redline | 4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75

General

Target

4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe
Size

769KB
MD5

20a7d113b9aa9a24823cdc7a87ac8aa8
SHA1

b707067296a8718dc45af1aea3b682fca001fe78
SHA256

4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75
SHA512

20ac508df90db4e6ca68fa05a017571a862c8e673e2a4acdf2893722fd378207f9f415322f0fe6687fc5f270b8a418bc9f85465b9d5f8d7e0f54eb855d7a4d39
SSDEEP

12288:rMrdy90M/ETQREXnsCPy7DYRQSh4DUwvpQ2s7Kk/Oxgfhl7jqiz71:6yekRE3sCPyMb4U0PVk/OSfhlBF

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1574710.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1574710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1574710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1574710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1574710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1574710.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4184	v3559470.exe
4904	v8856240.exe
2484	a1574710.exe
456	b0939035.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1574710.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1574710.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3559470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3559470.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8856240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8856240.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	a1574710.exe
2484	a1574710.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	a1574710.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4184	3688	4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe	79
PID 3688 wrote to memory of 4184	3688	4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe	79
PID 3688 wrote to memory of 4184	3688	4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe	79
PID 4184 wrote to memory of 4904	4184	v3559470.exe	80
PID 4184 wrote to memory of 4904	4184	v3559470.exe	80
PID 4184 wrote to memory of 4904	4184	v3559470.exe	80
PID 4904 wrote to memory of 2484	4904	v8856240.exe	81
PID 4904 wrote to memory of 2484	4904	v8856240.exe	81
PID 4904 wrote to memory of 2484	4904	v8856240.exe	81
PID 4904 wrote to memory of 456	4904	v8856240.exe	85
PID 4904 wrote to memory of 456	4904	v8856240.exe	85
PID 4904 wrote to memory of 456	4904	v8856240.exe	85

C:\Users\Admin\AppData\Local\Temp\4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe
"C:\Users\Admin\AppData\Local\Temp\4d5d30c1b2ef071c1888a441b0a24d48e0fc2869bac01b9bf2cf23c2816bbb75.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3559470.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3559470.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8856240.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8856240.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1574710.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1574710.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0939035.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0939035.exe
      4⤵
      Executes dropped EXE
      PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3559470.exe

Filesize
488KB

MD5
12224b85b2bdb5da423a8ba4ace43104

SHA1
e6954797f66262c1861d800a25d3aeee5e09e059

SHA256
5548f3a812a89123fedd34c16c2a1f2313a7a7c952ef0bd885f13ec58e0e64ac

SHA512
7a6758b7ad2b5723e7fedf02b12c0c91929ae94b155e8a6a6887c69bf5271bf5c6d2132c7ebbde8d8b2485a2a1f59ebb91e4064cde05d6e50df8e5e9d08810db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3559470.exe

Filesize
488KB

MD5
12224b85b2bdb5da423a8ba4ace43104

SHA1
e6954797f66262c1861d800a25d3aeee5e09e059

SHA256
5548f3a812a89123fedd34c16c2a1f2313a7a7c952ef0bd885f13ec58e0e64ac

SHA512
7a6758b7ad2b5723e7fedf02b12c0c91929ae94b155e8a6a6887c69bf5271bf5c6d2132c7ebbde8d8b2485a2a1f59ebb91e4064cde05d6e50df8e5e9d08810db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8856240.exe

Filesize
316KB

MD5
8b5c03a132ee31315816b786db1e2fe4

SHA1
843824fc98f47fe6e8fc6f5151f8cc01e2bd1069

SHA256
496018ddc00a9adb961af41c5beaa19f5e1bb09a268e5aa8a42b13e48df77a59

SHA512
4a45f04f74ee2778d7e1152ba81537e49bb66de1db3ae6bde6142e1c881fb71065c3c50595645e7cf076db4b13c1ab706ab7b3c484da884dd86485bb93a1db8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8856240.exe

Filesize
316KB

MD5
8b5c03a132ee31315816b786db1e2fe4

SHA1
843824fc98f47fe6e8fc6f5151f8cc01e2bd1069

SHA256
496018ddc00a9adb961af41c5beaa19f5e1bb09a268e5aa8a42b13e48df77a59

SHA512
4a45f04f74ee2778d7e1152ba81537e49bb66de1db3ae6bde6142e1c881fb71065c3c50595645e7cf076db4b13c1ab706ab7b3c484da884dd86485bb93a1db8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1574710.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1574710.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0939035.exe

Filesize
168KB

MD5
8f3b0079083dce58c99a0db9f6d18f4e

SHA1
3f01aff2262a8558c2643e659629afc951064845

SHA256
100b9063b26f9e79d4d233a81803ff0024888b5437e8d8db0c66c71c546a03be

SHA512
75351b16206ecb8f41d720aafd0370d340f330a74962f5a577072e2637c8e19bd0c81aec13c1563be30b77cf012dbac36f8401018798139ecac30491e43826d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0939035.exe

Filesize
168KB

MD5
8f3b0079083dce58c99a0db9f6d18f4e

SHA1
3f01aff2262a8558c2643e659629afc951064845

SHA256
100b9063b26f9e79d4d233a81803ff0024888b5437e8d8db0c66c71c546a03be

SHA512
75351b16206ecb8f41d720aafd0370d340f330a74962f5a577072e2637c8e19bd0c81aec13c1563be30b77cf012dbac36f8401018798139ecac30491e43826d9

Download Submit
memory/456-201-0x000000000AFA0000-0x000000000B016000-memory.dmp

Filesize
472KB

Download
memory/456-200-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/456-202-0x000000000B020000-0x000000000B0B2000-memory.dmp

Filesize
584KB

Download
memory/456-199-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/456-198-0x000000000AD60000-0x000000000AD9C000-memory.dmp

Filesize
240KB

Download
memory/456-197-0x000000000AD00000-0x000000000AD12000-memory.dmp

Filesize
72KB

Download
memory/456-196-0x000000000ADD0000-0x000000000AEDA000-memory.dmp

Filesize
1.0MB

Download
memory/456-195-0x000000000B2D0000-0x000000000B8E8000-memory.dmp

Filesize
6.1MB

Download
memory/456-194-0x0000000000F90000-0x0000000000FBE000-memory.dmp

Filesize
184KB

Download
memory/456-203-0x000000000B0C0000-0x000000000B126000-memory.dmp

Filesize
408KB

Download
memory/2484-159-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2484-171-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-185-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-187-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-189-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-169-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-167-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-165-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-163-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-162-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/2484-161-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2484-160-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2484-158-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2484-157-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2484-156-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/2484-155-0x0000000004910000-0x0000000004EB4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads