redline | 077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed

General

Target

077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe
Size

753KB
MD5

ee555a95d8aa2ec84d67803e4859d848
SHA1

c6b145cb9c0f0d3b7600d0773c1dedcfff02d804
SHA256

077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed
SHA512

96d26d14958289d2e8a9b3719d5005bbac745a28c15dbb2bae8f2cfd11b51321ca098651d561899c229f4a4d73ad50c578176e0c7d33ead0d26f71a0090c0239
SSDEEP

12288:2MrPy90AVHiI7jsmcYTe09Nscuj611GuXAitEbR4Won/XG9w:lytV/7jns/GwitE14Wrw

Score

10^/10

redline mars evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mars

C2

83.97.73.127:19045

Attributes

auth_value
91bd3682cfb50cdc64b6009eb977b766

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3956	v7556112.exe
4840	v3188395.exe
2104	a6485194.exe
3548	b0789794.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7556112.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3188395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3188395.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7556112.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 2092	2104	a6485194.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	AppLaunch.exe
2092	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3956	4100	077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe	66
PID 4100 wrote to memory of 3956	4100	077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe	66
PID 4100 wrote to memory of 3956	4100	077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe	66
PID 3956 wrote to memory of 4840	3956	v7556112.exe	67
PID 3956 wrote to memory of 4840	3956	v7556112.exe	67
PID 3956 wrote to memory of 4840	3956	v7556112.exe	67
PID 4840 wrote to memory of 2104	4840	v3188395.exe	68
PID 4840 wrote to memory of 2104	4840	v3188395.exe	68
PID 4840 wrote to memory of 2104	4840	v3188395.exe	68
PID 2104 wrote to memory of 2092	2104	a6485194.exe	70
PID 2104 wrote to memory of 2092	2104	a6485194.exe	70
PID 2104 wrote to memory of 2092	2104	a6485194.exe	70
PID 2104 wrote to memory of 2092	2104	a6485194.exe	70
PID 2104 wrote to memory of 2092	2104	a6485194.exe	70
PID 4840 wrote to memory of 3548	4840	v3188395.exe	71
PID 4840 wrote to memory of 3548	4840	v3188395.exe	71
PID 4840 wrote to memory of 3548	4840	v3188395.exe	71

C:\Users\Admin\AppData\Local\Temp\077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe
"C:\Users\Admin\AppData\Local\Temp\077ae7c99c7e1837764942d288608479d1540a621dd391b7ef47b8cbfed150ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7556112.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7556112.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3188395.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3188395.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6485194.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6485194.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0789794.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0789794.exe
      4⤵
      Executes dropped EXE
      PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7556112.exe

Filesize
445KB

MD5
a3f81d9eb17c64fa94f7066a476d9943

SHA1
3aef0c0868965af74a07054534f75ff8dc70f763

SHA256
a52a6f4ea34d8c07d8cf97c9694fa762acac8b8d6503a20a365ec29e640a6288

SHA512
cd97c49cd706456637ff9774e23d04d69f06ba7fa20cd685e0dc5d574e71aaaf10e5ca6d0d7e826a5e8252642fc8ccba8e08f9d717e0994b37f185fb5e65ee66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7556112.exe

Filesize
445KB

MD5
a3f81d9eb17c64fa94f7066a476d9943

SHA1
3aef0c0868965af74a07054534f75ff8dc70f763

SHA256
a52a6f4ea34d8c07d8cf97c9694fa762acac8b8d6503a20a365ec29e640a6288

SHA512
cd97c49cd706456637ff9774e23d04d69f06ba7fa20cd685e0dc5d574e71aaaf10e5ca6d0d7e826a5e8252642fc8ccba8e08f9d717e0994b37f185fb5e65ee66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3188395.exe

Filesize
273KB

MD5
92393fd756210d985cec36c0220c7b29

SHA1
a49487427bd87952d613579f312cfcef8d883f66

SHA256
7193daf7aaa2d16d8bc4afced71473610609e4e08798da7d8b505cba6dea7578

SHA512
f5dcf0e2463b8149ddb85c4146115f3e63fba83042c7b8bb90b05b3e0e688c5abeddd92c434b66b0987c997dc0f8ae371c978833c110f827ad6ee3d11319df6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3188395.exe

Filesize
273KB

MD5
92393fd756210d985cec36c0220c7b29

SHA1
a49487427bd87952d613579f312cfcef8d883f66

SHA256
7193daf7aaa2d16d8bc4afced71473610609e4e08798da7d8b505cba6dea7578

SHA512
f5dcf0e2463b8149ddb85c4146115f3e63fba83042c7b8bb90b05b3e0e688c5abeddd92c434b66b0987c997dc0f8ae371c978833c110f827ad6ee3d11319df6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6485194.exe

Filesize
145KB

MD5
47b4e9dc417da192c4c4fedcf4aeee37

SHA1
d1db786d7f5ea00aff187bbc28621667deb2da93

SHA256
330a5e55a3c16fb5b779351245a385704c90fac21e2577fa70c0e6e8cb9f0715

SHA512
515bb13aff9926dac2d2cb912c221b1b4a15a3f80b7a931f11183e7c75d5297c862e60eea3aa455c9dfd039b26ee8aa7fead1f1a9d84852f8d73a957115a020d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6485194.exe

Filesize
145KB

MD5
47b4e9dc417da192c4c4fedcf4aeee37

SHA1
d1db786d7f5ea00aff187bbc28621667deb2da93

SHA256
330a5e55a3c16fb5b779351245a385704c90fac21e2577fa70c0e6e8cb9f0715

SHA512
515bb13aff9926dac2d2cb912c221b1b4a15a3f80b7a931f11183e7c75d5297c862e60eea3aa455c9dfd039b26ee8aa7fead1f1a9d84852f8d73a957115a020d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0789794.exe

Filesize
168KB

MD5
a1848d889e05740b569679ef4e34b0f3

SHA1
eb878b5cdd6cbd3043eeb7ab920d3bdcfa74841a

SHA256
1f612a9e100fe0ff9d6fe6746a0c57099b7ecbae4c6477eb6d82e70fa5d00e73

SHA512
cb9bbc506bf5ef48bf583e3619523389dfe9f74cdb79861a0ffdec42d64592ade6f69e63a197b23f9e77dba60a92871cf96080d831296fc0b4499fb292f327a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0789794.exe

Filesize
168KB

MD5
a1848d889e05740b569679ef4e34b0f3

SHA1
eb878b5cdd6cbd3043eeb7ab920d3bdcfa74841a

SHA256
1f612a9e100fe0ff9d6fe6746a0c57099b7ecbae4c6477eb6d82e70fa5d00e73

SHA512
cb9bbc506bf5ef48bf583e3619523389dfe9f74cdb79861a0ffdec42d64592ade6f69e63a197b23f9e77dba60a92871cf96080d831296fc0b4499fb292f327a8

Download Submit
memory/2092-137-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3548-148-0x0000000000CB0000-0x0000000000CDE000-memory.dmp

Filesize
184KB

Download
memory/3548-149-0x0000000002F10000-0x0000000002F16000-memory.dmp

Filesize
24KB

Download
memory/3548-150-0x000000000B010000-0x000000000B616000-memory.dmp

Filesize
6.0MB

Download
memory/3548-151-0x000000000AB10000-0x000000000AC1A000-memory.dmp

Filesize
1.0MB

Download
memory/3548-152-0x0000000005550000-0x0000000005562000-memory.dmp

Filesize
72KB

Download
memory/3548-153-0x000000000AA40000-0x000000000AA7E000-memory.dmp

Filesize
248KB

Download
memory/3548-154-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3548-155-0x000000000AA90000-0x000000000AADB000-memory.dmp

Filesize
300KB

Download
memory/3548-178-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads