redline | eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf

General

Target

eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe
Size

560KB
MD5

be335d601e2c6e34197ce189533dabad
SHA1

0627bb8020d664229f3e20ed56bb996bd480ce08
SHA256

eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf
SHA512

b2dfbba5d0578fa8d92e5496a11db6c2027c58b10a1b659683511320449ef3efe59cfa1dd7bab5521aad7d7be05150862504b60f7162071611cbeedf596fcb27
SSDEEP

12288:QMrLy90YmNbZ+o+kg/rfPt1ut0w5eVHNbHMH0Np:LyOVd+kgPut0w5IeHKp

Score

10^/10

redline gogen evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gogen

C2

185.161.248.75:4132

Attributes

auth_value
dfb27ce11afd52277523c8e405853d53

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2525353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2525353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2525353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2525353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2525353.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
392	a2525353.exe
2848	d9397249.exe
4744	d9397249.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2525353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2525353.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 4744	2848	d9397249.exe	68

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
392	a2525353.exe
392	a2525353.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	a2525353.exe
Token: SeDebugPrivilege	2848	d9397249.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 392	3644	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe	66
PID 3644 wrote to memory of 392	3644	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe	66
PID 3644 wrote to memory of 392	3644	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe	66
PID 3644 wrote to memory of 2848	3644	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe	67
PID 3644 wrote to memory of 2848	3644	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe	67
PID 3644 wrote to memory of 2848	3644	eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe	67
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68
PID 2848 wrote to memory of 4744	2848	d9397249.exe	68

C:\Users\Admin\AppData\Local\Temp\eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe
"C:\Users\Admin\AppData\Local\Temp\eef2772c37e31c9f1400ba3bb38e77922a3099771f5fcf4be669c65b9c38fdbf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2525353.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2525353.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe
    3⤵
    - Executes dropped EXE
    PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d9397249.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2525353.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a2525353.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe

Filesize
904KB

MD5
da1392ce8a745ff84066b4b89891c820

SHA1
da95517cc9fd2904df61fbada3268ba8b074c5f1

SHA256
52b27910ae22c29f0bd38aee2637554d48a65862315628dd6a27ed621a216207

SHA512
bca02f85a25239e1171847ab71bf1bcbe8e1d6b54892d56c4259117db2dbf31305f9e11b8dd9f5aff1ece96830534f33e92b01e6d80f0b03022f1972b8b66570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe

Filesize
904KB

MD5
da1392ce8a745ff84066b4b89891c820

SHA1
da95517cc9fd2904df61fbada3268ba8b074c5f1

SHA256
52b27910ae22c29f0bd38aee2637554d48a65862315628dd6a27ed621a216207

SHA512
bca02f85a25239e1171847ab71bf1bcbe8e1d6b54892d56c4259117db2dbf31305f9e11b8dd9f5aff1ece96830534f33e92b01e6d80f0b03022f1972b8b66570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9397249.exe

Filesize
904KB

MD5
da1392ce8a745ff84066b4b89891c820

SHA1
da95517cc9fd2904df61fbada3268ba8b074c5f1

SHA256
52b27910ae22c29f0bd38aee2637554d48a65862315628dd6a27ed621a216207

SHA512
bca02f85a25239e1171847ab71bf1bcbe8e1d6b54892d56c4259117db2dbf31305f9e11b8dd9f5aff1ece96830534f33e92b01e6d80f0b03022f1972b8b66570

Download Submit
memory/392-128-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-158-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/392-129-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-132-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/392-127-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/392-135-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-137-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-139-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-141-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-143-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-145-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-147-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-149-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-151-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-153-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-155-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-157-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-133-0x0000000002420000-0x0000000002436000-memory.dmp

Filesize
88KB

Download
memory/392-159-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/392-160-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/392-130-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/392-126-0x0000000002420000-0x000000000243C000-memory.dmp

Filesize
112KB

Download
memory/392-124-0x0000000002160000-0x000000000217E000-memory.dmp

Filesize
120KB

Download
memory/392-125-0x0000000004A90000-0x0000000004F8E000-memory.dmp

Filesize
5.0MB

Download
memory/2848-165-0x0000000000820000-0x0000000000908000-memory.dmp

Filesize
928KB

Download
memory/4744-166-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4744-170-0x0000000005CE0000-0x00000000062E6000-memory.dmp

Filesize
6.0MB

Download
memory/4744-171-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-172-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/4744-173-0x00000000057A0000-0x00000000057DE000-memory.dmp

Filesize
248KB

Download
memory/4744-174-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/4744-175-0x0000000005930000-0x000000000597B000-memory.dmp

Filesize
300KB

Download
memory/4744-176-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads