redline | 460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96

General

Target

460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe
Size

756KB
MD5

f0318fa5008e6223635d23415a9135b3
SHA1

cb81b78e0be00141dca864e6b944a09c8214cad1
SHA256

460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96
SHA512

c36c866aa4c06fa09608852111480069c8dfdd54fc3c096ef5edbb3244660bfaddbe845d7d62fccc70f4a8a2a6c363d1d8b64d1b9262db2fbf9b7044f2bf9568
SSDEEP

12288:+Mrby901sDKTWjeMHOto3REqLG6sz+CM3kmtOFcV2/wcIOqWm2YQyvI:VytKLboG6szPstJcDqr2YQ+I

Score

10^/10

redline mars evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mars

C2

83.97.73.127:19045

Attributes

auth_value
91bd3682cfb50cdc64b6009eb977b766

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
244	v3946836.exe
3572	v3792893.exe
4008	a7548374.exe
2644	b8269249.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3946836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3946836.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3792893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3792893.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 704	4008	a7548374.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
704	AppLaunch.exe
704	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	704	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 244	2188	460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe	85
PID 2188 wrote to memory of 244	2188	460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe	85
PID 2188 wrote to memory of 244	2188	460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe	85
PID 244 wrote to memory of 3572	244	v3946836.exe	86
PID 244 wrote to memory of 3572	244	v3946836.exe	86
PID 244 wrote to memory of 3572	244	v3946836.exe	86
PID 3572 wrote to memory of 4008	3572	v3792893.exe	87
PID 3572 wrote to memory of 4008	3572	v3792893.exe	87
PID 3572 wrote to memory of 4008	3572	v3792893.exe	87
PID 4008 wrote to memory of 704	4008	a7548374.exe	89
PID 4008 wrote to memory of 704	4008	a7548374.exe	89
PID 4008 wrote to memory of 704	4008	a7548374.exe	89
PID 4008 wrote to memory of 704	4008	a7548374.exe	89
PID 4008 wrote to memory of 704	4008	a7548374.exe	89
PID 3572 wrote to memory of 2644	3572	v3792893.exe	90
PID 3572 wrote to memory of 2644	3572	v3792893.exe	90
PID 3572 wrote to memory of 2644	3572	v3792893.exe	90

C:\Users\Admin\AppData\Local\Temp\460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe
"C:\Users\Admin\AppData\Local\Temp\460cfbcf6bc9e1cdeb5a8bede21265e9f5176ec7d7c68fe145a5669006f79b96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3946836.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3946836.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792893.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792893.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7548374.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7548374.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8269249.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8269249.exe
      4⤵
      Executes dropped EXE
      PID:2644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3946836.exe

Filesize
446KB

MD5
4fbb8fdc69117a3eb7226c93ba50486a

SHA1
7a3a8bdcda3852104a815babb16f7bc50d617bd5

SHA256
695631adb06e601b3abf67357771a4f74456577f5afbf155e8a8aaa2e3706091

SHA512
5fe0b6649d76111754f429d4df234189fd5cf8cb5662456c01a7b986ab119d954b7ef8e6505e0caf9571eb18e60303cf4413842313cd0b36ae6b917102828779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3946836.exe

Filesize
446KB

MD5
4fbb8fdc69117a3eb7226c93ba50486a

SHA1
7a3a8bdcda3852104a815babb16f7bc50d617bd5

SHA256
695631adb06e601b3abf67357771a4f74456577f5afbf155e8a8aaa2e3706091

SHA512
5fe0b6649d76111754f429d4df234189fd5cf8cb5662456c01a7b986ab119d954b7ef8e6505e0caf9571eb18e60303cf4413842313cd0b36ae6b917102828779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792893.exe

Filesize
274KB

MD5
82ecd12a6ab52d6e6d8ccf272180f41f

SHA1
32800d7dd6f9267575279363792ce7a9b395df37

SHA256
1cc13ccb057e2f7026c3cf236eda734b2c726eb13246d4316b1771ce32ec7f7f

SHA512
b3bb811c2130ea8de4c58b6c9f16365374e3b7015296d7c517ec31b36ef1596d081a343a4c5a6474261493bb822e402c6b0269b698a84275de15b73857550269

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792893.exe

Filesize
274KB

MD5
82ecd12a6ab52d6e6d8ccf272180f41f

SHA1
32800d7dd6f9267575279363792ce7a9b395df37

SHA256
1cc13ccb057e2f7026c3cf236eda734b2c726eb13246d4316b1771ce32ec7f7f

SHA512
b3bb811c2130ea8de4c58b6c9f16365374e3b7015296d7c517ec31b36ef1596d081a343a4c5a6474261493bb822e402c6b0269b698a84275de15b73857550269

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7548374.exe

Filesize
145KB

MD5
f3d95048cb4252de54d44e7e081cb54a

SHA1
b29181b32d19a6e5325d24d98edc000183a8f82e

SHA256
49affce6cc57a0709bf5f029d6012a08ace8b267eaa86c74af528979d8dd39d9

SHA512
22c1f3fc05d44ddae790d6826ba1c0c2082e513a285b1c6c2f9acfd42b06dc2e5446a2cb500b688b6107be00bb2d021f3bb83fb0e019c1829e7e638af59b8be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7548374.exe

Filesize
145KB

MD5
f3d95048cb4252de54d44e7e081cb54a

SHA1
b29181b32d19a6e5325d24d98edc000183a8f82e

SHA256
49affce6cc57a0709bf5f029d6012a08ace8b267eaa86c74af528979d8dd39d9

SHA512
22c1f3fc05d44ddae790d6826ba1c0c2082e513a285b1c6c2f9acfd42b06dc2e5446a2cb500b688b6107be00bb2d021f3bb83fb0e019c1829e7e638af59b8be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8269249.exe

Filesize
168KB

MD5
bfada8bc94a9cf5faef097f44c1dffe1

SHA1
7cbb738bbb63f8adf2bbdc109ebeeced87f8b611

SHA256
9d71cd25b5e6be8103015bc55f45d3249dd13ccaf6ec28f7f8a29d991a06d50c

SHA512
54c65e708527a3e50c6212e970fd93223712f6be0a88c6df4b82b964df41d523e16e44baa33d4902d08a1de39580e066ad60e03bd966e5dc0a4bb314a5a3c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8269249.exe

Filesize
168KB

MD5
bfada8bc94a9cf5faef097f44c1dffe1

SHA1
7cbb738bbb63f8adf2bbdc109ebeeced87f8b611

SHA256
9d71cd25b5e6be8103015bc55f45d3249dd13ccaf6ec28f7f8a29d991a06d50c

SHA512
54c65e708527a3e50c6212e970fd93223712f6be0a88c6df4b82b964df41d523e16e44baa33d4902d08a1de39580e066ad60e03bd966e5dc0a4bb314a5a3c094

Download Submit
memory/704-154-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2644-162-0x0000000000B20000-0x0000000000B4E000-memory.dmp

Filesize
184KB

Download
memory/2644-163-0x000000000ADE0000-0x000000000B3F8000-memory.dmp

Filesize
6.1MB

Download
memory/2644-164-0x000000000A960000-0x000000000AA6A000-memory.dmp

Filesize
1.0MB

Download
memory/2644-165-0x000000000A890000-0x000000000A8A2000-memory.dmp

Filesize
72KB

Download
memory/2644-166-0x000000000A8F0000-0x000000000A92C000-memory.dmp

Filesize
240KB

Download
memory/2644-167-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/2644-169-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads