redline | 66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580

General

Target

66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe
Size

584KB
MD5

f3fe9cd0f6d800df46daa028b97dd292
SHA1

7d1896c00e6feea1e29f3c406eed360047ed7010
SHA256

66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580
SHA512

84fee86d20e8ead2dbf2aaea24cdc1d7abd46a074c5468b1dc226c1b22c1834b5b7d63d101b803d93099043b090908a3933c45c99be26abcc635ad2d347d8943
SSDEEP

12288:7MrMy90faj2VupLuVdwRziwwlAtl5fEw1dvk7Q4L:XyF9pvO89p4L

Score

10^/10

redline diza evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6850700.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6850700.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6850700.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6850700.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6850700.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2520	y1546603.exe
2968	y9008867.exe
4120	k6850700.exe
3940	l6894324.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6850700.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1546603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1546603.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9008867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9008867.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4120	k6850700.exe
4120	k6850700.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	k6850700.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2520	2292	66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe	66
PID 2292 wrote to memory of 2520	2292	66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe	66
PID 2292 wrote to memory of 2520	2292	66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe	66
PID 2520 wrote to memory of 2968	2520	y1546603.exe	67
PID 2520 wrote to memory of 2968	2520	y1546603.exe	67
PID 2520 wrote to memory of 2968	2520	y1546603.exe	67
PID 2968 wrote to memory of 4120	2968	y9008867.exe	68
PID 2968 wrote to memory of 4120	2968	y9008867.exe	68
PID 2968 wrote to memory of 3940	2968	y9008867.exe	69
PID 2968 wrote to memory of 3940	2968	y9008867.exe	69
PID 2968 wrote to memory of 3940	2968	y9008867.exe	69

C:\Users\Admin\AppData\Local\Temp\66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe
"C:\Users\Admin\AppData\Local\Temp\66c6faf33855baf093cf2eaa8ab7e5a7c16aae635cb885bbfdf7a40b4fd95580.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1546603.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1546603.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9008867.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9008867.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6850700.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6850700.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6894324.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6894324.exe
      4⤵
      Executes dropped EXE
      PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1546603.exe

Filesize
377KB

MD5
650734f25f706a79314e9f04bba079c9

SHA1
b7071653b681f95203b94584b156e69baf04bba4

SHA256
95ec713dea07acbcbb662f169d5f5ddfe906f6b27937776804196894cf8d0e80

SHA512
dd3abc9ac67b345c1ba806d44843ef30037e08385ab064d8d4e9bb00bb564ff041bf8fd4d14ff6a9c1e539e156e2eb4aa952f7ec602a1bfec1c482b8403a9326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1546603.exe

Filesize
377KB

MD5
650734f25f706a79314e9f04bba079c9

SHA1
b7071653b681f95203b94584b156e69baf04bba4

SHA256
95ec713dea07acbcbb662f169d5f5ddfe906f6b27937776804196894cf8d0e80

SHA512
dd3abc9ac67b345c1ba806d44843ef30037e08385ab064d8d4e9bb00bb564ff041bf8fd4d14ff6a9c1e539e156e2eb4aa952f7ec602a1bfec1c482b8403a9326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9008867.exe

Filesize
206KB

MD5
7ce77c7773a64f74d4128cf350239825

SHA1
669f8b34f0e72594eebaf65ab35ca83474ec8aa5

SHA256
5da3daca6d1c3ce65c60ed383604577e3b54f407437d49d366a1233a3e1cc415

SHA512
2834869f897a7a8cd1b1638ecd740df2ef106cbb6ebd8742d556e0186c65202aec3069327a67eb7fb58a2dcd0810f638781e3203e8eb62bda8877dbdf03a80f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9008867.exe

Filesize
206KB

MD5
7ce77c7773a64f74d4128cf350239825

SHA1
669f8b34f0e72594eebaf65ab35ca83474ec8aa5

SHA256
5da3daca6d1c3ce65c60ed383604577e3b54f407437d49d366a1233a3e1cc415

SHA512
2834869f897a7a8cd1b1638ecd740df2ef106cbb6ebd8742d556e0186c65202aec3069327a67eb7fb58a2dcd0810f638781e3203e8eb62bda8877dbdf03a80f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6850700.exe

Filesize
13KB

MD5
92f80ecd1ab49e9ebc125c4535579659

SHA1
a80bccfac6d4b9fa4e874d188bf8399c3b1f8a5e

SHA256
516a635a965f5898dddee4153e616823b3be1b947dec58e783aa4c1dd35992a4

SHA512
a0a798d22a9986605b3bde4262a11b922517129f1f034e25f23e7041777e22b48b47758cffd70dd4484b8727d39886bbd55b721de670372a8c14928024d09bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6850700.exe

Filesize
13KB

MD5
92f80ecd1ab49e9ebc125c4535579659

SHA1
a80bccfac6d4b9fa4e874d188bf8399c3b1f8a5e

SHA256
516a635a965f5898dddee4153e616823b3be1b947dec58e783aa4c1dd35992a4

SHA512
a0a798d22a9986605b3bde4262a11b922517129f1f034e25f23e7041777e22b48b47758cffd70dd4484b8727d39886bbd55b721de670372a8c14928024d09bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6894324.exe

Filesize
172KB

MD5
db2d0173f6dfde1444d6d83c3c10b8cf

SHA1
3d256a99617c6d252963ccda344aa27f0ec1b4dd

SHA256
6b1a811b7bbce5831ad370cfb96ef991495137aab096d56929a60f65dc91d4e6

SHA512
56547717e72eb87e239ac2f8147bb0b1c3f14b95a0721fa80133f10be716d16adae7ff3656fd5302a8038880298118f85907e27b8f2ce54b68da324b285e1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6894324.exe

Filesize
172KB

MD5
db2d0173f6dfde1444d6d83c3c10b8cf

SHA1
3d256a99617c6d252963ccda344aa27f0ec1b4dd

SHA256
6b1a811b7bbce5831ad370cfb96ef991495137aab096d56929a60f65dc91d4e6

SHA512
56547717e72eb87e239ac2f8147bb0b1c3f14b95a0721fa80133f10be716d16adae7ff3656fd5302a8038880298118f85907e27b8f2ce54b68da324b285e1899

Download Submit
memory/3940-147-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/3940-148-0x0000000002810000-0x0000000002816000-memory.dmp

Filesize
24KB

Download
memory/3940-149-0x0000000005350000-0x0000000005956000-memory.dmp

Filesize
6.0MB

Download
memory/3940-150-0x0000000004E50000-0x0000000004F5A000-memory.dmp

Filesize
1.0MB

Download
memory/3940-151-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3940-152-0x0000000004D80000-0x0000000004DBE000-memory.dmp

Filesize
248KB

Download
memory/3940-153-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/3940-154-0x0000000004DC0000-0x0000000004E0B000-memory.dmp

Filesize
300KB

Download
memory/3940-155-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4120-142-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads