redline | 43f0bae96ca7e25e4810ef59e650d57267bb91b486b817cb64012f636f13b49b

General

Target

engine734.exe
Size

1.0MB
MD5

ce69662000eca813ff07d53dc065706c
SHA1

60e6a815aa184f91d808af536108deaf6571f6cb
SHA256

43f0bae96ca7e25e4810ef59e650d57267bb91b486b817cb64012f636f13b49b
SHA512

ad509c8559a02da1d948c8286c0e5cd219fa4b1f4e6e4169a47d8a327d817ef934396dee65e47174b1b63f5ab5461b50467424c8bf31662bc9329104df0d74b7
SSDEEP

24576:yyMMMxGn7q2ZLqf4Az+B9C2j8LZalxQmmeFEfILJ:Z3Mx47RpqP24MlxQm/FEfY

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5929019.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5929019.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2040	v4831388.exe
224	v6907871.exe
4376	a5929019.exe
4392	b4932092.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5929019.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	engine734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	engine734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4831388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4831388.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6907871.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6907871.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4376	a5929019.exe
4376	a5929019.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	a5929019.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2040	1028	engine734.exe	86
PID 1028 wrote to memory of 2040	1028	engine734.exe	86
PID 1028 wrote to memory of 2040	1028	engine734.exe	86
PID 2040 wrote to memory of 224	2040	v4831388.exe	87
PID 2040 wrote to memory of 224	2040	v4831388.exe	87
PID 2040 wrote to memory of 224	2040	v4831388.exe	87
PID 224 wrote to memory of 4376	224	v6907871.exe	88
PID 224 wrote to memory of 4376	224	v6907871.exe	88
PID 224 wrote to memory of 4376	224	v6907871.exe	88
PID 224 wrote to memory of 4392	224	v6907871.exe	89
PID 224 wrote to memory of 4392	224	v6907871.exe	89
PID 224 wrote to memory of 4392	224	v6907871.exe	89

C:\Users\Admin\AppData\Local\Temp\engine734.exe
"C:\Users\Admin\AppData\Local\Temp\engine734.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe
      4⤵
      Executes dropped EXE
      PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe

Filesize
750KB

MD5
765f9c01b90262fe994657fa9d584be3

SHA1
aa33ea0c3f72962957fb89ca918a2f8e8c24d679

SHA256
03844dfd79ac76c297c7adb81a51fb5bcce9dee859f46187c3c9c56fd38e1198

SHA512
47057e1e786c7838f69b9faab0f53ced82eb4796588754e426a09accb042ff8981af97f2e33174180e3dac73b908ac36915f8940542adc8ccef6d3feda493af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe

Filesize
750KB

MD5
765f9c01b90262fe994657fa9d584be3

SHA1
aa33ea0c3f72962957fb89ca918a2f8e8c24d679

SHA256
03844dfd79ac76c297c7adb81a51fb5bcce9dee859f46187c3c9c56fd38e1198

SHA512
47057e1e786c7838f69b9faab0f53ced82eb4796588754e426a09accb042ff8981af97f2e33174180e3dac73b908ac36915f8940542adc8ccef6d3feda493af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe

Filesize
306KB

MD5
e655cf68e11fb3420bd42ce66a06043f

SHA1
521763434af4e29c6e602bc732aaa444dc3b147a

SHA256
c2878542b60977205a19b7907da40877ebb604a643da35cd30c589f6081520de

SHA512
89bb0736c61cc51782a29e5b785fd83e11f904576195d0e8a275af21c4338f6b8cd58353cfcdaf465c4736ae6fa876b5918ed4b6893e007b00b36e23451f8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe

Filesize
306KB

MD5
e655cf68e11fb3420bd42ce66a06043f

SHA1
521763434af4e29c6e602bc732aaa444dc3b147a

SHA256
c2878542b60977205a19b7907da40877ebb604a643da35cd30c589f6081520de

SHA512
89bb0736c61cc51782a29e5b785fd83e11f904576195d0e8a275af21c4338f6b8cd58353cfcdaf465c4736ae6fa876b5918ed4b6893e007b00b36e23451f8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe

Filesize
186KB

MD5
8a58bb7867c918961fde0fc6ed363813

SHA1
8f431c3659f83aeb4a097a09447fa9976e06f30c

SHA256
893b0a2523d279f96da6168a1a5a579fd0e2d1aa4239f277118031668e81fa11

SHA512
7dfcd1e10e7fe679df1c23862c2d8fe983d4c047318dfa2bff11b7cb45b519d7c8cfe5fe99411268125c544d37f5860b1a43c67ddadfd40ef6c03ebe0186ff55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe

Filesize
186KB

MD5
8a58bb7867c918961fde0fc6ed363813

SHA1
8f431c3659f83aeb4a097a09447fa9976e06f30c

SHA256
893b0a2523d279f96da6168a1a5a579fd0e2d1aa4239f277118031668e81fa11

SHA512
7dfcd1e10e7fe679df1c23862c2d8fe983d4c047318dfa2bff11b7cb45b519d7c8cfe5fe99411268125c544d37f5860b1a43c67ddadfd40ef6c03ebe0186ff55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe

Filesize
145KB

MD5
3de0cc4186baca52961a2f58bcfb45de

SHA1
95b3bb39b1869fd6c53078821724f41ac745ae9e

SHA256
cc31a1183d9887bce8a7280f599f123dd773feb4702410716915c5f21c7057d8

SHA512
4623a7497734203c4a866264a58da8d9f754fff332d9bc535aecfb60626252a73cef688167328d6bef303ff0899749b9a87a98e28caa0e8a0aea316a3eb14c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe

Filesize
145KB

MD5
3de0cc4186baca52961a2f58bcfb45de

SHA1
95b3bb39b1869fd6c53078821724f41ac745ae9e

SHA256
cc31a1183d9887bce8a7280f599f123dd773feb4702410716915c5f21c7057d8

SHA512
4623a7497734203c4a866264a58da8d9f754fff332d9bc535aecfb60626252a73cef688167328d6bef303ff0899749b9a87a98e28caa0e8a0aea316a3eb14c69

Download Submit
memory/4376-173-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-185-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-158-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-159-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-163-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-161-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-167-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-165-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-169-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-171-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-156-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4376-175-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-177-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-179-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-181-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-157-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4376-183-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/4376-186-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4376-187-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4376-188-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4376-155-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/4376-154-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/4392-193-0x0000000000700000-0x000000000072A000-memory.dmp

Filesize
168KB

Download
memory/4392-194-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/4392-195-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/4392-196-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/4392-197-0x0000000005000000-0x000000000503C000-memory.dmp

Filesize
240KB

Download
memory/4392-198-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/4392-199-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads