redline | c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc

General

Target

c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe
Size

856KB
MD5

644a240563aff3656cf66f91fe6a7e2b
SHA1

e92408aa165bf366aec42eaa722ea0a4d2b152c5
SHA256

c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc
SHA512

12d76f632bfa38ea6e94f488ffa08cfbc7e66742cabf60828854337261470271e995573f833599db918f0b8bc52a8e09308e89e3e04912851c219f99f5c78203
SSDEEP

12288:0MrYy90InsIXJuPJJAEg96E/ltiAZ1ONqEBqITJ0TqtgzoIDGgkotRZQC5U0xToH:kyPsIZCvzyltxcHTe+Iyg3QuUoMH

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19048

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3226352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3226352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3226352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3226352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3226352.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o3226352.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1208	z2258579.exe
3208	z3784138.exe
3716	o3226352.exe
2500	p5650759.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3226352.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2258579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2258579.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3784138.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3784138.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3716	o3226352.exe
3716	o3226352.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	o3226352.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1208	4680	c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe	83
PID 4680 wrote to memory of 1208	4680	c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe	83
PID 4680 wrote to memory of 1208	4680	c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe	83
PID 1208 wrote to memory of 3208	1208	z2258579.exe	84
PID 1208 wrote to memory of 3208	1208	z2258579.exe	84
PID 1208 wrote to memory of 3208	1208	z2258579.exe	84
PID 3208 wrote to memory of 3716	3208	z3784138.exe	85
PID 3208 wrote to memory of 3716	3208	z3784138.exe	85
PID 3208 wrote to memory of 2500	3208	z3784138.exe	86
PID 3208 wrote to memory of 2500	3208	z3784138.exe	86
PID 3208 wrote to memory of 2500	3208	z3784138.exe	86

C:\Users\Admin\AppData\Local\Temp\c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe
"C:\Users\Admin\AppData\Local\Temp\c0de72720d2e6802d2eeb4501ae722b6da2e793b0ce64d13e987d4612c096ebc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2258579.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2258579.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3784138.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3784138.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3226352.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3226352.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650759.exe
      4⤵
      Executes dropped EXE
      PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2258579.exe

Filesize
411KB

MD5
bdad354b23f588ad10f70c3cf102e088

SHA1
fd95014c51cdeb6c7e9ff852068179ab920e2882

SHA256
21b1e24f0b0276d294623275a7266ba98abae512176f0cbf046a68dfe5150677

SHA512
ddce0d09dfe337b2b1b25c757a339c8edb736da98bac4185c1df0435e9d9b7f1e3a5eb4fc9e70c7de3b15ddc6707b6d80cb28514956353f49743fe019f53db8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2258579.exe

Filesize
411KB

MD5
bdad354b23f588ad10f70c3cf102e088

SHA1
fd95014c51cdeb6c7e9ff852068179ab920e2882

SHA256
21b1e24f0b0276d294623275a7266ba98abae512176f0cbf046a68dfe5150677

SHA512
ddce0d09dfe337b2b1b25c757a339c8edb736da98bac4185c1df0435e9d9b7f1e3a5eb4fc9e70c7de3b15ddc6707b6d80cb28514956353f49743fe019f53db8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3784138.exe

Filesize
206KB

MD5
4f4c51f31915a3bf885e9a4b170a3b52

SHA1
dd255062b5f5b8157ee6cd75134a6befe042e077

SHA256
5ef1e94f54c67460860f2677af0485684969a5f2984a5c76e7ad591d5bda1797

SHA512
9e7e9aa1a100885006d91b6e54ac203dc92eb8495246b0a986a364b65461a923c8a6a908015c843efbc1432ed8600ad1fee4ea71e31047bf6e3bab7c5049f83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3784138.exe

Filesize
206KB

MD5
4f4c51f31915a3bf885e9a4b170a3b52

SHA1
dd255062b5f5b8157ee6cd75134a6befe042e077

SHA256
5ef1e94f54c67460860f2677af0485684969a5f2984a5c76e7ad591d5bda1797

SHA512
9e7e9aa1a100885006d91b6e54ac203dc92eb8495246b0a986a364b65461a923c8a6a908015c843efbc1432ed8600ad1fee4ea71e31047bf6e3bab7c5049f83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3226352.exe

Filesize
12KB

MD5
8c350a8ab78f7aef75078687ceab5711

SHA1
858a03c16af22c8dcb887ad2016d6f999f7e0d14

SHA256
fa5bdf03302727e2417cfe4d824b753cf3243c5066694b82073f101198c3bd0f

SHA512
deff1900e0e9f0158e6b48863aa689ce3b282de939fde8bacb676aaa41f4121e3dd5bd04483d592cc8a6ea28612f5f9762a908505cd5f16e433835df55a1bc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3226352.exe

Filesize
12KB

MD5
8c350a8ab78f7aef75078687ceab5711

SHA1
858a03c16af22c8dcb887ad2016d6f999f7e0d14

SHA256
fa5bdf03302727e2417cfe4d824b753cf3243c5066694b82073f101198c3bd0f

SHA512
deff1900e0e9f0158e6b48863aa689ce3b282de939fde8bacb676aaa41f4121e3dd5bd04483d592cc8a6ea28612f5f9762a908505cd5f16e433835df55a1bc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650759.exe

Filesize
172KB

MD5
b1bff5459625de84d92c67526ec8657f

SHA1
bd7e97696bed45540dde2a8c8843ca70fd9b57dc

SHA256
8ea6ed6d66da81486c72189943abcf16b55d848f02a4d2b971214e29c6d3d2ea

SHA512
334a49e53b2db9b3ba09f24e8af45672e36e3b199b18c3b1b31757c36d49d87c4645e4be8bb7e8bbbfeccb7c605ebe10c01ca1475b495dd28e205949588b4bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5650759.exe

Filesize
172KB

MD5
b1bff5459625de84d92c67526ec8657f

SHA1
bd7e97696bed45540dde2a8c8843ca70fd9b57dc

SHA256
8ea6ed6d66da81486c72189943abcf16b55d848f02a4d2b971214e29c6d3d2ea

SHA512
334a49e53b2db9b3ba09f24e8af45672e36e3b199b18c3b1b31757c36d49d87c4645e4be8bb7e8bbbfeccb7c605ebe10c01ca1475b495dd28e205949588b4bfd

Download Submit
memory/2500-159-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/2500-160-0x000000000ACE0000-0x000000000B2F8000-memory.dmp

Filesize
6.1MB

Download
memory/2500-161-0x000000000A860000-0x000000000A96A000-memory.dmp

Filesize
1.0MB

Download
memory/2500-162-0x000000000A7A0000-0x000000000A7B2000-memory.dmp

Filesize
72KB

Download
memory/2500-163-0x000000000A800000-0x000000000A83C000-memory.dmp

Filesize
240KB

Download
memory/2500-164-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2500-165-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/3716-154-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads