redline | 399c54c2eee7682054160b286afb63afdf46995224531f4d2f13f68df90f865f

General

Target

62263263167.exe
Size

1.0MB
MD5

e7a5b9384e98d5824908250151350ab9
SHA1

d8fa0e261190fe467a0f995ea374336ce4202d7e
SHA256

399c54c2eee7682054160b286afb63afdf46995224531f4d2f13f68df90f865f
SHA512

586d8b33547748c2c69b86888cde3a5290e75b453a0a5db8e6faf0b2d4e142782f7942cded609eb53003f2b002a516c5e0f1d75c01835fd20203a140b7cbcf77
SSDEEP

24576:JyGzT/ZbdDh4h5kBqFR8jVNZKA2/LynKPxTj07uBhNupXCf:8UT/ZpD6h5qqFR8hI/yKPxc7u/4

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4979988.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4979988.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4979988.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4979988.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4979988.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4979988.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1508	v4737552.exe
1224	v3408182.exe
2932	a4979988.exe
756	b2410683.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4979988.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4979988.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3408182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3408182.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	62263263167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62263263167.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4737552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4737552.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	a4979988.exe
2932	a4979988.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	a4979988.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 1508	3820	62263263167.exe	84
PID 3820 wrote to memory of 1508	3820	62263263167.exe	84
PID 3820 wrote to memory of 1508	3820	62263263167.exe	84
PID 1508 wrote to memory of 1224	1508	v4737552.exe	85
PID 1508 wrote to memory of 1224	1508	v4737552.exe	85
PID 1508 wrote to memory of 1224	1508	v4737552.exe	85
PID 1224 wrote to memory of 2932	1224	v3408182.exe	86
PID 1224 wrote to memory of 2932	1224	v3408182.exe	86
PID 1224 wrote to memory of 2932	1224	v3408182.exe	86
PID 1224 wrote to memory of 756	1224	v3408182.exe	87
PID 1224 wrote to memory of 756	1224	v3408182.exe	87
PID 1224 wrote to memory of 756	1224	v3408182.exe	87

C:\Users\Admin\AppData\Local\Temp\62263263167.exe
"C:\Users\Admin\AppData\Local\Temp\62263263167.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4737552.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4737552.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3408182.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3408182.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4979988.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4979988.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2410683.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2410683.exe
      4⤵
      Executes dropped EXE
      PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4737552.exe

Filesize
750KB

MD5
6c39f304f011fb4e37da902bc7492335

SHA1
a4b0ca855482acf8e396a23ce3863d71092f023c

SHA256
af7bf73aa1ef3b228bb4568438df70fcf90ff86514c838810bd989f6405b34ec

SHA512
a0d617cabccd90b4c43782ccd400bc2c83739e133eeb028765f6b6ad85aad332f855709dd93224904d5b0085c9715375d44e42de2054520c39599d812de35a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4737552.exe

Filesize
750KB

MD5
6c39f304f011fb4e37da902bc7492335

SHA1
a4b0ca855482acf8e396a23ce3863d71092f023c

SHA256
af7bf73aa1ef3b228bb4568438df70fcf90ff86514c838810bd989f6405b34ec

SHA512
a0d617cabccd90b4c43782ccd400bc2c83739e133eeb028765f6b6ad85aad332f855709dd93224904d5b0085c9715375d44e42de2054520c39599d812de35a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3408182.exe

Filesize
306KB

MD5
b651bdeed6389373ac44ab7de014727a

SHA1
e310ce17d2ba9c288a80833a7bc8e0255c925181

SHA256
a6d4e59659000be2c46c138198bf7f10534ec55754d53eb75db3fbdf0f4cd7a0

SHA512
5135d5d038c72dd022debbb4acbd1fb141b67028dd82879835683d23164b4aa17bce21c64af368b5208a60185c35bcaf15d33d161c831905ab94dd65cc1146ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3408182.exe

Filesize
306KB

MD5
b651bdeed6389373ac44ab7de014727a

SHA1
e310ce17d2ba9c288a80833a7bc8e0255c925181

SHA256
a6d4e59659000be2c46c138198bf7f10534ec55754d53eb75db3fbdf0f4cd7a0

SHA512
5135d5d038c72dd022debbb4acbd1fb141b67028dd82879835683d23164b4aa17bce21c64af368b5208a60185c35bcaf15d33d161c831905ab94dd65cc1146ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4979988.exe

Filesize
186KB

MD5
f090ed698ba64c6c799545878d27ae94

SHA1
68f3acab6d66227594308237a4905fdc8d3642dc

SHA256
0908fba4a129abb44e884df1eb42733b49c7c91637f26b51e7204cd943518095

SHA512
aec029142535a8554740ddcddf89c16974fdb36f04cae9b7fca62fb3eb582588171dc23e27d35a562379f768816126e7c5bb52b4931e8d98cea6d09bec614fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4979988.exe

Filesize
186KB

MD5
f090ed698ba64c6c799545878d27ae94

SHA1
68f3acab6d66227594308237a4905fdc8d3642dc

SHA256
0908fba4a129abb44e884df1eb42733b49c7c91637f26b51e7204cd943518095

SHA512
aec029142535a8554740ddcddf89c16974fdb36f04cae9b7fca62fb3eb582588171dc23e27d35a562379f768816126e7c5bb52b4931e8d98cea6d09bec614fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2410683.exe

Filesize
145KB

MD5
fa04e1cb745d792c45793109f24d7f88

SHA1
9dcdfd4565dd6b19c58b03aec7b8182d3f4ab204

SHA256
6d4ae791eb8ac7121d7057cd17137fb37eced4b4657283a07d0882bd52fb3ff2

SHA512
73585a6d345fc93ddfb6d91b78d591fd315f303247fa89ff78b3b72b3bdcb76ffd2a6084bffb4dc5b09fc6cccc1e67fa8dc0eb630e184fdd74b743ef1030f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2410683.exe

Filesize
145KB

MD5
fa04e1cb745d792c45793109f24d7f88

SHA1
9dcdfd4565dd6b19c58b03aec7b8182d3f4ab204

SHA256
6d4ae791eb8ac7121d7057cd17137fb37eced4b4657283a07d0882bd52fb3ff2

SHA512
73585a6d345fc93ddfb6d91b78d591fd315f303247fa89ff78b3b72b3bdcb76ffd2a6084bffb4dc5b09fc6cccc1e67fa8dc0eb630e184fdd74b743ef1030f3a2

Download Submit
memory/756-199-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

Filesize
64KB

Download
memory/756-196-0x00000000058C0000-0x00000000058D2000-memory.dmp

Filesize
72KB

Download
memory/756-195-0x0000000005990000-0x0000000005A9A000-memory.dmp

Filesize
1.0MB

Download
memory/756-194-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/756-193-0x0000000000EF0000-0x0000000000F1A000-memory.dmp

Filesize
168KB

Download
memory/756-197-0x0000000005920000-0x000000000595C000-memory.dmp

Filesize
240KB

Download
memory/756-198-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

Filesize
64KB

Download
memory/2932-174-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-187-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2932-172-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-168-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-176-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-178-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-180-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-182-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-184-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-185-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2932-186-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2932-170-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-189-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2932-166-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-164-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-162-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-160-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-157-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2932-156-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/2932-155-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/2932-154-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads