redline | 1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5

General

Target

1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe
Size

580KB
MD5

da9117e3e0d477494774b16ee143a653
SHA1

f65f531098d08fec2723028713b3fc4fa3f82736
SHA256

1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5
SHA512

d97a37b1b909fd7a68503cf036a570ac2f0d453e70967b7fe357f41f869de309c52f6848832454da9abbf9452070f6fddf0e22b64700657d7fa6c7f0c5d1e58a
SSDEEP

12288:dMrZy90ouSjCvtVdX76AbtJhG7rI1WjKe3pZczwb06LUwo8XbjYe:IyQjLbtJWP3ptQ6LnoUjYe

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3398282.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3398282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3398282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3398282.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3398282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3398282.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3398282.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v5764735.exev9223371.exea3398282.exeb4511450.exe

pid process

3740 v5764735.exe
3080 v9223371.exe
4428 a3398282.exe
1288 b4511450.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3398282.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3398282.exe

pid	process
3740	v5764735.exe
3080	v9223371.exe
4428	a3398282.exe
1288	b4511450.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3398282.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exev5764735.exev9223371.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5764735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5764735.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9223371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9223371.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

a3398282.exeb4511450.exe

pid	process
4428	a3398282.exe
4428	a3398282.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe
1288	b4511450.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a3398282.exeb4511450.exe

description pid process

Token: SeDebugPrivilege 4428 a3398282.exe
Token: SeDebugPrivilege 1288 b4511450.exe

description	pid	process
Token: SeDebugPrivilege	4428	a3398282.exe
Token: SeDebugPrivilege	1288	b4511450.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exev5764735.exev9223371.exe

description	pid	process	target process
PID 4896 wrote to memory of 3740	4896	1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe	v5764735.exe
PID 4896 wrote to memory of 3740	4896	1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe	v5764735.exe
PID 4896 wrote to memory of 3740	4896	1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe	v5764735.exe
PID 3740 wrote to memory of 3080	3740	v5764735.exe	v9223371.exe
PID 3740 wrote to memory of 3080	3740	v5764735.exe	v9223371.exe
PID 3740 wrote to memory of 3080	3740	v5764735.exe	v9223371.exe
PID 3080 wrote to memory of 4428	3080	v9223371.exe	a3398282.exe
PID 3080 wrote to memory of 4428	3080	v9223371.exe	a3398282.exe
PID 3080 wrote to memory of 1288	3080	v9223371.exe	b4511450.exe
PID 3080 wrote to memory of 1288	3080	v9223371.exe	b4511450.exe
PID 3080 wrote to memory of 1288	3080	v9223371.exe	b4511450.exe

C:\Users\Admin\AppData\Local\Temp\1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe
"C:\Users\Admin\AppData\Local\Temp\1e674e8f362386ca1be61af5cb5e9cd8b043b98ba33f7ef1377898cbab2f70b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5764735.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5764735.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9223371.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9223371.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3398282.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3398282.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4511450.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4511450.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5764735.exe
Filesize
377KB

MD5
49ee05ca10f194ff8fa0702a5efadce5

SHA1
3d64e4eb23b06ad14e59e9ef4a323a7a31aec4f0

SHA256
98f3bbd34fdd218a01cdc6c2a82bd9fd9f53fec06bfd549ceef3bf7fbc93051a

SHA512
9e6bd830144bb6199cb4858239832826ca1f88065fa79f20720455828c34fa1f181025fa3bb144842c8c697482e1888e0d811ec9e900c624ebfecd8bd8b099f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5764735.exe
Filesize
377KB

MD5
49ee05ca10f194ff8fa0702a5efadce5

SHA1
3d64e4eb23b06ad14e59e9ef4a323a7a31aec4f0

SHA256
98f3bbd34fdd218a01cdc6c2a82bd9fd9f53fec06bfd549ceef3bf7fbc93051a

SHA512
9e6bd830144bb6199cb4858239832826ca1f88065fa79f20720455828c34fa1f181025fa3bb144842c8c697482e1888e0d811ec9e900c624ebfecd8bd8b099f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9223371.exe
Filesize
206KB

MD5
e1e5a8c421e68b460a29cb14aa137e33

SHA1
c0e82a48a5cce71d8e3e0b5bd006aedeec0ab260

SHA256
5dd2691dec44ad8ca4eb43164b26508ce1ba859ad7a794230ce98c1029de5a6b

SHA512
a3a73d212a13affb44fdf30f5e52a5f400096951e83fb7e0bad68dd832c8c8ad787cd902453770845b7807913ee040445131c23c563dcc60fed20905e5d0ac42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9223371.exe
Filesize
206KB

MD5
e1e5a8c421e68b460a29cb14aa137e33

SHA1
c0e82a48a5cce71d8e3e0b5bd006aedeec0ab260

SHA256
5dd2691dec44ad8ca4eb43164b26508ce1ba859ad7a794230ce98c1029de5a6b

SHA512
a3a73d212a13affb44fdf30f5e52a5f400096951e83fb7e0bad68dd832c8c8ad787cd902453770845b7807913ee040445131c23c563dcc60fed20905e5d0ac42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3398282.exe
Filesize
11KB

MD5
a1c448accf2f716fcbe604827d31155f

SHA1
75ada21ed96b4a53a87447df511681c3328856a4

SHA256
cd477c9eafcbf38dfd2db68b92159857c2899066f59b9b27eee4fa1b840f1c27

SHA512
fdc18935d4c1e948240c8f17d3ce138b7e3d502c7b23b9c92b1e5f1afb4b4182dd51cbc2ba5cc1860b91bd2be2dd5d4d7e76aee7df1f10aedbfff236bc7dce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3398282.exe
Filesize
11KB

MD5
a1c448accf2f716fcbe604827d31155f

SHA1
75ada21ed96b4a53a87447df511681c3328856a4

SHA256
cd477c9eafcbf38dfd2db68b92159857c2899066f59b9b27eee4fa1b840f1c27

SHA512
fdc18935d4c1e948240c8f17d3ce138b7e3d502c7b23b9c92b1e5f1afb4b4182dd51cbc2ba5cc1860b91bd2be2dd5d4d7e76aee7df1f10aedbfff236bc7dce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4511450.exe
Filesize
172KB

MD5
35140db4564d4f9426bfa7ff5e5bd2ef

SHA1
26812720711114529f19709b5de26a184cb1daab

SHA256
c407662e9d29e406ccf988cfdc8690492e48679fb6bfc7e9cd9e6a174fcc0053

SHA512
d61e30baed43408e145612d54299b9c99d43c9bb233bf6b9712ec7989d649b9a77f2b1d461d3979e4b26388704012c03ee511ba3059e26d2e35789430e52fb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4511450.exe
Filesize
172KB

MD5
35140db4564d4f9426bfa7ff5e5bd2ef

SHA1
26812720711114529f19709b5de26a184cb1daab

SHA256
c407662e9d29e406ccf988cfdc8690492e48679fb6bfc7e9cd9e6a174fcc0053

SHA512
d61e30baed43408e145612d54299b9c99d43c9bb233bf6b9712ec7989d649b9a77f2b1d461d3979e4b26388704012c03ee511ba3059e26d2e35789430e52fb5c

Download Submit
memory/1288-160-0x000000000AE50000-0x000000000B468000-memory.dmp

Filesize
6.1MB

Download
memory/1288-165-0x000000000AC60000-0x000000000ACD6000-memory.dmp

Filesize
472KB

Download
memory/1288-172-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1288-161-0x000000000A9B0000-0x000000000AABA000-memory.dmp

Filesize
1.0MB

Download
memory/1288-162-0x000000000A8F0000-0x000000000A902000-memory.dmp

Filesize
72KB

Download
memory/1288-163-0x000000000A950000-0x000000000A98C000-memory.dmp

Filesize
240KB

Download
memory/1288-164-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1288-159-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/1288-166-0x000000000AD80000-0x000000000AE12000-memory.dmp

Filesize
584KB

Download
memory/1288-167-0x000000000BA20000-0x000000000BFC4000-memory.dmp

Filesize
5.6MB

Download
memory/1288-168-0x000000000B470000-0x000000000B4D6000-memory.dmp

Filesize
408KB

Download
memory/1288-169-0x000000000B980000-0x000000000B9D0000-memory.dmp

Filesize
320KB

Download
memory/1288-170-0x000000000C2A0000-0x000000000C462000-memory.dmp

Filesize
1.8MB

Download
memory/1288-171-0x000000000C9A0000-0x000000000CECC000-memory.dmp

Filesize
5.2MB

Download
memory/4428-154-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads