redline | f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4

General

Target

f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe
Size

1.0MB
MD5

bab107b1dc1865e95412b44b9a4657d6
SHA1

e1b131d3214651dea30e10cde6a7b9d97e267913
SHA256

f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4
SHA512

60f44f79b297fed45ed28e7925d3be9ea63241257e1504020ad7f3173f8dc1ceafa1f5d9a1aa51d8d9e86607013517c871380acda786192ade106c769f285361
SSDEEP

24576:NyuwUo6QQgbNqXAUgmEntTnhAqGP+Pc+YTpfcGba12k:ohU8Q8NqEmEtLCP+PcPRcWa12

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0275063.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0275063.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0275063.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0275063.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0275063.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0275063.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2920	v8737367.exe
3748	v3213860.exe
3656	a0275063.exe
2632	b5702373.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0275063.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0275063.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3213860.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8737367.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8737367.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3213860.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3656	a0275063.exe
3656	a0275063.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	a0275063.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2920	2292	f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe	84
PID 2292 wrote to memory of 2920	2292	f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe	84
PID 2292 wrote to memory of 2920	2292	f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe	84
PID 2920 wrote to memory of 3748	2920	v8737367.exe	85
PID 2920 wrote to memory of 3748	2920	v8737367.exe	85
PID 2920 wrote to memory of 3748	2920	v8737367.exe	85
PID 3748 wrote to memory of 3656	3748	v3213860.exe	86
PID 3748 wrote to memory of 3656	3748	v3213860.exe	86
PID 3748 wrote to memory of 3656	3748	v3213860.exe	86
PID 3748 wrote to memory of 2632	3748	v3213860.exe	87
PID 3748 wrote to memory of 2632	3748	v3213860.exe	87
PID 3748 wrote to memory of 2632	3748	v3213860.exe	87

C:\Users\Admin\AppData\Local\Temp\f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe
"C:\Users\Admin\AppData\Local\Temp\f935733f7ba4da8eb4d4216be9eee1c443a22b5c53017deb5cd2e39fcb92dee4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8737367.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8737367.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3213860.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3213860.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0275063.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0275063.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5702373.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5702373.exe
      4⤵
      Executes dropped EXE
      PID:2632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8737367.exe

Filesize
751KB

MD5
281a2fdc18ff6a24e2b0542ab36c8d3c

SHA1
1d8aad7e14f4fc4f6f971b6ae48a8d377df8886f

SHA256
073fdccd147986da0b9a45e1510ada3965abad2f2493e75ad8ef972a49170321

SHA512
d895c9edb2b11fb77ea207d85a2e7459687a7270a1cbfd8494c6a27bd902c86c8c949826a3e93fc6fdf70bd00ca104f51aef1e3422b610dde673ddadd6c39e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8737367.exe

Filesize
751KB

MD5
281a2fdc18ff6a24e2b0542ab36c8d3c

SHA1
1d8aad7e14f4fc4f6f971b6ae48a8d377df8886f

SHA256
073fdccd147986da0b9a45e1510ada3965abad2f2493e75ad8ef972a49170321

SHA512
d895c9edb2b11fb77ea207d85a2e7459687a7270a1cbfd8494c6a27bd902c86c8c949826a3e93fc6fdf70bd00ca104f51aef1e3422b610dde673ddadd6c39e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3213860.exe

Filesize
305KB

MD5
aa82afb62db8a14cab396868f9459f8c

SHA1
4b6c21ad9c499f0eaa10941716bd1ceaed9afc90

SHA256
810416b8902c61b35b7fa760d5119a032d869ecf22c37203b041a929a4c77bab

SHA512
22dd185ccb23231a6af2546718605edc48bd6cff8d8cc4c4ab0b98fb7cf401c25ec375dd960fecf68a65ca7495292ead148b6849bffeee5559ffc8eb4860a416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3213860.exe

Filesize
305KB

MD5
aa82afb62db8a14cab396868f9459f8c

SHA1
4b6c21ad9c499f0eaa10941716bd1ceaed9afc90

SHA256
810416b8902c61b35b7fa760d5119a032d869ecf22c37203b041a929a4c77bab

SHA512
22dd185ccb23231a6af2546718605edc48bd6cff8d8cc4c4ab0b98fb7cf401c25ec375dd960fecf68a65ca7495292ead148b6849bffeee5559ffc8eb4860a416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0275063.exe

Filesize
186KB

MD5
1faa8907fa6883980490c42cca95e458

SHA1
6c405834dfbbbb7b8a1ce183435b902af9fd7137

SHA256
6af6e6d9697ce62bdf36435526f615fb06ec2428c077b0703de73efbdfa91416

SHA512
02ee3f0d5730a8b40ae74ca4574782a36707d431e26a4406d7e92f4518b5487fbe7aeba27a0835ea99b2efa185ee4eaf7a96570702fcb41e6f81674f9079e594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0275063.exe

Filesize
186KB

MD5
1faa8907fa6883980490c42cca95e458

SHA1
6c405834dfbbbb7b8a1ce183435b902af9fd7137

SHA256
6af6e6d9697ce62bdf36435526f615fb06ec2428c077b0703de73efbdfa91416

SHA512
02ee3f0d5730a8b40ae74ca4574782a36707d431e26a4406d7e92f4518b5487fbe7aeba27a0835ea99b2efa185ee4eaf7a96570702fcb41e6f81674f9079e594

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5702373.exe

Filesize
145KB

MD5
2894ca83bd4982704efceef7ac382038

SHA1
d563acc4d3e67228db78f2f9fb47946bc42bdfde

SHA256
39b92c20542d2dee0110e546668651c1ab324e08917b1c62fdd842f6e9ba2923

SHA512
e8cf88b9782f631caa5ba8391d05c2c20aaec01be4fc3eb7afb0c48189379b612e5b1dfc8b146ccd507a5c260ebf272b4df1d009ffa85b60daa871d18a191332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5702373.exe

Filesize
145KB

MD5
2894ca83bd4982704efceef7ac382038

SHA1
d563acc4d3e67228db78f2f9fb47946bc42bdfde

SHA256
39b92c20542d2dee0110e546668651c1ab324e08917b1c62fdd842f6e9ba2923

SHA512
e8cf88b9782f631caa5ba8391d05c2c20aaec01be4fc3eb7afb0c48189379b612e5b1dfc8b146ccd507a5c260ebf272b4df1d009ffa85b60daa871d18a191332

Download Submit
memory/2632-199-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/2632-196-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/2632-195-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/2632-194-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/2632-193-0x0000000000B20000-0x0000000000B4A000-memory.dmp

Filesize
168KB

Download
memory/2632-197-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/2632-198-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/3656-173-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-187-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3656-171-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-167-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-175-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-177-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-179-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-181-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-183-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-185-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-186-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3656-169-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-188-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3656-165-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-163-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-161-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-159-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3656-157-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/3656-156-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3656-155-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3656-154-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads