redline | 60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d

General

Target

60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe
Size

580KB
MD5

b8ea97b93a25d8e5b7f00124759191e2
SHA1

855ff954a752af12f0f00d88ee14635e08b4cb7d
SHA256

60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d
SHA512

a16f768acd7b035db2833fb89a973b3e6835705691a6fbedb44bad4d92597f9b0f74e3e8a96b85189e2d62124f6e8de853e47d28f72ffbb146a21aa2e1f50ee9
SSDEEP

12288:UMrty907iSOnjAuQN8q13s0uhiKmSuGIQ3If6EtVYfRail+Z3pQOywF:xyYif8N9s0uhiK7JIQ+bYkb/B

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0068045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0068045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0068045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0068045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0068045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0068045.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2388	y8664543.exe
1684	y1526027.exe
3768	k0068045.exe
584	l9075391.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0068045.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8664543.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8664543.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1526027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1526027.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3768	k0068045.exe
3768	k0068045.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	k0068045.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2388	1680	60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe	85
PID 1680 wrote to memory of 2388	1680	60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe	85
PID 1680 wrote to memory of 2388	1680	60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe	85
PID 2388 wrote to memory of 1684	2388	y8664543.exe	84
PID 2388 wrote to memory of 1684	2388	y8664543.exe	84
PID 2388 wrote to memory of 1684	2388	y8664543.exe	84
PID 1684 wrote to memory of 3768	1684	y1526027.exe	86
PID 1684 wrote to memory of 3768	1684	y1526027.exe	86
PID 1684 wrote to memory of 584	1684	y1526027.exe	87
PID 1684 wrote to memory of 584	1684	y1526027.exe	87
PID 1684 wrote to memory of 584	1684	y1526027.exe	87

C:\Users\Admin\AppData\Local\Temp\60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe
"C:\Users\Admin\AppData\Local\Temp\60c7192fb5c1d846f9253e2e9f95effc17796d3b4aefadbafb6e1d58c6fbcd6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8664543.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8664543.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1526027.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1526027.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0068045.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0068045.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9075391.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9075391.exe
  2⤵
  - Executes dropped EXE
  PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8664543.exe

Filesize
377KB

MD5
b49f6c6e10965a33997b7fc5e918bcff

SHA1
944a0e7760f66554c9d29a2d2085d18926e94500

SHA256
c913fc6175b1a7c69324481891182199f47f12ec3155570a34cc3d963288435b

SHA512
5f22b0b852880bd66822f6dc28e82d5555a537c5a250dc9c9d3171a4ad59929ad8d5ab0479fe581a1555fedda18652b2ac1e077898ec7518137d25aedda571e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8664543.exe

Filesize
377KB

MD5
b49f6c6e10965a33997b7fc5e918bcff

SHA1
944a0e7760f66554c9d29a2d2085d18926e94500

SHA256
c913fc6175b1a7c69324481891182199f47f12ec3155570a34cc3d963288435b

SHA512
5f22b0b852880bd66822f6dc28e82d5555a537c5a250dc9c9d3171a4ad59929ad8d5ab0479fe581a1555fedda18652b2ac1e077898ec7518137d25aedda571e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1526027.exe

Filesize
206KB

MD5
b101b3514a35734b316c2cfa555ae263

SHA1
caa7895356927d11d3b360c205038423495d8d38

SHA256
065b7668a40941a09e7cfe23becaa23d5538d4ff1bd784e216cc8cae0aa47053

SHA512
268f86363f5b623bfd20ede75ccab9567181c113ccba2d5641b2e4bfe40d83239ee3788df0ef59ac172125c9cda5d1d55589230bedc679b46ea59df518be65e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1526027.exe

Filesize
206KB

MD5
b101b3514a35734b316c2cfa555ae263

SHA1
caa7895356927d11d3b360c205038423495d8d38

SHA256
065b7668a40941a09e7cfe23becaa23d5538d4ff1bd784e216cc8cae0aa47053

SHA512
268f86363f5b623bfd20ede75ccab9567181c113ccba2d5641b2e4bfe40d83239ee3788df0ef59ac172125c9cda5d1d55589230bedc679b46ea59df518be65e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0068045.exe

Filesize
11KB

MD5
4e34e3cda458c0d0b3f5ece1c6e2cdbc

SHA1
bb587ff6430bb716aa30a72dda71631eb7136c2a

SHA256
2fd04e93d4cfa8ab4da43068efbc8eb54f6c22b4ce8aabce229d1de37a6a010f

SHA512
1f248de0b149c17be03b1ec0e4c1e6699bcc92b363708e058539971f4cb51adf904d8c20f80fa3d904a203feabf368cbe4114354bf2c83d27dded4a21c04acc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0068045.exe

Filesize
11KB

MD5
4e34e3cda458c0d0b3f5ece1c6e2cdbc

SHA1
bb587ff6430bb716aa30a72dda71631eb7136c2a

SHA256
2fd04e93d4cfa8ab4da43068efbc8eb54f6c22b4ce8aabce229d1de37a6a010f

SHA512
1f248de0b149c17be03b1ec0e4c1e6699bcc92b363708e058539971f4cb51adf904d8c20f80fa3d904a203feabf368cbe4114354bf2c83d27dded4a21c04acc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9075391.exe

Filesize
172KB

MD5
2ffb7f7f8cf324f99d327055aacc8c3e

SHA1
dc24f0d3179e144a0c2622cfd44e0c4dc1e511fa

SHA256
b542561c703839e0efb64f3a4e2046e73a36cba7d1c4eb90b130305218474181

SHA512
602fc59b48725a05e2d7c506f179e8c0b3f5e8f61531fd6f849df5f57470e731c33d71f37fdc1c62075bb19112c58e967ee5c9c26d8a9e45ba37df782a879f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9075391.exe

Filesize
172KB

MD5
2ffb7f7f8cf324f99d327055aacc8c3e

SHA1
dc24f0d3179e144a0c2622cfd44e0c4dc1e511fa

SHA256
b542561c703839e0efb64f3a4e2046e73a36cba7d1c4eb90b130305218474181

SHA512
602fc59b48725a05e2d7c506f179e8c0b3f5e8f61531fd6f849df5f57470e731c33d71f37fdc1c62075bb19112c58e967ee5c9c26d8a9e45ba37df782a879f01

Download Submit
memory/584-159-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/584-160-0x000000000A440000-0x000000000AA58000-memory.dmp

Filesize
6.1MB

Download
memory/584-161-0x0000000009FC0000-0x000000000A0CA000-memory.dmp

Filesize
1.0MB

Download
memory/584-162-0x0000000009F00000-0x0000000009F12000-memory.dmp

Filesize
72KB

Download
memory/584-163-0x0000000009F60000-0x0000000009F9C000-memory.dmp

Filesize
240KB

Download
memory/584-164-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/584-165-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/3768-154-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads