redline | fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157

General

Target

fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe
Size

584KB
MD5

e7e9fbd5291c2f5b74c94f6844675aff
SHA1

69b25d9fab859c9fc6a3e5b6293e72c72fa8b6b2
SHA256

fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157
SHA512

4b67d7b008fafb7e331e1a42b5ef1caa3643388e4c88181cd0653ad55ba035769509c181360398810c25bf382c4247045b1564896bcfca186d2c03b5282c6858
SSDEEP

12288:XMrdy90K4aT1MyBJQGw0CVj0o1gPZ+pEjajOv6d+LA:Oy5TBWGw5jxcZ+KaZA8

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0572218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0572218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0572218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0572218.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0572218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0572218.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
788	y7232725.exe
2388	y3563196.exe
4188	k0572218.exe
2392	l0601316.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0572218.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7232725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7232725.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3563196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3563196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4188	k0572218.exe
4188	k0572218.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	k0572218.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 788	2092	fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe	83
PID 2092 wrote to memory of 788	2092	fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe	83
PID 2092 wrote to memory of 788	2092	fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe	83
PID 788 wrote to memory of 2388	788	y7232725.exe	84
PID 788 wrote to memory of 2388	788	y7232725.exe	84
PID 788 wrote to memory of 2388	788	y7232725.exe	84
PID 2388 wrote to memory of 4188	2388	y3563196.exe	85
PID 2388 wrote to memory of 4188	2388	y3563196.exe	85
PID 2388 wrote to memory of 2392	2388	y3563196.exe	86
PID 2388 wrote to memory of 2392	2388	y3563196.exe	86
PID 2388 wrote to memory of 2392	2388	y3563196.exe	86

C:\Users\Admin\AppData\Local\Temp\fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe
"C:\Users\Admin\AppData\Local\Temp\fb1315c34f10b602ba39e593e12f2872f4b5a4e7f96cb3806572ce7859132157.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7232725.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7232725.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3563196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3563196.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0572218.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0572218.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0601316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0601316.exe
      4⤵
      Executes dropped EXE
      PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7232725.exe

Filesize
377KB

MD5
f63d30f4efb26fd751df86498e5360e5

SHA1
67ba744491ab5c9bd883642974120a4aa4ae97d7

SHA256
31eceda7fc1e46b83ed28ba042a00c3f5e9d8a53514c445a4e0d98d82ea863b0

SHA512
a053a410432db4476c03f601e9760f9b932d39b9365df1525480ea3394dc45d21868eeabb1346a3c6bfddbd9100612f9cc476fb893a1275e0577b041baed9a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7232725.exe

Filesize
377KB

MD5
f63d30f4efb26fd751df86498e5360e5

SHA1
67ba744491ab5c9bd883642974120a4aa4ae97d7

SHA256
31eceda7fc1e46b83ed28ba042a00c3f5e9d8a53514c445a4e0d98d82ea863b0

SHA512
a053a410432db4476c03f601e9760f9b932d39b9365df1525480ea3394dc45d21868eeabb1346a3c6bfddbd9100612f9cc476fb893a1275e0577b041baed9a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3563196.exe

Filesize
206KB

MD5
99e563ad040711a2124f228f8af5c642

SHA1
9c5fc7568fbca5e084a5069441227d82fa251bb5

SHA256
3bf8dc5be87a57725236a051469032594b2075e4aba23b0b894f6a55265f87d8

SHA512
2a8a5c80146d87dbc6d4529d2409125c519a746d1e12f185bd828633df68a4a42083e56ce22e533859b9c3303ac18252d699a80d6c1d674e3a22d9aadb24704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3563196.exe

Filesize
206KB

MD5
99e563ad040711a2124f228f8af5c642

SHA1
9c5fc7568fbca5e084a5069441227d82fa251bb5

SHA256
3bf8dc5be87a57725236a051469032594b2075e4aba23b0b894f6a55265f87d8

SHA512
2a8a5c80146d87dbc6d4529d2409125c519a746d1e12f185bd828633df68a4a42083e56ce22e533859b9c3303ac18252d699a80d6c1d674e3a22d9aadb24704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0572218.exe

Filesize
13KB

MD5
75f93dd94c0b93390c9c54ef58de90d6

SHA1
60f18851afc81e2bf55aac2ba4fce7fc10911c2c

SHA256
583d2cbd1c5bc2a9460a5a12488bd9692ddff97b052cc466eb706ee4be6ef301

SHA512
05dd7176dfc62bc1fd17bc051159a33cd81c0b8327120ce6fbe6f995ae9b4833a786da21b4f802bceab18bcb816b7bc8e6ac16e1610635ebe02ab8ebedfecb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0572218.exe

Filesize
13KB

MD5
75f93dd94c0b93390c9c54ef58de90d6

SHA1
60f18851afc81e2bf55aac2ba4fce7fc10911c2c

SHA256
583d2cbd1c5bc2a9460a5a12488bd9692ddff97b052cc466eb706ee4be6ef301

SHA512
05dd7176dfc62bc1fd17bc051159a33cd81c0b8327120ce6fbe6f995ae9b4833a786da21b4f802bceab18bcb816b7bc8e6ac16e1610635ebe02ab8ebedfecb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0601316.exe

Filesize
172KB

MD5
ec9b54ecff1baf2326c43dc4c49953c6

SHA1
defe0e3b5e5e8f728d38d1e573bc7f26476b183e

SHA256
d2ebb9bfa91b2207a0a60059caca3a8109ca2cd3000372b01c4c13bcd97482ec

SHA512
a8df1f5b4b0af2820e5b7f3c91d782751e6c48a77d79d99c593fcc9ed4784aaff8f18d6f6ec7e5489ce32034f766a2548ccb26594df0d59e01d3d50d3e37b8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0601316.exe

Filesize
172KB

MD5
ec9b54ecff1baf2326c43dc4c49953c6

SHA1
defe0e3b5e5e8f728d38d1e573bc7f26476b183e

SHA256
d2ebb9bfa91b2207a0a60059caca3a8109ca2cd3000372b01c4c13bcd97482ec

SHA512
a8df1f5b4b0af2820e5b7f3c91d782751e6c48a77d79d99c593fcc9ed4784aaff8f18d6f6ec7e5489ce32034f766a2548ccb26594df0d59e01d3d50d3e37b8f8

Download Submit
memory/2392-159-0x0000000000950000-0x0000000000980000-memory.dmp

Filesize
192KB

Download
memory/2392-160-0x000000000ADB0000-0x000000000B3C8000-memory.dmp

Filesize
6.1MB

Download
memory/2392-161-0x000000000A8D0000-0x000000000A9DA000-memory.dmp

Filesize
1.0MB

Download
memory/2392-162-0x000000000A810000-0x000000000A822000-memory.dmp

Filesize
72KB

Download
memory/2392-163-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/2392-164-0x000000000A870000-0x000000000A8AC000-memory.dmp

Filesize
240KB

Download
memory/2392-165-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/4188-154-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads