redline | 6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021

General

Target

6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Size

580KB
MD5

8e9a4efaf38f0a13febed31d0cc20b56
SHA1

86c4b21f714bebb72f43a39660879af686aef950
SHA256

6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021
SHA512

067d2f517f77983e56fa9b81c3fc65c695e16f62e4d5bb24b82d34a49614f10216e1328fa2740dab45cc3eebecbe99d8dca4a0e687913a659cb246547e83559c
SSDEEP

12288:6Mryy90La31vaRC5DMkYJCN/f9SVlnZ3dKvQHzwVg6O8:UyeC5J+CN/fM7+QHEV5

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k2808567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2808567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2808567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2808567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2808567.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2808567.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3408	y4879619.exe
1456	y8738743.exe
4696	k2808567.exe
1368	l1048866.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2808567.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4879619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4879619.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8738743.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8738743.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4696	k2808567.exe
4696	k2808567.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	k2808567.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3408	464	6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe	85
PID 464 wrote to memory of 3408	464	6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe	85
PID 464 wrote to memory of 3408	464	6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe	85
PID 3408 wrote to memory of 1456	3408	y4879619.exe	86
PID 3408 wrote to memory of 1456	3408	y4879619.exe	86
PID 3408 wrote to memory of 1456	3408	y4879619.exe	86
PID 1456 wrote to memory of 4696	1456	y8738743.exe	87
PID 1456 wrote to memory of 4696	1456	y8738743.exe	87
PID 1456 wrote to memory of 1368	1456	y8738743.exe	88
PID 1456 wrote to memory of 1368	1456	y8738743.exe	88
PID 1456 wrote to memory of 1368	1456	y8738743.exe	88

C:\Users\Admin\AppData\Local\Temp\6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe
"C:\Users\Admin\AppData\Local\Temp\6e732b153f65819114ada8730569eee80e1214cd04ded7ff1a8dad9896017021.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4879619.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4879619.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8738743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8738743.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2808567.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2808567.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1048866.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1048866.exe
      4⤵
      Executes dropped EXE
      PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4879619.exe

Filesize
377KB

MD5
ef89a9b3468fd350efdbf7b7e4f7f4e2

SHA1
6846eae21314e3498b3381ccbe489e0449bca1b9

SHA256
e3bdbcf44f9daeab80e53bd58affe7d6f8279965f266176ae4291cf7df6a7002

SHA512
179f91807d94b6c4f868381b17ec53764ffd77ad434475b40fae6c734d2a7eb9751abfb0fff44f6738cdf445b42184df1450d295309c1c5e598282100e8fa16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4879619.exe

Filesize
377KB

MD5
ef89a9b3468fd350efdbf7b7e4f7f4e2

SHA1
6846eae21314e3498b3381ccbe489e0449bca1b9

SHA256
e3bdbcf44f9daeab80e53bd58affe7d6f8279965f266176ae4291cf7df6a7002

SHA512
179f91807d94b6c4f868381b17ec53764ffd77ad434475b40fae6c734d2a7eb9751abfb0fff44f6738cdf445b42184df1450d295309c1c5e598282100e8fa16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8738743.exe

Filesize
206KB

MD5
5bbef6117725ecf0e4a79a2c9ad9011d

SHA1
a84f657d30f0a415a65643bdf07195f386ab84c9

SHA256
12a8bd6344e8e496b4f0f232a8997d3d01e7062b7b2f6804d7fb55264d5ed6d3

SHA512
4552556c3027e2f6516c921ecd507e8b534c01736db315312b1a3d8326bdd3a82e4cd92b40d8e4bceadd3f78633d597d9d227c771a9bfbbe6fdf747f0da26391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8738743.exe

Filesize
206KB

MD5
5bbef6117725ecf0e4a79a2c9ad9011d

SHA1
a84f657d30f0a415a65643bdf07195f386ab84c9

SHA256
12a8bd6344e8e496b4f0f232a8997d3d01e7062b7b2f6804d7fb55264d5ed6d3

SHA512
4552556c3027e2f6516c921ecd507e8b534c01736db315312b1a3d8326bdd3a82e4cd92b40d8e4bceadd3f78633d597d9d227c771a9bfbbe6fdf747f0da26391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2808567.exe

Filesize
12KB

MD5
cbbbea47fb4e20c8046c4ea991cb5fb0

SHA1
b3ecf6484cb839fcb6160ee1d49662ab3cce4ee3

SHA256
82147a07d042e6378822842014793f604367cccc0119efb446c41a8a5d5e2fc9

SHA512
2ee45d79bb142f6b8f9a18e2d8833bb295aa9e3cfdb8369e138623c2be78ea73e5f25665f2acdb706dff5f95a544d796a76178c815288733747a99bbfa8d2726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2808567.exe

Filesize
12KB

MD5
cbbbea47fb4e20c8046c4ea991cb5fb0

SHA1
b3ecf6484cb839fcb6160ee1d49662ab3cce4ee3

SHA256
82147a07d042e6378822842014793f604367cccc0119efb446c41a8a5d5e2fc9

SHA512
2ee45d79bb142f6b8f9a18e2d8833bb295aa9e3cfdb8369e138623c2be78ea73e5f25665f2acdb706dff5f95a544d796a76178c815288733747a99bbfa8d2726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1048866.exe

Filesize
173KB

MD5
a0de61da10995489798eebf79fd46eed

SHA1
d439786b160c448a7c2807e8123bf488deef8ef9

SHA256
f44b541f5e2fea9a666732309eee7897c6ae31f0bd841fa38e8b4b7f3142d5b2

SHA512
c849bf6ffecfd5b8fdb3d42758e1f1d6a7900a79c47556d8d5cee21828c8ffb851222980431216ef9e1d7928bdc2ce1e6a378a9e1d6b1f8319687227d7e0f1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1048866.exe

Filesize
173KB

MD5
a0de61da10995489798eebf79fd46eed

SHA1
d439786b160c448a7c2807e8123bf488deef8ef9

SHA256
f44b541f5e2fea9a666732309eee7897c6ae31f0bd841fa38e8b4b7f3142d5b2

SHA512
c849bf6ffecfd5b8fdb3d42758e1f1d6a7900a79c47556d8d5cee21828c8ffb851222980431216ef9e1d7928bdc2ce1e6a378a9e1d6b1f8319687227d7e0f1c2

Download Submit
memory/1368-159-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

Filesize
192KB

Download
memory/1368-160-0x000000000B000000-0x000000000B618000-memory.dmp

Filesize
6.1MB

Download
memory/1368-161-0x000000000AB30000-0x000000000AC3A000-memory.dmp

Filesize
1.0MB

Download
memory/1368-162-0x000000000AA70000-0x000000000AA82000-memory.dmp

Filesize
72KB

Download
memory/1368-163-0x000000000AAD0000-0x000000000AB0C000-memory.dmp

Filesize
240KB

Download
memory/1368-164-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1368-165-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4696-154-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads