redline | be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35

General

Target

be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe
Size

1.0MB
MD5

17a6106b98c99d54b53caad884340706
SHA1

bc8a5d4e077a4e2e5c3444fa155f3b924c80ed63
SHA256

be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35
SHA512

5705e4a0965af0d3aad4202c2c2be3629941b3b0f74d6b62beafb3b9626ab8e84714fd62550dc017bc885f704e4551c3c813d78ae87086b0e65c422d37a9135f
SSDEEP

24576:cyf7XAMkk9Ryq/0xU/eAKzyL6zqugQFOUgVa+T:LjXAMkcRyq/0xU/eTOLMqlta

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7475180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7475180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7475180.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7475180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7475180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7475180.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4760	v1141863.exe
1496	v0923040.exe
1964	a7475180.exe
3176	b3418905.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7475180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7475180.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1141863.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0923040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0923040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1141863.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	a7475180.exe
1964	a7475180.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	a7475180.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4760	4552	be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe	84
PID 4552 wrote to memory of 4760	4552	be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe	84
PID 4552 wrote to memory of 4760	4552	be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe	84
PID 4760 wrote to memory of 1496	4760	v1141863.exe	85
PID 4760 wrote to memory of 1496	4760	v1141863.exe	85
PID 4760 wrote to memory of 1496	4760	v1141863.exe	85
PID 1496 wrote to memory of 1964	1496	v0923040.exe	86
PID 1496 wrote to memory of 1964	1496	v0923040.exe	86
PID 1496 wrote to memory of 1964	1496	v0923040.exe	86
PID 1496 wrote to memory of 3176	1496	v0923040.exe	91
PID 1496 wrote to memory of 3176	1496	v0923040.exe	91
PID 1496 wrote to memory of 3176	1496	v0923040.exe	91

C:\Users\Admin\AppData\Local\Temp\be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe
"C:\Users\Admin\AppData\Local\Temp\be3878e9e79d87addb5ba4998397575020de708facecac1c70f91e53b0bf1b35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1141863.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1141863.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0923040.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0923040.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7475180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7475180.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3418905.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3418905.exe
      4⤵
      Executes dropped EXE
      PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1141863.exe

Filesize
750KB

MD5
c5178a3c6334bb5c907c813473bc4250

SHA1
0deb8ee81184b2bcfc1f3adfe598cc3fe2ec1136

SHA256
134bd53bda493572e753021255786e3b41ec0d111bd6b44a795fbd184d145b25

SHA512
834aa507efacb102fe7b4340675d05206bd91c8a77bb23a0dfc6a02a4dc682b195fbb80328c00efd0e9db88b88684d4a858d40af695a3e52adcb9fe35e596b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1141863.exe

Filesize
750KB

MD5
c5178a3c6334bb5c907c813473bc4250

SHA1
0deb8ee81184b2bcfc1f3adfe598cc3fe2ec1136

SHA256
134bd53bda493572e753021255786e3b41ec0d111bd6b44a795fbd184d145b25

SHA512
834aa507efacb102fe7b4340675d05206bd91c8a77bb23a0dfc6a02a4dc682b195fbb80328c00efd0e9db88b88684d4a858d40af695a3e52adcb9fe35e596b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0923040.exe

Filesize
306KB

MD5
b069110bd82a3c968a6ed3bd04d78390

SHA1
5b49ea0239f350d8e18c48e12f3c0254b57ce34f

SHA256
d4220882a7980558da6145d2ae1ee98b0c93e16ec402d2978f0b7ffab5251ae5

SHA512
fe621a8838d6e87aa81f866274ba7d7caa07b7df67ee03ea9c310b8bddcd349d9b8749618825cf638b5539f3152040575c016bfbac42c9b95571d18756e38239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0923040.exe

Filesize
306KB

MD5
b069110bd82a3c968a6ed3bd04d78390

SHA1
5b49ea0239f350d8e18c48e12f3c0254b57ce34f

SHA256
d4220882a7980558da6145d2ae1ee98b0c93e16ec402d2978f0b7ffab5251ae5

SHA512
fe621a8838d6e87aa81f866274ba7d7caa07b7df67ee03ea9c310b8bddcd349d9b8749618825cf638b5539f3152040575c016bfbac42c9b95571d18756e38239

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7475180.exe

Filesize
186KB

MD5
582e1349ceb9e65c1c91ce3fbb64f25b

SHA1
4f09d039699735d888845acd925cda5cce000b83

SHA256
07f821dd9c60ddc39f5995ff6af30bb45da921be9f1ce88dbe8753791f4c7cf5

SHA512
dfa904416fcb30a7eed1df04237ee42c18541c03b5fe0f9ca5b9a209724349d79d56cfe3d6dad61757836fb6f85f4806a01c0c76e664eadd99cf9d7b6b8b0961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7475180.exe

Filesize
186KB

MD5
582e1349ceb9e65c1c91ce3fbb64f25b

SHA1
4f09d039699735d888845acd925cda5cce000b83

SHA256
07f821dd9c60ddc39f5995ff6af30bb45da921be9f1ce88dbe8753791f4c7cf5

SHA512
dfa904416fcb30a7eed1df04237ee42c18541c03b5fe0f9ca5b9a209724349d79d56cfe3d6dad61757836fb6f85f4806a01c0c76e664eadd99cf9d7b6b8b0961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3418905.exe

Filesize
145KB

MD5
0028cf26d6e9bf45fad076fe7b0d7b2f

SHA1
03c0afa267dddb8ce37c8d673b5e477712fbeac3

SHA256
e13f353e8f42e54b8ed7becaeecbc70aff46f42a010aa4d69401509bd7d22465

SHA512
1d26c29890d6a58229e0c963788c1e6bd0b3ecb54fba4617516078fd478f20ac56b29a6e2b647bbe00bc7e60a10fa672ccf39479047d51914cf104c4c13eaa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3418905.exe

Filesize
145KB

MD5
0028cf26d6e9bf45fad076fe7b0d7b2f

SHA1
03c0afa267dddb8ce37c8d673b5e477712fbeac3

SHA256
e13f353e8f42e54b8ed7becaeecbc70aff46f42a010aa4d69401509bd7d22465

SHA512
1d26c29890d6a58229e0c963788c1e6bd0b3ecb54fba4617516078fd478f20ac56b29a6e2b647bbe00bc7e60a10fa672ccf39479047d51914cf104c4c13eaa12

Download Submit
memory/1964-172-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-182-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-160-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-162-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-164-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-166-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-168-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-170-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-156-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-174-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-176-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-178-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-180-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-158-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-183-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1964-185-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1964-186-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1964-187-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1964-155-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/1964-154-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/3176-191-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/3176-192-0x0000000005930000-0x0000000005F48000-memory.dmp

Filesize
6.1MB

Download
memory/3176-193-0x0000000005420000-0x000000000552A000-memory.dmp

Filesize
1.0MB

Download
memory/3176-194-0x0000000005350000-0x0000000005362000-memory.dmp

Filesize
72KB

Download
memory/3176-195-0x0000000005530000-0x000000000556C000-memory.dmp

Filesize
240KB

Download
memory/3176-196-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3176-197-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads