redline | 0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177

General

Target

0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe
Size

1.1MB
MD5

e01c15e0b09754a9752126e3651e0e0d
SHA1

f71c4365b3b9ecd75b963e8ed3a232675e89d4de
SHA256

0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177
SHA512

3aae2023fcc648ff8c7c6060e7e338b862587a203900dfb574438334270572801db365331901d4d3697c6b79a2c2de5e990b4d4062b33e737c401495a5475946
SSDEEP

24576:4y0RxNUig5KMnXFZsjjlofPa3CLJX4bB5joXozjpbNB9ebcC4DvV:/0vNUtKW1kSfPaE47cGBeYCcv

Score

10^/10

redline muxan evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

muxan

C2

185.161.248.75:4132

Attributes

auth_value
d605be949bb645b0759bf765eb7e6a47

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4184148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4184148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4184148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4184148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4184148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4184148.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4064	v6062549.exe
3416	v1951156.exe
320	a4184148.exe
3260	b8670542.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4184148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4184148.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1951156.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6062549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6062549.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1951156.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
916	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	a4184148.exe
320	a4184148.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	a4184148.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4064	4900	0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe	88
PID 4900 wrote to memory of 4064	4900	0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe	88
PID 4900 wrote to memory of 4064	4900	0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe	88
PID 4064 wrote to memory of 3416	4064	v6062549.exe	89
PID 4064 wrote to memory of 3416	4064	v6062549.exe	89
PID 4064 wrote to memory of 3416	4064	v6062549.exe	89
PID 3416 wrote to memory of 320	3416	v1951156.exe	90
PID 3416 wrote to memory of 320	3416	v1951156.exe	90
PID 3416 wrote to memory of 320	3416	v1951156.exe	90
PID 3416 wrote to memory of 3260	3416	v1951156.exe	94
PID 3416 wrote to memory of 3260	3416	v1951156.exe	94
PID 3416 wrote to memory of 3260	3416	v1951156.exe	94

C:\Users\Admin\AppData\Local\Temp\0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe
"C:\Users\Admin\AppData\Local\Temp\0060cb94540c33d36d58e92cc10a9e0d8bf3fd605df84fd8f94bb51b70c18177.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6062549.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6062549.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1951156.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1951156.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4184148.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4184148.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8670542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8670542.exe
      4⤵
      Executes dropped EXE
      PID:3260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6062549.exe

Filesize
751KB

MD5
b00e176543bc3d767982e522c74239de

SHA1
6f6c244567e7867cc88a6ee08dbfd9ed202b0a54

SHA256
0d854056b97e64d1d92f12aeec3659dd9feb082453dee8053b573fe2e9d16a6c

SHA512
26c35bd1114bfc86205424fbb0afc70537ab08dd69ae82c93b3bbd57fe86ce8bfe929a6818cbb358ebdb7e8cd6756c76955c8b8d8342062ee7233fa073f5ee4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6062549.exe

Filesize
751KB

MD5
b00e176543bc3d767982e522c74239de

SHA1
6f6c244567e7867cc88a6ee08dbfd9ed202b0a54

SHA256
0d854056b97e64d1d92f12aeec3659dd9feb082453dee8053b573fe2e9d16a6c

SHA512
26c35bd1114bfc86205424fbb0afc70537ab08dd69ae82c93b3bbd57fe86ce8bfe929a6818cbb358ebdb7e8cd6756c76955c8b8d8342062ee7233fa073f5ee4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1951156.exe

Filesize
306KB

MD5
7f3ddcaafd96e466bc7d48e23d7fdd2a

SHA1
767a0c05898262c2b0ff6bb15ee26abb716a6312

SHA256
fcb0100d52830d84e9781a1e845074c8368d5e94c4b7403e5c40935bd7c755f4

SHA512
e9e0d27f039cba37ca591dd435e03d63e45e274c6a5f37339b51b267fbb2cb5222c4ec5ee35cef77cdd4a7e36d1c8091d5c0892eb1b15463ccf2c8cc8c523c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1951156.exe

Filesize
306KB

MD5
7f3ddcaafd96e466bc7d48e23d7fdd2a

SHA1
767a0c05898262c2b0ff6bb15ee26abb716a6312

SHA256
fcb0100d52830d84e9781a1e845074c8368d5e94c4b7403e5c40935bd7c755f4

SHA512
e9e0d27f039cba37ca591dd435e03d63e45e274c6a5f37339b51b267fbb2cb5222c4ec5ee35cef77cdd4a7e36d1c8091d5c0892eb1b15463ccf2c8cc8c523c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4184148.exe

Filesize
184KB

MD5
ad270c225253397a94e059f8a748e5f6

SHA1
a0d894442b84c8c144d3f6b54584526eaa38721f

SHA256
a756b2b16e4cd0a5351b00161f35838cf7cdcc8d0c336a6cee5fc2b1901045e3

SHA512
3f7b6bc6aff73629f007c65b1d9e31ad1f0da58ab62f668deac0649417dc2e2c6456828eca9b5adcad463a9a47e9eb0f4693ba0c2f42bbd2a1fc8aa8373096e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4184148.exe

Filesize
184KB

MD5
ad270c225253397a94e059f8a748e5f6

SHA1
a0d894442b84c8c144d3f6b54584526eaa38721f

SHA256
a756b2b16e4cd0a5351b00161f35838cf7cdcc8d0c336a6cee5fc2b1901045e3

SHA512
3f7b6bc6aff73629f007c65b1d9e31ad1f0da58ab62f668deac0649417dc2e2c6456828eca9b5adcad463a9a47e9eb0f4693ba0c2f42bbd2a1fc8aa8373096e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8670542.exe

Filesize
145KB

MD5
4cbf2961598f91de542ea519c9e194fd

SHA1
3b5b75abb4d6d8b032b41abbc6caec463bdc28c8

SHA256
a94d900e73927967ae3cd9c783bd48c1d176f6bfdddaff74b0b43bd5c2c5a568

SHA512
12b7ce9bfbf9b76c2a7171ca2d577e7ed96b123eaa0683017f85f1155b00112d636237f989ba5852b1a91b35f1a8c3a1e15ac3e16850e61d4d9031116dcb6520

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8670542.exe

Filesize
145KB

MD5
4cbf2961598f91de542ea519c9e194fd

SHA1
3b5b75abb4d6d8b032b41abbc6caec463bdc28c8

SHA256
a94d900e73927967ae3cd9c783bd48c1d176f6bfdddaff74b0b43bd5c2c5a568

SHA512
12b7ce9bfbf9b76c2a7171ca2d577e7ed96b123eaa0683017f85f1155b00112d636237f989ba5852b1a91b35f1a8c3a1e15ac3e16850e61d4d9031116dcb6520

Download Submit
memory/320-174-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-183-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-160-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-162-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-164-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-166-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-168-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-170-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-171-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/320-172-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/320-156-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-175-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/320-177-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-179-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-181-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-158-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-185-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-186-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/320-187-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/320-188-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/320-155-0x00000000025B0000-0x00000000025C7000-memory.dmp

Filesize
92KB

Download
memory/320-154-0x0000000004CB0000-0x0000000005254000-memory.dmp

Filesize
5.6MB

Download
memory/3260-193-0x0000000000A90000-0x0000000000ABA000-memory.dmp

Filesize
168KB

Download
memory/3260-194-0x00000000059F0000-0x0000000006008000-memory.dmp

Filesize
6.1MB

Download
memory/3260-195-0x0000000005530000-0x000000000563A000-memory.dmp

Filesize
1.0MB

Download
memory/3260-196-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/3260-197-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/3260-198-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/3260-199-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads