redline | 005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb

General

Target

005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe
Size

560KB
MD5

06be466217b8384774b1898400dc3892
SHA1

8726a74c5aaff8da9de16edf17179f083ea374ff
SHA256

005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb
SHA512

7d415286013ff840b06a142219a66c1a10613e2738ce91aa01b9dcd41c86c6697ae16c7d7e1fdd79e81e2fc0986bb8f119c1e66f22a2ddeac7858fa00a10657c
SSDEEP

12288:pMryy90rG08j5kt0S+GtEsHlbCUFMVGKT/JL4UncZdP5HNf1q:7y478j65Hl+UFM7LVE5tQ

Score

10^/10

redline fud evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes

auth_value
cddc991efd6918ad5321d80dac884b40

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sf30dJ52sJ80.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sf30dJ52sJ80.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sf30dJ52sJ80.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sf30dJ52sJ80.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sf30dJ52sJ80.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sf30dJ52sJ80.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sf30dJ52sJ80.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2188-158-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-159-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-161-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-163-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-165-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-167-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-169-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-171-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-173-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-175-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-177-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-179-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-181-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-183-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-185-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-187-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-191-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-189-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-193-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-195-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-197-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-199-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-201-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-203-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-205-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-207-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-209-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-211-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-213-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-217-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-215-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-219-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline
behavioral2/memory/2188-221-0x0000000004B80000-0x0000000004BBE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

vhhg9868ym.exesf30dJ52sJ80.exetf20pW60EE15.exe

pid process

5028 vhhg9868ym.exe
4248 sf30dJ52sJ80.exe
2188 tf20pW60EE15.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

sf30dJ52sJ80.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" sf30dJ52sJ80.exe

pid	process
5028	vhhg9868ym.exe
4248	sf30dJ52sJ80.exe
2188	tf20pW60EE15.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sf30dJ52sJ80.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vhhg9868ym.exe005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vhhg9868ym.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vhhg9868ym.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sf30dJ52sJ80.exe

pid process

4248 sf30dJ52sJ80.exe
4248 sf30dJ52sJ80.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sf30dJ52sJ80.exetf20pW60EE15.exe

description pid process

Token: SeDebugPrivilege 4248 sf30dJ52sJ80.exe
Token: SeDebugPrivilege 2188 tf20pW60EE15.exe

pid	process
4248	sf30dJ52sJ80.exe
4248	sf30dJ52sJ80.exe

description	pid	process
Token: SeDebugPrivilege	4248	sf30dJ52sJ80.exe
Token: SeDebugPrivilege	2188	tf20pW60EE15.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exevhhg9868ym.exe

description	pid	process	target process
PID 1052 wrote to memory of 5028	1052	005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe	vhhg9868ym.exe
PID 1052 wrote to memory of 5028	1052	005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe	vhhg9868ym.exe
PID 1052 wrote to memory of 5028	1052	005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe	vhhg9868ym.exe
PID 5028 wrote to memory of 4248	5028	vhhg9868ym.exe	sf30dJ52sJ80.exe
PID 5028 wrote to memory of 4248	5028	vhhg9868ym.exe	sf30dJ52sJ80.exe
PID 5028 wrote to memory of 2188	5028	vhhg9868ym.exe	tf20pW60EE15.exe
PID 5028 wrote to memory of 2188	5028	vhhg9868ym.exe	tf20pW60EE15.exe
PID 5028 wrote to memory of 2188	5028	vhhg9868ym.exe	tf20pW60EE15.exe

C:\Users\Admin\AppData\Local\Temp\005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe
"C:\Users\Admin\AppData\Local\Temp\005246f6e658ffe0a40c332315f6d49eaef689cacbfdbf3b8a75e8342fa719cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
Filesize
415KB

MD5
2028d0c150da8bdc3f8f8c1b074c19c5

SHA1
ad3c40217d601a75b91e022e601a8240688b48d9

SHA256
ed5caf2f46b024f50cf772f732fe8669b69b72916926e40b2ea4d3985d7929a1

SHA512
bdbee21ca730693ae45dc739d93e6520155717ca1356788eef9775ace0295955c9879718d3dd27d1c6d23440345317de942b648d1d87280afe28ab14f4bde8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhhg9868ym.exe
Filesize
415KB

MD5
2028d0c150da8bdc3f8f8c1b074c19c5

SHA1
ad3c40217d601a75b91e022e601a8240688b48d9

SHA256
ed5caf2f46b024f50cf772f732fe8669b69b72916926e40b2ea4d3985d7929a1

SHA512
bdbee21ca730693ae45dc739d93e6520155717ca1356788eef9775ace0295955c9879718d3dd27d1c6d23440345317de942b648d1d87280afe28ab14f4bde8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
Filesize
11KB

MD5
c980f9b51f735536cb17f33896f058f5

SHA1
8bb70679a73bf5239032ecde2bc9958f1811dbe7

SHA256
8c5ce5f2fce798c91cb265b84aea50262834c4e3399d28efece531e8209a8c66

SHA512
5435e6993a4bdc23e93cf3bef623cb5493d37ecf79532316f583a7f1ff2355ca676e3b1f05740a54bd8eb36c86e3169c9f5663ec5ce8bb1f363e254f4461546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf30dJ52sJ80.exe
Filesize
11KB

MD5
c980f9b51f735536cb17f33896f058f5

SHA1
8bb70679a73bf5239032ecde2bc9958f1811dbe7

SHA256
8c5ce5f2fce798c91cb265b84aea50262834c4e3399d28efece531e8209a8c66

SHA512
5435e6993a4bdc23e93cf3bef623cb5493d37ecf79532316f583a7f1ff2355ca676e3b1f05740a54bd8eb36c86e3169c9f5663ec5ce8bb1f363e254f4461546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
Filesize
416KB

MD5
9ce8c74a533c9909e622ad2c5700ca63

SHA1
bcce3e38eaf3c3b741bad36507671231d94ef844

SHA256
a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

SHA512
98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf20pW60EE15.exe
Filesize
416KB

MD5
9ce8c74a533c9909e622ad2c5700ca63

SHA1
bcce3e38eaf3c3b741bad36507671231d94ef844

SHA256
a41658d0c260a9fa32e4797a385856dcbcd11ec5afd2135cee0f69ee6a52576d

SHA512
98491caf62c0bfd90a89e3172801096e12328a4ac379f99a6895db5d85eb70468ccede97678b46eceabdc419d1114f3da59b9e72d68847be2384c58169cb0e73

Download Submit
memory/2188-154-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2188-153-0x0000000002BE0000-0x0000000002C2B000-memory.dmp

Filesize
300KB

Download
memory/2188-155-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/2188-156-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2188-157-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2188-158-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-159-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-161-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-163-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-165-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-167-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-169-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-171-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-173-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-175-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-177-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-179-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-181-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-183-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-185-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-187-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-191-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-189-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-193-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-195-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-197-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-199-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-201-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-203-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-205-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-207-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-209-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-211-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-213-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-217-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-215-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-219-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-221-0x0000000004B80000-0x0000000004BBE000-memory.dmp

Filesize
248KB

Download
memory/2188-1064-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/2188-1065-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/2188-1066-0x00000000072D0000-0x00000000072E2000-memory.dmp

Filesize
72KB

Download
memory/2188-1067-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2188-1068-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/2188-1070-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2188-1071-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2188-1072-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4248-147-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads