redline | acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f

General

Target

acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe
Size

901KB
MD5

3143aa29bef779dc6a571e9d937b0349
SHA1

fa30770b83a9dd544bdf856fca117f109f348fc4
SHA256

acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f
SHA512

548eea974acc601dd568dff54b26bb2776f05f57c6faa48ea84b53719f1d35fef6cd162af2ee1c9036ad7adcab18f132760d086814948528d85ae755e0e4af8a
SSDEEP

24576:gyq1TFa5hKu6E+5WTDrT1LJ+J1YGvDlG2E:nqRF8695WL7KYKlG

Score

10^/10

redline lupa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
892	z1613462.exe
3224	z3383308.exe
636	o6994690.exe
3568	p0934982.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1613462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1613462.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3383308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3383308.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 636 set thread context of 2832	636	o6994690.exe	87

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2832	AppLaunch.exe
2832	AppLaunch.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe
3568	p0934982.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	AppLaunch.exe
Token: SeDebugPrivilege	3568	p0934982.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 892	5028	acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe	83
PID 5028 wrote to memory of 892	5028	acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe	83
PID 5028 wrote to memory of 892	5028	acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe	83
PID 892 wrote to memory of 3224	892	z1613462.exe	84
PID 892 wrote to memory of 3224	892	z1613462.exe	84
PID 892 wrote to memory of 3224	892	z1613462.exe	84
PID 3224 wrote to memory of 636	3224	z3383308.exe	85
PID 3224 wrote to memory of 636	3224	z3383308.exe	85
PID 3224 wrote to memory of 636	3224	z3383308.exe	85
PID 636 wrote to memory of 2832	636	o6994690.exe	87
PID 636 wrote to memory of 2832	636	o6994690.exe	87
PID 636 wrote to memory of 2832	636	o6994690.exe	87
PID 636 wrote to memory of 2832	636	o6994690.exe	87
PID 636 wrote to memory of 2832	636	o6994690.exe	87
PID 3224 wrote to memory of 3568	3224	z3383308.exe	88
PID 3224 wrote to memory of 3568	3224	z3383308.exe	88
PID 3224 wrote to memory of 3568	3224	z3383308.exe	88

C:\Users\Admin\AppData\Local\Temp\acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe
"C:\Users\Admin\AppData\Local\Temp\acc11827e48f2b8c97831350347cd88935891e0ec4f665a6c705a58ad6512a2f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1613462.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1613462.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3383308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3383308.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6994690.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6994690.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0934982.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0934982.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1613462.exe

Filesize
457KB

MD5
c3458732af9eda0ac99f710588c94fda

SHA1
d368d836febab679087e51405607c5c742196780

SHA256
9157696e1e9d0544f92dc993f3ca4d501e8f503b4003bd0f20d071695ad33e97

SHA512
a8c17c311a7c72ee78b1728bbfbf161fa265fec5cb72f0ea16c1eed6fbb8df241d418f24ffc789690aa4f90ed84d19052b6717ffcf693ed176eb756d314e8b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1613462.exe

Filesize
457KB

MD5
c3458732af9eda0ac99f710588c94fda

SHA1
d368d836febab679087e51405607c5c742196780

SHA256
9157696e1e9d0544f92dc993f3ca4d501e8f503b4003bd0f20d071695ad33e97

SHA512
a8c17c311a7c72ee78b1728bbfbf161fa265fec5cb72f0ea16c1eed6fbb8df241d418f24ffc789690aa4f90ed84d19052b6717ffcf693ed176eb756d314e8b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3383308.exe

Filesize
254KB

MD5
1acfadafa150f396b9a15ae7e7028142

SHA1
d873935bc40a29e198d04c8e3f14c0656be397ee

SHA256
f04cb30686c6da87be916eb0155dabca4c27ffd4d7596bc776d3ba2c05972682

SHA512
ea291cac911697024b1d3cb464f1f79b40b36c962a9cacb3da291b02c0df901d4cd351fbe0b45cd2dbee19b040f98e01d3ef82bf3a1399599a06be5bede67290

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3383308.exe

Filesize
254KB

MD5
1acfadafa150f396b9a15ae7e7028142

SHA1
d873935bc40a29e198d04c8e3f14c0656be397ee

SHA256
f04cb30686c6da87be916eb0155dabca4c27ffd4d7596bc776d3ba2c05972682

SHA512
ea291cac911697024b1d3cb464f1f79b40b36c962a9cacb3da291b02c0df901d4cd351fbe0b45cd2dbee19b040f98e01d3ef82bf3a1399599a06be5bede67290

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6994690.exe

Filesize
108KB

MD5
36c15821c870cd413b17eb00a1929223

SHA1
dce51d9373eb1dc9a6714fa9f88ca243d6d6c484

SHA256
c740105a4efced86ca5c8d0c06cef9297f865fa0c2ef3c8aac1e9f75bf3fb21d

SHA512
c8ac36cec585643a40a67a08b6de0b7b89190ee1cbeef46b34fb86589aeb0a1ba3a269902b73820638f2282d2000f142b65b657ea666f888ddb418c2179043ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6994690.exe

Filesize
108KB

MD5
36c15821c870cd413b17eb00a1929223

SHA1
dce51d9373eb1dc9a6714fa9f88ca243d6d6c484

SHA256
c740105a4efced86ca5c8d0c06cef9297f865fa0c2ef3c8aac1e9f75bf3fb21d

SHA512
c8ac36cec585643a40a67a08b6de0b7b89190ee1cbeef46b34fb86589aeb0a1ba3a269902b73820638f2282d2000f142b65b657ea666f888ddb418c2179043ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0934982.exe

Filesize
172KB

MD5
3b77f1afd02fc96c02ccd9af4b0dd9e4

SHA1
6db1dada2768be95686762113f8ac9a689ac05c2

SHA256
a0cbfb3c60c1e0a5ed0fbfdcc770727770654e5a254d7ece37c92fe43306d056

SHA512
b9a636acaeb94f2c8d95adb544d2e0d2578f9c4e1eb24a84b9206d0900f6182216bf2f4cdcafc8a3ab6ea3a98fb3f639e8483ac9882bb8f559eab2474a775be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0934982.exe

Filesize
172KB

MD5
3b77f1afd02fc96c02ccd9af4b0dd9e4

SHA1
6db1dada2768be95686762113f8ac9a689ac05c2

SHA256
a0cbfb3c60c1e0a5ed0fbfdcc770727770654e5a254d7ece37c92fe43306d056

SHA512
b9a636acaeb94f2c8d95adb544d2e0d2578f9c4e1eb24a84b9206d0900f6182216bf2f4cdcafc8a3ab6ea3a98fb3f639e8483ac9882bb8f559eab2474a775be3

Download Submit
memory/2832-154-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3568-163-0x000000000AB70000-0x000000000B188000-memory.dmp

Filesize
6.1MB

Download
memory/3568-170-0x000000000B310000-0x000000000B386000-memory.dmp

Filesize
472KB

Download
memory/3568-164-0x000000000A690000-0x000000000A79A000-memory.dmp

Filesize
1.0MB

Download
memory/3568-165-0x000000000A5D0000-0x000000000A5E2000-memory.dmp

Filesize
72KB

Download
memory/3568-166-0x000000000A630000-0x000000000A66C000-memory.dmp

Filesize
240KB

Download
memory/3568-167-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3568-169-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3568-162-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download
memory/3568-171-0x000000000B430000-0x000000000B4C2000-memory.dmp

Filesize
584KB

Download
memory/3568-172-0x000000000BA80000-0x000000000C024000-memory.dmp

Filesize
5.6MB

Download
memory/3568-173-0x000000000B390000-0x000000000B3F6000-memory.dmp

Filesize
408KB

Download
memory/3568-174-0x000000000B660000-0x000000000B6B0000-memory.dmp

Filesize
320KB

Download
memory/3568-175-0x000000000C030000-0x000000000C1F2000-memory.dmp

Filesize
1.8MB

Download
memory/3568-176-0x000000000C730000-0x000000000CC5C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads