redline | b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded

General

Target

b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe
Size

1.0MB
MD5

7eebfdc90ecf598ae579d07ca76523f6
SHA1

8ed00c43001dbcd163c84f44c11223962abef1a6
SHA256

b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded
SHA512

1dc6b677fa5447c7318431e2cc7e4373ab34b480855428180391fe8d9a328f00787d1117c288587370510e03b638925e06970534fccb19462c2c84767cabc6cb
SSDEEP

12288:0Mr/y90IOgZk8dILpGZMzRMRw/qrjmSZjxzg7hBqBV5yR7iwVsuK3EoTPiB92hRG:DyqAILphmgq3mSrp8R7ieK3EWUnTJ

Score

10^/10

redline meren evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

meren

C2

77.91.68.253:19065

Attributes

auth_value
a26557b435e44b55fdd4708fbba97d21

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7864341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7864341.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7864341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7864341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7864341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7864341.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4160	v0270115.exe
1280	v7676735.exe
4356	a7864341.exe
3784	b7133760.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7864341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7864341.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0270115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0270115.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7676735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7676735.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4356	a7864341.exe
4356	a7864341.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	a7864341.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4160	3924	b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe	81
PID 3924 wrote to memory of 4160	3924	b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe	81
PID 3924 wrote to memory of 4160	3924	b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe	81
PID 4160 wrote to memory of 1280	4160	v0270115.exe	82
PID 4160 wrote to memory of 1280	4160	v0270115.exe	82
PID 4160 wrote to memory of 1280	4160	v0270115.exe	82
PID 1280 wrote to memory of 4356	1280	v7676735.exe	83
PID 1280 wrote to memory of 4356	1280	v7676735.exe	83
PID 1280 wrote to memory of 4356	1280	v7676735.exe	83
PID 1280 wrote to memory of 3784	1280	v7676735.exe	86
PID 1280 wrote to memory of 3784	1280	v7676735.exe	86
PID 1280 wrote to memory of 3784	1280	v7676735.exe	86

C:\Users\Admin\AppData\Local\Temp\b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe
"C:\Users\Admin\AppData\Local\Temp\b8f250170f82d9c4bae5b9ded897b56b07dc982ebb5f2ca8c10719476e37bded.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0270115.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0270115.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7676735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7676735.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7864341.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7864341.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7133760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7133760.exe
      4⤵
      Executes dropped EXE
      PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0270115.exe

Filesize
749KB

MD5
33db07ab49175e6d889f2d1ff4e3d4bf

SHA1
0deaefebe0587f82524bd8bd600542a8d1abbe95

SHA256
cc088452be7dcdc8ca74180b39a1eb4ecb62f89d0bf90b07ed7181aa6bc0e86d

SHA512
1061c2c503b6cfdcd44af5553553b2157581d4ee1fc4594af89194fce55cd2408c185a03c6225c65fc383509e532510ce3273e778d77eeb38f4beedfe4fe69e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0270115.exe

Filesize
749KB

MD5
33db07ab49175e6d889f2d1ff4e3d4bf

SHA1
0deaefebe0587f82524bd8bd600542a8d1abbe95

SHA256
cc088452be7dcdc8ca74180b39a1eb4ecb62f89d0bf90b07ed7181aa6bc0e86d

SHA512
1061c2c503b6cfdcd44af5553553b2157581d4ee1fc4594af89194fce55cd2408c185a03c6225c65fc383509e532510ce3273e778d77eeb38f4beedfe4fe69e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7676735.exe

Filesize
304KB

MD5
0981e439c92e24bbc8559dba4ee37687

SHA1
786685205de595e63075026946b691149d1af564

SHA256
2dcacf010cefa74d3c603a573e5471861907e94025614c39c3ca54c3a9b558f5

SHA512
19ac3bb743de8a096fb1ef3eab523accc27523bdece11dc540167dde73b6e6f89d96e3c1f9b1c8e241b64c4ef79ed09ab09887691cd8e30438ec2e5a1a307fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7676735.exe

Filesize
304KB

MD5
0981e439c92e24bbc8559dba4ee37687

SHA1
786685205de595e63075026946b691149d1af564

SHA256
2dcacf010cefa74d3c603a573e5471861907e94025614c39c3ca54c3a9b558f5

SHA512
19ac3bb743de8a096fb1ef3eab523accc27523bdece11dc540167dde73b6e6f89d96e3c1f9b1c8e241b64c4ef79ed09ab09887691cd8e30438ec2e5a1a307fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7864341.exe

Filesize
184KB

MD5
83a2784fe6f9639483a47d855ad813f0

SHA1
8477143e3725b980876da31d38685be55a82b3dc

SHA256
05e6d2b50d47d9b83e3c2fac860ce8578bcf372363b134f71c269a8968df7539

SHA512
e47c5034155362c0611946bda6628c485264a555e884da18a2b4a78911285be79e31024a495df3ae84037a72e96919830131fd30b67145826f8ec8858e860b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7864341.exe

Filesize
184KB

MD5
83a2784fe6f9639483a47d855ad813f0

SHA1
8477143e3725b980876da31d38685be55a82b3dc

SHA256
05e6d2b50d47d9b83e3c2fac860ce8578bcf372363b134f71c269a8968df7539

SHA512
e47c5034155362c0611946bda6628c485264a555e884da18a2b4a78911285be79e31024a495df3ae84037a72e96919830131fd30b67145826f8ec8858e860b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7133760.exe

Filesize
145KB

MD5
f155707fb595d84d7263756dcbc03f14

SHA1
9403d5630416b03b81427171f2176c09bfbb3bbd

SHA256
2b50c1396b77b81e26f722f6b4f17600e5c8effc1a4fd1228b1579723b38a860

SHA512
b6bf079619a1549bb1fc9558f918139f13c12dad671c814e982a76e454ed376a2709361ed45b4fafb72b72f32efcebfc55f3b426dbc6e2760dd86a25585a00b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7133760.exe

Filesize
145KB

MD5
f155707fb595d84d7263756dcbc03f14

SHA1
9403d5630416b03b81427171f2176c09bfbb3bbd

SHA256
2b50c1396b77b81e26f722f6b4f17600e5c8effc1a4fd1228b1579723b38a860

SHA512
b6bf079619a1549bb1fc9558f918139f13c12dad671c814e982a76e454ed376a2709361ed45b4fafb72b72f32efcebfc55f3b426dbc6e2760dd86a25585a00b4

Download Submit
memory/3784-199-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3784-196-0x0000000005720000-0x0000000005732000-memory.dmp

Filesize
72KB

Download
memory/3784-195-0x00000000057F0000-0x00000000058FA000-memory.dmp

Filesize
1.0MB

Download
memory/3784-194-0x0000000005CB0000-0x00000000062C8000-memory.dmp

Filesize
6.1MB

Download
memory/3784-193-0x0000000000D50000-0x0000000000D7A000-memory.dmp

Filesize
168KB

Download
memory/3784-197-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3784-198-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/4356-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-187-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/4356-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-169-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-184-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/4356-185-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/4356-186-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/4356-171-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-188-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/4356-167-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-165-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-163-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-161-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-159-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-157-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-156-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4356-155-0x0000000004920000-0x0000000004EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4356-154-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads