redline | d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d

General

Target

d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe
Size

586KB
MD5

64066bbbeae79db1e3be237fa523f7cc
SHA1

cf1cf4850ba93350a47430d26855a9b26d900ccf
SHA256

d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d
SHA512

805dbe050d45c8dba6125faf4f901780444b45892a93bc1280a1048592d3e74ca3fe9b281e5ec2c05e3a400acad3784be3e3d074adac69736528262fbcf19765
SSDEEP

12288:MMrsRYyqTwczrXn3HXn3HXn3HXiyCSiyCSiyCSiyCSZp5JZp5JZp5JZVy90EpM1C:1y+7UrQynpQqJM9TlqNtDBH/Qy

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k8250399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8250399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8250399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8250399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8250399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8250399.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
764	y5001134.exe
1180	y4079902.exe
4908	k8250399.exe
3924	l4487634.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8250399.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5001134.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4079902.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4079902.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5001134.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4908	k8250399.exe
4908	k8250399.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe
3924	l4487634.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	k8250399.exe
Token: SeDebugPrivilege	3924	l4487634.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 764	616	d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe	84
PID 616 wrote to memory of 764	616	d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe	84
PID 616 wrote to memory of 764	616	d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe	84
PID 764 wrote to memory of 1180	764	y5001134.exe	85
PID 764 wrote to memory of 1180	764	y5001134.exe	85
PID 764 wrote to memory of 1180	764	y5001134.exe	85
PID 1180 wrote to memory of 4908	1180	y4079902.exe	86
PID 1180 wrote to memory of 4908	1180	y4079902.exe	86
PID 1180 wrote to memory of 3924	1180	y4079902.exe	89
PID 1180 wrote to memory of 3924	1180	y4079902.exe	89
PID 1180 wrote to memory of 3924	1180	y4079902.exe	89

C:\Users\Admin\AppData\Local\Temp\d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe
"C:\Users\Admin\AppData\Local\Temp\d78e728259d69b40a9211931c7c0f7d5a44c190a9667f9749773033a9d0ed70d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5001134.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5001134.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4079902.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4079902.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8250399.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8250399.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4487634.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4487634.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5001134.exe

Filesize
377KB

MD5
2325559eb37a391b5d3bc75585ec9a81

SHA1
c45260570f6fe28386026a8a65980574644d8b1d

SHA256
d0bc89425b47d76662898d144961795ff981582e8ea326831af90fe47351cbe3

SHA512
60237221cd025db3e9c07b38b722136995839ea3c11de395b7a06f06ecd7ad28cbecd07adac88258114bc58126ad004af8051b4a262dd932b29899620cce66b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5001134.exe

Filesize
377KB

MD5
2325559eb37a391b5d3bc75585ec9a81

SHA1
c45260570f6fe28386026a8a65980574644d8b1d

SHA256
d0bc89425b47d76662898d144961795ff981582e8ea326831af90fe47351cbe3

SHA512
60237221cd025db3e9c07b38b722136995839ea3c11de395b7a06f06ecd7ad28cbecd07adac88258114bc58126ad004af8051b4a262dd932b29899620cce66b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4079902.exe

Filesize
206KB

MD5
049f79ff641b940b853c90b24ee7d306

SHA1
c12b7ad32cea60396dd09e0a03d27ddfca7a62d1

SHA256
aed097e79ae501bfc20e13002e4ab4f4324180c72e408a6207796d47c7cb3634

SHA512
e9d66bbd0cc1cd97a9be6c299e64d2646539ed3622d548dae99d17eb698b46f866fff49b896961996bb784591b1b7baf6df647eb0d6fc1ff8a4d127ed901c352

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4079902.exe

Filesize
206KB

MD5
049f79ff641b940b853c90b24ee7d306

SHA1
c12b7ad32cea60396dd09e0a03d27ddfca7a62d1

SHA256
aed097e79ae501bfc20e13002e4ab4f4324180c72e408a6207796d47c7cb3634

SHA512
e9d66bbd0cc1cd97a9be6c299e64d2646539ed3622d548dae99d17eb698b46f866fff49b896961996bb784591b1b7baf6df647eb0d6fc1ff8a4d127ed901c352

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8250399.exe

Filesize
13KB

MD5
0a8ab530eaeefad1e6cd01b267132403

SHA1
5a9725d74860ab852355e92c2c00f4260249b2dc

SHA256
916c4bfc12519fc27050c4ff51ace34088b35b40753156946587fb8b926489e3

SHA512
64939e50725384beffdcafac83aa00137322785316075e47b82ad5029dd2c4f869e5d0cfd97a1a8c30cb87356ad730177646aa90e69c742d84396b8554af64d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8250399.exe

Filesize
13KB

MD5
0a8ab530eaeefad1e6cd01b267132403

SHA1
5a9725d74860ab852355e92c2c00f4260249b2dc

SHA256
916c4bfc12519fc27050c4ff51ace34088b35b40753156946587fb8b926489e3

SHA512
64939e50725384beffdcafac83aa00137322785316075e47b82ad5029dd2c4f869e5d0cfd97a1a8c30cb87356ad730177646aa90e69c742d84396b8554af64d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4487634.exe

Filesize
172KB

MD5
4911388803a0f3e4ada0368fca5609f9

SHA1
af762a0dcf1da5cd19e1455523e930190174e04b

SHA256
f9a6dc8715743e314b1ac665f2ce1d59da56898e421686f39bbb7dc27b6c422f

SHA512
59264d66723c5d558eea32c713a3e7550bd0e02665d9a5641b0d18676617998c4b1dd65a9b46072e2ff5b362bb17476f79cd8e6a450e61e108a657844fe51803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4487634.exe

Filesize
172KB

MD5
4911388803a0f3e4ada0368fca5609f9

SHA1
af762a0dcf1da5cd19e1455523e930190174e04b

SHA256
f9a6dc8715743e314b1ac665f2ce1d59da56898e421686f39bbb7dc27b6c422f

SHA512
59264d66723c5d558eea32c713a3e7550bd0e02665d9a5641b0d18676617998c4b1dd65a9b46072e2ff5b362bb17476f79cd8e6a450e61e108a657844fe51803

Download Submit
memory/3924-160-0x000000000B320000-0x000000000B938000-memory.dmp

Filesize
6.1MB

Download
memory/3924-165-0x000000000B0A0000-0x000000000B116000-memory.dmp

Filesize
472KB

Download
memory/3924-172-0x000000000C570000-0x000000000C5C0000-memory.dmp

Filesize
320KB

Download
memory/3924-161-0x000000000AE10000-0x000000000AF1A000-memory.dmp

Filesize
1.0MB

Download
memory/3924-162-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/3924-164-0x000000000AD90000-0x000000000ADCC000-memory.dmp

Filesize
240KB

Download
memory/3924-163-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3924-159-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/3924-166-0x000000000B1C0000-0x000000000B252000-memory.dmp

Filesize
584KB

Download
memory/3924-167-0x000000000BEF0000-0x000000000C494000-memory.dmp

Filesize
5.6MB

Download
memory/3924-168-0x000000000B260000-0x000000000B2C6000-memory.dmp

Filesize
408KB

Download
memory/3924-169-0x000000000C670000-0x000000000C832000-memory.dmp

Filesize
1.8MB

Download
memory/3924-170-0x000000000CD70000-0x000000000D29C000-memory.dmp

Filesize
5.2MB

Download
memory/3924-171-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4908-154-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads