redline | 9ae9b9590d073d8dc43110edfe7d258fb0924adc7202e056bf4e874191d1075b

General

Target

83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe
Size

1022KB
MD5

fee8dda92140ae14ad16abf57c0b36b6
SHA1

85c18958da3c0ee90b0dff5d0124fb3abe9dc719
SHA256

83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f
SHA512

4d5dd8e8e156153fcf2b0c0a1396dba7efd747133d5ea6b0566e556309625965a6396b88ba3b06d64994c322def3b7ebf0d679e976bcd856492d91479efb1c57
SSDEEP

24576:NyTNDKPWIrNZHHDoqZz3NnB35YxkCzV9Qgr2gKFBo+L6I:oTNudHHDoqZpR5MNeVY+L6

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9694928.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9694928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9694928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9694928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9694928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9694928.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4948	v1744444.exe
4952	v2322770.exe
2824	a9694928.exe
4680	b5173788.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9694928.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9694928.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1744444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1744444.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2322770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2322770.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2824	a9694928.exe
2824	a9694928.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	a9694928.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4948	5028	83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe	83
PID 5028 wrote to memory of 4948	5028	83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe	83
PID 5028 wrote to memory of 4948	5028	83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe	83
PID 4948 wrote to memory of 4952	4948	v1744444.exe	84
PID 4948 wrote to memory of 4952	4948	v1744444.exe	84
PID 4948 wrote to memory of 4952	4948	v1744444.exe	84
PID 4952 wrote to memory of 2824	4952	v2322770.exe	85
PID 4952 wrote to memory of 2824	4952	v2322770.exe	85
PID 4952 wrote to memory of 2824	4952	v2322770.exe	85
PID 4952 wrote to memory of 4680	4952	v2322770.exe	88
PID 4952 wrote to memory of 4680	4952	v2322770.exe	88
PID 4952 wrote to memory of 4680	4952	v2322770.exe	88

C:\Users\Admin\AppData\Local\Temp\83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe
"C:\Users\Admin\AppData\Local\Temp\83066dd9923343dfbce3af14e45c5918f9f569b4ba9e821c6e93ef50c39dbd5f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1744444.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1744444.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2322770.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2322770.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9694928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9694928.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5173788.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5173788.exe
      4⤵
      Executes dropped EXE
      PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1744444.exe

Filesize
750KB

MD5
096f96e60b983cadbf7157e8d2bc5829

SHA1
5fc6774e1efab356c9740f65f5fb5c8c6ce98495

SHA256
847a1c11d023dafd2a8710130f7d4848cc2be9d885cc801794d24f74db48017d

SHA512
c5f5e4247098b7e0a11b436499f7e0b71f9c930aedda51cbc5e4d2e98123b10db5843084237479956eaaccfbb7c95b3f65626874e81961894628ea4968711dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1744444.exe

Filesize
750KB

MD5
096f96e60b983cadbf7157e8d2bc5829

SHA1
5fc6774e1efab356c9740f65f5fb5c8c6ce98495

SHA256
847a1c11d023dafd2a8710130f7d4848cc2be9d885cc801794d24f74db48017d

SHA512
c5f5e4247098b7e0a11b436499f7e0b71f9c930aedda51cbc5e4d2e98123b10db5843084237479956eaaccfbb7c95b3f65626874e81961894628ea4968711dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2322770.exe

Filesize
305KB

MD5
0d881ac20d764a2548844a2dc17d24b1

SHA1
10c78d0985769faa6ed68a036ed33d065cdd4e72

SHA256
e184818164e1c88dc24dbb7a33e3178534b15efa0893a9755f8af64c1b46cb17

SHA512
57f428e8552fbb8be6519ff29f39c10f116afa3ea6976c7e3b775f6cd101815897f5ade663f2ff52fe648b67fd51021b88ba8e73e4c9f6c0cf2d64ef576f6efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2322770.exe

Filesize
305KB

MD5
0d881ac20d764a2548844a2dc17d24b1

SHA1
10c78d0985769faa6ed68a036ed33d065cdd4e72

SHA256
e184818164e1c88dc24dbb7a33e3178534b15efa0893a9755f8af64c1b46cb17

SHA512
57f428e8552fbb8be6519ff29f39c10f116afa3ea6976c7e3b775f6cd101815897f5ade663f2ff52fe648b67fd51021b88ba8e73e4c9f6c0cf2d64ef576f6efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9694928.exe

Filesize
185KB

MD5
feff370e4dbbb02929b4db28f8d07604

SHA1
170c11505e9de17acf969864df9b09630983fe6b

SHA256
ef6442129b719eb6c06d6d1f8930b82151fceacc843db45369941d64caba4151

SHA512
f48d518ebeedf9cf19a2d697b237c23b43101458b0a29369c6481573fba745baf909911b6f1759fc6bf1128f7e817889b46c3aa40d1c06540dddcc207759f009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9694928.exe

Filesize
185KB

MD5
feff370e4dbbb02929b4db28f8d07604

SHA1
170c11505e9de17acf969864df9b09630983fe6b

SHA256
ef6442129b719eb6c06d6d1f8930b82151fceacc843db45369941d64caba4151

SHA512
f48d518ebeedf9cf19a2d697b237c23b43101458b0a29369c6481573fba745baf909911b6f1759fc6bf1128f7e817889b46c3aa40d1c06540dddcc207759f009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5173788.exe

Filesize
145KB

MD5
55d4e092295e75eb39e02f8c8f19e8b0

SHA1
16bf37f1fe86788392d04d80651a76f0f2aa623b

SHA256
11055d86a2d76f8c862ace1b5637871cace549119f70c8a02c7319255fdf133f

SHA512
dae80af257e2aacfe346ecdf91509ada3fdcdf7aee442cc47490bf87a11f4a92599a6d4dc41f64fcd7c0192ffafd8d69b91878eeda70e7e1012a2ddf5d028372

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5173788.exe

Filesize
145KB

MD5
55d4e092295e75eb39e02f8c8f19e8b0

SHA1
16bf37f1fe86788392d04d80651a76f0f2aa623b

SHA256
11055d86a2d76f8c862ace1b5637871cace549119f70c8a02c7319255fdf133f

SHA512
dae80af257e2aacfe346ecdf91509ada3fdcdf7aee442cc47490bf87a11f4a92599a6d4dc41f64fcd7c0192ffafd8d69b91878eeda70e7e1012a2ddf5d028372

Download Submit
memory/2824-154-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2824-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-161-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-159-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-163-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-165-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-167-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-169-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-171-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-173-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-175-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-177-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-157-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2824-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/2824-186-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2824-187-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2824-155-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download
memory/2824-156-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/4680-192-0x0000000000E10000-0x0000000000E3A000-memory.dmp

Filesize
168KB

Download
memory/4680-193-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/4680-194-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/4680-195-0x00000000056A0000-0x00000000056B2000-memory.dmp

Filesize
72KB

Download
memory/4680-196-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/4680-197-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/4680-198-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads