redline | ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364

General

Target

ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe
Size

1.1MB
MD5

baf8af00b76a7ed5543419563aac93fc
SHA1

179121e33701e2b5a000e1565517489bb4a3c103
SHA256

ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364
SHA512

d5f0344612c4ed9ce82e99d701de959ebedc0c27fab3725098e6412019b79ebc5f5ad07c93c2c475ee78abda453ab5cae0a42fd4d92437fd1dc5ba0e81b50730
SSDEEP

24576:Kyfjmc4gxefex+1plnUiHN6yhSnPOmDJAFF72fO39vtoT8:Ryc4gzGnUiHN6ySnWGsFifONvWT

Score

10^/10

redline lays evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lays

C2

185.161.248.75:4132

Attributes

auth_value
239cb507c4bb32e630b1bee63365fe29

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7033701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7033701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7033701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7033701.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o7033701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7033701.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1404	z3411729.exe
2100	z1431615.exe
4276	o7033701.exe
3984	p5249893.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7033701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7033701.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1431615.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3411729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3411729.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1431615.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2152	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4276	o7033701.exe
4276	o7033701.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	o7033701.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1404	384	ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe	83
PID 384 wrote to memory of 1404	384	ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe	83
PID 384 wrote to memory of 1404	384	ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe	83
PID 1404 wrote to memory of 2100	1404	z3411729.exe	84
PID 1404 wrote to memory of 2100	1404	z3411729.exe	84
PID 1404 wrote to memory of 2100	1404	z3411729.exe	84
PID 2100 wrote to memory of 4276	2100	z1431615.exe	85
PID 2100 wrote to memory of 4276	2100	z1431615.exe	85
PID 2100 wrote to memory of 4276	2100	z1431615.exe	85
PID 2100 wrote to memory of 3984	2100	z1431615.exe	89
PID 2100 wrote to memory of 3984	2100	z1431615.exe	89
PID 2100 wrote to memory of 3984	2100	z1431615.exe	89

C:\Users\Admin\AppData\Local\Temp\ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe
"C:\Users\Admin\AppData\Local\Temp\ac87768a533f3811348106024f4dc4b96d370d069ccf3e2c7b8b0d9114ed2364.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3411729.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3411729.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1431615.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1431615.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7033701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7033701.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5249893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5249893.exe
      4⤵
      Executes dropped EXE
      PID:3984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3411729.exe

Filesize
703KB

MD5
5eebc8709d9399ed635f87b03b065e1d

SHA1
b2f82012808837aa11271f39852cf832775b457d

SHA256
e3c3b85aaeff22b1e53bd1cb76b5f2da5ac90f8fd4822a64df9d94542101d32f

SHA512
0c12e865b88ca08efeea562cda4efd20663f655ce66f30ec8ce8d0d1e7229725610c92407dacb3aa1504c072cd4a892fbde65d7641b2ce15fc9b5be3800649f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3411729.exe

Filesize
703KB

MD5
5eebc8709d9399ed635f87b03b065e1d

SHA1
b2f82012808837aa11271f39852cf832775b457d

SHA256
e3c3b85aaeff22b1e53bd1cb76b5f2da5ac90f8fd4822a64df9d94542101d32f

SHA512
0c12e865b88ca08efeea562cda4efd20663f655ce66f30ec8ce8d0d1e7229725610c92407dacb3aa1504c072cd4a892fbde65d7641b2ce15fc9b5be3800649f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1431615.exe

Filesize
306KB

MD5
1777f2fd9567b5cd392fa39eebce80d8

SHA1
54d48111599785cbc6de48a6694d6a1042f0783c

SHA256
5c2f78fe91d1210df5e8bd100b3b4b90eb39365697bb3172561ef348cdb83361

SHA512
104055840c6c21fc1c77b8e7417fee52d387bc0bbbaab698be6031ebc7ad190d7dd1ff94d0e614be4f0590d79e1090707fc15e6e82eb2385a1c0ed7d1a83ed32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1431615.exe

Filesize
306KB

MD5
1777f2fd9567b5cd392fa39eebce80d8

SHA1
54d48111599785cbc6de48a6694d6a1042f0783c

SHA256
5c2f78fe91d1210df5e8bd100b3b4b90eb39365697bb3172561ef348cdb83361

SHA512
104055840c6c21fc1c77b8e7417fee52d387bc0bbbaab698be6031ebc7ad190d7dd1ff94d0e614be4f0590d79e1090707fc15e6e82eb2385a1c0ed7d1a83ed32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7033701.exe

Filesize
185KB

MD5
077599959f67f793fb698e62d06816ea

SHA1
641ecbe73ee35dcf6d8863b2298642a51114f041

SHA256
25dcc3d8f7aa6cda23b5adc4fd419b258daf8e1402e5e3c26bdc7a9d9b8a8e47

SHA512
93f8a3c1fd6335e6bf812108e190263f93c9a0e77477ad03275e5e4a8fd42b26d6af42de200fab2bd4a11f39b0556da2b297277327ed2191162fc9da1dce5216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7033701.exe

Filesize
185KB

MD5
077599959f67f793fb698e62d06816ea

SHA1
641ecbe73ee35dcf6d8863b2298642a51114f041

SHA256
25dcc3d8f7aa6cda23b5adc4fd419b258daf8e1402e5e3c26bdc7a9d9b8a8e47

SHA512
93f8a3c1fd6335e6bf812108e190263f93c9a0e77477ad03275e5e4a8fd42b26d6af42de200fab2bd4a11f39b0556da2b297277327ed2191162fc9da1dce5216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5249893.exe

Filesize
145KB

MD5
740df2727ab09ed7da8bdbbc44348728

SHA1
0d006a01d890b011d27e748f7243d0e75a085336

SHA256
29233a15a8c716db5f74fb8a144754c549e35486704500ae882042dea714b533

SHA512
341889737a73dd641d4234aebca89223d259f4059a2270d195f0354f94d0120f0cd278de8a0670c3ca317cfffb59e103d32c8149ce450f845a69553527d8349a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p5249893.exe

Filesize
145KB

MD5
740df2727ab09ed7da8bdbbc44348728

SHA1
0d006a01d890b011d27e748f7243d0e75a085336

SHA256
29233a15a8c716db5f74fb8a144754c549e35486704500ae882042dea714b533

SHA512
341889737a73dd641d4234aebca89223d259f4059a2270d195f0354f94d0120f0cd278de8a0670c3ca317cfffb59e103d32c8149ce450f845a69553527d8349a

Download Submit
memory/3984-199-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3984-196-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/3984-195-0x0000000005530000-0x000000000563A000-memory.dmp

Filesize
1.0MB

Download
memory/3984-194-0x00000000059E0000-0x0000000005FF8000-memory.dmp

Filesize
6.1MB

Download
memory/3984-193-0x0000000000BD0000-0x0000000000BFA000-memory.dmp

Filesize
168KB

Download
memory/3984-197-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/3984-198-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4276-176-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-187-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4276-174-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-170-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-178-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-180-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-182-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-183-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4276-184-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4276-185-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4276-186-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4276-172-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-188-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4276-168-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-166-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-164-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-162-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-158-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-160-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-156-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-155-0x0000000002370000-0x0000000002387000-memory.dmp

Filesize
92KB

Download
memory/4276-154-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads