redline | eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3

General

Target

eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe
Size

488KB
MD5

71dccbbf901a68b85def5e6d4c737241
SHA1

bdacb665bae8364bf7201c87d4c13cb445f64f35
SHA256

eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3
SHA512

cfb5fd3b12f2bf2467ab3f4b68fd68dd70eb87637ce52748d9cfc5108f3ac97738e7f854a737991057876603dfe64254b6a0beea774622f1a87b269c40389509
SSDEEP

12288:xMr2y90wmDyJBgY6Ge7mCbiefrIXagRtINu+oBhE/FQ+PR3:LyNUOimCble+u+ow9HR3

Score

10^/10

redline dubur discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubur

C2

217.196.96.102:4132

Attributes

auth_value
32d04179aa1e8d655d2d80c21f99de41

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9996079.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9996079.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9996079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k9996079.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9996079.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9996079.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b97-53.dat	family_redline
behavioral1/memory/3820-55-0x0000000000900000-0x000000000092E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2660	y8717693.exe
4580	k9996079.exe
3820	l2260822.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k9996079.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9996079.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8717693.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8717693.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k9996079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l2260822.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4580	k9996079.exe
4580	k9996079.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	k9996079.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2660	2168	eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe	83
PID 2168 wrote to memory of 2660	2168	eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe	83
PID 2168 wrote to memory of 2660	2168	eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe	83
PID 2660 wrote to memory of 4580	2660	y8717693.exe	84
PID 2660 wrote to memory of 4580	2660	y8717693.exe	84
PID 2660 wrote to memory of 4580	2660	y8717693.exe	84
PID 2660 wrote to memory of 3820	2660	y8717693.exe	93
PID 2660 wrote to memory of 3820	2660	y8717693.exe	93
PID 2660 wrote to memory of 3820	2660	y8717693.exe	93

C:\Users\Admin\AppData\Local\Temp\eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe
"C:\Users\Admin\AppData\Local\Temp\eab5ebc157032ac3357da96b04a989fb4d0da91d10896289955e92f6a024f5c3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8717693.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8717693.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9996079.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9996079.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2260822.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2260822.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8717693.exe

Filesize
316KB

MD5
90691bdb6b6e7b1d548123096c1814d7

SHA1
ce7070b51556d0788bbedba39b9c2be0216443af

SHA256
7f8322b2b33a5071c52d2ee4f1015f558448b448c6a265c5f0d4de34d1f136eb

SHA512
de2e79adbcb1c532c115bc63a1d7a22c956c3ab30d6d55201308c58d4431fef52fae693ac7b702a2bf75b8837445f206dbde1999708f728069a9d3260f41b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9996079.exe

Filesize
184KB

MD5
96a8b6d817b2cf4ba2ca2f09f2d4d9cc

SHA1
84c765832b855a95bc14109fe1600958c6b4629b

SHA256
707eb979c3138cf67829447e07f9c72691ccbb5438651618b69655b5ebb7f671

SHA512
215566b400ad56fc26583fa45ef126d631f1582ce100e33046da01ef25bcb80e8f54c08e64739fa38fecd92968def27a416b1b5c46b91b6d202f36993d1cd90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2260822.exe

Filesize
168KB

MD5
ee61e622646fb74fb7e71a42e86b2b69

SHA1
b59770730bd4f7c7bd2512fc16e0b95d4ae35382

SHA256
5ecc5772b7cf1d7f346147c52fd4ba0dbe7b8fe6c7cc079021ede486ba0d7b67

SHA512
33445d13072e1ae8bb8e02f75075cdb3a145167d8b0bb32ef7610a65caef49c2b4625cdb8af01c5e79de1c7078cc7b9cd2e14dc24014217f0e55340d78e026f9

Download Submit
memory/3820-61-0x0000000005460000-0x00000000054AC000-memory.dmp

Filesize
304KB

Download
memory/3820-60-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/3820-59-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/3820-58-0x0000000005350000-0x000000000545A000-memory.dmp

Filesize
1.0MB

Download
memory/3820-57-0x0000000005830000-0x0000000005E48000-memory.dmp

Filesize
6.1MB

Download
memory/3820-56-0x0000000002AB0000-0x0000000002AB6000-memory.dmp

Filesize
24KB

Download
memory/3820-55-0x0000000000900000-0x000000000092E000-memory.dmp

Filesize
184KB

Download
memory/4580-32-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-20-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-40-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-38-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-36-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-34-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-44-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-30-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-28-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-26-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-22-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-42-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-19-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-48-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/4580-49-0x0000000074140000-0x00000000748F0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-51-0x0000000074140000-0x00000000748F0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-47-0x0000000074140000-0x00000000748F0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-46-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4580-18-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/4580-17-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4580-16-0x0000000074140000-0x00000000748F0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-15-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/4580-14-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads