redline | b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f

General

Target

b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe
Size

1022KB
MD5

d55fb4d5d34be82121fe53c3a62ec4c4
SHA1

da2f4405b3eabce48bb402b3c28d3a53a72a3e59
SHA256

b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f
SHA512

cc9a5abee6c0aefc29d83fca435d4b266b8cbe9a92d61258981613dc8a33cd332e12758354414c8aff019a826fa5e15993ac847c1e1cf947d65e12d04fdcffa7
SSDEEP

24576:UytxWt5i44hH+V6qt4IWQhjs6ChVcojVoqI7q3oc2DLox4:jDWTShH+V6qtN/ChVcojVoqI7qW

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0527515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0527515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0527515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0527515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0527515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0527515.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2052	v9450872.exe
5108	v7980230.exe
700	a0527515.exe
676	b1085092.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0527515.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0527515.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9450872.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9450872.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7980230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7980230.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
700	a0527515.exe
700	a0527515.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	700	a0527515.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 2052	4648	b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe	85
PID 4648 wrote to memory of 2052	4648	b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe	85
PID 4648 wrote to memory of 2052	4648	b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe	85
PID 2052 wrote to memory of 5108	2052	v9450872.exe	86
PID 2052 wrote to memory of 5108	2052	v9450872.exe	86
PID 2052 wrote to memory of 5108	2052	v9450872.exe	86
PID 5108 wrote to memory of 700	5108	v7980230.exe	87
PID 5108 wrote to memory of 700	5108	v7980230.exe	87
PID 5108 wrote to memory of 700	5108	v7980230.exe	87
PID 5108 wrote to memory of 676	5108	v7980230.exe	88
PID 5108 wrote to memory of 676	5108	v7980230.exe	88
PID 5108 wrote to memory of 676	5108	v7980230.exe	88

C:\Users\Admin\AppData\Local\Temp\b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe
"C:\Users\Admin\AppData\Local\Temp\b27d983e1f00286a3301e8104c95ce0db23437aadafa9d6169a1f1af47e66c4f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9450872.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9450872.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7980230.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7980230.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0527515.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0527515.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1085092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1085092.exe
      4⤵
      Executes dropped EXE
      PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9450872.exe

Filesize
750KB

MD5
96184aa4b2564a3cf6647a8c0b22d456

SHA1
0deae497ff515a0450f27b27bcad448ab4b6b345

SHA256
60a6e26f6a9d27bd9f97951ba38733b6b987be01ccab57c72e3cb766398ee130

SHA512
25e1b5f84d7c2db27d09c9aaf442ab377cff95ec4901e726a2a865865407dd67d06669813e3fa50d72b68497eb6e09204f53fffe398ea082f6fa36ab652b204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9450872.exe

Filesize
750KB

MD5
96184aa4b2564a3cf6647a8c0b22d456

SHA1
0deae497ff515a0450f27b27bcad448ab4b6b345

SHA256
60a6e26f6a9d27bd9f97951ba38733b6b987be01ccab57c72e3cb766398ee130

SHA512
25e1b5f84d7c2db27d09c9aaf442ab377cff95ec4901e726a2a865865407dd67d06669813e3fa50d72b68497eb6e09204f53fffe398ea082f6fa36ab652b204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7980230.exe

Filesize
306KB

MD5
ad0b20e9f11d13849ed8fb0dbfbd6ec1

SHA1
d7fc0276ccc8a550c07f53e256ed2685730f9213

SHA256
b90fd07f68051de11a2f702df4fc16e03a5265b0034e0c111b8d4a9ab3400931

SHA512
140353f54b7be815c4e1749cbd92937d0c8d32bcee90d53df7a4dec2dc0d9b7ebe78974a022cc18377c530ff763f4ea3d083eb5d3d0b7b69ca3f5b0a95e12a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7980230.exe

Filesize
306KB

MD5
ad0b20e9f11d13849ed8fb0dbfbd6ec1

SHA1
d7fc0276ccc8a550c07f53e256ed2685730f9213

SHA256
b90fd07f68051de11a2f702df4fc16e03a5265b0034e0c111b8d4a9ab3400931

SHA512
140353f54b7be815c4e1749cbd92937d0c8d32bcee90d53df7a4dec2dc0d9b7ebe78974a022cc18377c530ff763f4ea3d083eb5d3d0b7b69ca3f5b0a95e12a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0527515.exe

Filesize
185KB

MD5
8cc8ae26cd95c9bb92e76fd9e283c4ec

SHA1
dd0dd5bfb7028fce831b26f2fbd30b10bdc5f2bd

SHA256
2a27bb4a9cbb53d896419434cab8cafc844e9c38e876f56428949c3a28389985

SHA512
db4fea877a7f4ed7e5cb96f1d0037462e1b4e9448fbeff14c2c4e25b345459e348df4af197b8b8432c0fdcc4afd165477778d911f246c34efcd8aeaa3828cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0527515.exe

Filesize
185KB

MD5
8cc8ae26cd95c9bb92e76fd9e283c4ec

SHA1
dd0dd5bfb7028fce831b26f2fbd30b10bdc5f2bd

SHA256
2a27bb4a9cbb53d896419434cab8cafc844e9c38e876f56428949c3a28389985

SHA512
db4fea877a7f4ed7e5cb96f1d0037462e1b4e9448fbeff14c2c4e25b345459e348df4af197b8b8432c0fdcc4afd165477778d911f246c34efcd8aeaa3828cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1085092.exe

Filesize
145KB

MD5
24bd30a11dfb293302f23e8ad08d86ed

SHA1
78a2bfdd6916f9967c34544b0128010ec5a3ff8a

SHA256
c168da70dea2124f45539591ff211327d36c3f747faa8a58b75919bf2fc24cd7

SHA512
1cfbdab28960673278e651a7a669886e6ba3a1f546ff3b873ca4e9535b7648d472ce2b0ed900de7cd2a95a55201f3cd9f8d8a148808c6741c8a992859b39c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1085092.exe

Filesize
145KB

MD5
24bd30a11dfb293302f23e8ad08d86ed

SHA1
78a2bfdd6916f9967c34544b0128010ec5a3ff8a

SHA256
c168da70dea2124f45539591ff211327d36c3f747faa8a58b75919bf2fc24cd7

SHA512
1cfbdab28960673278e651a7a669886e6ba3a1f546ff3b873ca4e9535b7648d472ce2b0ed900de7cd2a95a55201f3cd9f8d8a148808c6741c8a992859b39c113

Download Submit
memory/676-198-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/676-197-0x00000000053E0000-0x000000000541C000-memory.dmp

Filesize
240KB

Download
memory/676-196-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/676-195-0x0000000005380000-0x0000000005392000-memory.dmp

Filesize
72KB

Download
memory/676-194-0x0000000005450000-0x000000000555A000-memory.dmp

Filesize
1.0MB

Download
memory/676-193-0x00000000058D0000-0x0000000005EE8000-memory.dmp

Filesize
6.1MB

Download
memory/676-192-0x00000000009B0000-0x00000000009DA000-memory.dmp

Filesize
168KB

Download
memory/700-157-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-187-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/700-172-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-174-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-176-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-178-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-180-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-182-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-184-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-185-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/700-186-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/700-170-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-168-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-166-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-164-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-162-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-160-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-158-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/700-156-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/700-155-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/700-154-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads