redline | 77bc01a4eede5bca41a64a18e338570895b9989d7fa21ae94c8998e7e1ff3fa9

General

Target

file.exe
Size

783KB
MD5

806d990edc91fe7cb95ea2e6b86e3533
SHA1

540b81b1a4375d9658bf3cd9d0af15ba790ec15b
SHA256

77bc01a4eede5bca41a64a18e338570895b9989d7fa21ae94c8998e7e1ff3fa9
SHA512

c2296bf0d9502d5cc17380a9822c48e9960c2a982b6e25fd58f5be9eb0bb3417e253e6ad5412b72fa0c190d11891a8613048518fc41fff988a209ef54dfbb934
SSDEEP

12288:QMrqy902iD5s9DZThWA3E83N8ClrHamLikFF7HMlqwDL6ztBgEtN:qy+D5s99FWAzdlr93S5cgED

Score

10^/10

redline dubna evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

dubna

C2

193.233.20.11:4131

Attributes

auth_value
f324b1269094b7462e56bab025f032f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	aJv86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	aJv86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	aJv86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	aJv86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	aJv86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	aJv86.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4272	fBa28El.exe
904	fIW85uX.exe
332	aJv86.exe
3640	bOV38pa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	aJv86.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fBa28El.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fBa28El.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fIW85uX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fIW85uX.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
332	aJv86.exe
332	aJv86.exe
3640	bOV38pa.exe
3640	bOV38pa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	aJv86.exe
Token: SeDebugPrivilege	3640	bOV38pa.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 4272	4084	file.exe	81
PID 4084 wrote to memory of 4272	4084	file.exe	81
PID 4084 wrote to memory of 4272	4084	file.exe	81
PID 4272 wrote to memory of 904	4272	fBa28El.exe	82
PID 4272 wrote to memory of 904	4272	fBa28El.exe	82
PID 4272 wrote to memory of 904	4272	fBa28El.exe	82
PID 904 wrote to memory of 332	904	fIW85uX.exe	83
PID 904 wrote to memory of 332	904	fIW85uX.exe	83
PID 904 wrote to memory of 3640	904	fIW85uX.exe	84
PID 904 wrote to memory of 3640	904	fIW85uX.exe	84
PID 904 wrote to memory of 3640	904	fIW85uX.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fBa28El.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fBa28El.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fIW85uX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fIW85uX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aJv86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aJv86.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bOV38pa.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bOV38pa.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fBa28El.exe

Filesize
596KB

MD5
1990cf46256750b7807371ed69a52d7b

SHA1
998970a9a365e8e57ff659626bc3d50f64c2c114

SHA256
7424ea8227de81a6fdb81bc2bc70297434b28dbb4bdc4348c6dc3c0137aeebfd

SHA512
a469f3a8bb0260a52156d5cdf55cf4f7fc02644a3211d7f33bfbb707528377f6e851a887692b9c6c19a7a83dca5adda0823f52993b634d771cfb249319df1c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fBa28El.exe

Filesize
596KB

MD5
1990cf46256750b7807371ed69a52d7b

SHA1
998970a9a365e8e57ff659626bc3d50f64c2c114

SHA256
7424ea8227de81a6fdb81bc2bc70297434b28dbb4bdc4348c6dc3c0137aeebfd

SHA512
a469f3a8bb0260a52156d5cdf55cf4f7fc02644a3211d7f33bfbb707528377f6e851a887692b9c6c19a7a83dca5adda0823f52993b634d771cfb249319df1c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fIW85uX.exe

Filesize
202KB

MD5
072ef2b6a1859be1d92e839fc163c9a8

SHA1
3493a14a4afe7af533efa8f0762a655e3eaf5f5d

SHA256
fef40d702359e7d4c237f9bfeb6818c2dc6eb9630c14a22976cdb7e7308b30b2

SHA512
7df81311ec71b5106cc86a4243ea0a4ee60a54521918885ca390543d8805727142297c5a9550bea986d35b24c4489c7f89aca6071355aeaa2678640d69bc6e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fIW85uX.exe

Filesize
202KB

MD5
072ef2b6a1859be1d92e839fc163c9a8

SHA1
3493a14a4afe7af533efa8f0762a655e3eaf5f5d

SHA256
fef40d702359e7d4c237f9bfeb6818c2dc6eb9630c14a22976cdb7e7308b30b2

SHA512
7df81311ec71b5106cc86a4243ea0a4ee60a54521918885ca390543d8805727142297c5a9550bea986d35b24c4489c7f89aca6071355aeaa2678640d69bc6e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aJv86.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aJv86.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bOV38pa.exe

Filesize
175KB

MD5
ef8079cf160510d0da7162bc08f753d8

SHA1
e786cc8bee83e4a37433ddccf9d3540e1f6533fe

SHA256
a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6

SHA512
959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bOV38pa.exe

Filesize
175KB

MD5
ef8079cf160510d0da7162bc08f753d8

SHA1
e786cc8bee83e4a37433ddccf9d3540e1f6533fe

SHA256
a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6

SHA512
959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3

Download Submit
memory/332-142-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/332-143-0x00007FFC3A930000-0x00007FFC3B3F1000-memory.dmp

Filesize
10.8MB

Download
memory/332-144-0x00007FFC3A930000-0x00007FFC3B3F1000-memory.dmp

Filesize
10.8MB

Download
memory/332-145-0x00007FFC3A930000-0x00007FFC3B3F1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-150-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/3640-154-0x00000000069C0000-0x0000000006F64000-memory.dmp

Filesize
5.6MB

Download
memory/3640-149-0x0000000000D00000-0x0000000000D32000-memory.dmp

Filesize
200KB

Download
memory/3640-151-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/3640-152-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/3640-153-0x0000000005AF0000-0x0000000005B2C000-memory.dmp

Filesize
240KB

Download
memory/3640-160-0x0000000007840000-0x0000000007D6C000-memory.dmp

Filesize
5.2MB

Download
memory/3640-155-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/3640-156-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/3640-157-0x00000000068C0000-0x0000000006936000-memory.dmp

Filesize
472KB

Download
memory/3640-158-0x0000000001320000-0x0000000001370000-memory.dmp

Filesize
320KB

Download
memory/3640-159-0x0000000007140000-0x0000000007302000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads