redline | 6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5

General

Target

6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe
Size

767KB
MD5

d08d676a65ed68fc37a910f69eafc970
SHA1

80777e40806a2fe8fc9c7b442179acff8b051d5b
SHA256

6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5
SHA512

2abb353a67fda44179785b2f6c4a2c165c0661ab06c28391f2efaeaf34e66c2e83fb566f665d8dc7c045b098cd4add44c7dda7d941266244b2cc5cfc7f0b7b86
SSDEEP

12288:kMrKy90tZELCu/9wmqlYbeelEkEhESAtCh4t2pCOp/Sfnv+P3m+f3avaw4WhE88H:uyyZ6999qmbZFSWCqtw/Sfnvc2+PTw4p

Score

10^/10

redline mina evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mina

C2

83.97.73.122:19062

Attributes

auth_value
3d04bf4b8ba2a11c4dcf9df0e388fa05

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2504	v5435962.exe
2960	v7972180.exe
3896	a1948464.exe
4120	b0954682.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5435962.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7972180.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7972180.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5435962.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 4388	3896	a1948464.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4388	AppLaunch.exe
4388	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2504	2468	6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe	66
PID 2468 wrote to memory of 2504	2468	6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe	66
PID 2468 wrote to memory of 2504	2468	6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe	66
PID 2504 wrote to memory of 2960	2504	v5435962.exe	67
PID 2504 wrote to memory of 2960	2504	v5435962.exe	67
PID 2504 wrote to memory of 2960	2504	v5435962.exe	67
PID 2960 wrote to memory of 3896	2960	v7972180.exe	68
PID 2960 wrote to memory of 3896	2960	v7972180.exe	68
PID 2960 wrote to memory of 3896	2960	v7972180.exe	68
PID 3896 wrote to memory of 4388	3896	a1948464.exe	70
PID 3896 wrote to memory of 4388	3896	a1948464.exe	70
PID 3896 wrote to memory of 4388	3896	a1948464.exe	70
PID 3896 wrote to memory of 4388	3896	a1948464.exe	70
PID 3896 wrote to memory of 4388	3896	a1948464.exe	70
PID 2960 wrote to memory of 4120	2960	v7972180.exe	71
PID 2960 wrote to memory of 4120	2960	v7972180.exe	71
PID 2960 wrote to memory of 4120	2960	v7972180.exe	71

C:\Users\Admin\AppData\Local\Temp\6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe
"C:\Users\Admin\AppData\Local\Temp\6bf4e6d596ed0c41732633c83e2241afb32e9cff426df3b8fc0801ae49e2d6c5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5435962.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5435962.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7972180.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7972180.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1948464.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1948464.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0954682.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0954682.exe
      4⤵
      Executes dropped EXE
      PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5435962.exe

Filesize
449KB

MD5
81a4a76f870dbfc44b13b33ea8380a6b

SHA1
32ccf8293c46519e7d964182c5d27b05ebf381c2

SHA256
9504fbb2bcd43d0633c4b41324b96805363e48a392873155c65d9faef3d92a73

SHA512
971a0cb2685e9383b1b5126592d65475cd0272281e18a7b983b73612253b3be5b89052968354b027bbd30db0c9142f8fbabcd2acb48e25cc95c4dd04fc641312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5435962.exe

Filesize
449KB

MD5
81a4a76f870dbfc44b13b33ea8380a6b

SHA1
32ccf8293c46519e7d964182c5d27b05ebf381c2

SHA256
9504fbb2bcd43d0633c4b41324b96805363e48a392873155c65d9faef3d92a73

SHA512
971a0cb2685e9383b1b5126592d65475cd0272281e18a7b983b73612253b3be5b89052968354b027bbd30db0c9142f8fbabcd2acb48e25cc95c4dd04fc641312

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7972180.exe

Filesize
277KB

MD5
2e2dd0971611c1185b6ca6402995b11a

SHA1
e87be53e319c6a2cc9901f90751625ad5144a1cf

SHA256
066a6e062245679605b0fcaf47ce091eae62acf932c68a085d521c43a34f7a45

SHA512
d30ab0afbeb246f97c0e78f141df0973778bcf5af3a83bc35017b93eaa68f68ac72181682831e66c0be582f1d7a5677b318a04c3d8d71279c435a195bab7a445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7972180.exe

Filesize
277KB

MD5
2e2dd0971611c1185b6ca6402995b11a

SHA1
e87be53e319c6a2cc9901f90751625ad5144a1cf

SHA256
066a6e062245679605b0fcaf47ce091eae62acf932c68a085d521c43a34f7a45

SHA512
d30ab0afbeb246f97c0e78f141df0973778bcf5af3a83bc35017b93eaa68f68ac72181682831e66c0be582f1d7a5677b318a04c3d8d71279c435a195bab7a445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1948464.exe

Filesize
188KB

MD5
75e984ced00166665f5d2caf79637eeb

SHA1
823ed38855506813b5167e8069fc542c14518341

SHA256
b01675fedca60ffb5b2f341621827964f55323e93450c86f333e153203fde6fc

SHA512
0ba0ac2cc6b590af3776f4deffb4751806d529a6487677a201babd5bce17c2ca247283a357a2e367181cc700dccff78f635f2d4cfa57c64444594526ee57b9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1948464.exe

Filesize
188KB

MD5
75e984ced00166665f5d2caf79637eeb

SHA1
823ed38855506813b5167e8069fc542c14518341

SHA256
b01675fedca60ffb5b2f341621827964f55323e93450c86f333e153203fde6fc

SHA512
0ba0ac2cc6b590af3776f4deffb4751806d529a6487677a201babd5bce17c2ca247283a357a2e367181cc700dccff78f635f2d4cfa57c64444594526ee57b9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0954682.exe

Filesize
145KB

MD5
f6a634bdd2a53e622fcc2a2aa803a02d

SHA1
4a9b1e64e51fd140687ce83b0610b3cff4d03109

SHA256
55603ae50b4aa48bbb19bb56c46d5798dfef08022dfc3458e1a5873b7609f558

SHA512
7c372646e377117b342bf38fd358730fbaceb50aaa40b6fdf2ef738842389bfeb81f635a4c65655cae1ff8f40150ec76505b57669ecbe6097aa987db685ce59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0954682.exe

Filesize
145KB

MD5
f6a634bdd2a53e622fcc2a2aa803a02d

SHA1
4a9b1e64e51fd140687ce83b0610b3cff4d03109

SHA256
55603ae50b4aa48bbb19bb56c46d5798dfef08022dfc3458e1a5873b7609f558

SHA512
7c372646e377117b342bf38fd358730fbaceb50aaa40b6fdf2ef738842389bfeb81f635a4c65655cae1ff8f40150ec76505b57669ecbe6097aa987db685ce59f

Download Submit
memory/4120-154-0x0000000000930000-0x000000000095A000-memory.dmp

Filesize
168KB

Download
memory/4120-155-0x00000000056F0000-0x0000000005CF6000-memory.dmp

Filesize
6.0MB

Download
memory/4120-156-0x0000000005250000-0x000000000535A000-memory.dmp

Filesize
1.0MB

Download
memory/4120-157-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/4120-158-0x00000000051E0000-0x000000000521E000-memory.dmp

Filesize
248KB

Download
memory/4120-159-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4120-160-0x0000000005360000-0x00000000053AB000-memory.dmp

Filesize
300KB

Download
memory/4388-143-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads