redline | a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16

General

Target

a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe
Size

584KB
MD5

c8ca9e1071762fbd54a4451877d3763d
SHA1

a5ec2dca7c1d7490230407d0a83b605a3b6ab2fc
SHA256

a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16
SHA512

aaf011528e715403b6f6002b0323409ff72dddc981e75528831bbec2a62b59f244caf2244eb5eaddd9fef10b28fe42313aa72c169fcdd066b271afa3a274e898
SSDEEP

12288:XMrky90wlFco/Rm2elh6KntIkeAxJTG56e/n1MBgLX/3GKMHoXoLb:/yJx7elh6Ut1eQi6Kn+AX/GKEoX0b

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1086326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1086326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1086326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1086326.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1086326.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3028	y5684840.exe
4048	y5898723.exe
4228	k1086326.exe
4212	l8096134.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1086326.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5684840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5684840.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5898723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5898723.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4228	k1086326.exe
4228	k1086326.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	k1086326.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3028	2548	a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe	66
PID 2548 wrote to memory of 3028	2548	a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe	66
PID 2548 wrote to memory of 3028	2548	a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe	66
PID 3028 wrote to memory of 4048	3028	y5684840.exe	67
PID 3028 wrote to memory of 4048	3028	y5684840.exe	67
PID 3028 wrote to memory of 4048	3028	y5684840.exe	67
PID 4048 wrote to memory of 4228	4048	y5898723.exe	68
PID 4048 wrote to memory of 4228	4048	y5898723.exe	68
PID 4048 wrote to memory of 4212	4048	y5898723.exe	69
PID 4048 wrote to memory of 4212	4048	y5898723.exe	69
PID 4048 wrote to memory of 4212	4048	y5898723.exe	69

C:\Users\Admin\AppData\Local\Temp\a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe
"C:\Users\Admin\AppData\Local\Temp\a55b6b24fe0230a0cfb6479a20435c52cb3e7657bc1ecb729fd2222bac371d16.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5684840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5684840.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5898723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5898723.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1086326.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1086326.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8096134.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8096134.exe
      4⤵
      Executes dropped EXE
      PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5684840.exe

Filesize
377KB

MD5
a60d70b212f14e5035020972049bdb99

SHA1
f59be69ec65cb3c6e1d776324cbc8c2adba10352

SHA256
c517c6d07c5619d438eb1da3e7b2cb25f592712c91b5624377f5669cdcb190d9

SHA512
d390bf230a120e9e3d16e4024a298fba39a470962d5a362c95722cdfb3118eea03b0fa053ed377f4f3cd1c8fb262df1f74c6645f4aa074aeeb4c7515b34b989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5684840.exe

Filesize
377KB

MD5
a60d70b212f14e5035020972049bdb99

SHA1
f59be69ec65cb3c6e1d776324cbc8c2adba10352

SHA256
c517c6d07c5619d438eb1da3e7b2cb25f592712c91b5624377f5669cdcb190d9

SHA512
d390bf230a120e9e3d16e4024a298fba39a470962d5a362c95722cdfb3118eea03b0fa053ed377f4f3cd1c8fb262df1f74c6645f4aa074aeeb4c7515b34b989b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5898723.exe

Filesize
206KB

MD5
cc7e0e2211f9762a314ea7f6043a095d

SHA1
f5e7406905b24a5973bee6cfa76d16271dfd9535

SHA256
bd25e1d318608d9b024d0ef288a98fad09815af5dd2cf38746c1ca332c839dd6

SHA512
d181e846e265dc82786953cc31f5501a6cd202caf374cf0bb092a5881c2e5089e1c6054b4cb7e856c8a36a7ee1609832fda63d338224b8284e2f01c8324e4b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5898723.exe

Filesize
206KB

MD5
cc7e0e2211f9762a314ea7f6043a095d

SHA1
f5e7406905b24a5973bee6cfa76d16271dfd9535

SHA256
bd25e1d318608d9b024d0ef288a98fad09815af5dd2cf38746c1ca332c839dd6

SHA512
d181e846e265dc82786953cc31f5501a6cd202caf374cf0bb092a5881c2e5089e1c6054b4cb7e856c8a36a7ee1609832fda63d338224b8284e2f01c8324e4b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1086326.exe

Filesize
12KB

MD5
131ac10565d3f8dc7f5a6b243624ae61

SHA1
1915ad3c36374cdb6ebf64a3158cac350e80d49e

SHA256
ca9452f421588d0788784dd36050c41d4b92bc7dfe122402054c5d72d522c100

SHA512
6347cf1b393bb7cd144a52a5723246eba982b1e3d0719b72ff0bc69897a873bb61228d7afa9db9fd9cc3899bb18f4f489034e8f7dafc33504eed8dd066b592cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1086326.exe

Filesize
12KB

MD5
131ac10565d3f8dc7f5a6b243624ae61

SHA1
1915ad3c36374cdb6ebf64a3158cac350e80d49e

SHA256
ca9452f421588d0788784dd36050c41d4b92bc7dfe122402054c5d72d522c100

SHA512
6347cf1b393bb7cd144a52a5723246eba982b1e3d0719b72ff0bc69897a873bb61228d7afa9db9fd9cc3899bb18f4f489034e8f7dafc33504eed8dd066b592cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8096134.exe

Filesize
172KB

MD5
7ee6bbd32a504e277f4cdea9375f6ecb

SHA1
e8af9caa8043b66641abc7b8f0422b6b5b530e1b

SHA256
d27925e2cc4a0fa3ede6fa11f2e801df7ffcd02e4dc21ffcbd4bb712febed61a

SHA512
0201e8876a4bb3e9eae07d31b9a54d4892d58be414a3b654f683ac7f9322dd50c1a2f006e44f46c06f9fe8feae7dcb9eff627d291606e32aeff30c7b5d8484d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8096134.exe

Filesize
172KB

MD5
7ee6bbd32a504e277f4cdea9375f6ecb

SHA1
e8af9caa8043b66641abc7b8f0422b6b5b530e1b

SHA256
d27925e2cc4a0fa3ede6fa11f2e801df7ffcd02e4dc21ffcbd4bb712febed61a

SHA512
0201e8876a4bb3e9eae07d31b9a54d4892d58be414a3b654f683ac7f9322dd50c1a2f006e44f46c06f9fe8feae7dcb9eff627d291606e32aeff30c7b5d8484d4

Download Submit
memory/4212-147-0x0000000000020000-0x0000000000050000-memory.dmp

Filesize
192KB

Download
memory/4212-148-0x0000000002190000-0x0000000002196000-memory.dmp

Filesize
24KB

Download
memory/4212-149-0x000000000A340000-0x000000000A946000-memory.dmp

Filesize
6.0MB

Download
memory/4212-150-0x0000000009E40000-0x0000000009F4A000-memory.dmp

Filesize
1.0MB

Download
memory/4212-151-0x0000000009D50000-0x0000000009D62000-memory.dmp

Filesize
72KB

Download
memory/4212-152-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4212-153-0x0000000009DB0000-0x0000000009DEE000-memory.dmp

Filesize
248KB

Download
memory/4212-154-0x0000000009F50000-0x0000000009F9B000-memory.dmp

Filesize
300KB

Download
memory/4212-155-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4228-142-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads