redline | 1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d

General

Target

1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe
Size

585KB
MD5

662bf19ee4d2d7012a4a992e481de2e0
SHA1

af801f5aba409e74a33df5d25411c4007ee7ca41
SHA256

1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d
SHA512

622e93a3321e0299b2d97163d31c5bddba42f442a2e8fc54d0d60ebf8c9195e3079e0e9293e2738d2992e2a2884b7f50c2e4ed3bd3434c980ba309430f203aef
SSDEEP

12288:QMrYy90QUTjhPtkCU+XWOBZhUTnBkmpCNI36YNWR:YylUTJXdBiWmpCNI36Ek

Score

10^/10

redline diza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k2173268.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2173268.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2173268.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2173268.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2173268.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2173268.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1312	y6273343.exe
4368	y7422388.exe
1352	k2173268.exe
1880	l7452627.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2173268.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6273343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6273343.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7422388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7422388.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1352	k2173268.exe
1352	k2173268.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe
1880	l7452627.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	k2173268.exe
Token: SeDebugPrivilege	1880	l7452627.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1312	3612	1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe	83
PID 3612 wrote to memory of 1312	3612	1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe	83
PID 3612 wrote to memory of 1312	3612	1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe	83
PID 1312 wrote to memory of 4368	1312	y6273343.exe	84
PID 1312 wrote to memory of 4368	1312	y6273343.exe	84
PID 1312 wrote to memory of 4368	1312	y6273343.exe	84
PID 4368 wrote to memory of 1352	4368	y7422388.exe	85
PID 4368 wrote to memory of 1352	4368	y7422388.exe	85
PID 4368 wrote to memory of 1880	4368	y7422388.exe	86
PID 4368 wrote to memory of 1880	4368	y7422388.exe	86
PID 4368 wrote to memory of 1880	4368	y7422388.exe	86

C:\Users\Admin\AppData\Local\Temp\1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe
"C:\Users\Admin\AppData\Local\Temp\1455c02724f01860990caf7a8253ad58b32ad2b9ffb955c36205fc82473e222d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6273343.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6273343.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7422388.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7422388.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2173268.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2173268.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7452627.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7452627.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6273343.exe

Filesize
377KB

MD5
e5566671a09ab4c079b3b205001dcdb0

SHA1
f7d7fb5d22b22d5828c850569381c52745d6932a

SHA256
106b6771ec7785e3dc1c7e84a1746da0abb34cb609098e28e1e65e625078f147

SHA512
9b5fb54768ed50b0a6716bc0858abbfa2d61f1ce0f1bc9565ac4bc0ee5e04d15f9208469ea8a26ca5cc73a2fce8a8a3b64edd4b8ebb0fd9dce1b0249eafa4529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6273343.exe

Filesize
377KB

MD5
e5566671a09ab4c079b3b205001dcdb0

SHA1
f7d7fb5d22b22d5828c850569381c52745d6932a

SHA256
106b6771ec7785e3dc1c7e84a1746da0abb34cb609098e28e1e65e625078f147

SHA512
9b5fb54768ed50b0a6716bc0858abbfa2d61f1ce0f1bc9565ac4bc0ee5e04d15f9208469ea8a26ca5cc73a2fce8a8a3b64edd4b8ebb0fd9dce1b0249eafa4529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7422388.exe

Filesize
206KB

MD5
5b03e98f70a829b5c7609450a931fd8f

SHA1
ed626d4d668cc2f5bb13a04bffa05481cc1e2380

SHA256
aa2b356019b3b2d39c086a0f9bba0358b44c5f92dfbc87923ce3506033a3e88a

SHA512
a120d2b2d444c535eb0d722415588f06938191bd0048bfea280d96eee161e6198aaf578288ffbd0a4999bca30e22b770c56aab95cf3f924a88a247a105b7a2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7422388.exe

Filesize
206KB

MD5
5b03e98f70a829b5c7609450a931fd8f

SHA1
ed626d4d668cc2f5bb13a04bffa05481cc1e2380

SHA256
aa2b356019b3b2d39c086a0f9bba0358b44c5f92dfbc87923ce3506033a3e88a

SHA512
a120d2b2d444c535eb0d722415588f06938191bd0048bfea280d96eee161e6198aaf578288ffbd0a4999bca30e22b770c56aab95cf3f924a88a247a105b7a2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2173268.exe

Filesize
13KB

MD5
da360dfb6d6ef212e1f4137f21ba6074

SHA1
6d22357ccf1642f7709e0b06e2cfacd40aae2d6d

SHA256
0128d2b156e79df42f248301641f7857e2e293336959e2b56c469e3a42450f3d

SHA512
cbb7fc6c0ff5601fdf2a57350ef39b6c81d0886e237818d10f9e9a4e6eefa0340a5973eff1a6ad8b3bb9c8d661c00ffd7c09c62d1de52d9bfa91a4ef70bc4aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2173268.exe

Filesize
13KB

MD5
da360dfb6d6ef212e1f4137f21ba6074

SHA1
6d22357ccf1642f7709e0b06e2cfacd40aae2d6d

SHA256
0128d2b156e79df42f248301641f7857e2e293336959e2b56c469e3a42450f3d

SHA512
cbb7fc6c0ff5601fdf2a57350ef39b6c81d0886e237818d10f9e9a4e6eefa0340a5973eff1a6ad8b3bb9c8d661c00ffd7c09c62d1de52d9bfa91a4ef70bc4aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7452627.exe

Filesize
172KB

MD5
128791d4ea48a33d45c844582d3111a1

SHA1
8cb355d49848f92ef53e0793717177bf8736b7c4

SHA256
955b870ca5c3a7fedb340586fd51091da7270c5c49f0716040b2a4a5da622832

SHA512
5fd74c2e3b350d25b37084e6c07c7ec804d34136b80460d8b3aa8d97ed6155d104a47a1640a04c14b41f5e26bea0f4d714342553f39d9e1d9558d836f8f491e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7452627.exe

Filesize
172KB

MD5
128791d4ea48a33d45c844582d3111a1

SHA1
8cb355d49848f92ef53e0793717177bf8736b7c4

SHA256
955b870ca5c3a7fedb340586fd51091da7270c5c49f0716040b2a4a5da622832

SHA512
5fd74c2e3b350d25b37084e6c07c7ec804d34136b80460d8b3aa8d97ed6155d104a47a1640a04c14b41f5e26bea0f4d714342553f39d9e1d9558d836f8f491e9

Download Submit
memory/1352-154-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/1880-160-0x000000000AC30000-0x000000000B248000-memory.dmp

Filesize
6.1MB

Download
memory/1880-166-0x000000000AB70000-0x000000000AC02000-memory.dmp

Filesize
584KB

Download
memory/1880-161-0x000000000A7A0000-0x000000000A8AA000-memory.dmp

Filesize
1.0MB

Download
memory/1880-162-0x000000000A6E0000-0x000000000A6F2000-memory.dmp

Filesize
72KB

Download
memory/1880-163-0x000000000A740000-0x000000000A77C000-memory.dmp

Filesize
240KB

Download
memory/1880-164-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1880-165-0x000000000AA50000-0x000000000AAC6000-memory.dmp

Filesize
472KB

Download
memory/1880-159-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/1880-167-0x000000000B800000-0x000000000BDA4000-memory.dmp

Filesize
5.6MB

Download
memory/1880-168-0x000000000B350000-0x000000000B3B6000-memory.dmp

Filesize
408KB

Download
memory/1880-169-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/1880-170-0x000000000C0E0000-0x000000000C2A2000-memory.dmp

Filesize
1.8MB

Download
memory/1880-171-0x000000000C7E0000-0x000000000CD0C000-memory.dmp

Filesize
5.2MB

Download
memory/1880-172-0x000000000BF10000-0x000000000BF60000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads