redline | 611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116

General

Target

611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe
Size

585KB
MD5

4ac73d61cd0321b5249266816b6a5f31
SHA1

94b9587c00d8846dc33e74350c4b8c329f6a628e
SHA256

611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116
SHA512

ac388be9962984dd3291ed26a41691ad577d370c276185d0ceff0d1b8fc8f500179960c565dc90c96d77d3e1b886dff0aa69e682d6897d6aab67fc8f9e1f84a5
SSDEEP

12288:0Mr+y904rsUFzT6A3+BNictSnq+kORmg2uub:yyprxJT6mo1tSnq+fzub

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8134779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8134779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8134779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8134779.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k8134779.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8134779.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1804	y2433049.exe
1840	y6632228.exe
1532	k8134779.exe
4648	l3147274.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8134779.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2433049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2433049.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6632228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6632228.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1532	k8134779.exe
1532	k8134779.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe
4648	l3147274.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	k8134779.exe
Token: SeDebugPrivilege	4648	l3147274.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1804	4640	611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe	84
PID 4640 wrote to memory of 1804	4640	611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe	84
PID 4640 wrote to memory of 1804	4640	611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe	84
PID 1804 wrote to memory of 1840	1804	y2433049.exe	85
PID 1804 wrote to memory of 1840	1804	y2433049.exe	85
PID 1804 wrote to memory of 1840	1804	y2433049.exe	85
PID 1840 wrote to memory of 1532	1840	y6632228.exe	86
PID 1840 wrote to memory of 1532	1840	y6632228.exe	86
PID 1840 wrote to memory of 4648	1840	y6632228.exe	91
PID 1840 wrote to memory of 4648	1840	y6632228.exe	91
PID 1840 wrote to memory of 4648	1840	y6632228.exe	91

C:\Users\Admin\AppData\Local\Temp\611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe
"C:\Users\Admin\AppData\Local\Temp\611b1da3f688d331cc598818c4376e615aaa6865b93236f8888235fd3e798116.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2433049.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2433049.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6632228.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6632228.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8134779.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8134779.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3147274.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3147274.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2433049.exe

Filesize
377KB

MD5
2f277b50a89baa334efc680a96a5eb51

SHA1
45dc0592b255db261e0e06ce26628cc992369744

SHA256
73ca47c219363acd17349b05dc8c2b6c3380fbd87ff0bc45c39e6f3b9cb18833

SHA512
f3684c13b47dfea9e07137fa03204cc1417455140d1c526d8b577074180b0991d4ab1fb7b90265e20c8e5f1c2b1785488f61ceb79eb5b0e3e66b0821e9b34f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2433049.exe

Filesize
377KB

MD5
2f277b50a89baa334efc680a96a5eb51

SHA1
45dc0592b255db261e0e06ce26628cc992369744

SHA256
73ca47c219363acd17349b05dc8c2b6c3380fbd87ff0bc45c39e6f3b9cb18833

SHA512
f3684c13b47dfea9e07137fa03204cc1417455140d1c526d8b577074180b0991d4ab1fb7b90265e20c8e5f1c2b1785488f61ceb79eb5b0e3e66b0821e9b34f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6632228.exe

Filesize
206KB

MD5
17dc7d6698123c7d028251c9f30a4515

SHA1
25cf8322d8934ff446f882679345fa323e1a7ca6

SHA256
163da1cf4df0907a5d92c0e13377633a30542dd30f52b818ccdc796131d729ca

SHA512
870be7b02bad54a4c958dda0b72111dc2db87d99fa3775c950c023eda34f1c27f91219446cfe928efe8f640e9019a484e5d31478c229177f039c685dd2d4f79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6632228.exe

Filesize
206KB

MD5
17dc7d6698123c7d028251c9f30a4515

SHA1
25cf8322d8934ff446f882679345fa323e1a7ca6

SHA256
163da1cf4df0907a5d92c0e13377633a30542dd30f52b818ccdc796131d729ca

SHA512
870be7b02bad54a4c958dda0b72111dc2db87d99fa3775c950c023eda34f1c27f91219446cfe928efe8f640e9019a484e5d31478c229177f039c685dd2d4f79d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8134779.exe

Filesize
13KB

MD5
e4b66278737f6079716f3a98a5d2c917

SHA1
98a6d558bbe544f3c965481fcb38e5240c5ea3fe

SHA256
af2371d729716f4afc0a610bfd0099fd8368bc11d7f12775f2e29921e17e051d

SHA512
423ed2fe701fa5e387a12ba28ee1ca55d15388bad594a71797977ed3cb146732d905d7c865e707345f496e675992e8c1f6185f991a34147db7c23feb734e8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8134779.exe

Filesize
13KB

MD5
e4b66278737f6079716f3a98a5d2c917

SHA1
98a6d558bbe544f3c965481fcb38e5240c5ea3fe

SHA256
af2371d729716f4afc0a610bfd0099fd8368bc11d7f12775f2e29921e17e051d

SHA512
423ed2fe701fa5e387a12ba28ee1ca55d15388bad594a71797977ed3cb146732d905d7c865e707345f496e675992e8c1f6185f991a34147db7c23feb734e8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3147274.exe

Filesize
172KB

MD5
dace1a7d006ea0302ddaaf38d6e35be2

SHA1
e4953971dbdeee16f47f6b72fe4cfddc785e8e14

SHA256
78e67c44771d08a44a7f4c4a1f4db064e0fe3752670a3c545e6922009211cc08

SHA512
f430f9e8bad81b864d1e372478d239c9f04f6a87f8778ba73e647bb0ef787673827133bca3c49b50fa0b88917c27c07c5ee482515907ebe002b52feb66de81bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3147274.exe

Filesize
172KB

MD5
dace1a7d006ea0302ddaaf38d6e35be2

SHA1
e4953971dbdeee16f47f6b72fe4cfddc785e8e14

SHA256
78e67c44771d08a44a7f4c4a1f4db064e0fe3752670a3c545e6922009211cc08

SHA512
f430f9e8bad81b864d1e372478d239c9f04f6a87f8778ba73e647bb0ef787673827133bca3c49b50fa0b88917c27c07c5ee482515907ebe002b52feb66de81bc

Download Submit
memory/1532-154-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/4648-160-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/4648-166-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/4648-161-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/4648-162-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/4648-163-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/4648-164-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4648-165-0x00000000051D0000-0x0000000005246000-memory.dmp

Filesize
472KB

Download
memory/4648-159-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/4648-167-0x00000000063B0000-0x0000000006954000-memory.dmp

Filesize
5.6MB

Download
memory/4648-168-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/4648-169-0x0000000006050000-0x00000000060A0000-memory.dmp

Filesize
320KB

Download
memory/4648-170-0x0000000006960000-0x0000000006B22000-memory.dmp

Filesize
1.8MB

Download
memory/4648-171-0x0000000008580000-0x0000000008AAC000-memory.dmp

Filesize
5.2MB

Download
memory/4648-172-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads