redline | 663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f

General

Target

663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe
Size

852KB
MD5

d8478d5053c7d8a6f71f188bfe82959b
SHA1

99085d740a72872f30d63622e5d0f0c4a9bd3347
SHA256

663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f
SHA512

13a315794285d5ee1d4e314aa23248a0d88f54d84c80b47961ddb565dd1c81da392affc6eda4f758de04e362f6b78a924498b737846e153252ff0d1be055ae99
SSDEEP

12288:CMrWy90YbzxUBdXebjaPkYhQSGOemWkjEXTWAI56gdVIeLaodFEMGbBM:AylbzcpebjxSFskjGk56gXIeLDdmZO

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19046

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4496965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4496965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4496965.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o4496965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4496965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4496965.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3908	z7740814.exe
1092	z0343085.exe
1780	o4496965.exe
3232	p5481753.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4496965.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0343085.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7740814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7740814.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0343085.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1780	o4496965.exe
1780	o4496965.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	o4496965.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3908	3984	663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe	87
PID 3984 wrote to memory of 3908	3984	663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe	87
PID 3984 wrote to memory of 3908	3984	663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe	87
PID 3908 wrote to memory of 1092	3908	z7740814.exe	88
PID 3908 wrote to memory of 1092	3908	z7740814.exe	88
PID 3908 wrote to memory of 1092	3908	z7740814.exe	88
PID 1092 wrote to memory of 1780	1092	z0343085.exe	89
PID 1092 wrote to memory of 1780	1092	z0343085.exe	89
PID 1092 wrote to memory of 3232	1092	z0343085.exe	94
PID 1092 wrote to memory of 3232	1092	z0343085.exe	94
PID 1092 wrote to memory of 3232	1092	z0343085.exe	94

C:\Users\Admin\AppData\Local\Temp\663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe
"C:\Users\Admin\AppData\Local\Temp\663230ad825c0378eb98e4f804438b287c37cba2240d3f08d295b82c799ac36f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7740814.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7740814.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0343085.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0343085.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4496965.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4496965.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5481753.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5481753.exe
      4⤵
      Executes dropped EXE
      PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7740814.exe

Filesize
407KB

MD5
a9f6607e4e7b4a1ff941f3f8e4a274d3

SHA1
ce7cb967ae7c4b3e646625da2f0ff329da3b9342

SHA256
0323698de01ca272219a00e70f2e992f7ae2d7962e5bfd52df305cc9895d1fe4

SHA512
84b406f88372607db9d29c0ec43e7ae8c3440ff18b26a248a1585168d574ace0e2e54116b17f42f4305a2f1f8af8a540a4281c8bdcbc72d045481a4ff35a56c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7740814.exe

Filesize
407KB

MD5
a9f6607e4e7b4a1ff941f3f8e4a274d3

SHA1
ce7cb967ae7c4b3e646625da2f0ff329da3b9342

SHA256
0323698de01ca272219a00e70f2e992f7ae2d7962e5bfd52df305cc9895d1fe4

SHA512
84b406f88372607db9d29c0ec43e7ae8c3440ff18b26a248a1585168d574ace0e2e54116b17f42f4305a2f1f8af8a540a4281c8bdcbc72d045481a4ff35a56c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0343085.exe

Filesize
206KB

MD5
cefe93d89efffc0c371e880efa3c26b0

SHA1
eeb3c0fc5efbed6e24e8f152e4334ccbd233402e

SHA256
9f07a88c0a264e2d1d35b0f60bfde82af37948930d1a3264af1b15b435b60d26

SHA512
526cb4af58d0be55478712014b657316e7d892fc6affe5c2bf1c22825ae90ed8c0ceb90eee8c67d2fce0f002b8efc13cf8b1f39eefdf7a8e0a5a58b48506db10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0343085.exe

Filesize
206KB

MD5
cefe93d89efffc0c371e880efa3c26b0

SHA1
eeb3c0fc5efbed6e24e8f152e4334ccbd233402e

SHA256
9f07a88c0a264e2d1d35b0f60bfde82af37948930d1a3264af1b15b435b60d26

SHA512
526cb4af58d0be55478712014b657316e7d892fc6affe5c2bf1c22825ae90ed8c0ceb90eee8c67d2fce0f002b8efc13cf8b1f39eefdf7a8e0a5a58b48506db10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4496965.exe

Filesize
12KB

MD5
3dee36b75657e42f643591ceac6af15a

SHA1
4c2de5072a1ca02bbc13d99e5be250807b3563fd

SHA256
d7a2203f9712448ce305e60cfdfdc8faa013fb121417a2ee41c676e49c3c87d9

SHA512
bcf1886345d8eccd330fa569f15b52be13b8f4a813a9d722c74b52cdf4c2c2d9611985fab51224f298f9554feeb24d3bfc92def9256258e1675567cdf96e928e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4496965.exe

Filesize
12KB

MD5
3dee36b75657e42f643591ceac6af15a

SHA1
4c2de5072a1ca02bbc13d99e5be250807b3563fd

SHA256
d7a2203f9712448ce305e60cfdfdc8faa013fb121417a2ee41c676e49c3c87d9

SHA512
bcf1886345d8eccd330fa569f15b52be13b8f4a813a9d722c74b52cdf4c2c2d9611985fab51224f298f9554feeb24d3bfc92def9256258e1675567cdf96e928e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5481753.exe

Filesize
172KB

MD5
0739a0def73dec126f1ce16a4b17b7b6

SHA1
416b3f2b41fb80580418a69bf87dfce0f5b8c895

SHA256
e4dc91e160bebe4f468332e27d67c3eb450f4dce8f629cc97fe0e43444b0191a

SHA512
6e192440857d0e217ef11e7aff1456043db0d0573f3f8f2407974c57f9ac810cb103a660551c0ce79a22f701590fa424fb41f4b0d9bd57b61eefce5c5419f3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5481753.exe

Filesize
172KB

MD5
0739a0def73dec126f1ce16a4b17b7b6

SHA1
416b3f2b41fb80580418a69bf87dfce0f5b8c895

SHA256
e4dc91e160bebe4f468332e27d67c3eb450f4dce8f629cc97fe0e43444b0191a

SHA512
6e192440857d0e217ef11e7aff1456043db0d0573f3f8f2407974c57f9ac810cb103a660551c0ce79a22f701590fa424fb41f4b0d9bd57b61eefce5c5419f3c1

Download Submit
memory/1780-154-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/3232-159-0x0000000000AD0000-0x0000000000B00000-memory.dmp

Filesize
192KB

Download
memory/3232-160-0x000000000AED0000-0x000000000B4E8000-memory.dmp

Filesize
6.1MB

Download
memory/3232-161-0x000000000AA50000-0x000000000AB5A000-memory.dmp

Filesize
1.0MB

Download
memory/3232-162-0x000000000A990000-0x000000000A9A2000-memory.dmp

Filesize
72KB

Download
memory/3232-163-0x000000000A9F0000-0x000000000AA2C000-memory.dmp

Filesize
240KB

Download
memory/3232-164-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/3232-165-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads