redline | 0132c101423fa2b115a816d8af7885526f7113321b27c78088990da08e9a634b

General

Target

editor307.exe
Size

1.0MB
MD5

174ca1152c5569b07f50fcc4a7013ef3
SHA1

cb7a78d66be98157b4ef311ef5ec9117d6fb7c5f
SHA256

0132c101423fa2b115a816d8af7885526f7113321b27c78088990da08e9a634b
SHA512

024d25e91cb164b8d920c5658542b489fc936cf74b096e44ea86046e0e726201802b8931a48c9dcb5a13171834567786b347ed2f8bbe04458d75013731dd4f8e
SSDEEP

24576:qydvg+omjTkScyaGq9mw7Uy6cOklrDafpyD1:xdvhomjTpcyJq9mw7U8LIG

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1482469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1482469.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1482469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1482469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1482469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1482469.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3916	v7397416.exe
4940	v6581417.exe
4964	a1482469.exe
1932	b6263688.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1482469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1482469.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6581417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6581417.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	editor307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	editor307.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7397416.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7397416.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4964	a1482469.exe
4964	a1482469.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	a1482469.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3916	2224	editor307.exe	84
PID 2224 wrote to memory of 3916	2224	editor307.exe	84
PID 2224 wrote to memory of 3916	2224	editor307.exe	84
PID 3916 wrote to memory of 4940	3916	v7397416.exe	85
PID 3916 wrote to memory of 4940	3916	v7397416.exe	85
PID 3916 wrote to memory of 4940	3916	v7397416.exe	85
PID 4940 wrote to memory of 4964	4940	v6581417.exe	86
PID 4940 wrote to memory of 4964	4940	v6581417.exe	86
PID 4940 wrote to memory of 4964	4940	v6581417.exe	86
PID 4940 wrote to memory of 1932	4940	v6581417.exe	87
PID 4940 wrote to memory of 1932	4940	v6581417.exe	87
PID 4940 wrote to memory of 1932	4940	v6581417.exe	87

C:\Users\Admin\AppData\Local\Temp\editor307.exe
"C:\Users\Admin\AppData\Local\Temp\editor307.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7397416.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7397416.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6581417.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6581417.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1482469.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1482469.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6263688.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6263688.exe
      4⤵
      Executes dropped EXE
      PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7397416.exe

Filesize
750KB

MD5
dd3d0ba4b930479d955943f6cf0e066d

SHA1
2c7955d9d78fc7b8d8f3c732a44021c788b22a6e

SHA256
ffc147a4e1c208fc44a897db7a8704c54d386e0e32bd79afa4c1d99459f61c54

SHA512
6922294425e6dffe4628ef360b3edb21c6c450fd6ba365c6a97bdebf6b5ad4940e9397566c7bdfc47593aa02f24f5b3daa083c288547ee01e6903f948d9fdb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7397416.exe

Filesize
750KB

MD5
dd3d0ba4b930479d955943f6cf0e066d

SHA1
2c7955d9d78fc7b8d8f3c732a44021c788b22a6e

SHA256
ffc147a4e1c208fc44a897db7a8704c54d386e0e32bd79afa4c1d99459f61c54

SHA512
6922294425e6dffe4628ef360b3edb21c6c450fd6ba365c6a97bdebf6b5ad4940e9397566c7bdfc47593aa02f24f5b3daa083c288547ee01e6903f948d9fdb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6581417.exe

Filesize
306KB

MD5
dc60892e69496c81b27ac5e487f4b894

SHA1
b62fa79020b9656d8a6130f52e021d6401f2c928

SHA256
7dab6f54f1771b91c65f996bb5128bb9cea7edacd2f333fd9b0f925050609b43

SHA512
dfa58814f38185ba486cd394255eb2626915f3d50b8976d47c654547a40d4fd478806d6e2b5106d27fd474f7dfa7dda29ba609a88f3be254bca9fcae7f654e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6581417.exe

Filesize
306KB

MD5
dc60892e69496c81b27ac5e487f4b894

SHA1
b62fa79020b9656d8a6130f52e021d6401f2c928

SHA256
7dab6f54f1771b91c65f996bb5128bb9cea7edacd2f333fd9b0f925050609b43

SHA512
dfa58814f38185ba486cd394255eb2626915f3d50b8976d47c654547a40d4fd478806d6e2b5106d27fd474f7dfa7dda29ba609a88f3be254bca9fcae7f654e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1482469.exe

Filesize
186KB

MD5
47b3215fc38e513c01039d103576f1d7

SHA1
0768d1d696748fb930ef8183095bbbf33735c706

SHA256
40a8c3ebe4198364633a5c5dd69641cb6b72d5425e3b0bdda7a876b5cd7e9a98

SHA512
c21d16b2988f80ecd45047b53e7119ea089632485652483316a430f83c0578de6cbb6f1ab3a8d448abfcf9b20ca112f583ed3cd83a4e3b882dc2fb0c87983c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1482469.exe

Filesize
186KB

MD5
47b3215fc38e513c01039d103576f1d7

SHA1
0768d1d696748fb930ef8183095bbbf33735c706

SHA256
40a8c3ebe4198364633a5c5dd69641cb6b72d5425e3b0bdda7a876b5cd7e9a98

SHA512
c21d16b2988f80ecd45047b53e7119ea089632485652483316a430f83c0578de6cbb6f1ab3a8d448abfcf9b20ca112f583ed3cd83a4e3b882dc2fb0c87983c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6263688.exe

Filesize
145KB

MD5
2415512e441f390fd969422145f5b5c1

SHA1
c45aa0725c4d667aeb06d95a85ce15f03693d762

SHA256
90c86f81638e8bbccbaa44afc991aef119af40154afe276cc7195882d107500d

SHA512
42baf58c563d3c2d2297651cc3614f73359a6e7d81a25fff5c718901563deabae37ef848c2a123f7897c59fb5e6c4fd5f3af188b4137614afeb14f70bf4a8671

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6263688.exe

Filesize
145KB

MD5
2415512e441f390fd969422145f5b5c1

SHA1
c45aa0725c4d667aeb06d95a85ce15f03693d762

SHA256
90c86f81638e8bbccbaa44afc991aef119af40154afe276cc7195882d107500d

SHA512
42baf58c563d3c2d2297651cc3614f73359a6e7d81a25fff5c718901563deabae37ef848c2a123f7897c59fb5e6c4fd5f3af188b4137614afeb14f70bf4a8671

Download Submit
memory/1932-199-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/1932-196-0x00000000056B0000-0x00000000056C2000-memory.dmp

Filesize
72KB

Download
memory/1932-195-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/1932-194-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/1932-193-0x0000000000CE0000-0x0000000000D0A000-memory.dmp

Filesize
168KB

Download
memory/1932-197-0x0000000005710000-0x000000000574C000-memory.dmp

Filesize
240KB

Download
memory/1932-198-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/4964-173-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-187-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4964-171-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-167-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-175-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-177-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-179-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-181-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-183-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-185-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-186-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4964-169-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-188-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4964-165-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-163-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-161-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-157-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4964-159-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4964-158-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-156-0x0000000004F20000-0x0000000004F36000-memory.dmp

Filesize
88KB

Download
memory/4964-155-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/4964-154-0x0000000004920000-0x0000000004EC4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads