redline | 8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced

General

Target

8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe
Size

856KB
MD5

5bf91a2fbd82de72ed9b2b85b29292a5
SHA1

5a14572c7c9376b24ffa944f7732361de45aa49b
SHA256

8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced
SHA512

5f24c7a65d6acf30aa8b0b76078749fdda5ccc74af50ea3d597bd778f7bbbb184c656bc97e36c362742b3c6461a391cac016fabdd20f4638fd2cbfa80769d78d
SSDEEP

12288:fMrQy90lZAI+wIifIM1Na1OZZs8nSJOb0QS1Js5qUZQXIHUhIvG0TxotUumMy3:zyuZuwZLaHUQXq5qUye2UoyaC

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19048

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o2438997.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o2438997.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o2438997.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o2438997.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o2438997.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o2438997.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3096	z0048925.exe
1896	z0704530.exe
3008	o2438997.exe
2852	p2611985.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o2438997.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0704530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0704530.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0048925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0048925.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	o2438997.exe
3008	o2438997.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	o2438997.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 3096	4340	8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe	81
PID 4340 wrote to memory of 3096	4340	8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe	81
PID 4340 wrote to memory of 3096	4340	8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe	81
PID 3096 wrote to memory of 1896	3096	z0048925.exe	82
PID 3096 wrote to memory of 1896	3096	z0048925.exe	82
PID 3096 wrote to memory of 1896	3096	z0048925.exe	82
PID 1896 wrote to memory of 3008	1896	z0704530.exe	83
PID 1896 wrote to memory of 3008	1896	z0704530.exe	83
PID 1896 wrote to memory of 2852	1896	z0704530.exe	86
PID 1896 wrote to memory of 2852	1896	z0704530.exe	86
PID 1896 wrote to memory of 2852	1896	z0704530.exe	86

C:\Users\Admin\AppData\Local\Temp\8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe
"C:\Users\Admin\AppData\Local\Temp\8deecd1bae718ca10a5f76510c08818cf7b29453764a08a84de44ee89d321ced.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0048925.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0048925.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0704530.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0704530.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2438997.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2438997.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2611985.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2611985.exe
      4⤵
      Executes dropped EXE
      PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0048925.exe

Filesize
411KB

MD5
a7d32162adbe95aeb94438ce3a68d8b7

SHA1
e6eee2af448814d4fd6951e1db79407e9aceed32

SHA256
adfe41b6e12bb3d56d207fe234e0796e0dcd2651174ba809b2bdd4b9a8cab48d

SHA512
e54c32600275bf0e92007e6a7fc39be30dcbaa0174372258ab8c011dfa931048f08eed2b660f90ca1f4258d044ba0a1309a58c88d5ed898e8dc3a78ecd4d5c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0048925.exe

Filesize
411KB

MD5
a7d32162adbe95aeb94438ce3a68d8b7

SHA1
e6eee2af448814d4fd6951e1db79407e9aceed32

SHA256
adfe41b6e12bb3d56d207fe234e0796e0dcd2651174ba809b2bdd4b9a8cab48d

SHA512
e54c32600275bf0e92007e6a7fc39be30dcbaa0174372258ab8c011dfa931048f08eed2b660f90ca1f4258d044ba0a1309a58c88d5ed898e8dc3a78ecd4d5c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0704530.exe

Filesize
206KB

MD5
2ea41f30d1385b5958b0b5bca5663192

SHA1
2e34705e4be85420d355ed69f8fdf399fe895746

SHA256
67c1a9941ae8c8b173b373c603e9e660c3f24d25ceba94018dde2aef3dd8e880

SHA512
bc84b16e366e2de3b4a68b8a550544eda7a1f58a9e15cfac30c7dc6e877e6839d446aae1cceb93928fb7c4736302f155c2cb11fd7537c7a242d330492092b730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0704530.exe

Filesize
206KB

MD5
2ea41f30d1385b5958b0b5bca5663192

SHA1
2e34705e4be85420d355ed69f8fdf399fe895746

SHA256
67c1a9941ae8c8b173b373c603e9e660c3f24d25ceba94018dde2aef3dd8e880

SHA512
bc84b16e366e2de3b4a68b8a550544eda7a1f58a9e15cfac30c7dc6e877e6839d446aae1cceb93928fb7c4736302f155c2cb11fd7537c7a242d330492092b730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2438997.exe

Filesize
13KB

MD5
283ff789a29b3abc05c92196eacd1179

SHA1
cfae9866a5fe68759f12979ff0c0caf050f22f2d

SHA256
0086d5ba84df8d2156a7988e4a9dc11ada7126777bba14f61c234c48dc55b28f

SHA512
b2a207c1cb28d9a3e5114fc9c39455a79e1bdac6bbb64084c12705256cc86d94e9fb05bb80f1f1317bcffbafbce36dad3652febb9a78a8a6290bcdc949d31b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2438997.exe

Filesize
13KB

MD5
283ff789a29b3abc05c92196eacd1179

SHA1
cfae9866a5fe68759f12979ff0c0caf050f22f2d

SHA256
0086d5ba84df8d2156a7988e4a9dc11ada7126777bba14f61c234c48dc55b28f

SHA512
b2a207c1cb28d9a3e5114fc9c39455a79e1bdac6bbb64084c12705256cc86d94e9fb05bb80f1f1317bcffbafbce36dad3652febb9a78a8a6290bcdc949d31b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2611985.exe

Filesize
172KB

MD5
6c8c0ff2afadcad1524df86a696be797

SHA1
307fdc6572d3dd9fc703d640830469bc2fa9b20b

SHA256
1a79bb7ce144233f37b7410ec960453b95eed170611ee1ced15028a1dd7ad662

SHA512
4b6e22fb7aaaa58b09c5968da87c5399e60d3b4ea8085c77084407de7e8354a4a5004a60a153518913ebc69614c6ef9b9d8205c543668387c2d4c245a79fc1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2611985.exe

Filesize
172KB

MD5
6c8c0ff2afadcad1524df86a696be797

SHA1
307fdc6572d3dd9fc703d640830469bc2fa9b20b

SHA256
1a79bb7ce144233f37b7410ec960453b95eed170611ee1ced15028a1dd7ad662

SHA512
4b6e22fb7aaaa58b09c5968da87c5399e60d3b4ea8085c77084407de7e8354a4a5004a60a153518913ebc69614c6ef9b9d8205c543668387c2d4c245a79fc1dc

Download Submit
memory/2852-159-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/2852-160-0x000000000B010000-0x000000000B628000-memory.dmp

Filesize
6.1MB

Download
memory/2852-161-0x000000000AB80000-0x000000000AC8A000-memory.dmp

Filesize
1.0MB

Download
memory/2852-162-0x000000000AAC0000-0x000000000AAD2000-memory.dmp

Filesize
72KB

Download
memory/2852-163-0x000000000AB20000-0x000000000AB5C000-memory.dmp

Filesize
240KB

Download
memory/2852-164-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/2852-165-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3008-154-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads