redline | aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359

General

Target

aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe
Size

580KB
MD5

e59ba44ba2941b99c5da7513f08d4991
SHA1

21947e8b542b130670fcd4ec8df9aaa3e500dd22
SHA256

aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359
SHA512

1a20c2e491f07e6b474b98de496fb8550104e2dc1b9c8aa01bdf78a7832299daae33010a046f6837703f018d69b6e4dc9a352a53bc3fb526df43cd4d07313417
SSDEEP

12288:MMr0y90MdBxzybhOIdI3k0wr7dZb8QOdq1/Pbjf1eYt06v:wyNdPzwhOIS3Hwnvb8hdq1H1tZv

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1740037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1740037.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1740037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1740037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1740037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1740037.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
5072	y8320182.exe
1916	y4407298.exe
4396	k1740037.exe
3124	l3311827.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1740037.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8320182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8320182.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4407298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4407298.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4396	k1740037.exe
4396	k1740037.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	k1740037.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 5072	4548	aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe	84
PID 4548 wrote to memory of 5072	4548	aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe	84
PID 4548 wrote to memory of 5072	4548	aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe	84
PID 5072 wrote to memory of 1916	5072	y8320182.exe	85
PID 5072 wrote to memory of 1916	5072	y8320182.exe	85
PID 5072 wrote to memory of 1916	5072	y8320182.exe	85
PID 1916 wrote to memory of 4396	1916	y4407298.exe	86
PID 1916 wrote to memory of 4396	1916	y4407298.exe	86
PID 1916 wrote to memory of 3124	1916	y4407298.exe	87
PID 1916 wrote to memory of 3124	1916	y4407298.exe	87
PID 1916 wrote to memory of 3124	1916	y4407298.exe	87

C:\Users\Admin\AppData\Local\Temp\aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe
"C:\Users\Admin\AppData\Local\Temp\aa96fcd06ef78f9ccb75fac2386b86b1a6c181c203151fb92fcdd45b8ddbe359.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8320182.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8320182.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4407298.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4407298.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1740037.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1740037.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3311827.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3311827.exe
      4⤵
      Executes dropped EXE
      PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8320182.exe

Filesize
377KB

MD5
cab8faf819edc28278a9ef45d6cb7e13

SHA1
4228635a35bc2730aa10e40f6c962212c1aa1e64

SHA256
a83c0f43bac72615000102ffa06a321a56631a656b541bff097ca12d5c7bc64a

SHA512
2a7c1ae79d860054a431d44c60eb1c049ff22755ce55bdc8b79f19bdedd66dc2ba4200bb18d7afd3ab3524dc47d0a5343d5ad12b3fd627d803e05692dc9eb595

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8320182.exe

Filesize
377KB

MD5
cab8faf819edc28278a9ef45d6cb7e13

SHA1
4228635a35bc2730aa10e40f6c962212c1aa1e64

SHA256
a83c0f43bac72615000102ffa06a321a56631a656b541bff097ca12d5c7bc64a

SHA512
2a7c1ae79d860054a431d44c60eb1c049ff22755ce55bdc8b79f19bdedd66dc2ba4200bb18d7afd3ab3524dc47d0a5343d5ad12b3fd627d803e05692dc9eb595

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4407298.exe

Filesize
206KB

MD5
09e7e8ea4467e922263198bbea50a6a2

SHA1
37f25ee887a1da756bee8f0e03651e3b86282c2c

SHA256
bf9c43cd08d50d53a61119f0800d8341704d421941453c4a69ab1e94fb6ad254

SHA512
f01fab3b96fcbfb2c664564568564b4785ef90165c403fbbbb133c0372065d3e8e50711baac44b4399a2a933c531a383d700359a6065aaba053ed5b97ee8be03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4407298.exe

Filesize
206KB

MD5
09e7e8ea4467e922263198bbea50a6a2

SHA1
37f25ee887a1da756bee8f0e03651e3b86282c2c

SHA256
bf9c43cd08d50d53a61119f0800d8341704d421941453c4a69ab1e94fb6ad254

SHA512
f01fab3b96fcbfb2c664564568564b4785ef90165c403fbbbb133c0372065d3e8e50711baac44b4399a2a933c531a383d700359a6065aaba053ed5b97ee8be03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1740037.exe

Filesize
12KB

MD5
893392084b653859a026ab269a29784c

SHA1
d1e4ee69b91c71b392fd03f862711ca1e2aae80c

SHA256
0163732e696d36b9714cafb23954712bfb9646e6eb2e5ce047cb1d6c908af6ad

SHA512
1b0edaaed51a0e6cd8f624e816b26af0d301b76741c328db2532e0e725f12b4e488034291da1cc09fc55b7aab9e9e93de9c1fa9cca084d48fe22edb144dff8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1740037.exe

Filesize
12KB

MD5
893392084b653859a026ab269a29784c

SHA1
d1e4ee69b91c71b392fd03f862711ca1e2aae80c

SHA256
0163732e696d36b9714cafb23954712bfb9646e6eb2e5ce047cb1d6c908af6ad

SHA512
1b0edaaed51a0e6cd8f624e816b26af0d301b76741c328db2532e0e725f12b4e488034291da1cc09fc55b7aab9e9e93de9c1fa9cca084d48fe22edb144dff8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3311827.exe

Filesize
172KB

MD5
616e535d7a8337ab42f71442e1e1b99c

SHA1
ed4eeef733c1c19878c26290ca38996e7eabcce3

SHA256
6fd2a212b88649adbff5b8b12e2731b04864e6323c8483d5d4c2a8653a1c98d3

SHA512
4201de57f03e21b32a2b0c5591996370f3c7977dc3eef4ae6c17b2b29eb027481bc1541d3542fcd5c86ddd675a6d92ed3137d3190bf997b321fe6412cf02afbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3311827.exe

Filesize
172KB

MD5
616e535d7a8337ab42f71442e1e1b99c

SHA1
ed4eeef733c1c19878c26290ca38996e7eabcce3

SHA256
6fd2a212b88649adbff5b8b12e2731b04864e6323c8483d5d4c2a8653a1c98d3

SHA512
4201de57f03e21b32a2b0c5591996370f3c7977dc3eef4ae6c17b2b29eb027481bc1541d3542fcd5c86ddd675a6d92ed3137d3190bf997b321fe6412cf02afbd

Download Submit
memory/3124-159-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/3124-160-0x000000000B110000-0x000000000B728000-memory.dmp

Filesize
6.1MB

Download
memory/3124-161-0x000000000AC60000-0x000000000AD6A000-memory.dmp

Filesize
1.0MB

Download
memory/3124-162-0x000000000ABA0000-0x000000000ABB2000-memory.dmp

Filesize
72KB

Download
memory/3124-163-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3124-164-0x000000000AC00000-0x000000000AC3C000-memory.dmp

Filesize
240KB

Download
memory/3124-165-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4396-154-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads