redline | 8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff

General

Target

8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe
Size

857KB
MD5

22b03b50bbbaf9776b7bbeffd1ac036e
SHA1

64375b124e1e988040b5309d70c6c4236eef0dd4
SHA256

8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff
SHA512

70d137ea5fa90d5be60637661445bb86119c9c1071a36978c1b980d29d37ec27c82ab392100b8f28e6ba93b366e236bc18339fc2d8250fb9ed506319b20aa9f9
SSDEEP

24576:sy4/EEgM5qLUjm7pBeSznzS1aWmrM98uWdRc7:bBo5igWpMSLWgJr+qdR

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.126:19048

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o7671351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7671351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7671351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7671351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7671351.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7671351.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4392	z2818612.exe
3988	z7869209.exe
2908	o7671351.exe
3276	p6298448.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7671351.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2818612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2818612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7869209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7869209.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	o7671351.exe
2908	o7671351.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	o7671351.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 4392	1760	8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe	85
PID 1760 wrote to memory of 4392	1760	8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe	85
PID 1760 wrote to memory of 4392	1760	8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe	85
PID 4392 wrote to memory of 3988	4392	z2818612.exe	86
PID 4392 wrote to memory of 3988	4392	z2818612.exe	86
PID 4392 wrote to memory of 3988	4392	z2818612.exe	86
PID 3988 wrote to memory of 2908	3988	z7869209.exe	87
PID 3988 wrote to memory of 2908	3988	z7869209.exe	87
PID 3988 wrote to memory of 3276	3988	z7869209.exe	88
PID 3988 wrote to memory of 3276	3988	z7869209.exe	88
PID 3988 wrote to memory of 3276	3988	z7869209.exe	88

C:\Users\Admin\AppData\Local\Temp\8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe
"C:\Users\Admin\AppData\Local\Temp\8a72afce776f369c5705d5d2cae16b3c189fe9ed679a29667b49a9dfd95d34ff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2818612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2818612.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7869209.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7869209.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7671351.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7671351.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6298448.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6298448.exe
      4⤵
      Executes dropped EXE
      PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2818612.exe

Filesize
412KB

MD5
2dcd42eb69807586e47e63c2f5cacf07

SHA1
15fa1b3321446d17067506e51037047af439623e

SHA256
32a286bd115e5e2cef3db152990fde4052303d5deb96b3487c2f291df437865c

SHA512
ce18dbbdbd1395706dff045adc21c9023dabb5b77e72669916c78bd9a902389a4f981581cf0796bea83a3d74be5b43940a3a616f1865deba583e690bc08bbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2818612.exe

Filesize
412KB

MD5
2dcd42eb69807586e47e63c2f5cacf07

SHA1
15fa1b3321446d17067506e51037047af439623e

SHA256
32a286bd115e5e2cef3db152990fde4052303d5deb96b3487c2f291df437865c

SHA512
ce18dbbdbd1395706dff045adc21c9023dabb5b77e72669916c78bd9a902389a4f981581cf0796bea83a3d74be5b43940a3a616f1865deba583e690bc08bbda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7869209.exe

Filesize
206KB

MD5
9d1dcb28de91522229d49b98ef3d0c3b

SHA1
d7f4a6de2761b8c9caa83eec14d0f86df547d33c

SHA256
32332ea8875afb783edc0b9f1da2728b3b58dabf0d14cd3ffe92c8478c092bf4

SHA512
3f0fccfa2664e0b818d35a79b16b6e6f13695b4eaa842845d198baa500a4ed9920ddd2cfff01e0bb08552861e3b8898167460035543285ea9a6b68d50bd1a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7869209.exe

Filesize
206KB

MD5
9d1dcb28de91522229d49b98ef3d0c3b

SHA1
d7f4a6de2761b8c9caa83eec14d0f86df547d33c

SHA256
32332ea8875afb783edc0b9f1da2728b3b58dabf0d14cd3ffe92c8478c092bf4

SHA512
3f0fccfa2664e0b818d35a79b16b6e6f13695b4eaa842845d198baa500a4ed9920ddd2cfff01e0bb08552861e3b8898167460035543285ea9a6b68d50bd1a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7671351.exe

Filesize
13KB

MD5
5cfa698dd4924ba6556169a20a6e60fa

SHA1
644c46c4d10a8a0d1898f6ff50ce5ba7bc9cf86c

SHA256
bdb18c2b97318a05e05bc2974843466aff64a1e0cbb000e5b4fcc51ac022710b

SHA512
9b3f0f97846e4825fc44d2dfa6710c543de2e80ca2cc5fe4e458727a61c8aee1e3dbef61e9bbce8b80664d2eabf45b37278095a3d0faba1b8aef63e9f3a2f573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7671351.exe

Filesize
13KB

MD5
5cfa698dd4924ba6556169a20a6e60fa

SHA1
644c46c4d10a8a0d1898f6ff50ce5ba7bc9cf86c

SHA256
bdb18c2b97318a05e05bc2974843466aff64a1e0cbb000e5b4fcc51ac022710b

SHA512
9b3f0f97846e4825fc44d2dfa6710c543de2e80ca2cc5fe4e458727a61c8aee1e3dbef61e9bbce8b80664d2eabf45b37278095a3d0faba1b8aef63e9f3a2f573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6298448.exe

Filesize
172KB

MD5
7cca3b92b267e009862a472eba3b89f5

SHA1
25335dcf7788afe5c80ce62f8b1532aa20381fea

SHA256
262a4da2a0b63672afb2af94d8cb4cbed81eacfeebfe1353ae1412e7cab8d7f4

SHA512
2f14e91af5a3968b02ea3a19cc6ce2a3f3f5ba1c23bb4f046ca6bbf2154f5e906c30af48a2e8cd29393566d6824edc67168d7bfd0de613df56bdc120b174ce61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6298448.exe

Filesize
172KB

MD5
7cca3b92b267e009862a472eba3b89f5

SHA1
25335dcf7788afe5c80ce62f8b1532aa20381fea

SHA256
262a4da2a0b63672afb2af94d8cb4cbed81eacfeebfe1353ae1412e7cab8d7f4

SHA512
2f14e91af5a3968b02ea3a19cc6ce2a3f3f5ba1c23bb4f046ca6bbf2154f5e906c30af48a2e8cd29393566d6824edc67168d7bfd0de613df56bdc120b174ce61

Download Submit
memory/2908-154-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/3276-159-0x0000000000540000-0x0000000000570000-memory.dmp

Filesize
192KB

Download
memory/3276-160-0x000000000A9B0000-0x000000000AFC8000-memory.dmp

Filesize
6.1MB

Download
memory/3276-161-0x000000000A4C0000-0x000000000A5CA000-memory.dmp

Filesize
1.0MB

Download
memory/3276-162-0x000000000A400000-0x000000000A412000-memory.dmp

Filesize
72KB

Download
memory/3276-163-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/3276-164-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/3276-165-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads