redline | 86f3a75d3c1fdb2c101a9fd830930f91254e0dd70a353007b0719abafbf22c25

General

Target

2454.exe
Size

1.0MB
MD5

a2e3ada01f6c8ce8724a7903064f21ea
SHA1

38199193c3d02408b937b32167e38bb9fae1c6f6
SHA256

86f3a75d3c1fdb2c101a9fd830930f91254e0dd70a353007b0719abafbf22c25
SHA512

72e0173bbf937ed30d6359c42f1489218d46695732f55504356f68ba94c179009829c8af004c4270e19954965faf75559aeb3f70f8e2e81cacd9993d59604bf9
SSDEEP

24576:/yX0i0tabVsXRmBOmfeGxi5LsxZWk1GekCjGeKJ:KkikLXRMGGxiZkZNjtK

Score

10^/10

redline meren evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

meren

C2

77.91.68.253:19065

Attributes

auth_value
a26557b435e44b55fdd4708fbba97d21

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6461916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6461916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6461916.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6461916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6461916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6461916.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4932	v7210358.exe
4268	v8773196.exe
4280	a6461916.exe
1588	b9249219.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6461916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6461916.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2454.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7210358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7210358.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8773196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8773196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2454.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4280	a6461916.exe
4280	a6461916.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	a6461916.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4932	4576	2454.exe	84
PID 4576 wrote to memory of 4932	4576	2454.exe	84
PID 4576 wrote to memory of 4932	4576	2454.exe	84
PID 4932 wrote to memory of 4268	4932	v7210358.exe	85
PID 4932 wrote to memory of 4268	4932	v7210358.exe	85
PID 4932 wrote to memory of 4268	4932	v7210358.exe	85
PID 4268 wrote to memory of 4280	4268	v8773196.exe	86
PID 4268 wrote to memory of 4280	4268	v8773196.exe	86
PID 4268 wrote to memory of 4280	4268	v8773196.exe	86
PID 4268 wrote to memory of 1588	4268	v8773196.exe	87
PID 4268 wrote to memory of 1588	4268	v8773196.exe	87
PID 4268 wrote to memory of 1588	4268	v8773196.exe	87

C:\Users\Admin\AppData\Local\Temp\2454.exe
"C:\Users\Admin\AppData\Local\Temp\2454.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7210358.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7210358.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8773196.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8773196.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6461916.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6461916.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9249219.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9249219.exe
      4⤵
      Executes dropped EXE
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7210358.exe

Filesize
749KB

MD5
ad34eba2c2f3b4abbd912a4d812da842

SHA1
6ef94d130315bf1b8d5c053da3a328ee347d0ae9

SHA256
839ace289e14414aa707664722de9a97d5313ebf13b441fbb67a9d0adf141088

SHA512
2cf5dc22a8c2b19de7964cec4f53d27392af7dd863b345e8910c5afa895b54e036d9107805b7c4ac3e154a9ddaf54ed3056dc8a7a44bf62b0f23aa56f467ac9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7210358.exe

Filesize
749KB

MD5
ad34eba2c2f3b4abbd912a4d812da842

SHA1
6ef94d130315bf1b8d5c053da3a328ee347d0ae9

SHA256
839ace289e14414aa707664722de9a97d5313ebf13b441fbb67a9d0adf141088

SHA512
2cf5dc22a8c2b19de7964cec4f53d27392af7dd863b345e8910c5afa895b54e036d9107805b7c4ac3e154a9ddaf54ed3056dc8a7a44bf62b0f23aa56f467ac9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8773196.exe

Filesize
304KB

MD5
f479fef38f010fac216e0a555ab77f3b

SHA1
4dd31e069407a733a302b72f22863bd5791c3bc3

SHA256
3930da0be90c21f96c347340bd4539209cb8176d584ae772885627936ede0f4e

SHA512
86102732de2e89aac36a3cc387d451ee28e1bc54e5fb7e19ea880f836499a706eafcfd0805016f7095827f84a3cad03e12630f83de0ce779fc5a2b99cf3360af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8773196.exe

Filesize
304KB

MD5
f479fef38f010fac216e0a555ab77f3b

SHA1
4dd31e069407a733a302b72f22863bd5791c3bc3

SHA256
3930da0be90c21f96c347340bd4539209cb8176d584ae772885627936ede0f4e

SHA512
86102732de2e89aac36a3cc387d451ee28e1bc54e5fb7e19ea880f836499a706eafcfd0805016f7095827f84a3cad03e12630f83de0ce779fc5a2b99cf3360af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6461916.exe

Filesize
184KB

MD5
9d72824609f845f8dd6729fb784b941d

SHA1
38c240b3e32512ba0c8cc4c6b4e29899c69316a7

SHA256
2b8417fdb30ed15db7d8e8d0678b943017761053f379170649640a3c772bfe2e

SHA512
b803538fe1f32fe023336ceb77033b470840d7cc774a73997c75037a8876713ab07bc102fc11a9d1719ca64968d05450b21d3a1936ad902f650111ccbb8ee341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6461916.exe

Filesize
184KB

MD5
9d72824609f845f8dd6729fb784b941d

SHA1
38c240b3e32512ba0c8cc4c6b4e29899c69316a7

SHA256
2b8417fdb30ed15db7d8e8d0678b943017761053f379170649640a3c772bfe2e

SHA512
b803538fe1f32fe023336ceb77033b470840d7cc774a73997c75037a8876713ab07bc102fc11a9d1719ca64968d05450b21d3a1936ad902f650111ccbb8ee341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9249219.exe

Filesize
145KB

MD5
e6093c507d4e9685110f01e9b4e39870

SHA1
f774126cd3da7eacbebdc210fac15262be4ddc9d

SHA256
032b3a840216350f9ad1395e63cdd8a36065a6c7c1beded71a40a7699dafc0ac

SHA512
e49299bb3b7b6094dddbe0122c9160fab680cd15cbf2dcfae434e66f66d07a3256dc61d7a54b371d6f844ba5dbf4af11c42c5c5ad27ad70f5ea85dd38d060566

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9249219.exe

Filesize
145KB

MD5
e6093c507d4e9685110f01e9b4e39870

SHA1
f774126cd3da7eacbebdc210fac15262be4ddc9d

SHA256
032b3a840216350f9ad1395e63cdd8a36065a6c7c1beded71a40a7699dafc0ac

SHA512
e49299bb3b7b6094dddbe0122c9160fab680cd15cbf2dcfae434e66f66d07a3256dc61d7a54b371d6f844ba5dbf4af11c42c5c5ad27ad70f5ea85dd38d060566

Download Submit
memory/1588-196-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/1588-193-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/1588-192-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/1588-191-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/1588-190-0x0000000000380000-0x00000000003AA000-memory.dmp

Filesize
168KB

Download
memory/1588-194-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

Filesize
240KB

Download
memory/1588-195-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/4280-172-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-185-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4280-174-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-176-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-178-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-180-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-182-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-183-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4280-184-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4280-170-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-168-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-166-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-164-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-162-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-160-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-158-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-156-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-155-0x0000000002750000-0x0000000002766000-memory.dmp

Filesize
88KB

Download
memory/4280-154-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads