redline | 977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635

General

Target

977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe
Size

580KB
MD5

452489a1150425131ed17dbfe2c0ca39
SHA1

fb7023bb777ec8971e4f2de371d574beceda87ba
SHA256

977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635
SHA512

16912a8046fd41dd501e604f19bd4b6e0341787aafff3aac324d34e9c6d3e33b403a38edb49d631747ac7008041d466a8cc3ab2a23359bf8e4353e983adfa0d5
SSDEEP

12288:SMrYy90+xeBwhCxCVeshK4WaJkgqJ1OW8S+XoPspUx8a/:+yneBmbEgqyHSg0EUx8a/

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k7702934.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7702934.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7702934.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7702934.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7702934.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7702934.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1948	y1139040.exe
4604	y1205878.exe
4668	k7702934.exe
4216	l9010273.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7702934.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1139040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1139040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1205878.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1205878.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4668	k7702934.exe
4668	k7702934.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe
4216	l9010273.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	k7702934.exe
Token: SeDebugPrivilege	4216	l9010273.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1948	1188	977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe	82
PID 1188 wrote to memory of 1948	1188	977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe	82
PID 1188 wrote to memory of 1948	1188	977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe	82
PID 1948 wrote to memory of 4604	1948	y1139040.exe	83
PID 1948 wrote to memory of 4604	1948	y1139040.exe	83
PID 1948 wrote to memory of 4604	1948	y1139040.exe	83
PID 4604 wrote to memory of 4668	4604	y1205878.exe	84
PID 4604 wrote to memory of 4668	4604	y1205878.exe	84
PID 4604 wrote to memory of 4216	4604	y1205878.exe	85
PID 4604 wrote to memory of 4216	4604	y1205878.exe	85
PID 4604 wrote to memory of 4216	4604	y1205878.exe	85

C:\Users\Admin\AppData\Local\Temp\977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe
"C:\Users\Admin\AppData\Local\Temp\977b2eb0222cd54da6a56abc17715838759486391dde8ac85c5bcc368f6dd635.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1139040.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1139040.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1205878.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1205878.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7702934.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7702934.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9010273.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9010273.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1139040.exe

Filesize
377KB

MD5
7a4834acda15293bab3ef3c97d14a4a3

SHA1
2247528246dc05a1ec0a800377272aa457be47d5

SHA256
0700167b79e7febf337249992af289fc89cdf8ca0ffd6cc994efa9327fb7687b

SHA512
fd2ac5125b0c9de498385fa45b696ad4fae0cf0b473ed2b90d77b4442ccfcc521ad8f766ad7662d6dc653158c4f34953b0f2a20e7be9380425cd2c8010d6c832

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1139040.exe

Filesize
377KB

MD5
7a4834acda15293bab3ef3c97d14a4a3

SHA1
2247528246dc05a1ec0a800377272aa457be47d5

SHA256
0700167b79e7febf337249992af289fc89cdf8ca0ffd6cc994efa9327fb7687b

SHA512
fd2ac5125b0c9de498385fa45b696ad4fae0cf0b473ed2b90d77b4442ccfcc521ad8f766ad7662d6dc653158c4f34953b0f2a20e7be9380425cd2c8010d6c832

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1205878.exe

Filesize
206KB

MD5
d335b9ea65d541899c5c858ab3ff0875

SHA1
9511b6daac68b9186d44d0323426448996ed1e01

SHA256
f5e55fa136144a8f47da30d97d537c3dcc80997c8c2555d90cafcfc75ecde2fc

SHA512
4a4f8d111f881e0dd23b55386095f14139561002dc5efc6848f2ba69c0d6189bda1890ab58f3020a882185813cd7769c3e951fdc5878fd9acaff032c7b3ae023

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1205878.exe

Filesize
206KB

MD5
d335b9ea65d541899c5c858ab3ff0875

SHA1
9511b6daac68b9186d44d0323426448996ed1e01

SHA256
f5e55fa136144a8f47da30d97d537c3dcc80997c8c2555d90cafcfc75ecde2fc

SHA512
4a4f8d111f881e0dd23b55386095f14139561002dc5efc6848f2ba69c0d6189bda1890ab58f3020a882185813cd7769c3e951fdc5878fd9acaff032c7b3ae023

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7702934.exe

Filesize
11KB

MD5
2242a73e5d03dca57c8136edd90d2de1

SHA1
a893a84a8048e464ad5dd78e62be9e4eac326aca

SHA256
f55f37a6b45247381b7bd4f7629bd396d1ea86a919fc9a5e7866dc56921cb2d2

SHA512
39e2eb06b62f81fc6287a1fa3bdcf3ec34bf5a1eb6e383956db43c28772dd8c281794668a5aaa7ae97c8adb81fc7f174f5676429cd8eeb1957a9ba4d9b454ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7702934.exe

Filesize
11KB

MD5
2242a73e5d03dca57c8136edd90d2de1

SHA1
a893a84a8048e464ad5dd78e62be9e4eac326aca

SHA256
f55f37a6b45247381b7bd4f7629bd396d1ea86a919fc9a5e7866dc56921cb2d2

SHA512
39e2eb06b62f81fc6287a1fa3bdcf3ec34bf5a1eb6e383956db43c28772dd8c281794668a5aaa7ae97c8adb81fc7f174f5676429cd8eeb1957a9ba4d9b454ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9010273.exe

Filesize
172KB

MD5
3b91e8875fcd67904171b193cceef2ba

SHA1
b420e12ad52565b5e49599afc9359ad7c86956be

SHA256
5172d5e59066531bbb20e7bd398e01670d3e66a90a297bd362ab1d5753a869a3

SHA512
77998e2832a20b3187bcbded55437c3f704fcbcb4dd6afebe0adf133d81a7d71d90e25e7ea0469a7ba14defa7e8ac7b4d7c53a2942360f5480ae1a6687afc2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9010273.exe

Filesize
172KB

MD5
3b91e8875fcd67904171b193cceef2ba

SHA1
b420e12ad52565b5e49599afc9359ad7c86956be

SHA256
5172d5e59066531bbb20e7bd398e01670d3e66a90a297bd362ab1d5753a869a3

SHA512
77998e2832a20b3187bcbded55437c3f704fcbcb4dd6afebe0adf133d81a7d71d90e25e7ea0469a7ba14defa7e8ac7b4d7c53a2942360f5480ae1a6687afc2dd

Download Submit
memory/4216-160-0x000000000A4A0000-0x000000000AAB8000-memory.dmp

Filesize
6.1MB

Download
memory/4216-165-0x000000000A260000-0x000000000A2D6000-memory.dmp

Filesize
472KB

Download
memory/4216-172-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4216-161-0x0000000009FB0000-0x000000000A0BA000-memory.dmp

Filesize
1.0MB

Download
memory/4216-162-0x0000000009EF0000-0x0000000009F02000-memory.dmp

Filesize
72KB

Download
memory/4216-163-0x0000000009F50000-0x0000000009F8C000-memory.dmp

Filesize
240KB

Download
memory/4216-164-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4216-159-0x0000000000170000-0x00000000001A0000-memory.dmp

Filesize
192KB

Download
memory/4216-166-0x000000000A380000-0x000000000A412000-memory.dmp

Filesize
584KB

Download
memory/4216-167-0x000000000B070000-0x000000000B614000-memory.dmp

Filesize
5.6MB

Download
memory/4216-168-0x000000000A420000-0x000000000A486000-memory.dmp

Filesize
408KB

Download
memory/4216-169-0x000000000AFB0000-0x000000000B000000-memory.dmp

Filesize
320KB

Download
memory/4216-170-0x000000000B8F0000-0x000000000BAB2000-memory.dmp

Filesize
1.8MB

Download
memory/4216-171-0x000000000BFF0000-0x000000000C51C000-memory.dmp

Filesize
5.2MB

Download
memory/4668-154-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads