redline | c9c89cfb3d3239dd2e0402da23caa0f803be818f8557bb568a09afab20285b7b

General

Target

networking992.exe
Size

1.0MB
MD5

d95487f0e0bff3c3ab490116a194c958
SHA1

665262a1ab5225e67a0a75d0d44bf93a7eb3a573
SHA256

c9c89cfb3d3239dd2e0402da23caa0f803be818f8557bb568a09afab20285b7b
SHA512

1bf424c7554b71a691fcdb6d6c13a5f30ced42659521582aa1a739a175b9aa5a595da8e8ef08911b8f9dbd7e75a5a6db61327555eef5df80e9a53a9f1fa0e2e3
SSDEEP

24576:rycHy/2NUD8zFq6vYk2xNh6Le1bRnv2yg0iJnfQhA:ecSeNMgFq6ADxce1Myyhs

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7934065.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7934065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7934065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7934065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7934065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7934065.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2420	v3611307.exe
1436	v7715084.exe
4672	a7934065.exe
4040	b6816992.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7934065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7934065.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3611307.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7715084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7715084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	networking992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	networking992.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3611307.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4672	a7934065.exe
4672	a7934065.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4672	a7934065.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2420	1548	networking992.exe	85
PID 1548 wrote to memory of 2420	1548	networking992.exe	85
PID 1548 wrote to memory of 2420	1548	networking992.exe	85
PID 2420 wrote to memory of 1436	2420	v3611307.exe	86
PID 2420 wrote to memory of 1436	2420	v3611307.exe	86
PID 2420 wrote to memory of 1436	2420	v3611307.exe	86
PID 1436 wrote to memory of 4672	1436	v7715084.exe	87
PID 1436 wrote to memory of 4672	1436	v7715084.exe	87
PID 1436 wrote to memory of 4672	1436	v7715084.exe	87
PID 1436 wrote to memory of 4040	1436	v7715084.exe	88
PID 1436 wrote to memory of 4040	1436	v7715084.exe	88
PID 1436 wrote to memory of 4040	1436	v7715084.exe	88

C:\Users\Admin\AppData\Local\Temp\networking992.exe
"C:\Users\Admin\AppData\Local\Temp\networking992.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3611307.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3611307.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7715084.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7715084.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7934065.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7934065.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6816992.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6816992.exe
      4⤵
      Executes dropped EXE
      PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3611307.exe

Filesize
750KB

MD5
947525a6a0a1262885446ec3c32f288f

SHA1
976d2c6452d98b837a0f86f4329d9f0e57cb150b

SHA256
fd2c4b8e122f3b8e980414a40d1eaaea04417ed18d0e8acf867fbb661f236e98

SHA512
2db17e50cb9065b4e1bd96a2256636a4dfb4b85807ae0228483f38313db41ca0441b7eb4ff73499f72fec49547649eab49cb3971035ea08c5f1074715cb7efa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3611307.exe

Filesize
750KB

MD5
947525a6a0a1262885446ec3c32f288f

SHA1
976d2c6452d98b837a0f86f4329d9f0e57cb150b

SHA256
fd2c4b8e122f3b8e980414a40d1eaaea04417ed18d0e8acf867fbb661f236e98

SHA512
2db17e50cb9065b4e1bd96a2256636a4dfb4b85807ae0228483f38313db41ca0441b7eb4ff73499f72fec49547649eab49cb3971035ea08c5f1074715cb7efa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7715084.exe

Filesize
306KB

MD5
740fdcb2e6198a7fb68c6034d735a30b

SHA1
47cabf70d899e6e883a8862ac968235c75379770

SHA256
0add766601b420ba282063c7ecc75c63611c1d5bd193c4ad8338ed24d94a3a33

SHA512
1bb0b7f1b4e16282e1d61e8c06f50d747dfebe169d2b543c348a556c140a41ddb5dc34f3425c34a3ff5c2c599ad24a27b36919ca168e461d57d402739d4836d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7715084.exe

Filesize
306KB

MD5
740fdcb2e6198a7fb68c6034d735a30b

SHA1
47cabf70d899e6e883a8862ac968235c75379770

SHA256
0add766601b420ba282063c7ecc75c63611c1d5bd193c4ad8338ed24d94a3a33

SHA512
1bb0b7f1b4e16282e1d61e8c06f50d747dfebe169d2b543c348a556c140a41ddb5dc34f3425c34a3ff5c2c599ad24a27b36919ca168e461d57d402739d4836d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7934065.exe

Filesize
186KB

MD5
5f69f279b6130732e483136cb36b8c35

SHA1
5f220f6f8f5c6308386c01adcfecfaf7b5c78a42

SHA256
134121460c736242c52953f3e45df3940be8088c700e060ba15de3fa5bfb6083

SHA512
7f8ced0869ea692591e8216c6f0aeb9780693b768ce8a70b7721f81611e72c8281520d04d10f7d39890a855d5f8eba38c75797300d019333bf7e378d1b546ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7934065.exe

Filesize
186KB

MD5
5f69f279b6130732e483136cb36b8c35

SHA1
5f220f6f8f5c6308386c01adcfecfaf7b5c78a42

SHA256
134121460c736242c52953f3e45df3940be8088c700e060ba15de3fa5bfb6083

SHA512
7f8ced0869ea692591e8216c6f0aeb9780693b768ce8a70b7721f81611e72c8281520d04d10f7d39890a855d5f8eba38c75797300d019333bf7e378d1b546ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6816992.exe

Filesize
145KB

MD5
fa5e92966b1defe4a248651d2d58d2a0

SHA1
1742eeea2e391c7038ec720770a99958c85e0c8b

SHA256
e8821fe17025c680b6dd656623273c69d58b8b8199e6f966d46137f60ca89fe3

SHA512
21d871d29022cb895ef41e7d72dfbbcd1cd896177e428730910f264ab139189ab144c069dc8bae8c9dd294c99e6bf61225306b736310741e8e29f49a10a1fbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6816992.exe

Filesize
145KB

MD5
fa5e92966b1defe4a248651d2d58d2a0

SHA1
1742eeea2e391c7038ec720770a99958c85e0c8b

SHA256
e8821fe17025c680b6dd656623273c69d58b8b8199e6f966d46137f60ca89fe3

SHA512
21d871d29022cb895ef41e7d72dfbbcd1cd896177e428730910f264ab139189ab144c069dc8bae8c9dd294c99e6bf61225306b736310741e8e29f49a10a1fbb2

Download Submit
memory/4040-199-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4040-196-0x00000000048A0000-0x00000000048B2000-memory.dmp

Filesize
72KB

Download
memory/4040-195-0x0000000004970000-0x0000000004A7A000-memory.dmp

Filesize
1.0MB

Download
memory/4040-194-0x0000000004DF0000-0x0000000005408000-memory.dmp

Filesize
6.1MB

Download
memory/4040-193-0x0000000000010000-0x000000000003A000-memory.dmp

Filesize
168KB

Download
memory/4040-197-0x0000000004900000-0x000000000493C000-memory.dmp

Filesize
240KB

Download
memory/4040-198-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4672-173-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-187-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4672-171-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-167-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-175-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-177-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-186-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4672-169-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-188-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4672-165-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-163-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-161-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-159-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4672-157-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4672-156-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4672-155-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4672-154-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads