redline | 2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c

General

Target

2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe
Size

581KB
MD5

e45e3663dd69f561dfdd97358e7e71bc
SHA1

945dcd827fc0829203580f2c242c81b6386ca556
SHA256

2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c
SHA512

6cec33698dc974a96e1417268941a51c7cc54ee821daf369164f4ac1096728ef823d503184227751bbed54d0a9ed2edcb5a62eeb42bf8d154919c4f011c83645
SSDEEP

12288:iMrSy90qKllt1uE+/SvB5cEr8W8J+S2p:Qyt6rkEOSvBlJK+J

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0105908.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0105908.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0105908.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0105908.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0105908.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0105908.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0105908.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v0563019.exev0790900.exea0105908.exeb1430528.exe

pid process

3300 v0563019.exe
3944 v0790900.exe
3672 a0105908.exe
1104 b1430528.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0105908.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0105908.exe

pid	process
3300	v0563019.exe
3944	v0790900.exe
3672	a0105908.exe
1104	b1430528.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0105908.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v0563019.exev0790900.exe2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0563019.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0563019.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0790900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0790900.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

a0105908.exeb1430528.exe

pid	process
3672	a0105908.exe
3672	a0105908.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe
1104	b1430528.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a0105908.exeb1430528.exe

description pid process

Token: SeDebugPrivilege 3672 a0105908.exe
Token: SeDebugPrivilege 1104 b1430528.exe

description	pid	process
Token: SeDebugPrivilege	3672	a0105908.exe
Token: SeDebugPrivilege	1104	b1430528.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exev0563019.exev0790900.exe

description	pid	process	target process
PID 2616 wrote to memory of 3300	2616	2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe	v0563019.exe
PID 2616 wrote to memory of 3300	2616	2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe	v0563019.exe
PID 2616 wrote to memory of 3300	2616	2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe	v0563019.exe
PID 3300 wrote to memory of 3944	3300	v0563019.exe	v0790900.exe
PID 3300 wrote to memory of 3944	3300	v0563019.exe	v0790900.exe
PID 3300 wrote to memory of 3944	3300	v0563019.exe	v0790900.exe
PID 3944 wrote to memory of 3672	3944	v0790900.exe	a0105908.exe
PID 3944 wrote to memory of 3672	3944	v0790900.exe	a0105908.exe
PID 3944 wrote to memory of 1104	3944	v0790900.exe	b1430528.exe
PID 3944 wrote to memory of 1104	3944	v0790900.exe	b1430528.exe
PID 3944 wrote to memory of 1104	3944	v0790900.exe	b1430528.exe

C:\Users\Admin\AppData\Local\Temp\2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe
"C:\Users\Admin\AppData\Local\Temp\2d7f3a3e69b1ed84522c13912ef6eb13d3553bacc429d665b64f94f017d4d02c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0563019.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0563019.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0790900.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0790900.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0105908.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0105908.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1430528.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1430528.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0563019.exe
Filesize
377KB

MD5
a1824bc3d4411cc8b8fb1eca083192eb

SHA1
03c548e8ba63508634563bf69e6181841426edef

SHA256
10602c388694084f3f10f1fd6b80556b2276ef3e3d2538234c8315c0387798ac

SHA512
d1fbb020ac099f6afa5084f187231d80b3f657f885d7977317aea6916e0d8a8920942285e3308d742379689395d0632c4a3f019d4c09d92fd4cb7f5a4ea45943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0563019.exe
Filesize
377KB

MD5
a1824bc3d4411cc8b8fb1eca083192eb

SHA1
03c548e8ba63508634563bf69e6181841426edef

SHA256
10602c388694084f3f10f1fd6b80556b2276ef3e3d2538234c8315c0387798ac

SHA512
d1fbb020ac099f6afa5084f187231d80b3f657f885d7977317aea6916e0d8a8920942285e3308d742379689395d0632c4a3f019d4c09d92fd4cb7f5a4ea45943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0790900.exe
Filesize
206KB

MD5
f0e1b93ac8757e3951282246e7e17855

SHA1
11ee69e28a77716467cc2cbef271d88ac76e2978

SHA256
b963fcd8394ee94f918b13de42a301a25c4592238d4df46983e39097125f9166

SHA512
2986fe402ef8996b024802bf90640645602a892c6b68b229bbe9da3f071415c123e656fe2d37ceac12ff3b0cd30cdddf0f61abfc5302dd4d43cdfcc174621d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0790900.exe
Filesize
206KB

MD5
f0e1b93ac8757e3951282246e7e17855

SHA1
11ee69e28a77716467cc2cbef271d88ac76e2978

SHA256
b963fcd8394ee94f918b13de42a301a25c4592238d4df46983e39097125f9166

SHA512
2986fe402ef8996b024802bf90640645602a892c6b68b229bbe9da3f071415c123e656fe2d37ceac12ff3b0cd30cdddf0f61abfc5302dd4d43cdfcc174621d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0105908.exe
Filesize
11KB

MD5
15f135cf2acee48a17e8bc2429a08b1c

SHA1
a5e792032412f041936e0094707216870159e8de

SHA256
05e6dd501d4bad49269cb84654bf7cbf28afd8e846225fe85e67ce8518cd35ff

SHA512
1f03b5322f0ecff9116f1923c40cdbd27c5f8f10b872de860d1f6902fe82545bdeb605823d6d124f78c3bfce241e626c9d326565093ac883af416f6d06f32a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0105908.exe
Filesize
11KB

MD5
15f135cf2acee48a17e8bc2429a08b1c

SHA1
a5e792032412f041936e0094707216870159e8de

SHA256
05e6dd501d4bad49269cb84654bf7cbf28afd8e846225fe85e67ce8518cd35ff

SHA512
1f03b5322f0ecff9116f1923c40cdbd27c5f8f10b872de860d1f6902fe82545bdeb605823d6d124f78c3bfce241e626c9d326565093ac883af416f6d06f32a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1430528.exe
Filesize
172KB

MD5
070866ee2896528db6fad58bd537a01a

SHA1
dd2c23c73c6d999873010a0697e75aa4171c6d8d

SHA256
8924c3f9dbca640123c23ab4aa50bb5079d892b7c7e174cf461872d9c4609517

SHA512
1d0fdd8e7201b4f0d6354eb4f29f1bd61b0a28b18fb9198bb2d87a5d72ac2fab9b11184283e2c73e32140cc6b8facb8f2ce66a2e76aaedfd05b8a2dfed2f1bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1430528.exe
Filesize
172KB

MD5
070866ee2896528db6fad58bd537a01a

SHA1
dd2c23c73c6d999873010a0697e75aa4171c6d8d

SHA256
8924c3f9dbca640123c23ab4aa50bb5079d892b7c7e174cf461872d9c4609517

SHA512
1d0fdd8e7201b4f0d6354eb4f29f1bd61b0a28b18fb9198bb2d87a5d72ac2fab9b11184283e2c73e32140cc6b8facb8f2ce66a2e76aaedfd05b8a2dfed2f1bdb

Download Submit
memory/1104-160-0x000000000AD30000-0x000000000B348000-memory.dmp

Filesize
6.1MB

Download
memory/1104-165-0x000000000AC60000-0x000000000ACD6000-memory.dmp

Filesize
472KB

Download
memory/1104-172-0x000000000C8C0000-0x000000000CDEC000-memory.dmp

Filesize
5.2MB

Download
memory/1104-161-0x000000000A8B0000-0x000000000A9BA000-memory.dmp

Filesize
1.0MB

Download
memory/1104-162-0x000000000A7F0000-0x000000000A802000-memory.dmp

Filesize
72KB

Download
memory/1104-163-0x000000000A850000-0x000000000A88C000-memory.dmp

Filesize
240KB

Download
memory/1104-164-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/1104-159-0x0000000000930000-0x0000000000960000-memory.dmp

Filesize
192KB

Download
memory/1104-166-0x000000000B3F0000-0x000000000B482000-memory.dmp

Filesize
584KB

Download
memory/1104-167-0x000000000BA40000-0x000000000BFE4000-memory.dmp

Filesize
5.6MB

Download
memory/1104-168-0x000000000B490000-0x000000000B4F6000-memory.dmp

Filesize
408KB

Download
memory/1104-169-0x000000000B890000-0x000000000B8E0000-memory.dmp

Filesize
320KB

Download
memory/1104-170-0x000000000C1C0000-0x000000000C382000-memory.dmp

Filesize
1.8MB

Download
memory/1104-171-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3672-154-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads