redline | 13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d

General

Target

13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe
Size

580KB
MD5

13591ee226fa280b46766a5f57ff4c49
SHA1

5ff906d28367eac623ec0392dd63d05caaac8d52
SHA256

13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d
SHA512

e6b8aa804bc1951f574e6bfc85c2490d9570a8011bc9d104e4d342b6534e89b1171542cee43ff3cc7e2beda7481e45996edd507272ad100865d2089a624c6110
SSDEEP

12288:mMr9y90x4/Izehp92BXO6ArWr+JahjlZ76Ml:zyd/Izk0Be6jaaJlZ76Ml

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7919054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7919054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7919054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7919054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7919054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7919054.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v0187268.exev0612035.exea7919054.exeb4481224.exe

pid process

1000 v0187268.exe
3364 v0612035.exe
4472 a7919054.exe
5068 b4481224.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7919054.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7919054.exe

pid	process
1000	v0187268.exe
3364	v0612035.exe
4472	a7919054.exe
5068	b4481224.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7919054.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exev0187268.exev0612035.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0187268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0187268.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0612035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0612035.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

a7919054.exeb4481224.exe

pid	process
4472	a7919054.exe
4472	a7919054.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe
5068	b4481224.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a7919054.exeb4481224.exe

description pid process

Token: SeDebugPrivilege 4472 a7919054.exe
Token: SeDebugPrivilege 5068 b4481224.exe

description	pid	process
Token: SeDebugPrivilege	4472	a7919054.exe
Token: SeDebugPrivilege	5068	b4481224.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exev0187268.exev0612035.exe

description	pid	process	target process
PID 3204 wrote to memory of 1000	3204	13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe	v0187268.exe
PID 3204 wrote to memory of 1000	3204	13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe	v0187268.exe
PID 3204 wrote to memory of 1000	3204	13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe	v0187268.exe
PID 1000 wrote to memory of 3364	1000	v0187268.exe	v0612035.exe
PID 1000 wrote to memory of 3364	1000	v0187268.exe	v0612035.exe
PID 1000 wrote to memory of 3364	1000	v0187268.exe	v0612035.exe
PID 3364 wrote to memory of 4472	3364	v0612035.exe	a7919054.exe
PID 3364 wrote to memory of 4472	3364	v0612035.exe	a7919054.exe
PID 3364 wrote to memory of 5068	3364	v0612035.exe	b4481224.exe
PID 3364 wrote to memory of 5068	3364	v0612035.exe	b4481224.exe
PID 3364 wrote to memory of 5068	3364	v0612035.exe	b4481224.exe

C:\Users\Admin\AppData\Local\Temp\13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe
"C:\Users\Admin\AppData\Local\Temp\13f8ed3f1de03a6137a41929cb761febe08d4e8ef4fdd1dcc3e5e9e362675f8d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0187268.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0187268.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0612035.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0612035.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7919054.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7919054.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4481224.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4481224.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0187268.exe
Filesize
377KB

MD5
f3c09f31699bd3c23017fd3a3a915156

SHA1
8fff328a3baa4fe7196e48792e4d8370ceb39784

SHA256
e3acc4de0136c891d3f0f9218066abc10b46de1284e2fb1dd6bf356457a8a12f

SHA512
69a803dcb31221f70969a47a8760df7c607c3c89dfb44bc131781be22bd86835807a2c9b8ef9807216142e038074114c5d04629ff4493ab632f78807caaabb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0187268.exe
Filesize
377KB

MD5
f3c09f31699bd3c23017fd3a3a915156

SHA1
8fff328a3baa4fe7196e48792e4d8370ceb39784

SHA256
e3acc4de0136c891d3f0f9218066abc10b46de1284e2fb1dd6bf356457a8a12f

SHA512
69a803dcb31221f70969a47a8760df7c607c3c89dfb44bc131781be22bd86835807a2c9b8ef9807216142e038074114c5d04629ff4493ab632f78807caaabb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0612035.exe
Filesize
206KB

MD5
2d4ed40fda39cd1a8eec70791e1d2f65

SHA1
0ac861e88f17693300f34d2305fb2f65a5915c7d

SHA256
78d75fbb13722cc22fc53f2b5a76ccda33be14c590ae925604045173ed1058c8

SHA512
7188987038c3167e3dcdceb95b7f766e25ba885865b24f68961bf5685fcf1c084e073d0f7b1d124654c3878c55ff5a8f77b5484adc8db72d418d6107bef60394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0612035.exe
Filesize
206KB

MD5
2d4ed40fda39cd1a8eec70791e1d2f65

SHA1
0ac861e88f17693300f34d2305fb2f65a5915c7d

SHA256
78d75fbb13722cc22fc53f2b5a76ccda33be14c590ae925604045173ed1058c8

SHA512
7188987038c3167e3dcdceb95b7f766e25ba885865b24f68961bf5685fcf1c084e073d0f7b1d124654c3878c55ff5a8f77b5484adc8db72d418d6107bef60394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7919054.exe
Filesize
11KB

MD5
ce87cbd393d973256a56185477416a4e

SHA1
b2f7712f2ebfbffa2862d86c558333109d4562bf

SHA256
92c0ad9fb84548bd8208f4065cc48b47c529d96be6ad85e3218b0ff5c2248635

SHA512
4bd8303126049dfaf519d21abb2a8f0cdc3a0b61bd2baab8fa0ce1e195ee77b8f96b325f5a4691b0980bb9eab06ce2cfe5555dc73aa91191dd4afb1dd719ebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7919054.exe
Filesize
11KB

MD5
ce87cbd393d973256a56185477416a4e

SHA1
b2f7712f2ebfbffa2862d86c558333109d4562bf

SHA256
92c0ad9fb84548bd8208f4065cc48b47c529d96be6ad85e3218b0ff5c2248635

SHA512
4bd8303126049dfaf519d21abb2a8f0cdc3a0b61bd2baab8fa0ce1e195ee77b8f96b325f5a4691b0980bb9eab06ce2cfe5555dc73aa91191dd4afb1dd719ebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4481224.exe
Filesize
172KB

MD5
5a650586e2b61767bd9aa4f0b629975a

SHA1
c4ce389c05f4aa6bc550f2df112571d620612ee0

SHA256
bce51b2729a9eb7e111b7afced9356ccc79a2e98cd5771f84750488221ed0195

SHA512
9d36f0f290037c6a03966ecdac3c186c6e0640334981f76d53948beec653d8b1a054679d93321b1109b62c49bc7ceedbc6fb349f6404709bf497c96e3d0e6576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4481224.exe
Filesize
172KB

MD5
5a650586e2b61767bd9aa4f0b629975a

SHA1
c4ce389c05f4aa6bc550f2df112571d620612ee0

SHA256
bce51b2729a9eb7e111b7afced9356ccc79a2e98cd5771f84750488221ed0195

SHA512
9d36f0f290037c6a03966ecdac3c186c6e0640334981f76d53948beec653d8b1a054679d93321b1109b62c49bc7ceedbc6fb349f6404709bf497c96e3d0e6576

Download Submit
memory/4472-142-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/5068-150-0x0000000005180000-0x000000000528A000-memory.dmp

Filesize
1.0MB

Download
memory/5068-154-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/5068-149-0x0000000005680000-0x0000000005C86000-memory.dmp

Filesize
6.0MB

Download
memory/5068-147-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/5068-151-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/5068-152-0x0000000005110000-0x000000000514E000-memory.dmp

Filesize
248KB

Download
memory/5068-153-0x0000000005290000-0x00000000052DB000-memory.dmp

Filesize
300KB

Download
memory/5068-148-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/5068-155-0x0000000005430000-0x00000000054A6000-memory.dmp

Filesize
472KB

Download
memory/5068-156-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/5068-157-0x00000000065A0000-0x0000000006A9E000-memory.dmp

Filesize
5.0MB

Download
memory/5068-158-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/5068-159-0x0000000006AA0000-0x0000000006C62000-memory.dmp

Filesize
1.8MB

Download
memory/5068-160-0x0000000008820000-0x0000000008D4C000-memory.dmp

Filesize
5.2MB

Download
memory/5068-161-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/5068-162-0x00000000064D0000-0x0000000006520000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads