redline | 6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd

General

Target

6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe
Size

584KB
MD5

08de973129a4fa0f4f74ad721bec1734
SHA1

b010ea25be04dcfd91eb96fae9722f823d8a28ac
SHA256

6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd
SHA512

bf4336041306590f89d741028e1b16600b72316295de3f66056fba72aa05ea66ce90913d234ac5e0aea597dc9d9f5a12e8057af1034150f051572475f114580b
SSDEEP

12288:PMrJy90NXGNnQKPsspNORHvVnoXYnqul6MpjP4bJ:yyqKsspQ/oXYqgT4V

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1229084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1229084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1229084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1229084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1229084.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1229084.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4872	y9585187.exe
4544	y3451029.exe
2200	k1229084.exe
1852	l6781255.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1229084.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9585187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9585187.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3451029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3451029.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2200	k1229084.exe
2200	k1229084.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe
1852	l6781255.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	k1229084.exe
Token: SeDebugPrivilege	1852	l6781255.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 4872	1868	6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe	84
PID 1868 wrote to memory of 4872	1868	6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe	84
PID 1868 wrote to memory of 4872	1868	6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe	84
PID 4872 wrote to memory of 4544	4872	y9585187.exe	85
PID 4872 wrote to memory of 4544	4872	y9585187.exe	85
PID 4872 wrote to memory of 4544	4872	y9585187.exe	85
PID 4544 wrote to memory of 2200	4544	y3451029.exe	86
PID 4544 wrote to memory of 2200	4544	y3451029.exe	86
PID 4544 wrote to memory of 1852	4544	y3451029.exe	87
PID 4544 wrote to memory of 1852	4544	y3451029.exe	87
PID 4544 wrote to memory of 1852	4544	y3451029.exe	87

C:\Users\Admin\AppData\Local\Temp\6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe
"C:\Users\Admin\AppData\Local\Temp\6f87072209491f4fb4f378b710abff8cf6279a23da5791d69376fcd4d23748fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9585187.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9585187.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3451029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3451029.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1229084.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1229084.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6781255.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6781255.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9585187.exe

Filesize
377KB

MD5
ace546960b19d2d372598f355aed3405

SHA1
f000f4966ce145b2038d914949b27cda2ac3e1c6

SHA256
18c3a81b2efce43fdb34682efca14bd8293ebbd3ecacdb83a496259ea4453851

SHA512
bfa1144520ad5418e7f30f9c51cb13e316aee8cd853fb1be4b7e8d768ff683ac9be7e922a24b36e6ccc0d34f7b913ae2528632ee8792e58bd0679413001dfcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9585187.exe

Filesize
377KB

MD5
ace546960b19d2d372598f355aed3405

SHA1
f000f4966ce145b2038d914949b27cda2ac3e1c6

SHA256
18c3a81b2efce43fdb34682efca14bd8293ebbd3ecacdb83a496259ea4453851

SHA512
bfa1144520ad5418e7f30f9c51cb13e316aee8cd853fb1be4b7e8d768ff683ac9be7e922a24b36e6ccc0d34f7b913ae2528632ee8792e58bd0679413001dfcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3451029.exe

Filesize
206KB

MD5
92255b6b995dd7dadc23c5ff712adcdd

SHA1
db135978fb20723c76d25914d50bec96efbc9c21

SHA256
79dc50759f2b929ded86c9f394705fb3ddf5e595de1eed02c23dd5430a8d6a53

SHA512
27d3362b6032ab2c7bda673cf50d31fd3ff1b3487c17e6299dbd8ee7b4ccd4b66bd33ae80454d1314182a09805e96ab6f47dbe6ca9e0010a06c9206e704cadd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3451029.exe

Filesize
206KB

MD5
92255b6b995dd7dadc23c5ff712adcdd

SHA1
db135978fb20723c76d25914d50bec96efbc9c21

SHA256
79dc50759f2b929ded86c9f394705fb3ddf5e595de1eed02c23dd5430a8d6a53

SHA512
27d3362b6032ab2c7bda673cf50d31fd3ff1b3487c17e6299dbd8ee7b4ccd4b66bd33ae80454d1314182a09805e96ab6f47dbe6ca9e0010a06c9206e704cadd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1229084.exe

Filesize
13KB

MD5
2170f349dab4e5f56ae9da269cd5c01e

SHA1
fd741baf1cee4fd15ff483af659035bf8274d137

SHA256
6fcec4fca9821525e9d32f81060d06e900a56f2bd8417961316f4ce98f139f3f

SHA512
a7452a46afbdf2fb16e4a63a31ccf13991ef08cb7f7cecac75443f86608d34c0d1635dee08892cfe9fb0c577c1ab2056671024d65955433f88de95a2879ef4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1229084.exe

Filesize
13KB

MD5
2170f349dab4e5f56ae9da269cd5c01e

SHA1
fd741baf1cee4fd15ff483af659035bf8274d137

SHA256
6fcec4fca9821525e9d32f81060d06e900a56f2bd8417961316f4ce98f139f3f

SHA512
a7452a46afbdf2fb16e4a63a31ccf13991ef08cb7f7cecac75443f86608d34c0d1635dee08892cfe9fb0c577c1ab2056671024d65955433f88de95a2879ef4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6781255.exe

Filesize
172KB

MD5
af046e9f47c98d68215fddfdf0e1ff95

SHA1
4a59d62a067f3d2141111778c914418f02998b85

SHA256
be24feeab2060543b0f014bd085a42d69419a75d1f36fa7b195f490d7f0aee67

SHA512
e5a2d28c6595e6225f2d9b8d5cdd41cfca4dfca466aee400d4d9f3ac3927aeacad1ca2affbf46d3b78eb57942414d6ba1faf37b9ca200062e8f4a78ce3223291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6781255.exe

Filesize
172KB

MD5
af046e9f47c98d68215fddfdf0e1ff95

SHA1
4a59d62a067f3d2141111778c914418f02998b85

SHA256
be24feeab2060543b0f014bd085a42d69419a75d1f36fa7b195f490d7f0aee67

SHA512
e5a2d28c6595e6225f2d9b8d5cdd41cfca4dfca466aee400d4d9f3ac3927aeacad1ca2affbf46d3b78eb57942414d6ba1faf37b9ca200062e8f4a78ce3223291

Download Submit
memory/1852-160-0x000000000A890000-0x000000000AEA8000-memory.dmp

Filesize
6.1MB

Download
memory/1852-165-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1852-172-0x000000000C690000-0x000000000CBBC000-memory.dmp

Filesize
5.2MB

Download
memory/1852-161-0x000000000A400000-0x000000000A50A000-memory.dmp

Filesize
1.0MB

Download
memory/1852-162-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/1852-163-0x000000000A3A0000-0x000000000A3DC000-memory.dmp

Filesize
240KB

Download
memory/1852-164-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1852-159-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/1852-166-0x000000000A810000-0x000000000A886000-memory.dmp

Filesize
472KB

Download
memory/1852-167-0x000000000AF50000-0x000000000AFE2000-memory.dmp

Filesize
584KB

Download
memory/1852-168-0x000000000AEB0000-0x000000000AF16000-memory.dmp

Filesize
408KB

Download
memory/1852-169-0x000000000B9E0000-0x000000000BF84000-memory.dmp

Filesize
5.6MB

Download
memory/1852-170-0x000000000B4F0000-0x000000000B540000-memory.dmp

Filesize
320KB

Download
memory/1852-171-0x000000000BF90000-0x000000000C152000-memory.dmp

Filesize
1.8MB

Download
memory/2200-154-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads