redline | ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9

General

Target

ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe
Size

853KB
MD5

cb4e0d4e0e776d800c5966028f7d6294
SHA1

a50e85eec3199751e55521d609408155e20c0a15
SHA256

ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9
SHA512

3b7287f2f72f3f818ba106e634a8b9ff1d53275c3e9805d8e852d1f60ad23c58db5776cb6a4b32d5c7c21d1e0bcd3442f10027971f33e3f3d72c84f7c85219e8
SSDEEP

12288:qMrdy90LvrLCfjsj0H/7wXlrSJhdnZIUsVa1jDl7OKCZYHyJ/MW1B5+ZF:ryovr2fjsj0H/7wpSBnlea1jjMBCF

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o0567143.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0567143.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0567143.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0567143.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0567143.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0567143.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1036	z2870243.exe
4800	z1085831.exe
1456	o0567143.exe
2648	p8074410.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0567143.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1085831.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2870243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2870243.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1085831.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	o0567143.exe
1456	o0567143.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	o0567143.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 1036	520	ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe	85
PID 520 wrote to memory of 1036	520	ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe	85
PID 520 wrote to memory of 1036	520	ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe	85
PID 1036 wrote to memory of 4800	1036	z2870243.exe	86
PID 1036 wrote to memory of 4800	1036	z2870243.exe	86
PID 1036 wrote to memory of 4800	1036	z2870243.exe	86
PID 4800 wrote to memory of 1456	4800	z1085831.exe	87
PID 4800 wrote to memory of 1456	4800	z1085831.exe	87
PID 4800 wrote to memory of 2648	4800	z1085831.exe	90
PID 4800 wrote to memory of 2648	4800	z1085831.exe	90
PID 4800 wrote to memory of 2648	4800	z1085831.exe	90

C:\Users\Admin\AppData\Local\Temp\ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe
"C:\Users\Admin\AppData\Local\Temp\ba0f32de76d892cc21190307bd97fd78deef96e21120be7ba54a2dcd849104e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2870243.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2870243.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1085831.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1085831.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0567143.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0567143.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8074410.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8074410.exe
      4⤵
      Executes dropped EXE
      PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2870243.exe

Filesize
408KB

MD5
018562591cbf89a5e124c8cda385042b

SHA1
c3359f65dc9891ab15ba8cf8443aa9a94f8cd297

SHA256
a9179eb33fc7daca238a74c55141a258431c758eab792e776e190a406e982630

SHA512
db770f4eb70c1368f6d5b80b3216aff9ecdba79a8cf17c209ecff6681c5813cd338e8707ceafdc22f1d1787d9638c9c7da3987255a85881b9dde81c2f42818d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2870243.exe

Filesize
408KB

MD5
018562591cbf89a5e124c8cda385042b

SHA1
c3359f65dc9891ab15ba8cf8443aa9a94f8cd297

SHA256
a9179eb33fc7daca238a74c55141a258431c758eab792e776e190a406e982630

SHA512
db770f4eb70c1368f6d5b80b3216aff9ecdba79a8cf17c209ecff6681c5813cd338e8707ceafdc22f1d1787d9638c9c7da3987255a85881b9dde81c2f42818d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1085831.exe

Filesize
206KB

MD5
467958c47b6e03a69d7c19fe1d586444

SHA1
6f75e415b02e3a32a0f961ca8118739f110b7b5e

SHA256
61dfac2917fb28097a2516adaeeb0f77f2cf580ff312ddef1db86c52c2ff6320

SHA512
43fcdbff1f8b8ac61ce8b7358d17fe9f6bf6a64162be02a6f4e1d554020ccbd81c60326c039034c547a1a6718238663b6ed027b6b43a7d90ca06bd6b1acc30f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1085831.exe

Filesize
206KB

MD5
467958c47b6e03a69d7c19fe1d586444

SHA1
6f75e415b02e3a32a0f961ca8118739f110b7b5e

SHA256
61dfac2917fb28097a2516adaeeb0f77f2cf580ff312ddef1db86c52c2ff6320

SHA512
43fcdbff1f8b8ac61ce8b7358d17fe9f6bf6a64162be02a6f4e1d554020ccbd81c60326c039034c547a1a6718238663b6ed027b6b43a7d90ca06bd6b1acc30f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0567143.exe

Filesize
11KB

MD5
e864b619d63f738144eba1a463eecda4

SHA1
2316aa286398bd899803501e55dce35b069272fa

SHA256
2c121138be36a330cca26ef9be284574972d511ad21dd01e655d76864db0aa1e

SHA512
562b987b7e91b7d088b9ffd8f5222b3d18c5ffbc5e93244de6cb0483793d7de40512bbff0d2187773afba18bd569df5db82dbb3a7552364dfa4a32b608a6c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0567143.exe

Filesize
11KB

MD5
e864b619d63f738144eba1a463eecda4

SHA1
2316aa286398bd899803501e55dce35b069272fa

SHA256
2c121138be36a330cca26ef9be284574972d511ad21dd01e655d76864db0aa1e

SHA512
562b987b7e91b7d088b9ffd8f5222b3d18c5ffbc5e93244de6cb0483793d7de40512bbff0d2187773afba18bd569df5db82dbb3a7552364dfa4a32b608a6c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8074410.exe

Filesize
172KB

MD5
b4b19cd97d1ebac70a66e87694e88adf

SHA1
a494ab6c36a6a316b6391d6ee4f2e137a5118bb2

SHA256
9ec7f91bc15b0a0898a5f5e86fa3f538871ec9b858e5402c8235ea4ad3d084c0

SHA512
2df73496856d6891543b603ed7971c05a63fa56b51c179fecdb0372cc1ed55d4563041d9178d8ae4b02e3f807bb5fe08eb28e9109b35d506366bc11fc297cc2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8074410.exe

Filesize
172KB

MD5
b4b19cd97d1ebac70a66e87694e88adf

SHA1
a494ab6c36a6a316b6391d6ee4f2e137a5118bb2

SHA256
9ec7f91bc15b0a0898a5f5e86fa3f538871ec9b858e5402c8235ea4ad3d084c0

SHA512
2df73496856d6891543b603ed7971c05a63fa56b51c179fecdb0372cc1ed55d4563041d9178d8ae4b02e3f807bb5fe08eb28e9109b35d506366bc11fc297cc2d

Download Submit
memory/1456-154-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2648-159-0x0000000000C20000-0x0000000000C50000-memory.dmp

Filesize
192KB

Download
memory/2648-160-0x000000000B030000-0x000000000B648000-memory.dmp

Filesize
6.1MB

Download
memory/2648-161-0x000000000ABA0000-0x000000000ACAA000-memory.dmp

Filesize
1.0MB

Download
memory/2648-162-0x000000000AAE0000-0x000000000AAF2000-memory.dmp

Filesize
72KB

Download
memory/2648-163-0x000000000AB40000-0x000000000AB7C000-memory.dmp

Filesize
240KB

Download
memory/2648-164-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/2648-165-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads