redline | 2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f

General

Target

2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe
Size

850KB
MD5

cfb32317f4ce201471305c0b06406cfe
SHA1

d4772f1d85ed9ed66d2ce0c81af24c5ceae2dc49
SHA256

2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f
SHA512

9e31df7421799e7441fe5d68a35b7e40e5fe8de305bbaec8680a666cc7f803fbeff27dbfc1707a29857d86aa00f13fadf28067bcb505751ce425fa1814bafc36
SSDEEP

12288:ZMrdy90arC53BPWVtjj07gthhpnOn+KcPSxf5LYS6Wr7OLKjMTTLz5N76LvXI:ky9+l2pI7848CyC/O/j3+E

Score

10^/10

redline loxa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

loxa

C2

83.97.73.129:19068

Attributes

auth_value
c709e1d3fce1e71b1abb95c0a30242b8

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7457797.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o7457797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7457797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7457797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7457797.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7457797.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4264	z5778346.exe
2020	z0652855.exe
1808	o7457797.exe
2116	p9455358.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7457797.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0652855.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5778346.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5778346.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0652855.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1808	o7457797.exe
1808	o7457797.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe
2116	p9455358.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	o7457797.exe
Token: SeDebugPrivilege	2116	p9455358.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4264	2984	2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe	86
PID 2984 wrote to memory of 4264	2984	2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe	86
PID 2984 wrote to memory of 4264	2984	2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe	86
PID 4264 wrote to memory of 2020	4264	z5778346.exe	87
PID 4264 wrote to memory of 2020	4264	z5778346.exe	87
PID 4264 wrote to memory of 2020	4264	z5778346.exe	87
PID 2020 wrote to memory of 1808	2020	z0652855.exe	88
PID 2020 wrote to memory of 1808	2020	z0652855.exe	88
PID 2020 wrote to memory of 2116	2020	z0652855.exe	89
PID 2020 wrote to memory of 2116	2020	z0652855.exe	89
PID 2020 wrote to memory of 2116	2020	z0652855.exe	89

C:\Users\Admin\AppData\Local\Temp\2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe
"C:\Users\Admin\AppData\Local\Temp\2d8014ac8ee54a6f25410b3053359a084403062dae06f317623b9cf08b34271f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5778346.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5778346.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0652855.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0652855.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7457797.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7457797.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9455358.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9455358.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5778346.exe

Filesize
405KB

MD5
b72c105aae22415a0cd58eb765984428

SHA1
f65a35ef139935d470e6fa58da2cbc55d6457aff

SHA256
2e4bd9988674bf5a040c6f3417511b23bc005fb05d3f4c4168db783eb30814e5

SHA512
1c736af98c9aecc887183cfb7b5171dd84c0ab582545ba280b5e6c90dcc304f168a4e832863c44b663d413c03ce1a61f111d39e71c6ae04f9b6af13f253faef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5778346.exe

Filesize
405KB

MD5
b72c105aae22415a0cd58eb765984428

SHA1
f65a35ef139935d470e6fa58da2cbc55d6457aff

SHA256
2e4bd9988674bf5a040c6f3417511b23bc005fb05d3f4c4168db783eb30814e5

SHA512
1c736af98c9aecc887183cfb7b5171dd84c0ab582545ba280b5e6c90dcc304f168a4e832863c44b663d413c03ce1a61f111d39e71c6ae04f9b6af13f253faef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0652855.exe

Filesize
206KB

MD5
6e01ab58f0adae507671f48830f4a0b4

SHA1
ebcb0ff301cf4aed9a3c3deb9e3911e635f34000

SHA256
edd9c9c71f02dcc2b7d547daaceb6c4b6784db9a984c653090ccc1d90a280a99

SHA512
f68a493adf5d662a6b8b0a93970177b9507bfc1b80a4e053983c563bc178a69d5823fd516ddf2306f223753281e30c2405b32c6adcceb7901b32df0d8cf954d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0652855.exe

Filesize
206KB

MD5
6e01ab58f0adae507671f48830f4a0b4

SHA1
ebcb0ff301cf4aed9a3c3deb9e3911e635f34000

SHA256
edd9c9c71f02dcc2b7d547daaceb6c4b6784db9a984c653090ccc1d90a280a99

SHA512
f68a493adf5d662a6b8b0a93970177b9507bfc1b80a4e053983c563bc178a69d5823fd516ddf2306f223753281e30c2405b32c6adcceb7901b32df0d8cf954d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7457797.exe

Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7457797.exe

Filesize
11KB

MD5
ffa806fcde598c40288f7dedcf1f3687

SHA1
205b34112f10fb73813018f5e44c744386e1a96b

SHA256
83ee008e83c0ab56a531c5ff7c7aefb9dee303aa02e7e81c8cf407d4dee617a0

SHA512
6dbaaf246c6ea4246b5ca168e5effaa6fc9663668888250d232754ea48c14f6ba95c43e8b49480f46ba0d614b13a971a308b6a109b684c02b6d529af66769c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9455358.exe

Filesize
172KB

MD5
c2f1888af3e84dfb6f472a9f3ac3407e

SHA1
daf70ee4e94db1d1cc7338bcebb7a47f5f47de30

SHA256
fb67e11b9428a84af88d451aa6b1873750861ff4c983d5da955a6b117998cbe5

SHA512
8789afe0d905b3af0be2bd3de00c7a73060d0ef581c6a8f5ef9b1d3b393ead79b0a2e688cb7f7a9c41c971bf5832cd687eebc970cee2edbe88c358e42e709594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9455358.exe

Filesize
172KB

MD5
c2f1888af3e84dfb6f472a9f3ac3407e

SHA1
daf70ee4e94db1d1cc7338bcebb7a47f5f47de30

SHA256
fb67e11b9428a84af88d451aa6b1873750861ff4c983d5da955a6b117998cbe5

SHA512
8789afe0d905b3af0be2bd3de00c7a73060d0ef581c6a8f5ef9b1d3b393ead79b0a2e688cb7f7a9c41c971bf5832cd687eebc970cee2edbe88c358e42e709594

Download Submit
memory/1808-154-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2116-160-0x000000000AE50000-0x000000000B468000-memory.dmp

Filesize
6.1MB

Download
memory/2116-166-0x000000000AD90000-0x000000000AE22000-memory.dmp

Filesize
584KB

Download
memory/2116-161-0x000000000A940000-0x000000000AA4A000-memory.dmp

Filesize
1.0MB

Download
memory/2116-162-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/2116-163-0x000000000A870000-0x000000000A8AC000-memory.dmp

Filesize
240KB

Download
memory/2116-164-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/2116-165-0x000000000AC70000-0x000000000ACE6000-memory.dmp

Filesize
472KB

Download
memory/2116-159-0x0000000000A80000-0x0000000000AB0000-memory.dmp

Filesize
192KB

Download
memory/2116-167-0x000000000ACF0000-0x000000000AD56000-memory.dmp

Filesize
408KB

Download
memory/2116-168-0x000000000BD60000-0x000000000C304000-memory.dmp

Filesize
5.6MB

Download
memory/2116-169-0x000000000B990000-0x000000000B9E0000-memory.dmp

Filesize
320KB

Download
memory/2116-170-0x000000000C310000-0x000000000C4D2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-171-0x000000000CA10000-0x000000000CF3C000-memory.dmp

Filesize
5.2MB

Download
memory/2116-172-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads