDebugPrivilege	2016	l9492403.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2164	4260	a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe	84
PID 4260 wrote to memory of 2164	4260	a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe	84
PID 4260 wrote to memory of 2164	4260	a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe	84
PID 2164 wrote to memory of 3196	2164	y5111759.exe	85
PID 2164 wrote to memory of 3196	2164	y5111759.exe	85
PID 2164 wrote to memory of 3196	2164	y5111759.exe	85
PID 3196 wrote to memory of 4100	3196	y8277928.exe	86
PID 3196 wrote to memory of 4100	3196	y8277928.exe	86
PID 3196 wrote to memory of 2016	3196	y8277928.exe	89
PID 3196 wrote to memory of 2016	3196	y8277928.exe	89
PID 3196 wrote to memory of 2016	3196	y8277928.exe	89

C:\Users\Admin\AppData\Local\Temp\a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe
"C:\Users\Admin\AppData\Local\Temp\a0b6c286e55a5e151e390f77f92bb8e51464a5b4ac4adba19ed3086b486cf19b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5111759.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5111759.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8277928.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8277928.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0846945.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0846945.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9492403.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9492403.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5111759.exe

Filesize
377KB

MD5
213bac7fd35c50873e679f3c3f59105a

SHA1
f1c48deda7d0b2f0237baa9910950f11a56a3fa0

SHA256
bdb25bcd5105a9c4ee318c30a00460c4a9dc714096491ee3ea10db87452b0e5b

SHA512
c29ff5eb6200ffd26b22504f52a4a2e623367c6032e63576f152f1bd12ea942ab5b86503bbd2c62916498848496646d62b004c017589c4b718facf18d84ee90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5111759.exe

Filesize
377KB

MD5
213bac7fd35c50873e679f3c3f59105a

SHA1
f1c48deda7d0b2f0237baa9910950f11a56a3fa0

SHA256
bdb25bcd5105a9c4ee318c30a00460c4a9dc714096491ee3ea10db87452b0e5b

SHA512
c29ff5eb6200ffd26b22504f52a4a2e623367c6032e63576f152f1bd12ea942ab5b86503bbd2c62916498848496646d62b004c017589c4b718facf18d84ee90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8277928.exe

Filesize
206KB

MD5
55c64f2c8a5104676de91ab7e47c6d11

SHA1
3ef5ec1bf88ea26be4b49115a759ff74557134ca

SHA256
830946070f695dce764bfd6b30c8860663101db4881071e1eda68d32987ec5b7

SHA512
e400a75e19e719f8a317d032972ff8c9035bc7408c7c1f52e2975120dc28b05b141a35c03dc940dcd50f8764535b978e81db790ad18a99c4599e13d9f4ee895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8277928.exe

Filesize
206KB

MD5
55c64f2c8a5104676de91ab7e47c6d11

SHA1
3ef5ec1bf88ea26be4b49115a759ff74557134ca

SHA256
830946070f695dce764bfd6b30c8860663101db4881071e1eda68d32987ec5b7

SHA512
e400a75e19e719f8a317d032972ff8c9035bc7408c7c1f52e2975120dc28b05b141a35c03dc940dcd50f8764535b978e81db790ad18a99c4599e13d9f4ee895b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0846945.exe

Filesize
11KB

MD5
df64bb318abf7bf0ca3defae3918d397

SHA1
e66918862b02e01a64c217cad5ea165c099f5f4c

SHA256
f68814bf170d9965f8efa549cf59fcae9bbe2bcf58e74673f1a70dafc751f4f9

SHA512
0dbf16d2f894979e7aa1cd9eecf0c9c7097d0dda9928bd31f9a618426023af98055e43f9bae3705ae2fe097ad7318d6f45de6287155fb1c3b9e91a63b9599882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0846945.exe

Filesize
11KB

MD5
df64bb318abf7bf0ca3defae3918d397

SHA1
e66918862b02e01a64c217cad5ea165c099f5f4c

SHA256
f68814bf170d9965f8efa549cf59fcae9bbe2bcf58e74673f1a70dafc751f4f9

SHA512
0dbf16d2f894979e7aa1cd9eecf0c9c7097d0dda9928bd31f9a618426023af98055e43f9bae3705ae2fe097ad7318d6f45de6287155fb1c3b9e91a63b9599882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9492403.exe

Filesize
172KB

MD5
4cd3e1d98ff5ce7f3e9bfe095998e3d7

SHA1
79f71759166ea07e0ecd092eec3932f2e6972e53

SHA256
55363be4ebdd9bdce81f56a8da8108d8da5f914c40eea89d8b4c6e7a33002548

SHA512
65859518ea6a66d146239ffc6c687099ac7403b77a080b0a6fafca2910e8cdd055f8b8def6b1f948fdbdeb5e0393f0790d827ff66633ef79f9f003fc31c3e33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9492403.exe

Filesize
172KB

MD5
4cd3e1d98ff5ce7f3e9bfe095998e3d7

SHA1
79f71759166ea07e0ecd092eec3932f2e6972e53

SHA256
55363be4ebdd9bdce81f56a8da8108d8da5f914c40eea89d8b4c6e7a33002548

SHA512
65859518ea6a66d146239ffc6c687099ac7403b77a080b0a6fafca2910e8cdd055f8b8def6b1f948fdbdeb5e0393f0790d827ff66633ef79f9f003fc31c3e33b

Download Submit
memory/2016-160-0x000000000A750000-0x000000000AD68000-memory.dmp

Filesize
6.1MB

Download
memory/2016-165-0x000000000A660000-0x000000000A6D6000-memory.dmp

Filesize
472KB

Download
memory/2016-172-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-161-0x000000000A2A0000-0x000000000A3AA000-memory.dmp

Filesize
1.0MB

Download
memory/2016-162-0x000000000A1E0000-0x000000000A1F2000-memory.dmp

Filesize
72KB

Download
memory/2016-163-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2016-164-0x000000000A240000-0x000000000A27C000-memory.dmp

Filesize
240KB

Download
memory/2016-159-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/2016-166-0x000000000AE10000-0x000000000AEA2000-memory.dmp

Filesize
584KB

Download
memory/2016-167-0x000000000B460000-0x000000000BA04000-memory.dmp

Filesize
5.6MB

Download
memory/2016-168-0x000000000AD70000-0x000000000ADD6000-memory.dmp

Filesize
408KB

Download
memory/2016-169-0x000000000BA10000-0x000000000BBD2000-memory.dmp

Filesize
1.8MB

Download
memory/2016-170-0x000000000C110000-0x000000000C63C000-memory.dmp

Filesize
5.2MB

Download
memory/2016-171-0x000000000BBE0000-0x000000000BC30000-memory.dmp

Filesize
320KB

Download
memory/4100-154-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads