redline | 069ff3a81f6e320aefcec2b4d3bea4d4accb2c5efc0f7242f69e726fe7a6c67c

General

Target

e918c3e788ea50d8a445474cf24df6a5.exe
Size

584KB
MD5

e918c3e788ea50d8a445474cf24df6a5
SHA1

87511142ea05cc980c38eaebeb873d203a6369b4
SHA256

069ff3a81f6e320aefcec2b4d3bea4d4accb2c5efc0f7242f69e726fe7a6c67c
SHA512

5e168350b01ecba882a999ebecdbdd1097b1ff63749d735989149bce29ce795daeafed2efac639e7330da80bd5ab783ad7f462f54a6a49d03bc873daa23e7cd2
SSDEEP

12288:zMriy90b6W71TSYxzpANmBPurdJblbiVrNjuDLvpHFtz:NyUSYVpkmRurdRlbyNaHfz

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9073293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9073293.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k9073293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9073293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9073293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9073293.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
820	y3883917.exe
4676	y8434884.exe
1592	k9073293.exe
4200	l8473760.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9073293.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e918c3e788ea50d8a445474cf24df6a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e918c3e788ea50d8a445474cf24df6a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3883917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3883917.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8434884.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8434884.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	k9073293.exe
1592	k9073293.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	k9073293.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 820	4296	e918c3e788ea50d8a445474cf24df6a5.exe	78
PID 4296 wrote to memory of 820	4296	e918c3e788ea50d8a445474cf24df6a5.exe	78
PID 4296 wrote to memory of 820	4296	e918c3e788ea50d8a445474cf24df6a5.exe	78
PID 820 wrote to memory of 4676	820	y3883917.exe	79
PID 820 wrote to memory of 4676	820	y3883917.exe	79
PID 820 wrote to memory of 4676	820	y3883917.exe	79
PID 4676 wrote to memory of 1592	4676	y8434884.exe	80
PID 4676 wrote to memory of 1592	4676	y8434884.exe	80
PID 4676 wrote to memory of 4200	4676	y8434884.exe	82
PID 4676 wrote to memory of 4200	4676	y8434884.exe	82
PID 4676 wrote to memory of 4200	4676	y8434884.exe	82

C:\Users\Admin\AppData\Local\Temp\e918c3e788ea50d8a445474cf24df6a5.exe
"C:\Users\Admin\AppData\Local\Temp\e918c3e788ea50d8a445474cf24df6a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883917.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883917.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8434884.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8434884.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9073293.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9073293.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8473760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8473760.exe
      4⤵
      Executes dropped EXE
      PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883917.exe

Filesize
377KB

MD5
363116cb8c3c785136038a0884ec9db8

SHA1
69f8c6a7173570123164c1637a23a1919463153f

SHA256
65c389ded47b4daf0cce53d02ac15233f4dc4a49d0b07764030e5eee3183766a

SHA512
0a5cc7dedea6ff424b39a1762df96ee07117025e2373a5ff62ece7ebcaf2b9d509e733f6378b44bc5055a57139115ca3e3394fb649f7effb9b5d445b665885ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3883917.exe

Filesize
377KB

MD5
363116cb8c3c785136038a0884ec9db8

SHA1
69f8c6a7173570123164c1637a23a1919463153f

SHA256
65c389ded47b4daf0cce53d02ac15233f4dc4a49d0b07764030e5eee3183766a

SHA512
0a5cc7dedea6ff424b39a1762df96ee07117025e2373a5ff62ece7ebcaf2b9d509e733f6378b44bc5055a57139115ca3e3394fb649f7effb9b5d445b665885ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8434884.exe

Filesize
206KB

MD5
10848932f5db5bffc6d447c562453b94

SHA1
3a44d12d85b1c51c48c0f9d2a22591cae005f2be

SHA256
845c446fcdb6f8055838b1aa4b851e2b7ab53ca8224fb5308064232714aaa584

SHA512
7f70d76e18e12f35dfb404530b871e4c185ce003d132e0955e73204bde888d4fed71d0946cf09653d6e96cf126a1fff791c5f409b8314ef51cd12989e8747e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8434884.exe

Filesize
206KB

MD5
10848932f5db5bffc6d447c562453b94

SHA1
3a44d12d85b1c51c48c0f9d2a22591cae005f2be

SHA256
845c446fcdb6f8055838b1aa4b851e2b7ab53ca8224fb5308064232714aaa584

SHA512
7f70d76e18e12f35dfb404530b871e4c185ce003d132e0955e73204bde888d4fed71d0946cf09653d6e96cf126a1fff791c5f409b8314ef51cd12989e8747e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9073293.exe

Filesize
12KB

MD5
bdb6ebef577e3901f1ab1cdbb09c83ce

SHA1
fd0aa3ec9cf3b63b1b40b06455eeaf3d8a74bf49

SHA256
331898a9875d9d918a9b39f8b88cfd29492486a60d43bc11d2b99b03c59f06e3

SHA512
99023b993fbe4081f5d3eb8c5be7e884b059cb69c91672fe697b54960d8c7c1f160a7d2ae2f2a377d68db720b946f8ec3f61057cdd48460cfeb2017ad044f475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9073293.exe

Filesize
12KB

MD5
bdb6ebef577e3901f1ab1cdbb09c83ce

SHA1
fd0aa3ec9cf3b63b1b40b06455eeaf3d8a74bf49

SHA256
331898a9875d9d918a9b39f8b88cfd29492486a60d43bc11d2b99b03c59f06e3

SHA512
99023b993fbe4081f5d3eb8c5be7e884b059cb69c91672fe697b54960d8c7c1f160a7d2ae2f2a377d68db720b946f8ec3f61057cdd48460cfeb2017ad044f475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8473760.exe

Filesize
172KB

MD5
abdaa2cd14b6f4135df4303102cb0cc4

SHA1
39fbcdf0ec5c054eee0c9021ca513c53af15d0e5

SHA256
c6faf97e3986bf7a92383b62d4c29a4011c74da876e92b2ce07816da75a477c2

SHA512
a9df990d35541f5e641d5f8805994a87184d1e98312bf2d3c0a52110e9e67c51f9d6712e325d42e4d441db178296510475a45c1a61d1f998c894f6938bf984da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8473760.exe

Filesize
172KB

MD5
abdaa2cd14b6f4135df4303102cb0cc4

SHA1
39fbcdf0ec5c054eee0c9021ca513c53af15d0e5

SHA256
c6faf97e3986bf7a92383b62d4c29a4011c74da876e92b2ce07816da75a477c2

SHA512
a9df990d35541f5e641d5f8805994a87184d1e98312bf2d3c0a52110e9e67c51f9d6712e325d42e4d441db178296510475a45c1a61d1f998c894f6938bf984da

Download Submit
memory/1592-154-0x0000000000060000-0x000000000006A000-memory.dmp

Filesize
40KB

Download
memory/4200-159-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/4200-160-0x000000000A420000-0x000000000AA38000-memory.dmp

Filesize
6.1MB

Download
memory/4200-161-0x0000000009F50000-0x000000000A05A000-memory.dmp

Filesize
1.0MB

Download
memory/4200-162-0x0000000009E80000-0x0000000009E92000-memory.dmp

Filesize
72KB

Download
memory/4200-163-0x0000000009EE0000-0x0000000009F1C000-memory.dmp

Filesize
240KB

Download
memory/4200-164-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/4200-165-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads