redline | 415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2

General

Target

415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe
Size

579KB
MD5

5154d4caed2e30901e20d5bf445e444f
SHA1

37a24258254c88eb6430d756ed6595cc737c0de6
SHA256

415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2
SHA512

766cc968ecdd621b10689a86d8065d4cf7eef47dfdede959c637f748bb22e29601e160409aa262ad19f7935410cbfcedd2565b92021872f96d9e97c60d2c10a7
SSDEEP

12288:zMryy90+8iy6AvpjjfXrPF8R43nePEBWD6Yx7rfyenF69CpqSyx/:9yx8iBAv17ySuSvYxffVcx/

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7149741.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k7149741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7149741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7149741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7149741.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7149741.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1340	y7067920.exe
236	y7708755.exe
4788	k7149741.exe
2000	l7460205.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7149741.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7067920.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7708755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7708755.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7067920.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4788	k7149741.exe
4788	k7149741.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe
2000	l7460205.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	k7149741.exe
Token: SeDebugPrivilege	2000	l7460205.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1340	2464	415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe	89
PID 2464 wrote to memory of 1340	2464	415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe	89
PID 2464 wrote to memory of 1340	2464	415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe	89
PID 1340 wrote to memory of 236	1340	y7067920.exe	90
PID 1340 wrote to memory of 236	1340	y7067920.exe	90
PID 1340 wrote to memory of 236	1340	y7067920.exe	90
PID 236 wrote to memory of 4788	236	y7708755.exe	91
PID 236 wrote to memory of 4788	236	y7708755.exe	91
PID 236 wrote to memory of 2000	236	y7708755.exe	97
PID 236 wrote to memory of 2000	236	y7708755.exe	97
PID 236 wrote to memory of 2000	236	y7708755.exe	97

C:\Users\Admin\AppData\Local\Temp\415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe
"C:\Users\Admin\AppData\Local\Temp\415ae2f8f7df6ba924005ca5ee124e963c53473a4683b13cdd85ce78c3887cb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7067920.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7067920.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7708755.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7708755.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149741.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149741.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7460205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7460205.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7067920.exe

Filesize
377KB

MD5
2ac3cb0866fe53a7d578972b0e1ab05b

SHA1
8fe8b239167fd50c96d6a601084ca4acc41c550c

SHA256
a3cef1bb9365a3cc1119a786907dc9471f6083a0cc627c37fcaceb842c30450e

SHA512
5fa0ce24c8a599acaa41460975dc63eb8e5b19eb309eaaa78a6f2f877dd0139eccc6252831d02110131703632c5c8fc2f48aec284329cb7d51f005641a6242ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7067920.exe

Filesize
377KB

MD5
2ac3cb0866fe53a7d578972b0e1ab05b

SHA1
8fe8b239167fd50c96d6a601084ca4acc41c550c

SHA256
a3cef1bb9365a3cc1119a786907dc9471f6083a0cc627c37fcaceb842c30450e

SHA512
5fa0ce24c8a599acaa41460975dc63eb8e5b19eb309eaaa78a6f2f877dd0139eccc6252831d02110131703632c5c8fc2f48aec284329cb7d51f005641a6242ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7708755.exe

Filesize
206KB

MD5
25f6aeef02d6c435b0bdbeefd20dd553

SHA1
9e9252da4b0172881b05a3d21d95f3441c345b6c

SHA256
b072530644728ac818e16b18082b0a268bb549961f090071ad51db828f5dfb06

SHA512
77d33a0296cb3ef4d817968b75b4c0d556d597b0b08cdf59fd3db7ce11af48e9413269ea5d63a9b41430f9cbe2f9b08c2294f730f53224b3b0ac070dd72cbaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7708755.exe

Filesize
206KB

MD5
25f6aeef02d6c435b0bdbeefd20dd553

SHA1
9e9252da4b0172881b05a3d21d95f3441c345b6c

SHA256
b072530644728ac818e16b18082b0a268bb549961f090071ad51db828f5dfb06

SHA512
77d33a0296cb3ef4d817968b75b4c0d556d597b0b08cdf59fd3db7ce11af48e9413269ea5d63a9b41430f9cbe2f9b08c2294f730f53224b3b0ac070dd72cbaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149741.exe

Filesize
12KB

MD5
4d03e73a1e3fc0d34b007695ea408348

SHA1
1256f27addb6496a9ceb9e6d2f6d0fb27e5306d0

SHA256
74e66cae833b3841933b9f7e23d2c30a7c960f689c78e36b7125b1f43b8dd0b0

SHA512
0542b0dcd2cc256f70f3ffe058483667b21ef714ab6baae6dfdb1f6c5fc8cd5b3ed4e1c0eb89fa4781ba9e4a47e7f91bee20f17a8e3e216d577bd71078673921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7149741.exe

Filesize
12KB

MD5
4d03e73a1e3fc0d34b007695ea408348

SHA1
1256f27addb6496a9ceb9e6d2f6d0fb27e5306d0

SHA256
74e66cae833b3841933b9f7e23d2c30a7c960f689c78e36b7125b1f43b8dd0b0

SHA512
0542b0dcd2cc256f70f3ffe058483667b21ef714ab6baae6dfdb1f6c5fc8cd5b3ed4e1c0eb89fa4781ba9e4a47e7f91bee20f17a8e3e216d577bd71078673921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7460205.exe

Filesize
173KB

MD5
2715f248d8682899f159dafe6f4328b1

SHA1
e870a0a9aeda6586a9cf00f9a275115e5a46901f

SHA256
ccd2712c6213824670f54f36b50ccf8f6ac5cbb3b9ad58ebe922e9f998aa38e8

SHA512
55842c120468d7e5b5215d1b44874860c5e9ec1abbd8ddf769e83097be8b88dd62acac1c0cf836908784288a68e36425a7ebfc26661216fc743d6664bce0d41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7460205.exe

Filesize
173KB

MD5
2715f248d8682899f159dafe6f4328b1

SHA1
e870a0a9aeda6586a9cf00f9a275115e5a46901f

SHA256
ccd2712c6213824670f54f36b50ccf8f6ac5cbb3b9ad58ebe922e9f998aa38e8

SHA512
55842c120468d7e5b5215d1b44874860c5e9ec1abbd8ddf769e83097be8b88dd62acac1c0cf836908784288a68e36425a7ebfc26661216fc743d6664bce0d41b

Download Submit
memory/2000-160-0x000000000B2E0000-0x000000000B8F8000-memory.dmp

Filesize
6.1MB

Download
memory/2000-165-0x000000000AFD0000-0x000000000B046000-memory.dmp

Filesize
472KB

Download
memory/2000-172-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2000-161-0x000000000ADD0000-0x000000000AEDA000-memory.dmp

Filesize
1.0MB

Download
memory/2000-162-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/2000-163-0x000000000ACC0000-0x000000000ACFC000-memory.dmp

Filesize
240KB

Download
memory/2000-164-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2000-159-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download
memory/2000-166-0x000000000B1F0000-0x000000000B282000-memory.dmp

Filesize
584KB

Download
memory/2000-167-0x000000000B150000-0x000000000B1B6000-memory.dmp

Filesize
408KB

Download
memory/2000-168-0x000000000C1B0000-0x000000000C754000-memory.dmp

Filesize
5.6MB

Download
memory/2000-169-0x000000000BDF0000-0x000000000BE40000-memory.dmp

Filesize
320KB

Download
memory/2000-170-0x000000000C760000-0x000000000C922000-memory.dmp

Filesize
1.8MB

Download
memory/2000-171-0x000000000CE60000-0x000000000D38C000-memory.dmp

Filesize
5.2MB

Download
memory/4788-154-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads