redline | b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f

General

Target

b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe
Size

583KB
MD5

0b710baf188f9fec3314c7d15e47cba6
SHA1

8c8fd58ae31d09967a20a3453914484569080f69
SHA256

b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f
SHA512

597e44e2797e8956998a56a23fb6a864e102c96898d3c0ddbe3de0a48021ed730bd6ba93c55ec24aaf15c0c42089584509fafaf83279b879b02d8b116ccaaae3
SSDEEP

12288:eMr0y90P8SE3RFAWT1ouI4cql3lWhl9xPIykWATD2oJlN504:Gy28S0AqM4yNPVlA3PDN

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4972052.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k4972052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4972052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4972052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4972052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4972052.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
5060	y8937723.exe
4508	y8105523.exe
2936	k4972052.exe
3996	l0304411.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4972052.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8937723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8937723.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8105523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8105523.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	k4972052.exe
2936	k4972052.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	k4972052.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 5060	2032	b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe	83
PID 2032 wrote to memory of 5060	2032	b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe	83
PID 2032 wrote to memory of 5060	2032	b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe	83
PID 5060 wrote to memory of 4508	5060	y8937723.exe	84
PID 5060 wrote to memory of 4508	5060	y8937723.exe	84
PID 5060 wrote to memory of 4508	5060	y8937723.exe	84
PID 4508 wrote to memory of 2936	4508	y8105523.exe	85
PID 4508 wrote to memory of 2936	4508	y8105523.exe	85
PID 4508 wrote to memory of 3996	4508	y8105523.exe	86
PID 4508 wrote to memory of 3996	4508	y8105523.exe	86
PID 4508 wrote to memory of 3996	4508	y8105523.exe	86

C:\Users\Admin\AppData\Local\Temp\b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe
"C:\Users\Admin\AppData\Local\Temp\b1a83c2d2962cf0fe4d4940df9740a06602cf9ead2dd9456cb2475efaa327a4f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8937723.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8937723.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8105523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8105523.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4972052.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4972052.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0304411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0304411.exe
      4⤵
      Executes dropped EXE
      PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8937723.exe

Filesize
377KB

MD5
539f228c52fc77b944f9f9a3b6bc50e7

SHA1
ab9b11883035a71044bf814e7b2ae35257caa21d

SHA256
22a7bbcfc5cc4372a7378d296af76f79e1f48cfa102b0a87821d76838c9b06ee

SHA512
6284eef48d82ff4d960f8ffc05f167df22b3a62abf80b7f7dcc8007a408038efce36958dd0b160e782e9cdf777fe2a50520d8c16ababea67c6ba6e06946a2cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8937723.exe

Filesize
377KB

MD5
539f228c52fc77b944f9f9a3b6bc50e7

SHA1
ab9b11883035a71044bf814e7b2ae35257caa21d

SHA256
22a7bbcfc5cc4372a7378d296af76f79e1f48cfa102b0a87821d76838c9b06ee

SHA512
6284eef48d82ff4d960f8ffc05f167df22b3a62abf80b7f7dcc8007a408038efce36958dd0b160e782e9cdf777fe2a50520d8c16ababea67c6ba6e06946a2cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8105523.exe

Filesize
206KB

MD5
fec6c998adb2c2bafb9575559493642a

SHA1
70887680ec095faf9138928bf07458d35a483af8

SHA256
6c4a9b99eaf34ced4c2682f86fb980864e21db5d06f5409f3995da79acab3454

SHA512
b7082723b20d54a60e8350a1d6842abaff75e2670156bcc489101ead17b8ce60a6c6c4d2d6e9425f6310f9d9fa589f39ad7195bea262869eedddf31b16c79601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8105523.exe

Filesize
206KB

MD5
fec6c998adb2c2bafb9575559493642a

SHA1
70887680ec095faf9138928bf07458d35a483af8

SHA256
6c4a9b99eaf34ced4c2682f86fb980864e21db5d06f5409f3995da79acab3454

SHA512
b7082723b20d54a60e8350a1d6842abaff75e2670156bcc489101ead17b8ce60a6c6c4d2d6e9425f6310f9d9fa589f39ad7195bea262869eedddf31b16c79601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4972052.exe

Filesize
13KB

MD5
464291ebdf9499c6a2d36b45850c128d

SHA1
38e8f34097e59a4123bac72eca3fbdaa10eaa57a

SHA256
147f89c7f420a29f063660dabea8183c4692040d5a69808baea7c969a932cc5e

SHA512
a671c66ffeb7b0804e4aa15d307d5a799bbe5f928d2979eccd22872c7337c269a3c933b893dd3ca4c46cdc27836272ca2b6cc71cf710a63ef7a8378d4b2f43f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4972052.exe

Filesize
13KB

MD5
464291ebdf9499c6a2d36b45850c128d

SHA1
38e8f34097e59a4123bac72eca3fbdaa10eaa57a

SHA256
147f89c7f420a29f063660dabea8183c4692040d5a69808baea7c969a932cc5e

SHA512
a671c66ffeb7b0804e4aa15d307d5a799bbe5f928d2979eccd22872c7337c269a3c933b893dd3ca4c46cdc27836272ca2b6cc71cf710a63ef7a8378d4b2f43f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0304411.exe

Filesize
172KB

MD5
f9adb31d9127566023ebe72c57346add

SHA1
bf63b1a0a183462f238dfd70ba044bfbaec37c32

SHA256
f324adb5a17530232444b3e5fd6373a9855cd933444382b53bd92060d1297340

SHA512
c8602b13cbce155e7916b69ec4cf2ac27789dfb7acb806dbdae5238a201dd2d972f8943d30438bf65b0d3cb9d828fe77d66a87c289f6aec99b5b21e3920ab9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0304411.exe

Filesize
172KB

MD5
f9adb31d9127566023ebe72c57346add

SHA1
bf63b1a0a183462f238dfd70ba044bfbaec37c32

SHA256
f324adb5a17530232444b3e5fd6373a9855cd933444382b53bd92060d1297340

SHA512
c8602b13cbce155e7916b69ec4cf2ac27789dfb7acb806dbdae5238a201dd2d972f8943d30438bf65b0d3cb9d828fe77d66a87c289f6aec99b5b21e3920ab9bd

Download Submit
memory/2936-154-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3996-159-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/3996-160-0x000000000A8F0000-0x000000000AF08000-memory.dmp

Filesize
6.1MB

Download
memory/3996-161-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/3996-162-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/3996-163-0x000000000A3C0000-0x000000000A3FC000-memory.dmp

Filesize
240KB

Download
memory/3996-164-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3996-165-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads