redline | 19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652

General

Target

19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe
Size

580KB
MD5

145e222dfac482f12f4a3a2cf0bf0037
SHA1

fd640d0793b2cec29d049fc79be3ee7242077f9a
SHA256

19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652
SHA512

542326064b1a45406fa9107c6afaa311f96d6ccf2c9a1ad8f89c3904434a16af3200a6cc38c4ad139c98d6380f4b4013c25e3377372ced96ea8830621d08876f
SSDEEP

12288:LMrSy90lYLiFimTmKpQScvOZEkCv7WrCgXrau6MCw1NS:VyRi8CCfk1CgTuw1k

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0728282.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0728282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0728282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0728282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0728282.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0728282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0728282.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6493607.exev4704473.exea0728282.exeb0865255.exe

pid process

2064 v6493607.exe
1192 v4704473.exe
640 a0728282.exe
1032 b0865255.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0728282.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0728282.exe

pid	process
2064	v6493607.exe
1192	v4704473.exe
640	a0728282.exe
1032	b0865255.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0728282.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v4704473.exe19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exev6493607.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4704473.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6493607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6493607.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4704473.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a0728282.exeb0865255.exe

pid	process
640	a0728282.exe
640	a0728282.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe
1032	b0865255.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a0728282.exeb0865255.exe

description pid process

Token: SeDebugPrivilege 640 a0728282.exe
Token: SeDebugPrivilege 1032 b0865255.exe

description	pid	process
Token: SeDebugPrivilege	640	a0728282.exe
Token: SeDebugPrivilege	1032	b0865255.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exev6493607.exev4704473.exe

description	pid	process	target process
PID 3720 wrote to memory of 2064	3720	19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe	v6493607.exe
PID 3720 wrote to memory of 2064	3720	19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe	v6493607.exe
PID 3720 wrote to memory of 2064	3720	19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe	v6493607.exe
PID 2064 wrote to memory of 1192	2064	v6493607.exe	v4704473.exe
PID 2064 wrote to memory of 1192	2064	v6493607.exe	v4704473.exe
PID 2064 wrote to memory of 1192	2064	v6493607.exe	v4704473.exe
PID 1192 wrote to memory of 640	1192	v4704473.exe	a0728282.exe
PID 1192 wrote to memory of 640	1192	v4704473.exe	a0728282.exe
PID 1192 wrote to memory of 1032	1192	v4704473.exe	b0865255.exe
PID 1192 wrote to memory of 1032	1192	v4704473.exe	b0865255.exe
PID 1192 wrote to memory of 1032	1192	v4704473.exe	b0865255.exe

C:\Users\Admin\AppData\Local\Temp\19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe
"C:\Users\Admin\AppData\Local\Temp\19eb0614a4685452e76bc27754deac90a12a51f18597838b36869fd7ab806652.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6493607.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6493607.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4704473.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4704473.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0728282.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0728282.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0865255.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0865255.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6493607.exe
Filesize
377KB

MD5
d612673681d19016bbf2dc3f579b4b9d

SHA1
d761306c7f168d65c232b3cf389e06454a622666

SHA256
c19737875632f2f47d9e6e10b198d0978bd5c858677985474ccea827c9f5c1cd

SHA512
4c1ae56b36b32c549b58d40636816cbc3b6fccbbd2dfd8c37db993cd9c7f7c77a6ccd81a876e66f446e9f2e018ee857e028f2121c027e82465911617ef51362b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6493607.exe
Filesize
377KB

MD5
d612673681d19016bbf2dc3f579b4b9d

SHA1
d761306c7f168d65c232b3cf389e06454a622666

SHA256
c19737875632f2f47d9e6e10b198d0978bd5c858677985474ccea827c9f5c1cd

SHA512
4c1ae56b36b32c549b58d40636816cbc3b6fccbbd2dfd8c37db993cd9c7f7c77a6ccd81a876e66f446e9f2e018ee857e028f2121c027e82465911617ef51362b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4704473.exe
Filesize
206KB

MD5
49a275bdd5e2dc094f409b58b21ac74d

SHA1
a369ca41e44157677c3f68e5358154a36a34b3da

SHA256
0f9bd76c3e94413cc2f2e9ff32d72df38e0f2aaab111eda2c458b0bbead57e72

SHA512
2981a43002ea261ea10928d48bf6c8c1d984fc3fb4c9092477b8ab61bab2755a001619f15b40d2b82774537d92525f104a21f04a94593caba2cb6515166c8004

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4704473.exe
Filesize
206KB

MD5
49a275bdd5e2dc094f409b58b21ac74d

SHA1
a369ca41e44157677c3f68e5358154a36a34b3da

SHA256
0f9bd76c3e94413cc2f2e9ff32d72df38e0f2aaab111eda2c458b0bbead57e72

SHA512
2981a43002ea261ea10928d48bf6c8c1d984fc3fb4c9092477b8ab61bab2755a001619f15b40d2b82774537d92525f104a21f04a94593caba2cb6515166c8004

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0728282.exe
Filesize
11KB

MD5
926401d28f2d419dd13ae4176ec862f7

SHA1
fb7637099ab685a43294536062ea62e28f915d25

SHA256
2af10a84aa25d352e2e2c6903062c5edcdb79c12a76f8794a1e26c8713e62bbf

SHA512
ad9bed0a4436af434503c55e5c51ead97de81db3bab912beb4f183b2de15b2977caf3710a5e04f456611130a965ace76c4388ca1073c71cd67d0becc04d275d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0728282.exe
Filesize
11KB

MD5
926401d28f2d419dd13ae4176ec862f7

SHA1
fb7637099ab685a43294536062ea62e28f915d25

SHA256
2af10a84aa25d352e2e2c6903062c5edcdb79c12a76f8794a1e26c8713e62bbf

SHA512
ad9bed0a4436af434503c55e5c51ead97de81db3bab912beb4f183b2de15b2977caf3710a5e04f456611130a965ace76c4388ca1073c71cd67d0becc04d275d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0865255.exe
Filesize
172KB

MD5
15a5e9e974bf26ec5d0b393fb6488f4d

SHA1
aa43734b0658d59d7ea2a616f23bf7fef9c00b67

SHA256
3ab96fb52a0df463ffba521e50391b61b579866ed2ea32831555f6d0a18871f3

SHA512
e391c1450b8db89bfd50a69ac6b62168b143ad000976425c7de8937673977c1b98c9750b924bc6934b90ff6576dfdc9d7b8d21f3945fffbb2a47c903174eeb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0865255.exe
Filesize
172KB

MD5
15a5e9e974bf26ec5d0b393fb6488f4d

SHA1
aa43734b0658d59d7ea2a616f23bf7fef9c00b67

SHA256
3ab96fb52a0df463ffba521e50391b61b579866ed2ea32831555f6d0a18871f3

SHA512
e391c1450b8db89bfd50a69ac6b62168b143ad000976425c7de8937673977c1b98c9750b924bc6934b90ff6576dfdc9d7b8d21f3945fffbb2a47c903174eeb91

Download Submit
memory/640-154-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/1032-160-0x000000000A460000-0x000000000AA78000-memory.dmp

Filesize
6.1MB

Download
memory/1032-166-0x000000000AB20000-0x000000000ABB2000-memory.dmp

Filesize
584KB

Download
memory/1032-161-0x0000000009FE0000-0x000000000A0EA000-memory.dmp

Filesize
1.0MB

Download
memory/1032-162-0x0000000009F20000-0x0000000009F32000-memory.dmp

Filesize
72KB

Download
memory/1032-163-0x0000000009F80000-0x0000000009FBC000-memory.dmp

Filesize
240KB

Download
memory/1032-164-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/1032-165-0x000000000A290000-0x000000000A306000-memory.dmp

Filesize
472KB

Download
memory/1032-159-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/1032-167-0x000000000AA80000-0x000000000AAE6000-memory.dmp

Filesize
408KB

Download
memory/1032-168-0x000000000B470000-0x000000000BA14000-memory.dmp

Filesize
5.6MB

Download
memory/1032-169-0x000000000B0B0000-0x000000000B100000-memory.dmp

Filesize
320KB

Download
memory/1032-170-0x000000000BA20000-0x000000000BBE2000-memory.dmp

Filesize
1.8MB

Download
memory/1032-171-0x000000000C120000-0x000000000C64C000-memory.dmp

Filesize
5.2MB

Download
memory/1032-172-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads