redline | b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36

General

Target

b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe
Size

865KB
MD5

76980f5b517f1090ce297664ea0d7465
SHA1

65a843106e4365b1321181258c5d4f7d34fef4dc
SHA256

b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36
SHA512

413356310b088ab29f362887885f735b16cc7e405a8aa0d3d853f2d6e51c357fa68d91ff2da47bc9ed698bc105046631e7deabbb7b4353095ac173d9ff3038b5
SSDEEP

12288:eMray90Yytl+T4gA7U/XtGLnyx4EQe3bcy74hpF57wg/my1hu8LiHrt:YyGl6A7U/Xq5EX3bHMfRwgO6/iLt

Score

10^/10

redline lupa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

C2

83.97.73.129:19068

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o7881815.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7881815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7881815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7881815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7881815.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7881815.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z0938577.exez6938162.exeo7881815.exep6597666.exe

pid process

4440 z0938577.exe
4904 z6938162.exe
2092 o7881815.exe
4284 p6597666.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

o7881815.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" o7881815.exe

pid	process
4440	z0938577.exe
4904	z6938162.exe
2092	o7881815.exe
4284	p6597666.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7881815.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z0938577.exez6938162.exeb8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0938577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0938577.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6938162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6938162.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

o7881815.exe

pid process

2092 o7881815.exe
2092 o7881815.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o7881815.exe

description pid process

Token: SeDebugPrivilege 2092 o7881815.exe

pid	process
2092	o7881815.exe
2092	o7881815.exe

description	pid	process
Token: SeDebugPrivilege	2092	o7881815.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exez0938577.exez6938162.exe

description	pid	process	target process
PID 1636 wrote to memory of 4440	1636	b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe	z0938577.exe
PID 1636 wrote to memory of 4440	1636	b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe	z0938577.exe
PID 1636 wrote to memory of 4440	1636	b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe	z0938577.exe
PID 4440 wrote to memory of 4904	4440	z0938577.exe	z6938162.exe
PID 4440 wrote to memory of 4904	4440	z0938577.exe	z6938162.exe
PID 4440 wrote to memory of 4904	4440	z0938577.exe	z6938162.exe
PID 4904 wrote to memory of 2092	4904	z6938162.exe	o7881815.exe
PID 4904 wrote to memory of 2092	4904	z6938162.exe	o7881815.exe
PID 4904 wrote to memory of 4284	4904	z6938162.exe	p6597666.exe
PID 4904 wrote to memory of 4284	4904	z6938162.exe	p6597666.exe
PID 4904 wrote to memory of 4284	4904	z6938162.exe	p6597666.exe

C:\Users\Admin\AppData\Local\Temp\b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe
"C:\Users\Admin\AppData\Local\Temp\b8c98f298402345de6ea70fa12269eb67babe6dea25440a084b3b3d7c67afc36.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0938577.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0938577.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6938162.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6938162.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7881815.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7881815.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6597666.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6597666.exe
4⤵
- Executes dropped EXE
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0938577.exe
Filesize
420KB

MD5
66ba9b13ca206797ec93ebb616a330fb

SHA1
08cdb70bdaa395a076f5f1661221ae4b9cbf0567

SHA256
6d1d127a94fd2c11acb9704f9596db1e000e789f82c48755ad7c549c55e0e551

SHA512
42d25bcf3896d453b3b164a7d3259425982223daa2390735ea0a94448531904c87825de290247ff1855308f24319800ce5038c7107a924b7c0f4d3fdd256a5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0938577.exe
Filesize
420KB

MD5
66ba9b13ca206797ec93ebb616a330fb

SHA1
08cdb70bdaa395a076f5f1661221ae4b9cbf0567

SHA256
6d1d127a94fd2c11acb9704f9596db1e000e789f82c48755ad7c549c55e0e551

SHA512
42d25bcf3896d453b3b164a7d3259425982223daa2390735ea0a94448531904c87825de290247ff1855308f24319800ce5038c7107a924b7c0f4d3fdd256a5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6938162.exe
Filesize
206KB

MD5
746b29198ab064602805086610e8cb15

SHA1
d68f3cd6fceb1f8fc8e48f74ab15f66ebffa9b09

SHA256
3387df711377c5d1def191d8c70f0a0e952c8a6463473c49fd10484409e2e040

SHA512
cdbfd2b27fef86d9050e3bf564c82232551e45400e8120bbb830194cbc66ba1b8632d31824072d6fc7e8d8070f0b69c76e8ec919209b8ba33a5d30e98bb9e89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6938162.exe
Filesize
206KB

MD5
746b29198ab064602805086610e8cb15

SHA1
d68f3cd6fceb1f8fc8e48f74ab15f66ebffa9b09

SHA256
3387df711377c5d1def191d8c70f0a0e952c8a6463473c49fd10484409e2e040

SHA512
cdbfd2b27fef86d9050e3bf564c82232551e45400e8120bbb830194cbc66ba1b8632d31824072d6fc7e8d8070f0b69c76e8ec919209b8ba33a5d30e98bb9e89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7881815.exe
Filesize
13KB

MD5
9277e60815c2ad9f71754ff8520e9f67

SHA1
efffd9ca99801e1bf426bd0f5844b0239c2f0bc5

SHA256
d6d39d093b5780bf57b0a4a2eda3841fb69b86dfcd915ee67d91d870b5dda3c5

SHA512
ccd3d2ccaf41a0836d195410828bee4cd64db4a2b05f336424340ec759a348d6f5c11d1fa0e98936014e931e4b8ce2aebc8622ccdf0842bc305eee2f3c4f3e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7881815.exe
Filesize
13KB

MD5
9277e60815c2ad9f71754ff8520e9f67

SHA1
efffd9ca99801e1bf426bd0f5844b0239c2f0bc5

SHA256
d6d39d093b5780bf57b0a4a2eda3841fb69b86dfcd915ee67d91d870b5dda3c5

SHA512
ccd3d2ccaf41a0836d195410828bee4cd64db4a2b05f336424340ec759a348d6f5c11d1fa0e98936014e931e4b8ce2aebc8622ccdf0842bc305eee2f3c4f3e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6597666.exe
Filesize
172KB

MD5
26de848c0b8481d24798f4d6741580fd

SHA1
40f336c0aebf3d10206d58192789ca820deb8154

SHA256
9f20cf90047f3b3b1d80a009013334de538ac158cebadc3d865b6b65100cabe6

SHA512
eb851d6582a7c13f5472b2ad3b18c9324d0aa1fc0727d701592a5cfeafbcb50ec049c04ca3348689752b5ad7d175a4451591f07f05238d8ba05ce385e80ccf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6597666.exe
Filesize
172KB

MD5
26de848c0b8481d24798f4d6741580fd

SHA1
40f336c0aebf3d10206d58192789ca820deb8154

SHA256
9f20cf90047f3b3b1d80a009013334de538ac158cebadc3d865b6b65100cabe6

SHA512
eb851d6582a7c13f5472b2ad3b18c9324d0aa1fc0727d701592a5cfeafbcb50ec049c04ca3348689752b5ad7d175a4451591f07f05238d8ba05ce385e80ccf1e

Download Submit
memory/2092-138-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/4284-143-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/4284-144-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/4284-145-0x0000000005360000-0x0000000005966000-memory.dmp

Filesize
6.0MB

Download
memory/4284-146-0x0000000004E60000-0x0000000004F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4284-147-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/4284-148-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4284-149-0x0000000002780000-0x00000000027BE000-memory.dmp

Filesize
248KB

Download
memory/4284-150-0x0000000004D50000-0x0000000004D9B000-memory.dmp

Filesize
300KB

Download
memory/4284-151-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads