redline | 28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545

General

Target

28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe
Size

581KB
MD5

e70e8dd2f2a949f1a73438c0f498de1c
SHA1

40ce5995dd5cffd9d698a448d426552e97222f0a
SHA256

28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545
SHA512

c25c2d67e6170e9ede05ba67d81a6c6bcc6b58f3015a577a09e35786373276adeaecc1958ea600614b2fc260bf052e022e723f1e1430b7695b5e9cecf492e6f5
SSDEEP

12288:RMrFy90LNRlNsFmw633onPfQGpMvr6Rt6f2VwerUzGd3JmMh3t:8ymDNF33onpMvr5uL448Mh3t

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a4503013.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4503013.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4503013.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4503013.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4503013.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4503013.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4503013.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v0163337.exev5262794.exea4503013.exeb1864269.exe

pid process

1128 v0163337.exe
1452 v5262794.exe
1740 a4503013.exe
3864 b1864269.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a4503013.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4503013.exe

pid	process
1128	v0163337.exe
1452	v5262794.exe
1740	a4503013.exe
3864	b1864269.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4503013.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exev0163337.exev5262794.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0163337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0163337.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5262794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5262794.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

a4503013.exeb1864269.exe

pid	process
1740	a4503013.exe
1740	a4503013.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe
3864	b1864269.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4503013.exeb1864269.exe

description pid process

Token: SeDebugPrivilege 1740 a4503013.exe
Token: SeDebugPrivilege 3864 b1864269.exe

description	pid	process
Token: SeDebugPrivilege	1740	a4503013.exe
Token: SeDebugPrivilege	3864	b1864269.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exev0163337.exev5262794.exe

description	pid	process	target process
PID 3280 wrote to memory of 1128	3280	28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe	v0163337.exe
PID 3280 wrote to memory of 1128	3280	28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe	v0163337.exe
PID 3280 wrote to memory of 1128	3280	28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe	v0163337.exe
PID 1128 wrote to memory of 1452	1128	v0163337.exe	v5262794.exe
PID 1128 wrote to memory of 1452	1128	v0163337.exe	v5262794.exe
PID 1128 wrote to memory of 1452	1128	v0163337.exe	v5262794.exe
PID 1452 wrote to memory of 1740	1452	v5262794.exe	a4503013.exe
PID 1452 wrote to memory of 1740	1452	v5262794.exe	a4503013.exe
PID 1452 wrote to memory of 3864	1452	v5262794.exe	b1864269.exe
PID 1452 wrote to memory of 3864	1452	v5262794.exe	b1864269.exe
PID 1452 wrote to memory of 3864	1452	v5262794.exe	b1864269.exe

C:\Users\Admin\AppData\Local\Temp\28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe
"C:\Users\Admin\AppData\Local\Temp\28153a3179c28ed7fa930190a59aa653088a0768e7db3a7d2ed927d275dd9545.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0163337.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0163337.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5262794.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5262794.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4503013.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4503013.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1864269.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1864269.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0163337.exe
Filesize
377KB

MD5
d54f5d86752783d875f97f490ee9c4ee

SHA1
2d2f410d3385c6ef998e7472f37d3d02d1645a6d

SHA256
72c376e5219ba56b7f2e1fd2e4bb7aca990ad559756b2d3a637bcb387f3704f7

SHA512
895f2d5be2aa6956aba029e4b5cb0eb5cdfec41157864746b01d125a6803955df708dc9180f8ea17a586f2e0f3bc138e19a2c42132aa6a2daf56ee78464b208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0163337.exe
Filesize
377KB

MD5
d54f5d86752783d875f97f490ee9c4ee

SHA1
2d2f410d3385c6ef998e7472f37d3d02d1645a6d

SHA256
72c376e5219ba56b7f2e1fd2e4bb7aca990ad559756b2d3a637bcb387f3704f7

SHA512
895f2d5be2aa6956aba029e4b5cb0eb5cdfec41157864746b01d125a6803955df708dc9180f8ea17a586f2e0f3bc138e19a2c42132aa6a2daf56ee78464b208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5262794.exe
Filesize
206KB

MD5
6bf27e6ba7e468255f00253cda2e6555

SHA1
54d1b0f418b6213f07bdb1ff9db0227f100661c5

SHA256
39e48736209532427294c3d9d981a95bbdebd0cb733f913d8e9ab913cde3ad50

SHA512
fe5853001f1b4f163a4c10d51be33b28e9306e9f4f2ee23b8e144842a774e3362faccddd1b6a02b8d98b594248e3c512f269947976b4f0bf7a81d670bff6dce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5262794.exe
Filesize
206KB

MD5
6bf27e6ba7e468255f00253cda2e6555

SHA1
54d1b0f418b6213f07bdb1ff9db0227f100661c5

SHA256
39e48736209532427294c3d9d981a95bbdebd0cb733f913d8e9ab913cde3ad50

SHA512
fe5853001f1b4f163a4c10d51be33b28e9306e9f4f2ee23b8e144842a774e3362faccddd1b6a02b8d98b594248e3c512f269947976b4f0bf7a81d670bff6dce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4503013.exe
Filesize
11KB

MD5
544e4d6d23e9db6da1b8753cfc5b9775

SHA1
0191aa084984865635388d451d5369efaa28ad2b

SHA256
71dcd99212242a8d684df4ad27a98f03c256dc9e0294d6a848091249fc22b517

SHA512
ba827a17c670991d64dbc75b12e42a5961f6238b21aa80f788c89ef4c52e2c4de14377977340f9e583fac6f3aec9d38d589b74315072f1e2f0602c638566c15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4503013.exe
Filesize
11KB

MD5
544e4d6d23e9db6da1b8753cfc5b9775

SHA1
0191aa084984865635388d451d5369efaa28ad2b

SHA256
71dcd99212242a8d684df4ad27a98f03c256dc9e0294d6a848091249fc22b517

SHA512
ba827a17c670991d64dbc75b12e42a5961f6238b21aa80f788c89ef4c52e2c4de14377977340f9e583fac6f3aec9d38d589b74315072f1e2f0602c638566c15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1864269.exe
Filesize
172KB

MD5
b32047d717888012646378aa1cb85150

SHA1
29a00294ffee7acda851aec1f688d5f1bbd0735b

SHA256
f0e11578c56fa3ed2a95790a329b9fc215966581b756013d10225b0f0e85a5c6

SHA512
c9d7479c99ebcb863a2161251e801172a98d8311b24faaab82ee22d5aa55ca7344c2e028429bda0f5473d4d302213ee53789624ff6a268ae0fc5e98fb7d95bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1864269.exe
Filesize
172KB

MD5
b32047d717888012646378aa1cb85150

SHA1
29a00294ffee7acda851aec1f688d5f1bbd0735b

SHA256
f0e11578c56fa3ed2a95790a329b9fc215966581b756013d10225b0f0e85a5c6

SHA512
c9d7479c99ebcb863a2161251e801172a98d8311b24faaab82ee22d5aa55ca7344c2e028429bda0f5473d4d302213ee53789624ff6a268ae0fc5e98fb7d95bfc

Download Submit
memory/1740-154-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/3864-160-0x000000000A690000-0x000000000ACA8000-memory.dmp

Filesize
6.1MB

Download
memory/3864-166-0x000000000A5C0000-0x000000000A652000-memory.dmp

Filesize
584KB

Download
memory/3864-161-0x000000000A1F0000-0x000000000A2FA000-memory.dmp

Filesize
1.0MB

Download
memory/3864-162-0x000000000A130000-0x000000000A142000-memory.dmp

Filesize
72KB

Download
memory/3864-163-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/3864-164-0x000000000A190000-0x000000000A1CC000-memory.dmp

Filesize
240KB

Download
memory/3864-165-0x000000000A4A0000-0x000000000A516000-memory.dmp

Filesize
472KB

Download
memory/3864-159-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/3864-167-0x000000000B360000-0x000000000B904000-memory.dmp

Filesize
5.6MB

Download
memory/3864-168-0x000000000ADB0000-0x000000000AE16000-memory.dmp

Filesize
408KB

Download
memory/3864-169-0x000000000BAE0000-0x000000000BCA2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-170-0x000000000C1E0000-0x000000000C70C000-memory.dmp

Filesize
5.2MB

Download
memory/3864-171-0x000000000B2A0000-0x000000000B2F0000-memory.dmp

Filesize
320KB

Download
memory/3864-172-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads