redline | c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1

General

Target

c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe
Size

584KB
MD5

d44df13d992f199f24d77b6e67da2f10
SHA1

b0a62a7f15818d58a5ec8ad21dc16ff435791bc8
SHA256

c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1
SHA512

ac4afaa3dd8d6226e49256b861ce99c545707f26fefb7ea71b0b44b37abdf35ff6083ba640633dc707d92778e9e5cbd51eff95ea9a408a5c0f8d3c7b0d37f171
SSDEEP

12288:XMrQy90SL8aAAgiYqfFD+sAjT83VcTN4ZF8Z8IHqy7:TyhdAAMmFD/RFcSyKIV7

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1336323.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1336323.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1336323.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1336323.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1336323.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1336323.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4788	y6630422.exe
1632	y0463916.exe
2852	k1336323.exe
1396	l4718880.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1336323.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0463916.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6630422.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6630422.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0463916.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2852	k1336323.exe
2852	k1336323.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	k1336323.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4788	4852	c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe	84
PID 4852 wrote to memory of 4788	4852	c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe	84
PID 4852 wrote to memory of 4788	4852	c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe	84
PID 4788 wrote to memory of 1632	4788	y6630422.exe	85
PID 4788 wrote to memory of 1632	4788	y6630422.exe	85
PID 4788 wrote to memory of 1632	4788	y6630422.exe	85
PID 1632 wrote to memory of 2852	1632	y0463916.exe	86
PID 1632 wrote to memory of 2852	1632	y0463916.exe	86
PID 1632 wrote to memory of 1396	1632	y0463916.exe	87
PID 1632 wrote to memory of 1396	1632	y0463916.exe	87
PID 1632 wrote to memory of 1396	1632	y0463916.exe	87

C:\Users\Admin\AppData\Local\Temp\c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe
"C:\Users\Admin\AppData\Local\Temp\c205b246a13df88ec4eea56426646ce78fbc4e53b96e85840b4d10b9501ae1e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6630422.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6630422.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0463916.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0463916.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1336323.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1336323.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4718880.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4718880.exe
      4⤵
      Executes dropped EXE
      PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6630422.exe

Filesize
377KB

MD5
4e32cc93cd3b15849ec29d04f64575cb

SHA1
b6e5dcc2407bf1336dcf4b9afd177a73dee56a46

SHA256
ee7ad9b24bfaa2c646aa9bbf9a6bc492a0fee88563912f570290a3ac7d413029

SHA512
e562ed19fafd728dde965dafc0ce8a53f1fdb58d8a43ccff75909b0bebf27d534cad55115706fab65f71c8e5416869b11d056a648ff0c2d881915d1e83736a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6630422.exe

Filesize
377KB

MD5
4e32cc93cd3b15849ec29d04f64575cb

SHA1
b6e5dcc2407bf1336dcf4b9afd177a73dee56a46

SHA256
ee7ad9b24bfaa2c646aa9bbf9a6bc492a0fee88563912f570290a3ac7d413029

SHA512
e562ed19fafd728dde965dafc0ce8a53f1fdb58d8a43ccff75909b0bebf27d534cad55115706fab65f71c8e5416869b11d056a648ff0c2d881915d1e83736a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0463916.exe

Filesize
206KB

MD5
a76371cd1bc21035a36b38bb515c3704

SHA1
7ff58cef898da0646538caa18487055397a737e3

SHA256
1f0a566b44851ddc6442f14e5adba09f07dd4a614884ab37c2db41cf8231212a

SHA512
929394d6c698ad3d834280c98b5d291b6084b36c795fbf1280ac1bde92185ae7312d4c4d4d5cbf6bfb4be9e9dca83fb8e8ebd60bd56751f617afc69955247214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0463916.exe

Filesize
206KB

MD5
a76371cd1bc21035a36b38bb515c3704

SHA1
7ff58cef898da0646538caa18487055397a737e3

SHA256
1f0a566b44851ddc6442f14e5adba09f07dd4a614884ab37c2db41cf8231212a

SHA512
929394d6c698ad3d834280c98b5d291b6084b36c795fbf1280ac1bde92185ae7312d4c4d4d5cbf6bfb4be9e9dca83fb8e8ebd60bd56751f617afc69955247214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1336323.exe

Filesize
13KB

MD5
3346ede829f21569655a41addfcc749e

SHA1
5f0309daf034714b9e1f53a900648d16095cb927

SHA256
d78968de31e923f4b1ece6b94e1ea41f87602afa9a8dceece56d7757c455a5cb

SHA512
dd069c35f03a63bdddeec481605787463538a3ba2a5610298b167bafc5b1c32f0bf04c89a25cf3ae523d2064f55269b6e1040846930a48a48d16956723a12f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1336323.exe

Filesize
13KB

MD5
3346ede829f21569655a41addfcc749e

SHA1
5f0309daf034714b9e1f53a900648d16095cb927

SHA256
d78968de31e923f4b1ece6b94e1ea41f87602afa9a8dceece56d7757c455a5cb

SHA512
dd069c35f03a63bdddeec481605787463538a3ba2a5610298b167bafc5b1c32f0bf04c89a25cf3ae523d2064f55269b6e1040846930a48a48d16956723a12f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4718880.exe

Filesize
172KB

MD5
c31283f6130644b80d977c1b27c181d4

SHA1
cc283aefff51519c06240db8f23db1cf3ec285eb

SHA256
543533643a302fa3329f9c5793137a1cb1648a2210d77997c32b9995f72468e0

SHA512
538137163f6ee4d0dc8aee313e2031b01f7b2518d99da0590b46552200e9f6ee14c374065d1ecbfa6501ccafce5ded3bb6b5239bbed71ff172de6e5f67d6afa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4718880.exe

Filesize
172KB

MD5
c31283f6130644b80d977c1b27c181d4

SHA1
cc283aefff51519c06240db8f23db1cf3ec285eb

SHA256
543533643a302fa3329f9c5793137a1cb1648a2210d77997c32b9995f72468e0

SHA512
538137163f6ee4d0dc8aee313e2031b01f7b2518d99da0590b46552200e9f6ee14c374065d1ecbfa6501ccafce5ded3bb6b5239bbed71ff172de6e5f67d6afa8

Download Submit
memory/1396-159-0x0000000000970000-0x00000000009A0000-memory.dmp

Filesize
192KB

Download
memory/1396-160-0x000000000AD90000-0x000000000B3A8000-memory.dmp

Filesize
6.1MB

Download
memory/1396-161-0x000000000A8F0000-0x000000000A9FA000-memory.dmp

Filesize
1.0MB

Download
memory/1396-162-0x000000000A830000-0x000000000A842000-memory.dmp

Filesize
72KB

Download
memory/1396-163-0x000000000A890000-0x000000000A8CC000-memory.dmp

Filesize
240KB

Download
memory/1396-164-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1396-165-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/2852-154-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads