redline | 3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd

General

Target

3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe
Size

570KB
MD5

97c0e0d08214675b63562dad5ba1e123
SHA1

08f935c66ecd751197bbd73f0d39bfbcbe8736d2
SHA256

3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd
SHA512

98d672f89ea0c8769a5307c8d56dff7381b1496a3b49cd7aea91d96b89c72e4b1c21a732caf0a7bae45758fe4faf24faa5583ad594cfd2b146fa932172888daa
SSDEEP

12288:4Mrxy90Pahimz7AuxqV2KnxfUEQBOMel19QdS2QPeY3:5ySsVAuxYfnq7UMgsdSzPv

Score

10^/10

redline fud evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes

auth_value
cddc991efd6918ad5321d80dac884b40

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

r5436wX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r5436wX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r5436wX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r5436wX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r5436wX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r5436wX.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4236-171-0x0000000001FC0000-0x0000000002006000-memory.dmp	family_redline
behavioral1/memory/4236-172-0x0000000002260000-0x00000000022A4000-memory.dmp	family_redline
behavioral1/memory/4236-173-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-174-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-176-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-178-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-180-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-188-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-184-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-190-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-192-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-194-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-196-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-198-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-200-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-202-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-204-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-206-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-210-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-208-0x0000000002260000-0x000000000229E000-memory.dmp	family_redline
behavioral1/memory/4236-1091-0x00000000022A0000-0x00000000022B0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

r5436wX.exew51Jq49.exe

pid process

4144 r5436wX.exe
4236 w51Jq49.exe

pid	process
4144	r5436wX.exe
4236	w51Jq49.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

r5436wX.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r5436wX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r5436wX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

r5436wX.exe

pid process

4144 r5436wX.exe
4144 r5436wX.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

r5436wX.exew51Jq49.exe

description pid process

Token: SeDebugPrivilege 4144 r5436wX.exe
Token: SeDebugPrivilege 4236 w51Jq49.exe

pid	process
4144	r5436wX.exe
4144	r5436wX.exe

description	pid	process
Token: SeDebugPrivilege	4144	r5436wX.exe
Token: SeDebugPrivilege	4236	w51Jq49.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe

description	pid	process	target process
PID 4332 wrote to memory of 4144	4332	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe	r5436wX.exe
PID 4332 wrote to memory of 4144	4332	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe	r5436wX.exe
PID 4332 wrote to memory of 4144	4332	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe	r5436wX.exe
PID 4332 wrote to memory of 4236	4332	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe	w51Jq49.exe
PID 4332 wrote to memory of 4236	4332	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe	w51Jq49.exe
PID 4332 wrote to memory of 4236	4332	3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe	w51Jq49.exe

C:\Users\Admin\AppData\Local\Temp\3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe
"C:\Users\Admin\AppData\Local\Temp\3e718df1bca021ecfccdcb6464dfc2ba08323af4fca7d9cc6d330b8a5ed132bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5436wX.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5436wX.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w51Jq49.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w51Jq49.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5436wX.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5436wX.exe
Filesize
322KB

MD5
8141937b23cd1895e561d8e90fdeeff3

SHA1
6f810e9e480564f5837461f8ccdd07c951a1bece

SHA256
ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

SHA512
40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w51Jq49.exe
Filesize
301KB

MD5
c56a78af142f0676801bb0e0dde9eb08

SHA1
6c085cffa3182b0de27a195b9ed322ef010bd128

SHA256
5c6b6a5168c0f4d2cee7924014f735f88dd4819d00867484682c2df9822b35d7

SHA512
4a8038347716d2dcb218bda76bced069de23a6fff0736b696d1f378826ef47d2792ae8c420ecd6f6b7850890b2a75b8f222d69416c8acdc495b56b8969d5da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w51Jq49.exe
Filesize
301KB

MD5
c56a78af142f0676801bb0e0dde9eb08

SHA1
6c085cffa3182b0de27a195b9ed322ef010bd128

SHA256
5c6b6a5168c0f4d2cee7924014f735f88dd4819d00867484682c2df9822b35d7

SHA512
4a8038347716d2dcb218bda76bced069de23a6fff0736b696d1f378826ef47d2792ae8c420ecd6f6b7850890b2a75b8f222d69416c8acdc495b56b8969d5da04

Download Submit
memory/4144-129-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4144-130-0x0000000001FD0000-0x0000000001FEA000-memory.dmp

Filesize
104KB

Download
memory/4144-131-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4144-132-0x0000000004AC0000-0x0000000004FBE000-memory.dmp

Filesize
5.0MB

Download
memory/4144-133-0x0000000002150000-0x0000000002168000-memory.dmp

Filesize
96KB

Download
memory/4144-134-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-135-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-137-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-139-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-141-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-149-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-147-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-159-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-161-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-157-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-155-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-153-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-151-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-145-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-143-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/4144-162-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4144-163-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4144-164-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4144-166-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4236-171-0x0000000001FC0000-0x0000000002006000-memory.dmp

Filesize
280KB

Download
memory/4236-172-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/4236-173-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-174-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-176-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-178-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-180-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-181-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/4236-183-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-185-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-187-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-188-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-184-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-190-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-192-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-194-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-196-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-198-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-200-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-202-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-204-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-206-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-210-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-208-0x0000000002260000-0x000000000229E000-memory.dmp

Filesize
248KB

Download
memory/4236-1083-0x0000000005020000-0x0000000005626000-memory.dmp

Filesize
6.0MB

Download
memory/4236-1084-0x0000000005630000-0x000000000573A000-memory.dmp

Filesize
1.0MB

Download
memory/4236-1085-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/4236-1086-0x0000000005770000-0x00000000057AE000-memory.dmp

Filesize
248KB

Download
memory/4236-1087-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-1088-0x00000000058C0000-0x000000000590B000-memory.dmp

Filesize
300KB

Download
memory/4236-1090-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-1091-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-1092-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4236-1093-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads