redline | 17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551

General

Target

17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe
Size

851KB
MD5

4ae10e95595d3853f1591b9ffd6582f3
SHA1

deea08ce19b594bce56eb89ae55c9e60c5e21b60
SHA256

17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551
SHA512

314a78d4b22bd9b3037e7bbf700743a000775653c0efab46f53ca8e7ae08b99f6f207b6a354c077aa2d8ba75253e4f0c68baf442c78454a00442f7f489889176
SSDEEP

12288:YMr0y90KZFOuyDwaLJSu6a8hAhDvB85WA/PTaua7Bb6RsIbrWtMlY4Vx5y1xT:sypZ8X9Z8ihD+YgPSBQsqrWWlY+56B

Score

10^/10

redline lupa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o9300831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o9300831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o9300831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o9300831.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o9300831.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1908	z1809978.exe
2404	z2617184.exe
2592	o9300831.exe
3184	p9073462.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o9300831.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1809978.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2617184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2617184.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1809978.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2592	o9300831.exe
2592	o9300831.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe
3184	p9073462.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	o9300831.exe
Token: SeDebugPrivilege	3184	p9073462.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1908	2008	17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe	66
PID 2008 wrote to memory of 1908	2008	17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe	66
PID 2008 wrote to memory of 1908	2008	17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe	66
PID 1908 wrote to memory of 2404	1908	z1809978.exe	67
PID 1908 wrote to memory of 2404	1908	z1809978.exe	67
PID 1908 wrote to memory of 2404	1908	z1809978.exe	67
PID 2404 wrote to memory of 2592	2404	z2617184.exe	68
PID 2404 wrote to memory of 2592	2404	z2617184.exe	68
PID 2404 wrote to memory of 3184	2404	z2617184.exe	69
PID 2404 wrote to memory of 3184	2404	z2617184.exe	69
PID 2404 wrote to memory of 3184	2404	z2617184.exe	69

C:\Users\Admin\AppData\Local\Temp\17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe
"C:\Users\Admin\AppData\Local\Temp\17f856d1cc22f4b197f7b578e966521cf72482b8678df9102d9128a999f4d551.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1809978.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1809978.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2617184.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2617184.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9300831.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9300831.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9073462.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9073462.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1809978.exe

Filesize
408KB

MD5
656ca112200e59e159f42992c522d34f

SHA1
544fd3a65cd10ba5b3fdf55b0d08e629385218fe

SHA256
2595bf3229546d56a95e05da12f9719197f0e6fbc6c888a142a084e20a92118e

SHA512
304ba4eb3861510594d5782f82cde15b978c5b67981652022b032fc6c55ab73d7bdf2c208c2d1c11cadd8c67f1c953dc7ad47f9e8edc1899cbcfc3ee3eb373f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1809978.exe

Filesize
408KB

MD5
656ca112200e59e159f42992c522d34f

SHA1
544fd3a65cd10ba5b3fdf55b0d08e629385218fe

SHA256
2595bf3229546d56a95e05da12f9719197f0e6fbc6c888a142a084e20a92118e

SHA512
304ba4eb3861510594d5782f82cde15b978c5b67981652022b032fc6c55ab73d7bdf2c208c2d1c11cadd8c67f1c953dc7ad47f9e8edc1899cbcfc3ee3eb373f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2617184.exe

Filesize
206KB

MD5
c4079f13739a5eb308c6f839265e61f0

SHA1
2636c877ba92085ff60686ce8abd9973e8fe2f87

SHA256
3615a511a9b099d1f4a253a0b4eb88aa74321dfb6a58a3a4150b16ebdc315218

SHA512
e521bc833ca006432d703b3444781bf5c78f91366de60ac8fefe13db37372517b92af6f06641c96258b0cc674f024fda43a64237b794729cd030f0fdf7a061e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2617184.exe

Filesize
206KB

MD5
c4079f13739a5eb308c6f839265e61f0

SHA1
2636c877ba92085ff60686ce8abd9973e8fe2f87

SHA256
3615a511a9b099d1f4a253a0b4eb88aa74321dfb6a58a3a4150b16ebdc315218

SHA512
e521bc833ca006432d703b3444781bf5c78f91366de60ac8fefe13db37372517b92af6f06641c96258b0cc674f024fda43a64237b794729cd030f0fdf7a061e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9300831.exe

Filesize
11KB

MD5
b530de265c83d5fe298e29c97e106d63

SHA1
c895f9bb76f26056719c587e2e62e23751ef3bd0

SHA256
3cefc7b492ac144052388b62f1491823b9559226fd315efa8486011907fc18f7

SHA512
4c415590a9862fd6256998e986982d1e03590993349dd0eda21244acf950c143992aa6929747ab8ce82457513a65f54fda8b77434da54af28f603b464f7f1fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9300831.exe

Filesize
11KB

MD5
b530de265c83d5fe298e29c97e106d63

SHA1
c895f9bb76f26056719c587e2e62e23751ef3bd0

SHA256
3cefc7b492ac144052388b62f1491823b9559226fd315efa8486011907fc18f7

SHA512
4c415590a9862fd6256998e986982d1e03590993349dd0eda21244acf950c143992aa6929747ab8ce82457513a65f54fda8b77434da54af28f603b464f7f1fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9073462.exe

Filesize
172KB

MD5
f0927d3180f9a72f31076afd941e1836

SHA1
c534b84291c1ec3c3375a7d111659afee0ba90dc

SHA256
a7e6e1796d0ac68120de55a41433fb928db98847388656cbbf5c46b411b6458e

SHA512
23ae226ee29b108ae53863708734e4840bc525d8701f2c368081430b4c693f1b8d96f4e59768046967558b4d1b71eeedd64c8809ecda2f37f525599e13ac9e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9073462.exe

Filesize
172KB

MD5
f0927d3180f9a72f31076afd941e1836

SHA1
c534b84291c1ec3c3375a7d111659afee0ba90dc

SHA256
a7e6e1796d0ac68120de55a41433fb928db98847388656cbbf5c46b411b6458e

SHA512
23ae226ee29b108ae53863708734e4840bc525d8701f2c368081430b4c693f1b8d96f4e59768046967558b4d1b71eeedd64c8809ecda2f37f525599e13ac9e98

Download Submit
memory/2592-142-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/3184-150-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/3184-154-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3184-149-0x0000000005D50000-0x0000000006356000-memory.dmp

Filesize
6.0MB

Download
memory/3184-147-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/3184-151-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/3184-152-0x0000000005740000-0x000000000577E000-memory.dmp

Filesize
248KB

Download
memory/3184-153-0x0000000005790000-0x00000000057DB000-memory.dmp

Filesize
300KB

Download
memory/3184-148-0x0000000005580000-0x0000000005586000-memory.dmp

Filesize
24KB

Download
memory/3184-155-0x0000000005A60000-0x0000000005AD6000-memory.dmp

Filesize
472KB

Download
memory/3184-156-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/3184-157-0x0000000006D70000-0x000000000726E000-memory.dmp

Filesize
5.0MB

Download
memory/3184-158-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/3184-159-0x0000000006B40000-0x0000000006D02000-memory.dmp

Filesize
1.8MB

Download
memory/3184-160-0x0000000008AC0000-0x0000000008FEC000-memory.dmp

Filesize
5.2MB

Download
memory/3184-161-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/3184-162-0x0000000006D10000-0x0000000006D60000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads