redline | 5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6

General

Target

5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe
Size

580KB
MD5

b4518646701999e56883fbcbdf1eb9e8
SHA1

3e2cf8d26b5a9cb4e7224617ad9a12bea2921b4c
SHA256

5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6
SHA512

042f7e57c1477aaafabb7bd3ccd41ba787f65bbd544ff06517290db7bbffef803a9e5839e6d8cd4c78238e1681a078a08261fe675d59205cbac685f768d1588f
SSDEEP

12288:FMrOy90sSi8E2Qwi8YupgdaZLdHssxTH9i3USAs:nyLJLwi8YE0aZLdHsQk3t

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1815199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1815199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1815199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1815199.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1815199.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3968	y8954052.exe
1420	y2541962.exe
2068	k1815199.exe
3100	l6104716.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1815199.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8954052.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8954052.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2541962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2541962.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2068	k1815199.exe
2068	k1815199.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	k1815199.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3968	1608	5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe	66
PID 1608 wrote to memory of 3968	1608	5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe	66
PID 1608 wrote to memory of 3968	1608	5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe	66
PID 3968 wrote to memory of 1420	3968	y8954052.exe	67
PID 3968 wrote to memory of 1420	3968	y8954052.exe	67
PID 3968 wrote to memory of 1420	3968	y8954052.exe	67
PID 1420 wrote to memory of 2068	1420	y2541962.exe	68
PID 1420 wrote to memory of 2068	1420	y2541962.exe	68
PID 1420 wrote to memory of 3100	1420	y2541962.exe	69
PID 1420 wrote to memory of 3100	1420	y2541962.exe	69
PID 1420 wrote to memory of 3100	1420	y2541962.exe	69

C:\Users\Admin\AppData\Local\Temp\5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe
"C:\Users\Admin\AppData\Local\Temp\5b5fd8f37a036d8323fd02dbd8ae21ba233d591ed2e45dac8ce887bd505e2cf6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8954052.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8954052.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2541962.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2541962.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1815199.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1815199.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6104716.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6104716.exe
      4⤵
      Executes dropped EXE
      PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8954052.exe

Filesize
377KB

MD5
3fefe64fcad0c7254e939673b71f5e96

SHA1
c44dccd6b440a1338d1b0a23be7637e6d250c154

SHA256
738353a55485255f1ca3ba3bea41b95359ec82720d610352354f62aff929cab5

SHA512
c324fefaa7ef62234d26d7241b33bfe29b7df8615fa8136b1398cc313459e094e093847f33edef65e4894019ad8956dc66d63ab2414746327992dc4f4eb35da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8954052.exe

Filesize
377KB

MD5
3fefe64fcad0c7254e939673b71f5e96

SHA1
c44dccd6b440a1338d1b0a23be7637e6d250c154

SHA256
738353a55485255f1ca3ba3bea41b95359ec82720d610352354f62aff929cab5

SHA512
c324fefaa7ef62234d26d7241b33bfe29b7df8615fa8136b1398cc313459e094e093847f33edef65e4894019ad8956dc66d63ab2414746327992dc4f4eb35da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2541962.exe

Filesize
206KB

MD5
cf6ac5d2394041046d9f594c0dd306fd

SHA1
d4b696858f1589cfd96c26a8ea50ebcabb41f7a9

SHA256
326b2be10d2c1d6457510d71d7271d348a3ee4cbffd87164b5a7c0787cb46775

SHA512
cb860081ac0f073a63b99a061ebc0112f66a2d9d0806f87f178a94687a146eb9a4d905f9d3d9a5c5db92da25791b1fc675120bfd2be77eb9b409b7c8d4515394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2541962.exe

Filesize
206KB

MD5
cf6ac5d2394041046d9f594c0dd306fd

SHA1
d4b696858f1589cfd96c26a8ea50ebcabb41f7a9

SHA256
326b2be10d2c1d6457510d71d7271d348a3ee4cbffd87164b5a7c0787cb46775

SHA512
cb860081ac0f073a63b99a061ebc0112f66a2d9d0806f87f178a94687a146eb9a4d905f9d3d9a5c5db92da25791b1fc675120bfd2be77eb9b409b7c8d4515394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1815199.exe

Filesize
11KB

MD5
ce4af9f1dbc4522cadd23ca8d69a827c

SHA1
2b7ac155af8c4e9fc76cfb97ce2799c4ed3f5248

SHA256
62865b2ad238ff03423c26b040b0d0c5729aedf81f21333e4e89277c46988c76

SHA512
b285c6471a134af607679e255896d047b1c72b13de49ae880fa9e6617524c1c41ac4556129a305149bb8a019766d30b6f2a624a7069741d3f1db85ead4cf6332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1815199.exe

Filesize
11KB

MD5
ce4af9f1dbc4522cadd23ca8d69a827c

SHA1
2b7ac155af8c4e9fc76cfb97ce2799c4ed3f5248

SHA256
62865b2ad238ff03423c26b040b0d0c5729aedf81f21333e4e89277c46988c76

SHA512
b285c6471a134af607679e255896d047b1c72b13de49ae880fa9e6617524c1c41ac4556129a305149bb8a019766d30b6f2a624a7069741d3f1db85ead4cf6332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6104716.exe

Filesize
172KB

MD5
099add230763b8b8a6b2ae9c90115401

SHA1
1e628a9c9afc7b729cd1e0bc7f6f46993b43d8f7

SHA256
88f9dd7e86907a18683e2379516b037e71e5665a53a3572be22e1da36a7ad881

SHA512
b0e4a860d7d6fe6a416e4c9e8a4186dfe3b41673dc84560e8cf84b1383132f6a6bbab17715b7adb90c22bb9e8a7d53ba5e537ff693ee22295689fa12ca538b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6104716.exe

Filesize
172KB

MD5
099add230763b8b8a6b2ae9c90115401

SHA1
1e628a9c9afc7b729cd1e0bc7f6f46993b43d8f7

SHA256
88f9dd7e86907a18683e2379516b037e71e5665a53a3572be22e1da36a7ad881

SHA512
b0e4a860d7d6fe6a416e4c9e8a4186dfe3b41673dc84560e8cf84b1383132f6a6bbab17715b7adb90c22bb9e8a7d53ba5e537ff693ee22295689fa12ca538b5a

Download Submit
memory/2068-141-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/3100-146-0x0000000000B40000-0x0000000000B70000-memory.dmp

Filesize
192KB

Download
memory/3100-147-0x0000000001310000-0x0000000001316000-memory.dmp

Filesize
24KB

Download
memory/3100-148-0x0000000005C30000-0x0000000006236000-memory.dmp

Filesize
6.0MB

Download
memory/3100-149-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/3100-150-0x0000000005380000-0x0000000005392000-memory.dmp

Filesize
72KB

Download
memory/3100-151-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/3100-152-0x0000000005620000-0x000000000565E000-memory.dmp

Filesize
248KB

Download
memory/3100-153-0x0000000005660000-0x00000000056AB000-memory.dmp

Filesize
300KB

Download
memory/3100-154-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads