redline | 30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d

General

Target

30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe
Size

579KB
MD5

a27f9f821a5fb88167ebebf10b3dadac
SHA1

192fe06a6afe01717deb91ce386bd5fdea640434
SHA256

30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d
SHA512

b72892fbed1148c62aad65fb2fbefe0e4d9d11a5cfb61c524c127c6bb1cca19bb8c2a7335a017e2e1d27094c7b6a5dc4ac0d22d2fd85174266c30c807608a4b3
SSDEEP

12288:VMrxy90/1GyI5mIKTmGXx4Zo0EzAoxJV4Rln9ipF3M6/R:ky0G/5CmZSJNjKfn9SZ

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k7313757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7313757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7313757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7313757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7313757.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7313757.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1176	y7225321.exe
2756	y3490522.exe
1732	k7313757.exe
3456	l3747349.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7313757.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7225321.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7225321.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3490522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3490522.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	k7313757.exe
1732	k7313757.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	k7313757.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1176	3528	30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe	83
PID 3528 wrote to memory of 1176	3528	30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe	83
PID 3528 wrote to memory of 1176	3528	30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe	83
PID 1176 wrote to memory of 2756	1176	y7225321.exe	84
PID 1176 wrote to memory of 2756	1176	y7225321.exe	84
PID 1176 wrote to memory of 2756	1176	y7225321.exe	84
PID 2756 wrote to memory of 1732	2756	y3490522.exe	85
PID 2756 wrote to memory of 1732	2756	y3490522.exe	85
PID 2756 wrote to memory of 3456	2756	y3490522.exe	90
PID 2756 wrote to memory of 3456	2756	y3490522.exe	90
PID 2756 wrote to memory of 3456	2756	y3490522.exe	90

C:\Users\Admin\AppData\Local\Temp\30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe
"C:\Users\Admin\AppData\Local\Temp\30dddb5126a55cdc6fb11e127ca1ca69a00525685fb9809762420eac30cdf30d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7225321.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7225321.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490522.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7313757.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7313757.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3747349.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3747349.exe
      4⤵
      Executes dropped EXE
      PID:3456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7225321.exe

Filesize
377KB

MD5
b407a93534058ce453b01695bed32cfe

SHA1
d7217c103ea1933d27a162efd557ed9e27f8fea2

SHA256
3d795c479def975741b229e84c116dd74b9f0acb74043b93e58c01be07143abd

SHA512
e7754a6830816fa4c988cde704207c9031e0fc9cba5c80593e97ea368b139e7a897f8ea2cbba90f53fdcf14dea96994beabdb316a3a043e1b1fa2df9678e94dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7225321.exe

Filesize
377KB

MD5
b407a93534058ce453b01695bed32cfe

SHA1
d7217c103ea1933d27a162efd557ed9e27f8fea2

SHA256
3d795c479def975741b229e84c116dd74b9f0acb74043b93e58c01be07143abd

SHA512
e7754a6830816fa4c988cde704207c9031e0fc9cba5c80593e97ea368b139e7a897f8ea2cbba90f53fdcf14dea96994beabdb316a3a043e1b1fa2df9678e94dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490522.exe

Filesize
206KB

MD5
1b88fddcfbd67f2cb3fe0c7bbd8be10e

SHA1
424eab025972c1a54541ef29a66b854958f5ff98

SHA256
6617bbd19f618f51ada67f9b91213b9b1cc88b5081c260263420834c617ca523

SHA512
8e1784f880022cc2955f15076dd22b662d77995fe3fc52f0c52b5389fc845391eb7e3dc495650a86261aecaaab8decfb40b4f0438faf9a80dbde55b363d1164c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3490522.exe

Filesize
206KB

MD5
1b88fddcfbd67f2cb3fe0c7bbd8be10e

SHA1
424eab025972c1a54541ef29a66b854958f5ff98

SHA256
6617bbd19f618f51ada67f9b91213b9b1cc88b5081c260263420834c617ca523

SHA512
8e1784f880022cc2955f15076dd22b662d77995fe3fc52f0c52b5389fc845391eb7e3dc495650a86261aecaaab8decfb40b4f0438faf9a80dbde55b363d1164c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7313757.exe

Filesize
12KB

MD5
f415fc3a352af3e39d8c0eedebb88fcd

SHA1
9f6b9a24b17b4a9064767790aded8f43b3084413

SHA256
6b15c7cd387710451ce523873e0cb92ae98e429c568503c0e8b87818525f62f1

SHA512
3bc9f357ed749ac16fa68363bd7957bbfeb7f00051006b24bc3ecc2a9aa5a7543b6b9438b71dc8ae00f83a21c17785488aef5b5cfa0ebe6579d19513b3f65b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7313757.exe

Filesize
12KB

MD5
f415fc3a352af3e39d8c0eedebb88fcd

SHA1
9f6b9a24b17b4a9064767790aded8f43b3084413

SHA256
6b15c7cd387710451ce523873e0cb92ae98e429c568503c0e8b87818525f62f1

SHA512
3bc9f357ed749ac16fa68363bd7957bbfeb7f00051006b24bc3ecc2a9aa5a7543b6b9438b71dc8ae00f83a21c17785488aef5b5cfa0ebe6579d19513b3f65b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3747349.exe

Filesize
172KB

MD5
43a2080e938479d26811f35c39590aff

SHA1
886c3f31da052f922067c79a0f4dcd5ad2bdf144

SHA256
98efe25fd541c20475471864d6f79198aa11696fd24bb16e7c7ea80de9f76c5d

SHA512
1bf7a925d72e204766d7e9f1f6566b32a41206a8802cbb49992372442a1b2512e6657eae07983f5f571241be23603760be53546e78567d0cd885a918ba841d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3747349.exe

Filesize
172KB

MD5
43a2080e938479d26811f35c39590aff

SHA1
886c3f31da052f922067c79a0f4dcd5ad2bdf144

SHA256
98efe25fd541c20475471864d6f79198aa11696fd24bb16e7c7ea80de9f76c5d

SHA512
1bf7a925d72e204766d7e9f1f6566b32a41206a8802cbb49992372442a1b2512e6657eae07983f5f571241be23603760be53546e78567d0cd885a918ba841d77

Download Submit
memory/1732-154-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/3456-159-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/3456-160-0x000000000B190000-0x000000000B7A8000-memory.dmp

Filesize
6.1MB

Download
memory/3456-161-0x000000000AC90000-0x000000000AD9A000-memory.dmp

Filesize
1.0MB

Download
memory/3456-162-0x000000000ABD0000-0x000000000ABE2000-memory.dmp

Filesize
72KB

Download
memory/3456-163-0x000000000AC30000-0x000000000AC6C000-memory.dmp

Filesize
240KB

Download
memory/3456-164-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3456-165-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads