redline | d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917

General

Target

d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe
Size

884KB
MD5

fe28bdcd022c221a8c0b029bbb08f6c3
SHA1

a04b37ce9c3820c6e7e9835d03d7b4c93885e2c5
SHA256

d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917
SHA512

5772129de834fdfe413e135fb4fd259a19f543037bd29f74a73f95ecb251162259752f7b2c0a87b3f251dbae93ef04e0a74a2c5f2758c8854b15204ea9a80752
SSDEEP

12288:BMrZy90znxmLsqq2JCs27xC7ERwqlfn8L7pJrwQ1sDhoR58VNLv+fXqJjYKDNRgQ:Eyimoqzws2UE2qV8ZbBReVF+kjYKJDF

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2101820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2101820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2101820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2101820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2101820.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a2101820.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
580	v4065940.exe
448	v9195235.exe
1552	a2101820.exe
1824	b1716849.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2101820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2101820.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4065940.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4065940.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9195235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9195235.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1552	a2101820.exe
1552	a2101820.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	a2101820.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 580	4680	d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe	82
PID 4680 wrote to memory of 580	4680	d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe	82
PID 4680 wrote to memory of 580	4680	d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe	82
PID 580 wrote to memory of 448	580	v4065940.exe	83
PID 580 wrote to memory of 448	580	v4065940.exe	83
PID 580 wrote to memory of 448	580	v4065940.exe	83
PID 448 wrote to memory of 1552	448	v9195235.exe	84
PID 448 wrote to memory of 1552	448	v9195235.exe	84
PID 448 wrote to memory of 1552	448	v9195235.exe	84
PID 448 wrote to memory of 1824	448	v9195235.exe	86
PID 448 wrote to memory of 1824	448	v9195235.exe	86
PID 448 wrote to memory of 1824	448	v9195235.exe	86

C:\Users\Admin\AppData\Local\Temp\d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe
"C:\Users\Admin\AppData\Local\Temp\d9982bb1b1416a5c479616995a063dda81888e559552e7dc7e7330eee3501917.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4065940.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4065940.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9195235.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9195235.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2101820.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2101820.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1716849.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1716849.exe
      4⤵
      Executes dropped EXE
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4065940.exe

Filesize
488KB

MD5
40f0cda29f09eb9ae8b3ed7f5dcf2aee

SHA1
775bf8f3c88b0287e280b32c1426954cbb38a5a9

SHA256
96e0c4d5c6531db8c140013470270820928d16d330def92f9fba4e70868162ed

SHA512
2e09ef0e7f157c0750769955c5d6c9e8c28d8a94f8e632b077fbaadff38db80d24b1e03c97f888bc56af029e23367f6c1c78cb07b372c13f4b2c327bf248aab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4065940.exe

Filesize
488KB

MD5
40f0cda29f09eb9ae8b3ed7f5dcf2aee

SHA1
775bf8f3c88b0287e280b32c1426954cbb38a5a9

SHA256
96e0c4d5c6531db8c140013470270820928d16d330def92f9fba4e70868162ed

SHA512
2e09ef0e7f157c0750769955c5d6c9e8c28d8a94f8e632b077fbaadff38db80d24b1e03c97f888bc56af029e23367f6c1c78cb07b372c13f4b2c327bf248aab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9195235.exe

Filesize
316KB

MD5
d9bc2fd84f1647f03e6900b1c3440069

SHA1
39c2315eaa671f77f610fe76feaa2fddc5d495c4

SHA256
c47ef924901959fbb5c135726d0304b8350f1dac8e172d1cc88e404a8a5b06e3

SHA512
cfb38890b0d86fae9df7d143c5416a5bca4fad286995747e5840795f63955dbbc0e712eb922d1c1b6fa6d2cf998945bf3053e57b5d0f4127045988039301de35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9195235.exe

Filesize
316KB

MD5
d9bc2fd84f1647f03e6900b1c3440069

SHA1
39c2315eaa671f77f610fe76feaa2fddc5d495c4

SHA256
c47ef924901959fbb5c135726d0304b8350f1dac8e172d1cc88e404a8a5b06e3

SHA512
cfb38890b0d86fae9df7d143c5416a5bca4fad286995747e5840795f63955dbbc0e712eb922d1c1b6fa6d2cf998945bf3053e57b5d0f4127045988039301de35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2101820.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2101820.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1716849.exe

Filesize
168KB

MD5
fb4f34bc9ed9c2eac72b8eb9c9b0049a

SHA1
7921c772ce23c902a626b523e1f172e911a96679

SHA256
5a81b46dba595e21e6ca5b4210a9ed81377ea228ef13fa76dcb23fa32f1ce714

SHA512
bdec19a430ee801fc1437f03f07d8860c3816d3de4dc5e65bf4928327883cea2fb7abcdcafe449ebbe4630f21aac7763b94e1842a3b383e785f8570e760f57e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1716849.exe

Filesize
168KB

MD5
fb4f34bc9ed9c2eac72b8eb9c9b0049a

SHA1
7921c772ce23c902a626b523e1f172e911a96679

SHA256
5a81b46dba595e21e6ca5b4210a9ed81377ea228ef13fa76dcb23fa32f1ce714

SHA512
bdec19a430ee801fc1437f03f07d8860c3816d3de4dc5e65bf4928327883cea2fb7abcdcafe449ebbe4630f21aac7763b94e1842a3b383e785f8570e760f57e3

Download Submit
memory/1552-173-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-159-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-161-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-163-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-165-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-167-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-169-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-171-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-157-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1552-175-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-177-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-156-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1552-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/1552-186-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1552-187-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1552-188-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1552-155-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1552-154-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download
memory/1824-193-0x0000000000580000-0x00000000005AE000-memory.dmp

Filesize
184KB

Download
memory/1824-194-0x000000000AAE0000-0x000000000B0F8000-memory.dmp

Filesize
6.1MB

Download
memory/1824-195-0x000000000A640000-0x000000000A74A000-memory.dmp

Filesize
1.0MB

Download
memory/1824-196-0x000000000A570000-0x000000000A582000-memory.dmp

Filesize
72KB

Download
memory/1824-197-0x000000000A5D0000-0x000000000A60C000-memory.dmp

Filesize
240KB

Download
memory/1824-198-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1824-199-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads