redline | d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae

General

Target

d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe
Size

488KB
MD5

e43fde73b3f3d42bd413a53824009289
SHA1

baf351fd6d27595722fde16b13da4aae37afb229
SHA256

d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae
SHA512

246a630f3e355c541d7a103144fd801ba178a5111d0b8e4423cb0aa2d9f2d5e1c81665c24f7fde81181b5ae1f6483e859b395548db89e229b9687c16dbec6f1b
SSDEEP

12288:NMrcy907KV6/xteJadHqfRSwnM1gUPt/mp7zsBo:FyQlZXN01s2

Score

10^/10

redline dippo discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dippo

C2

217.196.96.102:4132

Attributes

auth_value
79490ff628fd6af3b29170c3c163874b

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0336238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0336238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0336238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0336238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0336238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0336238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b9a-54.dat	family_redline
behavioral1/memory/4780-56-0x0000000000B70000-0x0000000000B9E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4420	y7039759.exe
2584	k0336238.exe
4780	l4740443.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0336238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0336238.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7039759.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7039759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0336238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4740443.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2584	k0336238.exe
2584	k0336238.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	k0336238.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4420	3100	d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe	83
PID 3100 wrote to memory of 4420	3100	d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe	83
PID 3100 wrote to memory of 4420	3100	d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe	83
PID 4420 wrote to memory of 2584	4420	y7039759.exe	85
PID 4420 wrote to memory of 2584	4420	y7039759.exe	85
PID 4420 wrote to memory of 2584	4420	y7039759.exe	85
PID 4420 wrote to memory of 4780	4420	y7039759.exe	93
PID 4420 wrote to memory of 4780	4420	y7039759.exe	93
PID 4420 wrote to memory of 4780	4420	y7039759.exe	93

C:\Users\Admin\AppData\Local\Temp\d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe
"C:\Users\Admin\AppData\Local\Temp\d676a9e194d2442e057bd9d03fdfd1f372ca72816ca4fdbe9a243a4626bf5bae.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7039759.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7039759.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0336238.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0336238.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4740443.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4740443.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7039759.exe

Filesize
316KB

MD5
f4f2b943eff65c28045075276ea1af8e

SHA1
9f6357169c3f8c0eb1741d7600f069d545c29b7b

SHA256
8e4363230e62024b370945666b60fb10d9c5dc8c111f038a1c67596be775d336

SHA512
e9e8b8c57ddf5d8a45c1d446b062f631c9ec81e3252547fa540812da51e1193aa1c129f04621984dbe720ec497aee3c37b4221cf7153aae35382a41755363f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0336238.exe

Filesize
184KB

MD5
039e756d4495073d8e1e8c1402aecd16

SHA1
bd917e69f4d71ce8166afb0ff57df949ca7bb1b8

SHA256
dfee0d7984da5accf1d9270c7fbb6fca26479a2b51404d2e41156d4aa6676b76

SHA512
00c4a9c8d3ca53d1904c95e3f4bcc04d2c1861e14c37c1def39367a4d931a803c37ba5134171b9eb3c8d8d064da2a8de1194b514b328ef570fbd71621e6009a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4740443.exe

Filesize
168KB

MD5
b5cafe9fec94162b36ff3c6107df1d89

SHA1
c0029dbd8f8302952b1dac21676488272a2346cc

SHA256
23960e453a377d6053ad8582faa59d4d0b28389787e6c78c8b1a7ed77651bbcb

SHA512
f19150951d15fd9531751e0ae3b1e860e338b537ade54d081a9aca93ba07416251ac97248ad3a98619d551e8bf60e805f843a2ce78ab535c6aefdc81399f9e2b

Download Submit
memory/2584-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-50-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/2584-17-0x0000000004AB0000-0x0000000005054000-memory.dmp

Filesize
5.6MB

Download
memory/2584-18-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/2584-19-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/2584-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-48-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/2584-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-15-0x0000000002370000-0x000000000238E000-memory.dmp

Filesize
120KB

Download
memory/2584-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-23-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-21-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-20-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2584-49-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/2584-16-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/2584-52-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/2584-14-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/4780-56-0x0000000000B70000-0x0000000000B9E000-memory.dmp

Filesize
184KB

Download
memory/4780-57-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/4780-58-0x000000000AF00000-0x000000000B518000-memory.dmp

Filesize
6.1MB

Download
memory/4780-59-0x000000000A9F0000-0x000000000AAFA000-memory.dmp

Filesize
1.0MB

Download
memory/4780-60-0x000000000A910000-0x000000000A922000-memory.dmp

Filesize
72KB

Download
memory/4780-61-0x000000000A970000-0x000000000A9AC000-memory.dmp

Filesize
240KB

Download
memory/4780-62-0x0000000001410000-0x000000000145C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads