redline | ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde

General

Target

ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe
Size

583KB
MD5

a0499c7f6dd064a93c924a7a04c6b982
SHA1

bc9036ad822351914e8a9471f2da04eb2ccec936
SHA256

ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde
SHA512

ba5df4e5cf4bac957e0d86070c77b158d6baf60e8d850a184710d734d2a3505a786a5654ffc131d208c0bb0ff47f8aad432a360f78ea3e93d469a87c20ab3d4f
SSDEEP

12288:xMrMJy90Y/yiW65U9i7o8dkXfaE//+oRgOrDxvq:bJy1NU9iCvaOmoVrDxS

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1388009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1388009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1388009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1388009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1388009.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1388009.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2184	y0606417.exe
3884	y1636061.exe
2640	k1388009.exe
2020	l5383288.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1388009.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1636061.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0606417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0606417.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1636061.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2640	k1388009.exe
2640	k1388009.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	k1388009.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 2184	4320	ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe	84
PID 4320 wrote to memory of 2184	4320	ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe	84
PID 4320 wrote to memory of 2184	4320	ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe	84
PID 2184 wrote to memory of 3884	2184	y0606417.exe	85
PID 2184 wrote to memory of 3884	2184	y0606417.exe	85
PID 2184 wrote to memory of 3884	2184	y0606417.exe	85
PID 3884 wrote to memory of 2640	3884	y1636061.exe	86
PID 3884 wrote to memory of 2640	3884	y1636061.exe	86
PID 3884 wrote to memory of 2020	3884	y1636061.exe	87
PID 3884 wrote to memory of 2020	3884	y1636061.exe	87
PID 3884 wrote to memory of 2020	3884	y1636061.exe	87

C:\Users\Admin\AppData\Local\Temp\ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe
"C:\Users\Admin\AppData\Local\Temp\ad99d1953019f7fb59e8feb9004b44226fdb61d9a0b02828b1a2cda154b7cbde.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0606417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0606417.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1636061.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1636061.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1388009.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1388009.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5383288.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5383288.exe
      4⤵
      Executes dropped EXE
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0606417.exe

Filesize
377KB

MD5
941f82587957ebf02330e06db6895718

SHA1
173b70e42a0c0c7357a9d8dda7e14c6e6183b902

SHA256
4ef559be5964fa75cde054ebcc3c635ae5204517db9a725d9e787f31dffa1fbd

SHA512
3933020cf8977e8b0c393f0776db17e2377a36d6791993b7751ba5abad4ec0a91ed782c072c74cc7df7e50edcecc65cb4c9918cd5c99cf231a361a34c353ca9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0606417.exe

Filesize
377KB

MD5
941f82587957ebf02330e06db6895718

SHA1
173b70e42a0c0c7357a9d8dda7e14c6e6183b902

SHA256
4ef559be5964fa75cde054ebcc3c635ae5204517db9a725d9e787f31dffa1fbd

SHA512
3933020cf8977e8b0c393f0776db17e2377a36d6791993b7751ba5abad4ec0a91ed782c072c74cc7df7e50edcecc65cb4c9918cd5c99cf231a361a34c353ca9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1636061.exe

Filesize
206KB

MD5
01c4600dfee29fa75f0d6f2c06ab1db1

SHA1
58bc552e7fd324e42355dd62ba3ccbea5880b317

SHA256
5244383d41448e81c57d34c5c06b936ac4562e372199510a8be20ab12f8d0350

SHA512
4665cf87c917d0314445adda57a34dd64187edd6ae1d7ee7a874ab20e8fba63f077ff0062e5af4a279a96edf1de0d9b6332fe10ad9e6b2d24f70d8795c93e94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1636061.exe

Filesize
206KB

MD5
01c4600dfee29fa75f0d6f2c06ab1db1

SHA1
58bc552e7fd324e42355dd62ba3ccbea5880b317

SHA256
5244383d41448e81c57d34c5c06b936ac4562e372199510a8be20ab12f8d0350

SHA512
4665cf87c917d0314445adda57a34dd64187edd6ae1d7ee7a874ab20e8fba63f077ff0062e5af4a279a96edf1de0d9b6332fe10ad9e6b2d24f70d8795c93e94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1388009.exe

Filesize
13KB

MD5
096238df2b82eeae1ff536f4451ce5eb

SHA1
2073ccf8e4c32146f5ca5be49cb7b11c4c51277d

SHA256
aedeecc64ff3d57c16959b026821a1d31b23b4998d1673dbf828cd7979b83807

SHA512
496f3d7a7b092d930e1f86a8c815be26bc15f04c49372c08b1086358cc56586bb152a87cad0431d6d59d04e5ac089df8c948dadad66fb6de61d4741bf1ad9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1388009.exe

Filesize
13KB

MD5
096238df2b82eeae1ff536f4451ce5eb

SHA1
2073ccf8e4c32146f5ca5be49cb7b11c4c51277d

SHA256
aedeecc64ff3d57c16959b026821a1d31b23b4998d1673dbf828cd7979b83807

SHA512
496f3d7a7b092d930e1f86a8c815be26bc15f04c49372c08b1086358cc56586bb152a87cad0431d6d59d04e5ac089df8c948dadad66fb6de61d4741bf1ad9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5383288.exe

Filesize
172KB

MD5
918e91c8f65178805ff71fea9e3fad6a

SHA1
857ad94f0ea6b088639851f09fd9d82556ae479c

SHA256
dc802b71ebab50d288a64a4c63a743879e61e3d253399f77e7eff4b006c872cd

SHA512
f5449f5b997f46be2f35f7db65c8e3209c1ea89a764632bcde0b2f8fc856de3cb922ed77265bd6630ddd5e716af4e09f8d8544483bf9f060b027e74582c38b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5383288.exe

Filesize
172KB

MD5
918e91c8f65178805ff71fea9e3fad6a

SHA1
857ad94f0ea6b088639851f09fd9d82556ae479c

SHA256
dc802b71ebab50d288a64a4c63a743879e61e3d253399f77e7eff4b006c872cd

SHA512
f5449f5b997f46be2f35f7db65c8e3209c1ea89a764632bcde0b2f8fc856de3cb922ed77265bd6630ddd5e716af4e09f8d8544483bf9f060b027e74582c38b9a

Download Submit
memory/2020-159-0x00000000008B0000-0x00000000008E0000-memory.dmp

Filesize
192KB

Download
memory/2020-160-0x000000000ACD0000-0x000000000B2E8000-memory.dmp

Filesize
6.1MB

Download
memory/2020-161-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/2020-162-0x000000000A770000-0x000000000A782000-memory.dmp

Filesize
72KB

Download
memory/2020-163-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2020-164-0x000000000A7D0000-0x000000000A80C000-memory.dmp

Filesize
240KB

Download
memory/2020-165-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2640-154-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads