redline | 703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43

General

Target

703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe
Size

579KB
MD5

2c64ab25262e4b045c135e5c6383406e
SHA1

c8111ad90d3e2a28f3166f359a22a0a5ea887ac5
SHA256

703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43
SHA512

075763e80bdf156633a0b100f48ee5c7cb86b5a9449a69d773eae2ca560d948370af9b5c501abd6dc9795fa756513a3d570e35841d36b417ae96c1caf3c315ec
SSDEEP

12288:DMrRy90ONXOyqC4XPRuDQ48KVdfGvsDG/6teIpf6:Cy01r4ZdOkCGeIpf6

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2079823.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2079823.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2079823.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2079823.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2079823.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1836	y6369053.exe
4100	y4493210.exe
4244	k2079823.exe
4256	l1603600.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2079823.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4493210.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6369053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6369053.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4493210.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4244	k2079823.exe
4244	k2079823.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	k2079823.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1836	3496	703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe	66
PID 3496 wrote to memory of 1836	3496	703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe	66
PID 3496 wrote to memory of 1836	3496	703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe	66
PID 1836 wrote to memory of 4100	1836	y6369053.exe	67
PID 1836 wrote to memory of 4100	1836	y6369053.exe	67
PID 1836 wrote to memory of 4100	1836	y6369053.exe	67
PID 4100 wrote to memory of 4244	4100	y4493210.exe	68
PID 4100 wrote to memory of 4244	4100	y4493210.exe	68
PID 4100 wrote to memory of 4256	4100	y4493210.exe	69
PID 4100 wrote to memory of 4256	4100	y4493210.exe	69
PID 4100 wrote to memory of 4256	4100	y4493210.exe	69

C:\Users\Admin\AppData\Local\Temp\703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe
"C:\Users\Admin\AppData\Local\Temp\703d3e9c7c4570b7c4351f244f5c3aae501a3997975f9345db81b7de49e47f43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6369053.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6369053.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4493210.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4493210.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2079823.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2079823.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1603600.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1603600.exe
      4⤵
      Executes dropped EXE
      PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6369053.exe

Filesize
377KB

MD5
17ad3bc683bd395c8b03a78131104ea3

SHA1
d5f9460abab93e3a42b2b6b040472b330ac68dec

SHA256
b5aead44635748dc4c128b8b92a55349c0ad4e097a5c729b88d91a582435346c

SHA512
e1cec36a606bdd9dc1bd902d3f455138067d60c250fd24ac2bf6f0ff26703b6b469828906beffc663ef98a644c7ae50ca110043e6bd369dc4fe1920a6d22277a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6369053.exe

Filesize
377KB

MD5
17ad3bc683bd395c8b03a78131104ea3

SHA1
d5f9460abab93e3a42b2b6b040472b330ac68dec

SHA256
b5aead44635748dc4c128b8b92a55349c0ad4e097a5c729b88d91a582435346c

SHA512
e1cec36a606bdd9dc1bd902d3f455138067d60c250fd24ac2bf6f0ff26703b6b469828906beffc663ef98a644c7ae50ca110043e6bd369dc4fe1920a6d22277a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4493210.exe

Filesize
206KB

MD5
02b1f14ecaf425aa929ed2ee28420863

SHA1
e2c2db4fe3c5da11e6ecce6b3c343314b0a5cec7

SHA256
048cda76224725bd515179600e69d54e2ac29514ac4f85ef1fb58571a4b9ea9a

SHA512
4bc226a46fb09162cb58b6fcafc8fcbd086a779bff16adf9c155dd0334c912bcf45d18f5cd6db4d1a911cfeee73bb9cfa52abd07b786aef553785f7578d85c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4493210.exe

Filesize
206KB

MD5
02b1f14ecaf425aa929ed2ee28420863

SHA1
e2c2db4fe3c5da11e6ecce6b3c343314b0a5cec7

SHA256
048cda76224725bd515179600e69d54e2ac29514ac4f85ef1fb58571a4b9ea9a

SHA512
4bc226a46fb09162cb58b6fcafc8fcbd086a779bff16adf9c155dd0334c912bcf45d18f5cd6db4d1a911cfeee73bb9cfa52abd07b786aef553785f7578d85c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2079823.exe

Filesize
12KB

MD5
774ab1a982847e95c547d907c43211bf

SHA1
ed442523022e18d6a695193f27e2c8d1f9e8e430

SHA256
c724fdb3e9e51e05f71129fb166af9f58e0416d09cf2025eff3c3c8be715af67

SHA512
ae8cfbe78b0f62f23ba6a00193b3324d59fe41b21307ce11c73e83fb422966be7b2a0147092d93797f2310023beea14c4fc03a6a049eb9b6077a613fbeb3e4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2079823.exe

Filesize
12KB

MD5
774ab1a982847e95c547d907c43211bf

SHA1
ed442523022e18d6a695193f27e2c8d1f9e8e430

SHA256
c724fdb3e9e51e05f71129fb166af9f58e0416d09cf2025eff3c3c8be715af67

SHA512
ae8cfbe78b0f62f23ba6a00193b3324d59fe41b21307ce11c73e83fb422966be7b2a0147092d93797f2310023beea14c4fc03a6a049eb9b6077a613fbeb3e4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1603600.exe

Filesize
172KB

MD5
d8a1f9c48939ae235593f2dcef4ea857

SHA1
f335c06195e125171905bdaa85eb31445ea6648a

SHA256
3fd7d767e1c02c288da40750d7ae3af9fc31b63afddd4c2c7913136e0fcc512f

SHA512
f5fdc0fe3c50446b261d1cad464bdbff387255f37afd30f584505a4e2ef2f790c429db336bca9cd54d818bbbb39be63186c5b36fd6aba7719690979687c798bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1603600.exe

Filesize
172KB

MD5
d8a1f9c48939ae235593f2dcef4ea857

SHA1
f335c06195e125171905bdaa85eb31445ea6648a

SHA256
3fd7d767e1c02c288da40750d7ae3af9fc31b63afddd4c2c7913136e0fcc512f

SHA512
f5fdc0fe3c50446b261d1cad464bdbff387255f37afd30f584505a4e2ef2f790c429db336bca9cd54d818bbbb39be63186c5b36fd6aba7719690979687c798bf

Download Submit
memory/4244-138-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/4256-143-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download
memory/4256-144-0x0000000004A40000-0x0000000004A46000-memory.dmp

Filesize
24KB

Download
memory/4256-145-0x00000000051D0000-0x00000000057D6000-memory.dmp

Filesize
6.0MB

Download
memory/4256-146-0x0000000004CD0000-0x0000000004DDA000-memory.dmp

Filesize
1.0MB

Download
memory/4256-147-0x0000000004A90000-0x0000000004AA2000-memory.dmp

Filesize
72KB

Download
memory/4256-148-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4256-149-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/4256-150-0x0000000004C50000-0x0000000004C9B000-memory.dmp

Filesize
300KB

Download
memory/4256-151-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads