redline | fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5

General

Target

fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe
Size

1.0MB
MD5

47c3b7bf2b773fcbeca5381006a17916
SHA1

3cad7a83776e1f23cb7da92e97fc2fb63a5b8dda
SHA256

fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5
SHA512

27f319fc76cc6c3e9e7bc764ebfa31a456b9e73f32f36337bcc125d0fe0ce5505212318294cd5d266d2bba94c376f52b89d4b00dba38498bba34b9ff1d99215d
SSDEEP

24576:lyBxoXux/WzwLqdNLY2LvtAzWsu5gDTYQBOCdRdjUuZ3vjwzLYOmm:AjoX+/W0LqdNLYMvtVsw8BOC1UM/UzL

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4972393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4972393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4972393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4972393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4972393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4972393.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2656	v2131064.exe
1704	v9457071.exe
1344	a4972393.exe
4616	b3720924.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4972393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4972393.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2131064.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9457071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9457071.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2131064.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	a4972393.exe
1344	a4972393.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	a4972393.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2656	384	fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe	84
PID 384 wrote to memory of 2656	384	fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe	84
PID 384 wrote to memory of 2656	384	fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe	84
PID 2656 wrote to memory of 1704	2656	v2131064.exe	85
PID 2656 wrote to memory of 1704	2656	v2131064.exe	85
PID 2656 wrote to memory of 1704	2656	v2131064.exe	85
PID 1704 wrote to memory of 1344	1704	v9457071.exe	86
PID 1704 wrote to memory of 1344	1704	v9457071.exe	86
PID 1704 wrote to memory of 1344	1704	v9457071.exe	86
PID 1704 wrote to memory of 4616	1704	v9457071.exe	89
PID 1704 wrote to memory of 4616	1704	v9457071.exe	89
PID 1704 wrote to memory of 4616	1704	v9457071.exe	89

C:\Users\Admin\AppData\Local\Temp\fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe
"C:\Users\Admin\AppData\Local\Temp\fd56e39158e012bce51649320586bd4b0546692b81653eb6d0d24b66b592f9c5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2131064.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2131064.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9457071.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9457071.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4972393.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4972393.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3720924.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3720924.exe
      4⤵
      Executes dropped EXE
      PID:4616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2131064.exe

Filesize
751KB

MD5
a63becbd675cf7c8095549ac27e3ec9c

SHA1
bc1221bcdbc96c7f20bd89a81e0c7a311b7c629a

SHA256
7fb871f2547bffc0c1b2bf5dd7e88f2ecd1b853334acc2829ea043ac2826b53d

SHA512
b9c78bd69f6c0448f6c83127937998f8d6f69d33deef4d7311e94cad4edfbb1ef01400d9e6c8415ec86b711dcb5c51c86fa0aa900002abf3d9e53cc0c025d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2131064.exe

Filesize
751KB

MD5
a63becbd675cf7c8095549ac27e3ec9c

SHA1
bc1221bcdbc96c7f20bd89a81e0c7a311b7c629a

SHA256
7fb871f2547bffc0c1b2bf5dd7e88f2ecd1b853334acc2829ea043ac2826b53d

SHA512
b9c78bd69f6c0448f6c83127937998f8d6f69d33deef4d7311e94cad4edfbb1ef01400d9e6c8415ec86b711dcb5c51c86fa0aa900002abf3d9e53cc0c025d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9457071.exe

Filesize
306KB

MD5
1f4672bd322e351b78ab98d0cf7ef80d

SHA1
d815b4e2040ea8e29d37e45a2a25dcaec3a3b497

SHA256
c3c3cb1d078b4f7206b9ff0a277ce11e3dea1ed3349aeaa369c0f142aaa9bc87

SHA512
5d757fee3bab54aaecb5be3cc10d00cf552ad677fa191781c56bcd6af4c5b6b2d7a164134a7c55fbb7dcb3f2721c6d714c993de82db45797befa4b6085c7da8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9457071.exe

Filesize
306KB

MD5
1f4672bd322e351b78ab98d0cf7ef80d

SHA1
d815b4e2040ea8e29d37e45a2a25dcaec3a3b497

SHA256
c3c3cb1d078b4f7206b9ff0a277ce11e3dea1ed3349aeaa369c0f142aaa9bc87

SHA512
5d757fee3bab54aaecb5be3cc10d00cf552ad677fa191781c56bcd6af4c5b6b2d7a164134a7c55fbb7dcb3f2721c6d714c993de82db45797befa4b6085c7da8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4972393.exe

Filesize
185KB

MD5
2a625d8ebba2ce1a588c785b880f2449

SHA1
e2d27bfd827892c91a3ebbc7fdb645211b45131f

SHA256
92c5ef93cea70260772c3b916fb43c0639c624277adac3b0b9f3faed153f3054

SHA512
38a0f8ff7c10598ed40bb22935e06329f3567dea82fc4bdd3c69bcd3752ad07afc014ce95a69ea93fce1f896e155c9ef0ac448ab48ac74245f32bdad5d91154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4972393.exe

Filesize
185KB

MD5
2a625d8ebba2ce1a588c785b880f2449

SHA1
e2d27bfd827892c91a3ebbc7fdb645211b45131f

SHA256
92c5ef93cea70260772c3b916fb43c0639c624277adac3b0b9f3faed153f3054

SHA512
38a0f8ff7c10598ed40bb22935e06329f3567dea82fc4bdd3c69bcd3752ad07afc014ce95a69ea93fce1f896e155c9ef0ac448ab48ac74245f32bdad5d91154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3720924.exe

Filesize
145KB

MD5
18d9add5cd5aab51e14dc29362628783

SHA1
ea497adc831551a4fda2d32b9eb61551c9e50413

SHA256
d5ba31159a00fac8b88c722017b5a12f8975dfffe0c723a49182c7b244af8151

SHA512
8797b52058666645f03c2ed763f9681a790cb269786e1d658845a32bf5bab6af5c5e0d7037481d491ff688e870675e0360200c401da2f849c450b84577677d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3720924.exe

Filesize
145KB

MD5
18d9add5cd5aab51e14dc29362628783

SHA1
ea497adc831551a4fda2d32b9eb61551c9e50413

SHA256
d5ba31159a00fac8b88c722017b5a12f8975dfffe0c723a49182c7b244af8151

SHA512
8797b52058666645f03c2ed763f9681a790cb269786e1d658845a32bf5bab6af5c5e0d7037481d491ff688e870675e0360200c401da2f849c450b84577677d3f

Download Submit
memory/1344-157-0x0000000004CE0000-0x0000000005284000-memory.dmp

Filesize
5.6MB

Download
memory/1344-179-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-158-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-159-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-161-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-163-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-165-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-167-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-169-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-171-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-175-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-173-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-177-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-156-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1344-181-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-183-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-185-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1344-186-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1344-187-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1344-155-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1344-154-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4616-192-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/4616-193-0x00000000056D0000-0x0000000005CE8000-memory.dmp

Filesize
6.1MB

Download
memory/4616-194-0x00000000051C0000-0x00000000052CA000-memory.dmp

Filesize
1.0MB

Download
memory/4616-195-0x0000000002B30000-0x0000000002B42000-memory.dmp

Filesize
72KB

Download
memory/4616-196-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4616-197-0x00000000050F0000-0x000000000512C000-memory.dmp

Filesize
240KB

Download
memory/4616-198-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads