redline | 48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9

General

Target

48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe
Size

581KB
MD5

6e6a02cd249d1cffdb8e29513be7c3d4
SHA1

e121bf3cf1dbc825ea84486e9c036386a6d35897
SHA256

48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9
SHA512

51e1c41306fdc93ae35eab38486fdd692a2ee494a7b6b0a22613750e6428685fade358449e3f81766c2ea706f7b46d1d1ef1faf0140e12c89170ed1bb3ad9a19
SSDEEP

12288:YMrny90Lq5ZcTWzVzwKMXt1MPJMbDWyV0Q7tqwt8:fyQqjjznMXg+DhvK

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6544935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6544935.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6544935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6544935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6544935.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6544935.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1800	v9529573.exe
2456	v4728162.exe
4236	a6544935.exe
212	b1165927.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6544935.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9529573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9529573.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4728162.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4728162.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4236	a6544935.exe
4236	a6544935.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe
212	b1165927.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	a6544935.exe
Token: SeDebugPrivilege	212	b1165927.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1800	1828	48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe	86
PID 1828 wrote to memory of 1800	1828	48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe	86
PID 1828 wrote to memory of 1800	1828	48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe	86
PID 1800 wrote to memory of 2456	1800	v9529573.exe	87
PID 1800 wrote to memory of 2456	1800	v9529573.exe	87
PID 1800 wrote to memory of 2456	1800	v9529573.exe	87
PID 2456 wrote to memory of 4236	2456	v4728162.exe	88
PID 2456 wrote to memory of 4236	2456	v4728162.exe	88
PID 2456 wrote to memory of 212	2456	v4728162.exe	93
PID 2456 wrote to memory of 212	2456	v4728162.exe	93
PID 2456 wrote to memory of 212	2456	v4728162.exe	93

C:\Users\Admin\AppData\Local\Temp\48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe
"C:\Users\Admin\AppData\Local\Temp\48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe

Filesize
377KB

MD5
7d5ec6c58a9adf50a9e8bc1da1d90f79

SHA1
8955aacebe83d321d6e06960191084e7d881eeb4

SHA256
d1fb6686afd9cb1e303449dbb273ec913d3fe82720cb9b8d8ebc9369a3d60b62

SHA512
c0acec37ad256f3dafc4dbef701dd0d42dafc531be3b6e84a5aa1a9a4d69f8ae8a6129b58b8fb20a0c169a43f9f3b92e13cb001a051811f59ad447f9d06e6e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe

Filesize
377KB

MD5
7d5ec6c58a9adf50a9e8bc1da1d90f79

SHA1
8955aacebe83d321d6e06960191084e7d881eeb4

SHA256
d1fb6686afd9cb1e303449dbb273ec913d3fe82720cb9b8d8ebc9369a3d60b62

SHA512
c0acec37ad256f3dafc4dbef701dd0d42dafc531be3b6e84a5aa1a9a4d69f8ae8a6129b58b8fb20a0c169a43f9f3b92e13cb001a051811f59ad447f9d06e6e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe

Filesize
206KB

MD5
a3b91233c920ad3bfd1c2bba2fd83e37

SHA1
612814f8cfbbed85c6658f5bb4562fb2cade4f71

SHA256
fb40f3e9fd030878b3456f472b85e778d5014d46820b43c556f22bb632683778

SHA512
98f6e4b43416afddb95aa275ebe6e1f72f3eb47d1ff8c46f5c6bbc368200ad89eb7fab7c8f25fc61f88dd28b0b2f93aa115b6b6066a8f809b2b894d152c73663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe

Filesize
206KB

MD5
a3b91233c920ad3bfd1c2bba2fd83e37

SHA1
612814f8cfbbed85c6658f5bb4562fb2cade4f71

SHA256
fb40f3e9fd030878b3456f472b85e778d5014d46820b43c556f22bb632683778

SHA512
98f6e4b43416afddb95aa275ebe6e1f72f3eb47d1ff8c46f5c6bbc368200ad89eb7fab7c8f25fc61f88dd28b0b2f93aa115b6b6066a8f809b2b894d152c73663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe

Filesize
11KB

MD5
72f6e5b3d37f8e459aa8d443f0dee42c

SHA1
b2bf68250386a762387d32d12fe9034773b3b274

SHA256
177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

SHA512
323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe

Filesize
11KB

MD5
72f6e5b3d37f8e459aa8d443f0dee42c

SHA1
b2bf68250386a762387d32d12fe9034773b3b274

SHA256
177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

SHA512
323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe

Filesize
172KB

MD5
6376d5b5ffc211bf51845ec627531abf

SHA1
aa3b960b4410bc97372c3965262e6524264fdd74

SHA256
6df8e1ac5b370062a9606fdaa30f380d7b35873f030f8cc5be9c05fc086081e7

SHA512
5e0d44b3098d8177aab7b85a98bc15b85272b239b3261da7998d39aec2e68bef950e1421dcd0f8967c5b710cb3bc56c946317a82e95b7d0a9158370eb25c2685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe

Filesize
172KB

MD5
6376d5b5ffc211bf51845ec627531abf

SHA1
aa3b960b4410bc97372c3965262e6524264fdd74

SHA256
6df8e1ac5b370062a9606fdaa30f380d7b35873f030f8cc5be9c05fc086081e7

SHA512
5e0d44b3098d8177aab7b85a98bc15b85272b239b3261da7998d39aec2e68bef950e1421dcd0f8967c5b710cb3bc56c946317a82e95b7d0a9158370eb25c2685

Download Submit
memory/212-160-0x000000000A9A0000-0x000000000AFB8000-memory.dmp

Filesize
6.1MB

Download
memory/212-165-0x000000000A750000-0x000000000A7C6000-memory.dmp

Filesize
472KB

Download
memory/212-172-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/212-161-0x000000000A4A0000-0x000000000A5AA000-memory.dmp

Filesize
1.0MB

Download
memory/212-162-0x000000000A3E0000-0x000000000A3F2000-memory.dmp

Filesize
72KB

Download
memory/212-163-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/212-164-0x000000000A440000-0x000000000A47C000-memory.dmp

Filesize
240KB

Download
memory/212-159-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/212-166-0x000000000A870000-0x000000000A902000-memory.dmp

Filesize
584KB

Download
memory/212-167-0x000000000A7D0000-0x000000000A836000-memory.dmp

Filesize
408KB

Download
memory/212-168-0x000000000B970000-0x000000000BF14000-memory.dmp

Filesize
5.6MB

Download
memory/212-169-0x000000000B460000-0x000000000B4B0000-memory.dmp

Filesize
320KB

Download
memory/212-170-0x000000000B690000-0x000000000B852000-memory.dmp

Filesize
1.8MB

Download
memory/212-171-0x000000000C450000-0x000000000C97C000-memory.dmp

Filesize
5.2MB

Download
memory/4236-154-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads