redline | 0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad

General

Target

0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
Size

1.0MB
MD5

e8eb299aab88f4a9f0e810741bb16b34
SHA1

5eef9d9aecfceb363ad2c01d7b3b09582c84e394
SHA256

0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad
SHA512

fd0fae772e86c2542b9a2137f97ef06bd689fa263638b025b263ff5c1fcd382abd9596e2a9df449aa8818e5247d93fd9be38b7f7621f42676e18cc46264d04fe
SSDEEP

24576:Sy9C28aBd3KBmNnScreojy9VA+GvH2splenZbSu4TBO3UnBW:5A23Bd33Nn5nyVA+IH2ZOTBOM

Score

10^/10

redline musor evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

musor

C2

185.161.248.25:4132

Attributes

auth_value
b044e31277d21cb0a56d9461e5e741d5

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6676004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6676004.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3956	v2892900.exe
2724	v3003153.exe
4712	a6676004.exe
4904	b2502552.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6676004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6676004.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2892900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2892900.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3003153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3003153.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4712	a6676004.exe
4712	a6676004.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	a6676004.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3956	1820	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	82
PID 1820 wrote to memory of 3956	1820	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	82
PID 1820 wrote to memory of 3956	1820	0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe	82
PID 3956 wrote to memory of 2724	3956	v2892900.exe	83
PID 3956 wrote to memory of 2724	3956	v2892900.exe	83
PID 3956 wrote to memory of 2724	3956	v2892900.exe	83
PID 2724 wrote to memory of 4712	2724	v3003153.exe	84
PID 2724 wrote to memory of 4712	2724	v3003153.exe	84
PID 2724 wrote to memory of 4712	2724	v3003153.exe	84
PID 2724 wrote to memory of 4904	2724	v3003153.exe	85
PID 2724 wrote to memory of 4904	2724	v3003153.exe	85
PID 2724 wrote to memory of 4904	2724	v3003153.exe	85

C:\Users\Admin\AppData\Local\Temp\0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe
"C:\Users\Admin\AppData\Local\Temp\0c797cd9fe6719a8503ba2bd241a6278e056c10b14caa06a5d2dcfbd1fdbd3ad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe
      4⤵
      Executes dropped EXE
      PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe

Filesize
749KB

MD5
6c9a8f494c48b6e625987633ea5b6306

SHA1
65be67aff4f194e9426e1c18ace510e50ea62e39

SHA256
2aa18f8e62c90e794fd1553d537359d552ac7d35f6f5582485516a31a92cfc13

SHA512
aaf717fc3ab3ed8a9976a755636165e90ac94c2ea76ee1eaf8f38b5759003879e26b23c8170fccc0336c8aed07b474492910c283cd639b8413ec6efb80cce0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2892900.exe

Filesize
749KB

MD5
6c9a8f494c48b6e625987633ea5b6306

SHA1
65be67aff4f194e9426e1c18ace510e50ea62e39

SHA256
2aa18f8e62c90e794fd1553d537359d552ac7d35f6f5582485516a31a92cfc13

SHA512
aaf717fc3ab3ed8a9976a755636165e90ac94c2ea76ee1eaf8f38b5759003879e26b23c8170fccc0336c8aed07b474492910c283cd639b8413ec6efb80cce0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe

Filesize
305KB

MD5
bc080dd4c547fd19d35f89cd4024f0be

SHA1
e7e54446a2bfd1273d37d273ffc4424dd6db28ca

SHA256
31d75834b41827987b9bce707dc02810f73880ff7f7888f00a8bc07c8c1a81aa

SHA512
0523f73505bad7852cc25320be99729983201afad9989a5d26e3c9dfb50e0476d694901007c36bf2768914f2bd4760801e3a4e6d6aebe6f1b8813e0f11599471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3003153.exe

Filesize
305KB

MD5
bc080dd4c547fd19d35f89cd4024f0be

SHA1
e7e54446a2bfd1273d37d273ffc4424dd6db28ca

SHA256
31d75834b41827987b9bce707dc02810f73880ff7f7888f00a8bc07c8c1a81aa

SHA512
0523f73505bad7852cc25320be99729983201afad9989a5d26e3c9dfb50e0476d694901007c36bf2768914f2bd4760801e3a4e6d6aebe6f1b8813e0f11599471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe

Filesize
183KB

MD5
ce58e10273d08479be30eea081b640ab

SHA1
6bdd3164025b479e8810b9ac39b32ecdbdabc299

SHA256
d04bdda05ffbdea140fdf0475bbad5e536d0a04e56584f355d88ce54680a526b

SHA512
d3995aa53567d9e7ddf6e4b82309977b6b662d238fe1391528ba1c50db1f46e699513a48fab0dbe7126f42b750e53457477198e833de062fc2d0eaccb0cda899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6676004.exe

Filesize
183KB

MD5
ce58e10273d08479be30eea081b640ab

SHA1
6bdd3164025b479e8810b9ac39b32ecdbdabc299

SHA256
d04bdda05ffbdea140fdf0475bbad5e536d0a04e56584f355d88ce54680a526b

SHA512
d3995aa53567d9e7ddf6e4b82309977b6b662d238fe1391528ba1c50db1f46e699513a48fab0dbe7126f42b750e53457477198e833de062fc2d0eaccb0cda899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe

Filesize
145KB

MD5
686e6efed0ac2e9ac27d4722971bcca9

SHA1
ce989ccc962d6999537d4d4f0fe77b839df6bc8e

SHA256
f2b9e5ce317bce2bf647080533c2b3cc24551dcf64444eb6f7bd38186222daac

SHA512
523158e80eb89efcc3acb0153917e53a400031c9baec0661611a426cf8b2e32472d02316be35026e0b1c27e828d79d44192bcf0c4e6cb009dedca7325d0d72be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2502552.exe

Filesize
145KB

MD5
686e6efed0ac2e9ac27d4722971bcca9

SHA1
ce989ccc962d6999537d4d4f0fe77b839df6bc8e

SHA256
f2b9e5ce317bce2bf647080533c2b3cc24551dcf64444eb6f7bd38186222daac

SHA512
523158e80eb89efcc3acb0153917e53a400031c9baec0661611a426cf8b2e32472d02316be35026e0b1c27e828d79d44192bcf0c4e6cb009dedca7325d0d72be

Download Submit
memory/4712-173-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-183-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-158-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-159-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-161-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-163-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-165-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-167-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-169-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-171-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-156-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4712-177-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-175-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-179-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-181-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-157-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4712-185-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4712-186-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4712-187-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4712-188-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4712-155-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4712-154-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4904-193-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

Filesize
168KB

Download
memory/4904-194-0x0000000005C00000-0x0000000006218000-memory.dmp

Filesize
6.1MB

Download
memory/4904-195-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-196-0x0000000005690000-0x00000000056A2000-memory.dmp

Filesize
72KB

Download
memory/4904-197-0x0000000005720000-0x000000000575C000-memory.dmp

Filesize
240KB

Download
memory/4904-198-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4904-199-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads