redline | 0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb

General

Target

0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe
Size

580KB
MD5

6dc2b06a4e18771aca44829ff6db94e5
SHA1

654052fcb737d63783a8df369444969c7c40f1d0
SHA256

0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb
SHA512

c50711baa83f1f4be276bb061a50b2d900791af9a66afc8dcd9c3fd5d6e59018f798aa63995766317c419f88e9b9b57d2b91dccb6debb8209274bff6ae485e5c
SSDEEP

6144:KNy+bnr+jp0yN90QEio0WBX+sIh8kWTnxNNqRpstHURnMK/2oQUSVAb21mXzBCVZ:LMrTy90YzIkMmp68Xz46JBOQ4yZ5i

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7316628.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7316628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7316628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7316628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7316628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7316628.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7316628.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v3070604.exev9283619.exea7316628.exeb7533084.exe

pid process

1908 v3070604.exe
1788 v9283619.exe
1316 a7316628.exe
1868 b7533084.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7316628.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7316628.exe

pid	process
1908	v3070604.exe
1788	v9283619.exe
1316	a7316628.exe
1868	b7533084.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7316628.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exev3070604.exev9283619.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3070604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3070604.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9283619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9283619.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a7316628.exeb7533084.exe

pid	process
1316	a7316628.exe
1316	a7316628.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe
1868	b7533084.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a7316628.exeb7533084.exe

description pid process

Token: SeDebugPrivilege 1316 a7316628.exe
Token: SeDebugPrivilege 1868 b7533084.exe

description	pid	process
Token: SeDebugPrivilege	1316	a7316628.exe
Token: SeDebugPrivilege	1868	b7533084.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exev3070604.exev9283619.exe

description	pid	process	target process
PID 2132 wrote to memory of 1908	2132	0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe	v3070604.exe
PID 2132 wrote to memory of 1908	2132	0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe	v3070604.exe
PID 2132 wrote to memory of 1908	2132	0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe	v3070604.exe
PID 1908 wrote to memory of 1788	1908	v3070604.exe	v9283619.exe
PID 1908 wrote to memory of 1788	1908	v3070604.exe	v9283619.exe
PID 1908 wrote to memory of 1788	1908	v3070604.exe	v9283619.exe
PID 1788 wrote to memory of 1316	1788	v9283619.exe	a7316628.exe
PID 1788 wrote to memory of 1316	1788	v9283619.exe	a7316628.exe
PID 1788 wrote to memory of 1868	1788	v9283619.exe	b7533084.exe
PID 1788 wrote to memory of 1868	1788	v9283619.exe	b7533084.exe
PID 1788 wrote to memory of 1868	1788	v9283619.exe	b7533084.exe

C:\Users\Admin\AppData\Local\Temp\0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe
"C:\Users\Admin\AppData\Local\Temp\0e1cca2b4e872f270317eaa4f3e9b5784966eba9b485b671c2b2c501780b99cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3070604.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3070604.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9283619.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9283619.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7316628.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7316628.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7533084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7533084.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3070604.exe
Filesize
377KB

MD5
f9e3fc12aa4f654bdd74726cf9ea61d9

SHA1
bac3a9d5341d2c104c4ffae8965d409084846727

SHA256
53decd01864e996c737c1620e45e1c4b1daa3ed7fccb13b6893ca074c807351a

SHA512
10954f5e3265a1ff70c4b45ea7a64051bd965988e4f38adc2f117da99eb8c6aa85cdf11de8d30981890101e8e3e63161182e9d17b88b0f7e22b38b8fa317af06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3070604.exe
Filesize
377KB

MD5
f9e3fc12aa4f654bdd74726cf9ea61d9

SHA1
bac3a9d5341d2c104c4ffae8965d409084846727

SHA256
53decd01864e996c737c1620e45e1c4b1daa3ed7fccb13b6893ca074c807351a

SHA512
10954f5e3265a1ff70c4b45ea7a64051bd965988e4f38adc2f117da99eb8c6aa85cdf11de8d30981890101e8e3e63161182e9d17b88b0f7e22b38b8fa317af06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9283619.exe
Filesize
206KB

MD5
0923d3a285fb0eb762778f18a1c2c1c2

SHA1
20d7e525f0b1e68b05d69c1f3f4814ee26e83831

SHA256
3b72a94b8491abfd8924f89cd29168096ebef438a75bd89376b81c08b8ab1ef6

SHA512
5c1cfb73ef11316500eedaf8e134bd2b8c212693c9f91ca11b27b995f912532fb25958916752fec29c23ada97922322a167735644000911efb72de3101df0e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9283619.exe
Filesize
206KB

MD5
0923d3a285fb0eb762778f18a1c2c1c2

SHA1
20d7e525f0b1e68b05d69c1f3f4814ee26e83831

SHA256
3b72a94b8491abfd8924f89cd29168096ebef438a75bd89376b81c08b8ab1ef6

SHA512
5c1cfb73ef11316500eedaf8e134bd2b8c212693c9f91ca11b27b995f912532fb25958916752fec29c23ada97922322a167735644000911efb72de3101df0e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7316628.exe
Filesize
11KB

MD5
3cb1768049acea810f774e5322411bc2

SHA1
e04d19f0127e366611919b226a2e34b7b655299c

SHA256
df99b1482b471387ab39fd89a701dd9a7027d1ca8e6970b7e46329d257df369a

SHA512
caf238337af1288f8fbf76ba8fa9dfe788828cf1a1185355cdfb7c890fd28be00b02ab923b1d294a8aac3a08ec615d8e9e2e87f44ef6c651d7cd7ea151f6cb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7316628.exe
Filesize
11KB

MD5
3cb1768049acea810f774e5322411bc2

SHA1
e04d19f0127e366611919b226a2e34b7b655299c

SHA256
df99b1482b471387ab39fd89a701dd9a7027d1ca8e6970b7e46329d257df369a

SHA512
caf238337af1288f8fbf76ba8fa9dfe788828cf1a1185355cdfb7c890fd28be00b02ab923b1d294a8aac3a08ec615d8e9e2e87f44ef6c651d7cd7ea151f6cb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7533084.exe
Filesize
172KB

MD5
37cf86501b84a00b39493476217a2cb1

SHA1
491471f4af21522d12660f2c097fd0826e1fc6ae

SHA256
f065facefc6c2e714f7bed6c711822e34de4eed0853c5b2003581cc0c6c5e6b2

SHA512
4d40464aa1b658ed145602397a7350f60d8d8c88304d08af1b794180fd39d94d04793555f7973e375fb267bac7b022be371ad67b73876e70c32ced9db663ae43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7533084.exe
Filesize
172KB

MD5
37cf86501b84a00b39493476217a2cb1

SHA1
491471f4af21522d12660f2c097fd0826e1fc6ae

SHA256
f065facefc6c2e714f7bed6c711822e34de4eed0853c5b2003581cc0c6c5e6b2

SHA512
4d40464aa1b658ed145602397a7350f60d8d8c88304d08af1b794180fd39d94d04793555f7973e375fb267bac7b022be371ad67b73876e70c32ced9db663ae43

Download Submit
memory/1316-154-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/1868-160-0x000000000A640000-0x000000000AC58000-memory.dmp

Filesize
6.1MB

Download
memory/1868-166-0x000000000A4E0000-0x000000000A572000-memory.dmp

Filesize
584KB

Download
memory/1868-161-0x000000000A130000-0x000000000A23A000-memory.dmp

Filesize
1.0MB

Download
memory/1868-162-0x000000000A050000-0x000000000A062000-memory.dmp

Filesize
72KB

Download
memory/1868-163-0x000000000A0B0000-0x000000000A0EC000-memory.dmp

Filesize
240KB

Download
memory/1868-164-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1868-165-0x000000000A3C0000-0x000000000A436000-memory.dmp

Filesize
472KB

Download
memory/1868-159-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/1868-167-0x000000000B210000-0x000000000B7B4000-memory.dmp

Filesize
5.6MB

Download
memory/1868-168-0x000000000A580000-0x000000000A5E6000-memory.dmp

Filesize
408KB

Download
memory/1868-169-0x000000000B990000-0x000000000BB52000-memory.dmp

Filesize
1.8MB

Download
memory/1868-170-0x000000000C090000-0x000000000C5BC000-memory.dmp

Filesize
5.2MB

Download
memory/1868-171-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1868-172-0x000000000B8C0000-0x000000000B910000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads