redline | 741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b

General

Target

741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe
Size

1.0MB
MD5

7a8faffed123ebc592314c0de1a688ea
SHA1

1ecc8c183781e85da1bd4c0d11073c8bba62544d
SHA256

741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b
SHA512

b5dafaa69c9943d7c00fa96f86f98e8c54a812c0ff8148d548e8531f82997ae41b01951d1342dcbf213a17bcc8204424d1f8a5b4a320805ba83d22e9e508c304
SSDEEP

24576:xyfKEYSJYVhTcK7eqASdh7qa2mTz9KdEj81JLEV9EbRLxp8:kcxz77eqXdh7b2AKGjeJYVkp

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0660276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0660276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0660276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0660276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0660276.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0660276.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
844	v2083983.exe
4844	v5268650.exe
4476	a0660276.exe
4524	b4817465.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0660276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0660276.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2083983.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5268650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5268650.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2083983.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4476	a0660276.exe
4476	a0660276.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	a0660276.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 844	4900	741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe	83
PID 4900 wrote to memory of 844	4900	741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe	83
PID 4900 wrote to memory of 844	4900	741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe	83
PID 844 wrote to memory of 4844	844	v2083983.exe	84
PID 844 wrote to memory of 4844	844	v2083983.exe	84
PID 844 wrote to memory of 4844	844	v2083983.exe	84
PID 4844 wrote to memory of 4476	4844	v5268650.exe	85
PID 4844 wrote to memory of 4476	4844	v5268650.exe	85
PID 4844 wrote to memory of 4476	4844	v5268650.exe	85
PID 4844 wrote to memory of 4524	4844	v5268650.exe	88
PID 4844 wrote to memory of 4524	4844	v5268650.exe	88
PID 4844 wrote to memory of 4524	4844	v5268650.exe	88

C:\Users\Admin\AppData\Local\Temp\741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe
"C:\Users\Admin\AppData\Local\Temp\741016cc122506710d11ca226ab36257a02481e36193c75775b1985b9d01e84b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2083983.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2083983.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5268650.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5268650.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0660276.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0660276.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4817465.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4817465.exe
      4⤵
      Executes dropped EXE
      PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2083983.exe

Filesize
750KB

MD5
933f623efedf9ae49e35adf25fdef24b

SHA1
5c51a4ac9b727d05c9fe0d9c102c9536ae6b9acd

SHA256
a84be76d504e85334c256792fdc5ca7fdde96275b566caeef5752150ab5b4892

SHA512
aeb3c7d7181536e0b8daf9ea7cee47aff6aa2dda6f86aed4724a1f7733a55b27eb1b7ba4462f02f8b78da7d8cc7cfcb04cb639aedb24b91dcfad80358579ca9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2083983.exe

Filesize
750KB

MD5
933f623efedf9ae49e35adf25fdef24b

SHA1
5c51a4ac9b727d05c9fe0d9c102c9536ae6b9acd

SHA256
a84be76d504e85334c256792fdc5ca7fdde96275b566caeef5752150ab5b4892

SHA512
aeb3c7d7181536e0b8daf9ea7cee47aff6aa2dda6f86aed4724a1f7733a55b27eb1b7ba4462f02f8b78da7d8cc7cfcb04cb639aedb24b91dcfad80358579ca9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5268650.exe

Filesize
306KB

MD5
ba7a42b09ebf494f9dd6864aa6763a96

SHA1
603cca0df1718995bd4a9f984687ce86b6adf071

SHA256
08fb1cb6bf5d2777b0b93e220d57b8acb508d2a68a722a95294ea84f918defac

SHA512
72ca0b08be122bc727b9c24d254e4997b50caff9cfadb75d80454bbfba1e3f44d442a3e43efb98944396ec408adb581ec40f117f8a724ce4e198ed003e3db4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5268650.exe

Filesize
306KB

MD5
ba7a42b09ebf494f9dd6864aa6763a96

SHA1
603cca0df1718995bd4a9f984687ce86b6adf071

SHA256
08fb1cb6bf5d2777b0b93e220d57b8acb508d2a68a722a95294ea84f918defac

SHA512
72ca0b08be122bc727b9c24d254e4997b50caff9cfadb75d80454bbfba1e3f44d442a3e43efb98944396ec408adb581ec40f117f8a724ce4e198ed003e3db4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0660276.exe

Filesize
186KB

MD5
4ed2e0b8948b281ee4e9c40517302230

SHA1
759444867e775604fdfce535a1550fd0afdb2e19

SHA256
aaf51ac47fdabc810353eca10d4ff3bc58f81dd390989e758161e1c757c82b14

SHA512
b0db2f46f4284490c3ff68fb0da25a791730fca944258df8512dd95de46ba845411ebd9d40fbc2e8b82aeea28e85379bb361231253fc4290bf2878ffc7686b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0660276.exe

Filesize
186KB

MD5
4ed2e0b8948b281ee4e9c40517302230

SHA1
759444867e775604fdfce535a1550fd0afdb2e19

SHA256
aaf51ac47fdabc810353eca10d4ff3bc58f81dd390989e758161e1c757c82b14

SHA512
b0db2f46f4284490c3ff68fb0da25a791730fca944258df8512dd95de46ba845411ebd9d40fbc2e8b82aeea28e85379bb361231253fc4290bf2878ffc7686b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4817465.exe

Filesize
145KB

MD5
b7900f29e9f9e421920ba0b40f73a6df

SHA1
8089b2ac5d4e6e711255c673397e3dd0c0af0e17

SHA256
04e241ba2a2dc96ebff4d416937cb12eac3225631d2861691548ed971352f395

SHA512
eeef0f64e9145e3201b47d2880acc845f8af5d2c26d3925dafc6abbc0661ac22a2b72384b00ef3b168e29f9a2a92c311be18554901e2f2d4b4ad73a36182efa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4817465.exe

Filesize
145KB

MD5
b7900f29e9f9e421920ba0b40f73a6df

SHA1
8089b2ac5d4e6e711255c673397e3dd0c0af0e17

SHA256
04e241ba2a2dc96ebff4d416937cb12eac3225631d2861691548ed971352f395

SHA512
eeef0f64e9145e3201b47d2880acc845f8af5d2c26d3925dafc6abbc0661ac22a2b72384b00ef3b168e29f9a2a92c311be18554901e2f2d4b4ad73a36182efa2

Download Submit
memory/4476-176-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-184-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4476-160-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-162-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-164-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-166-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-168-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-170-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-172-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-174-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-156-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-178-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-180-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-182-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-183-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4476-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-185-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4476-186-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4476-187-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4476-188-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4476-155-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4476-154-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/4524-193-0x0000000000AF0000-0x0000000000B1A000-memory.dmp

Filesize
168KB

Download
memory/4524-194-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/4524-195-0x0000000005590000-0x000000000569A000-memory.dmp

Filesize
1.0MB

Download
memory/4524-196-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/4524-197-0x0000000005530000-0x000000000556C000-memory.dmp

Filesize
240KB

Download
memory/4524-198-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4524-199-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads