redline | d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395

General

Target

d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe
Size

584KB
MD5

f9e8b9b032e1706b4bbedceb716a0060
SHA1

586dd8f7b8cf7f88bab323cb80ea7fac262b4095
SHA256

d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395
SHA512

e880ec50b4c2f75a89e0a3bad9bde6334ad22ebd9a7acb314bd7075f78b3022c1db241b3b33fbbf9396b965ee9a09c16444410d9b303538c16160ea44be282ce
SSDEEP

12288:PMrsy90BSk8D2Bj3cNWGJXf1ydvAb980UyjcFpdCzam3:7ywSZ2l3cN1FfAggLdCza0

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8324475.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8324475.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8324475.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8324475.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k8324475.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8324475.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4964	y1948775.exe
380	y0562208.exe
460	k8324475.exe
2788	l1951428.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8324475.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1948775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1948775.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0562208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0562208.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
460	k8324475.exe
460	k8324475.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	k8324475.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4964	4264	d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe	84
PID 4264 wrote to memory of 4964	4264	d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe	84
PID 4264 wrote to memory of 4964	4264	d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe	84
PID 4964 wrote to memory of 380	4964	y1948775.exe	85
PID 4964 wrote to memory of 380	4964	y1948775.exe	85
PID 4964 wrote to memory of 380	4964	y1948775.exe	85
PID 380 wrote to memory of 460	380	y0562208.exe	86
PID 380 wrote to memory of 460	380	y0562208.exe	86
PID 380 wrote to memory of 2788	380	y0562208.exe	87
PID 380 wrote to memory of 2788	380	y0562208.exe	87
PID 380 wrote to memory of 2788	380	y0562208.exe	87

C:\Users\Admin\AppData\Local\Temp\d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe
"C:\Users\Admin\AppData\Local\Temp\d3298e33df1052b3af424cff4a972a9b228f8fc0aace1234575eacde90091395.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1948775.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1948775.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0562208.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0562208.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8324475.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8324475.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1951428.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1951428.exe
      4⤵
      Executes dropped EXE
      PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1948775.exe

Filesize
377KB

MD5
28333862295b20bc28cfec9066d001d5

SHA1
a5ae639f348229e501a1c3f8639de07fe0c26375

SHA256
9e0196bb55cdb420a88d1a45f4dd714c96483a2b217ac97ff6fee254129aa0f9

SHA512
e98ee86eb7baab098b30ca330896f8dd256cbd5c622173d908b39d62908dfa7371a9fa4870987c4094d3d8d00391186e72fbac894e35176c5dfedcd76cce8880

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1948775.exe

Filesize
377KB

MD5
28333862295b20bc28cfec9066d001d5

SHA1
a5ae639f348229e501a1c3f8639de07fe0c26375

SHA256
9e0196bb55cdb420a88d1a45f4dd714c96483a2b217ac97ff6fee254129aa0f9

SHA512
e98ee86eb7baab098b30ca330896f8dd256cbd5c622173d908b39d62908dfa7371a9fa4870987c4094d3d8d00391186e72fbac894e35176c5dfedcd76cce8880

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0562208.exe

Filesize
206KB

MD5
839d1c306a762a3952fa234cca7f6807

SHA1
eb755523dee5ed9c6faf1d1d8478b16ae91cfb0f

SHA256
ce922d50a518a9a3b6e55a6bf3bd9e9fdb6574bed723120e496ee55855899c26

SHA512
24aa6ebaa238051e7b955ffb11cdd93f7127017b349ca5bd00b9bfce94ea4de3aeacd3c39ad2bf15326f5405a5da57a0d88c7aa8ae8ccf0063f7422e8f382ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0562208.exe

Filesize
206KB

MD5
839d1c306a762a3952fa234cca7f6807

SHA1
eb755523dee5ed9c6faf1d1d8478b16ae91cfb0f

SHA256
ce922d50a518a9a3b6e55a6bf3bd9e9fdb6574bed723120e496ee55855899c26

SHA512
24aa6ebaa238051e7b955ffb11cdd93f7127017b349ca5bd00b9bfce94ea4de3aeacd3c39ad2bf15326f5405a5da57a0d88c7aa8ae8ccf0063f7422e8f382ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8324475.exe

Filesize
13KB

MD5
aae065afc92ee0f0bbb5168ea0d741f6

SHA1
7c6807111b975df378b2520bde83cdb25e52182f

SHA256
c2fa94717a20ebb66848d1ddc66b204f027219847228395a632257bf15a9000c

SHA512
a78fe340ab6dfa8a11e6dd23aed7c7ea257370bab4553bfe048025a40031d5e17a099d6a82e904b50c6e5b288639486308a869e8bd04dcdfc801f419d22ed923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8324475.exe

Filesize
13KB

MD5
aae065afc92ee0f0bbb5168ea0d741f6

SHA1
7c6807111b975df378b2520bde83cdb25e52182f

SHA256
c2fa94717a20ebb66848d1ddc66b204f027219847228395a632257bf15a9000c

SHA512
a78fe340ab6dfa8a11e6dd23aed7c7ea257370bab4553bfe048025a40031d5e17a099d6a82e904b50c6e5b288639486308a869e8bd04dcdfc801f419d22ed923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1951428.exe

Filesize
172KB

MD5
f5d205e0c827698bd42bd5756ad100dd

SHA1
9ab75eb1ff8810f35269f492d7b07e8e00adbaec

SHA256
68b85cfe8c73cc35e7160c5b905d8ee5b7d3c56b51fcd331474a4e6386b92119

SHA512
8865fb6634eea4578385474d1b8e23994ef6b945095f31b93a0b28cd6f04b89a1370c4afc57055c66def68a0d881e89e02b93d82ffc7e3ec773f6789aff6b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1951428.exe

Filesize
172KB

MD5
f5d205e0c827698bd42bd5756ad100dd

SHA1
9ab75eb1ff8810f35269f492d7b07e8e00adbaec

SHA256
68b85cfe8c73cc35e7160c5b905d8ee5b7d3c56b51fcd331474a4e6386b92119

SHA512
8865fb6634eea4578385474d1b8e23994ef6b945095f31b93a0b28cd6f04b89a1370c4afc57055c66def68a0d881e89e02b93d82ffc7e3ec773f6789aff6b771

Download Submit
memory/460-154-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/2788-159-0x0000000000EF0000-0x0000000000F20000-memory.dmp

Filesize
192KB

Download
memory/2788-160-0x000000000B300000-0x000000000B918000-memory.dmp

Filesize
6.1MB

Download
memory/2788-161-0x000000000AE70000-0x000000000AF7A000-memory.dmp

Filesize
1.0MB

Download
memory/2788-162-0x000000000ADB0000-0x000000000ADC2000-memory.dmp

Filesize
72KB

Download
memory/2788-163-0x000000000AE10000-0x000000000AE4C000-memory.dmp

Filesize
240KB

Download
memory/2788-164-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/2788-165-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads