redline | 2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15

General

Target

2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe
Size

1.0MB
MD5

663f25aad82a5880dce8a850284db1ee
SHA1

9f30755695dda0e9c5f83b6144e641e6b581de77
SHA256

2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15
SHA512

71d6dd3d220877986f6855213cef3e350671b058ff8d9c016ff2de8cd412bd56b6fb3287295c6f7237fccf0dc23f45093f60bb73d833f8904e9c744c6344d222
SSDEEP

24576:dyT1V74WQUohqIj+lWlHJghaJfBEyTWYUH0uMV7Nnl:4jc1ThqwHJgofJTF4MV7

Score

10^/10

redline maxa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxa

C2

77.91.124.251:19065

Attributes

auth_value
3c06ec6b3eea9db7536a57bcc13f5bef

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9416342.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9416342.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9416342.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9416342.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9416342.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9416342.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4544	v3014609.exe
2164	v3272786.exe
1276	a9416342.exe
4672	b8901319.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9416342.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9416342.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3014609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3014609.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3272786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3272786.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	a9416342.exe
1276	a9416342.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	a9416342.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4544	2348	2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe	82
PID 2348 wrote to memory of 4544	2348	2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe	82
PID 2348 wrote to memory of 4544	2348	2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe	82
PID 4544 wrote to memory of 2164	4544	v3014609.exe	83
PID 4544 wrote to memory of 2164	4544	v3014609.exe	83
PID 4544 wrote to memory of 2164	4544	v3014609.exe	83
PID 2164 wrote to memory of 1276	2164	v3272786.exe	84
PID 2164 wrote to memory of 1276	2164	v3272786.exe	84
PID 2164 wrote to memory of 1276	2164	v3272786.exe	84
PID 2164 wrote to memory of 4672	2164	v3272786.exe	85
PID 2164 wrote to memory of 4672	2164	v3272786.exe	85
PID 2164 wrote to memory of 4672	2164	v3272786.exe	85

C:\Users\Admin\AppData\Local\Temp\2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe
"C:\Users\Admin\AppData\Local\Temp\2ffc593536c148006089228f17ec90d9f794ba6797723555cbd4d9940d6eda15.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3014609.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3014609.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3272786.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3272786.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9416342.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9416342.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8901319.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8901319.exe
      4⤵
      Executes dropped EXE
      PID:4672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3014609.exe

Filesize
751KB

MD5
a344f1b3319584d3e84f14ad717870d6

SHA1
ac3c7b7ef97d86fa4fd52bb1eeb64a25e9b01057

SHA256
078f61aacf1a3ea4d622e60425e64b7dd891aa8e9160cc528dbda200a3aab06d

SHA512
43e5c9bd9e145b8b2a896f85e396babc8289f15c7ab1463ee3256d1af03c39dc16ca8aad7975b871ef492b0e387e4c36879494926fb999d37d56c9846341cd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3014609.exe

Filesize
751KB

MD5
a344f1b3319584d3e84f14ad717870d6

SHA1
ac3c7b7ef97d86fa4fd52bb1eeb64a25e9b01057

SHA256
078f61aacf1a3ea4d622e60425e64b7dd891aa8e9160cc528dbda200a3aab06d

SHA512
43e5c9bd9e145b8b2a896f85e396babc8289f15c7ab1463ee3256d1af03c39dc16ca8aad7975b871ef492b0e387e4c36879494926fb999d37d56c9846341cd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3272786.exe

Filesize
305KB

MD5
a3a97785fa1ccf6cf9438016791b92f3

SHA1
7516c603fd2826cbb3f3f40885ec9b8e3ccf5e1f

SHA256
b26b8945da9330eb1815cf9c47e6732d7df81ec8eb516f5c44d37269937ec1c4

SHA512
763fdc02e1b304f059ec4cfd2f04a95efe503486fb3cff5ae711c2344451cf7747fddd5415f3c448eca407d5ad66ce1ef2b702c359c0155d526cb2012fa02ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3272786.exe

Filesize
305KB

MD5
a3a97785fa1ccf6cf9438016791b92f3

SHA1
7516c603fd2826cbb3f3f40885ec9b8e3ccf5e1f

SHA256
b26b8945da9330eb1815cf9c47e6732d7df81ec8eb516f5c44d37269937ec1c4

SHA512
763fdc02e1b304f059ec4cfd2f04a95efe503486fb3cff5ae711c2344451cf7747fddd5415f3c448eca407d5ad66ce1ef2b702c359c0155d526cb2012fa02ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9416342.exe

Filesize
184KB

MD5
2ceefc4686731187b8be2fc731207507

SHA1
285db8ab25c9928d87ac65f641b2c507058f4486

SHA256
a2d5549df795483eb88175f497c78cf3bd7ba95be55f1c8fe107f057b2eda9f5

SHA512
0fc903ef97a423638acd44fbe59480edab18ba56d6e324d588057e74a585b5247950b757b9363f1ccb8a68d097870db893909971a6b6f600fe7e93ad62c9fa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9416342.exe

Filesize
184KB

MD5
2ceefc4686731187b8be2fc731207507

SHA1
285db8ab25c9928d87ac65f641b2c507058f4486

SHA256
a2d5549df795483eb88175f497c78cf3bd7ba95be55f1c8fe107f057b2eda9f5

SHA512
0fc903ef97a423638acd44fbe59480edab18ba56d6e324d588057e74a585b5247950b757b9363f1ccb8a68d097870db893909971a6b6f600fe7e93ad62c9fa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8901319.exe

Filesize
145KB

MD5
876a9648c5ef81adeab0e3150cd80115

SHA1
9521d9c0231c1d253840ef1d8552cdc966c02166

SHA256
c28fa4cee88d9f862c2d6484dcc402156541b837b6a874d1a4848f2d08d2e0fe

SHA512
321ee1a84abbe42d1efcfb556f851146c5917e6c45857ab691a5ceeed3fe361ec4b9fae60642d2c5b8ecf0cee624eedf0b60d5ba6af66f225d35551b532302ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8901319.exe

Filesize
145KB

MD5
876a9648c5ef81adeab0e3150cd80115

SHA1
9521d9c0231c1d253840ef1d8552cdc966c02166

SHA256
c28fa4cee88d9f862c2d6484dcc402156541b837b6a874d1a4848f2d08d2e0fe

SHA512
321ee1a84abbe42d1efcfb556f851146c5917e6c45857ab691a5ceeed3fe361ec4b9fae60642d2c5b8ecf0cee624eedf0b60d5ba6af66f225d35551b532302ab

Download Submit
memory/1276-170-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-180-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-158-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-160-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-162-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-164-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-168-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-166-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-156-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1276-172-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-174-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-176-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-178-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-157-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-184-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-182-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/1276-185-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1276-186-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1276-155-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1276-154-0x0000000004920000-0x0000000004EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4672-191-0x0000000000710000-0x000000000073A000-memory.dmp

Filesize
168KB

Download
memory/4672-192-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/4672-193-0x00000000051B0000-0x00000000052BA000-memory.dmp

Filesize
1.0MB

Download
memory/4672-194-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/4672-195-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4672-196-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/4672-197-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads