redline | 4d7f1d8e58a68eeaa131397babf259322e62f3e336bde692e155f700081e1047

General

Target

2482860.exe
Size

1.0MB
MD5

639a462f401e756dc2d4932e5817d182
SHA1

d7fb8aa1369504607400eba1fd67fd739e0a3bde
SHA256

4d7f1d8e58a68eeaa131397babf259322e62f3e336bde692e155f700081e1047
SHA512

ece964807697840927487f49f7a39fa410de853a3b6f48d563234e1c0ee2a4cdf6027930b383bee0eccc73cba250d4afab8b6390f2d44dbec269d3d9f8be41c3
SSDEEP

24576:7yBqg57br2UzveFs7q1hvdDg+fT6S+7dzjqabs6RL:u8g9br2UKi7q1hdbN+7tqb6

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4418575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4418575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4418575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4418575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4418575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4418575.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3572	v7202973.exe
3676	v4656528.exe
1276	a4418575.exe
2180	b2433476.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4418575.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4418575.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7202973.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4656528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4656528.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2482860.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2482860.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7202973.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	a4418575.exe
1276	a4418575.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	a4418575.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3572	3408	2482860.exe	84
PID 3408 wrote to memory of 3572	3408	2482860.exe	84
PID 3408 wrote to memory of 3572	3408	2482860.exe	84
PID 3572 wrote to memory of 3676	3572	v7202973.exe	85
PID 3572 wrote to memory of 3676	3572	v7202973.exe	85
PID 3572 wrote to memory of 3676	3572	v7202973.exe	85
PID 3676 wrote to memory of 1276	3676	v4656528.exe	86
PID 3676 wrote to memory of 1276	3676	v4656528.exe	86
PID 3676 wrote to memory of 1276	3676	v4656528.exe	86
PID 3676 wrote to memory of 2180	3676	v4656528.exe	87
PID 3676 wrote to memory of 2180	3676	v4656528.exe	87
PID 3676 wrote to memory of 2180	3676	v4656528.exe	87

C:\Users\Admin\AppData\Local\Temp\2482860.exe
"C:\Users\Admin\AppData\Local\Temp\2482860.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7202973.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7202973.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4656528.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4656528.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4418575.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4418575.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2433476.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2433476.exe
      4⤵
      Executes dropped EXE
      PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7202973.exe

Filesize
751KB

MD5
83c35fe65df6f19f36d8af3dff94e0b9

SHA1
c3dc5c5b7ed590f62b24270212df135d33771a85

SHA256
734c15bfa820118af735192bfdf41cb3fb8792d554cb53a51c43b1e8027d7ae8

SHA512
26a1c9893ec0588502b4aa4a79b21c6fa96fcf986dba67a7399f881ca21d699d0ca6d2e0ef3761b489a62090298c3d168b178444da03aeb40f9a2534902f456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7202973.exe

Filesize
751KB

MD5
83c35fe65df6f19f36d8af3dff94e0b9

SHA1
c3dc5c5b7ed590f62b24270212df135d33771a85

SHA256
734c15bfa820118af735192bfdf41cb3fb8792d554cb53a51c43b1e8027d7ae8

SHA512
26a1c9893ec0588502b4aa4a79b21c6fa96fcf986dba67a7399f881ca21d699d0ca6d2e0ef3761b489a62090298c3d168b178444da03aeb40f9a2534902f456b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4656528.exe

Filesize
305KB

MD5
e68292726b922f9cceeead9b6fb4c36f

SHA1
5a76abc6b132070517a4c66a16a89b8426d0c851

SHA256
e4f6109a7be4575d50af232a4c66d75519744b2c115919c1bcdb2b48a4c6e687

SHA512
2997b63eaa367069837db0459bb6933a0c7b3cbf7c66d6ae448da9f6d67c5453ed1752664a7c21b82e0db08c06768fbfa808895968340b5a3693d6df5720edde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4656528.exe

Filesize
305KB

MD5
e68292726b922f9cceeead9b6fb4c36f

SHA1
5a76abc6b132070517a4c66a16a89b8426d0c851

SHA256
e4f6109a7be4575d50af232a4c66d75519744b2c115919c1bcdb2b48a4c6e687

SHA512
2997b63eaa367069837db0459bb6933a0c7b3cbf7c66d6ae448da9f6d67c5453ed1752664a7c21b82e0db08c06768fbfa808895968340b5a3693d6df5720edde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4418575.exe

Filesize
185KB

MD5
367cfb38598b41ad698f878cd217c943

SHA1
e3b6025c50330b1a75ec920d22dd6f0d79212f6b

SHA256
f477a250b81baa3147602f798291d4b603470f5eff99afdaf9ab264cbc300551

SHA512
1ae82e49cf3e845991c950165cee0da91513e7d9932e6935c642be9ab090780a3fcafdfb26cea7b57a1aff603777e22d5d495957756e0aacbd5347741b761a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4418575.exe

Filesize
185KB

MD5
367cfb38598b41ad698f878cd217c943

SHA1
e3b6025c50330b1a75ec920d22dd6f0d79212f6b

SHA256
f477a250b81baa3147602f798291d4b603470f5eff99afdaf9ab264cbc300551

SHA512
1ae82e49cf3e845991c950165cee0da91513e7d9932e6935c642be9ab090780a3fcafdfb26cea7b57a1aff603777e22d5d495957756e0aacbd5347741b761a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2433476.exe

Filesize
145KB

MD5
97c145a0988d07a111d293e4183c4944

SHA1
f0711ed2b3a9c84c1eaa61f472e637dabcf0d7cd

SHA256
82990dc10a2b1adfadb5d6a9c431df420f4e14e36d00fbdc9ede042125705f31

SHA512
f8fcc3a91ce572511e2e2e27c75ac041e53e8feb1873dc0dde79b96a7a6d32ffb3e7272ab948966edf4c0838a2d889aa0cf47487a05cac4ea160575bb2322e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2433476.exe

Filesize
145KB

MD5
97c145a0988d07a111d293e4183c4944

SHA1
f0711ed2b3a9c84c1eaa61f472e637dabcf0d7cd

SHA256
82990dc10a2b1adfadb5d6a9c431df420f4e14e36d00fbdc9ede042125705f31

SHA512
f8fcc3a91ce572511e2e2e27c75ac041e53e8feb1873dc0dde79b96a7a6d32ffb3e7272ab948966edf4c0838a2d889aa0cf47487a05cac4ea160575bb2322e0b

Download Submit
memory/1276-176-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-184-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1276-160-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-162-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-164-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-166-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-168-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-170-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-172-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-174-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-156-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-178-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-180-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-182-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-183-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1276-158-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-185-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1276-186-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1276-187-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1276-188-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1276-155-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/1276-154-0x0000000004A60000-0x0000000005004000-memory.dmp

Filesize
5.6MB

Download
memory/2180-193-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/2180-194-0x0000000005750000-0x0000000005D68000-memory.dmp

Filesize
6.1MB

Download
memory/2180-195-0x00000000052A0000-0x00000000053AA000-memory.dmp

Filesize
1.0MB

Download
memory/2180-196-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/2180-197-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/2180-198-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/2180-199-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads