redline | ebebb7a0e4f0a8514b0b1e142d7e17fe0b6c336970066567601aa7ec17b4d13a

General

Target

tmp.exe
Size

627KB
MD5

d2def0084106d6e71ec3f01bf112d82e
SHA1

2480ff75eb470c56db4762545b3d70a1a79696b3
SHA256

ebebb7a0e4f0a8514b0b1e142d7e17fe0b6c336970066567601aa7ec17b4d13a
SHA512

32c910ddd3a22fe236e0ec2df8ee0e70106063559064ead304770f6d066dcaa6464e812d9222c4f5bf1061a9a2e93ae9980ed7cb38486cccc9176494b14abb0c
SSDEEP

12288:cMrMy90qYyW041SoNPrKVbFIWffdpo2nyKZxcLcgM/RFC/Z8auqD:Iy7odSoVrqd3fy9Lcg0RFCR8av

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v5387363.exev6541230.exea7621364.exeb3511224.exe

pid process

1548 v5387363.exe
1432 v6541230.exe
468 a7621364.exe
4552 b3511224.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1548	v5387363.exe
1432	v6541230.exe
468	a7621364.exe
4552	b3511224.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exev5387363.exev6541230.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5387363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5387363.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6541230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6541230.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

a7621364.exe

description pid process target process

PID 468 set thread context of 2896 468 a7621364.exe AppLaunch.exe

description	pid	process	target process
PID 468 set thread context of 2896	468	a7621364.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

AppLaunch.exeb3511224.exe

pid	process
2896	AppLaunch.exe
2896	AppLaunch.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe
4552	b3511224.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exeb3511224.exe

description pid process

Token: SeDebugPrivilege 2896 AppLaunch.exe
Token: SeDebugPrivilege 4552 b3511224.exe

description	pid	process
Token: SeDebugPrivilege	2896	AppLaunch.exe
Token: SeDebugPrivilege	4552	b3511224.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

tmp.exev5387363.exev6541230.exea7621364.exe

description	pid	process	target process
PID 1664 wrote to memory of 1548	1664	tmp.exe	v5387363.exe
PID 1664 wrote to memory of 1548	1664	tmp.exe	v5387363.exe
PID 1664 wrote to memory of 1548	1664	tmp.exe	v5387363.exe
PID 1548 wrote to memory of 1432	1548	v5387363.exe	v6541230.exe
PID 1548 wrote to memory of 1432	1548	v5387363.exe	v6541230.exe
PID 1548 wrote to memory of 1432	1548	v5387363.exe	v6541230.exe
PID 1432 wrote to memory of 468	1432	v6541230.exe	a7621364.exe
PID 1432 wrote to memory of 468	1432	v6541230.exe	a7621364.exe
PID 1432 wrote to memory of 468	1432	v6541230.exe	a7621364.exe
PID 468 wrote to memory of 2896	468	a7621364.exe	AppLaunch.exe
PID 468 wrote to memory of 2896	468	a7621364.exe	AppLaunch.exe
PID 468 wrote to memory of 2896	468	a7621364.exe	AppLaunch.exe
PID 468 wrote to memory of 2896	468	a7621364.exe	AppLaunch.exe
PID 468 wrote to memory of 2896	468	a7621364.exe	AppLaunch.exe
PID 1432 wrote to memory of 4552	1432	v6541230.exe	b3511224.exe
PID 1432 wrote to memory of 4552	1432	v6541230.exe	b3511224.exe
PID 1432 wrote to memory of 4552	1432	v6541230.exe	b3511224.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe

Filesize
425KB

MD5
d67bbeee039b8d650bcd1065abc87961

SHA1
f9301c877e491f0750d38f66d2e7448f1b551743

SHA256
aab805e421a7eb381e46f363c5ee5dbfd997f847560c24e449a017c360645072

SHA512
44da3ec7e40bbc9e136f70841530bdd91f5dd1715cb8860bac65ea296608e339dae429fcec7a005908654f724c4dc9850da05ccc1e8f7e59373e8a0d78d37acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe

Filesize
425KB

MD5
d67bbeee039b8d650bcd1065abc87961

SHA1
f9301c877e491f0750d38f66d2e7448f1b551743

SHA256
aab805e421a7eb381e46f363c5ee5dbfd997f847560c24e449a017c360645072

SHA512
44da3ec7e40bbc9e136f70841530bdd91f5dd1715cb8860bac65ea296608e339dae429fcec7a005908654f724c4dc9850da05ccc1e8f7e59373e8a0d78d37acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe

Filesize
254KB

MD5
7f991f72157b903cac0c69532f65c422

SHA1
06209f2c7341ef82195e0c480753caed0dd4eed4

SHA256
ef4c5bf7b4cc7fb3fe1c6cbb4893f90807d9916b9630333cf623338071d7c1a6

SHA512
f2434e058d98a37bbb856bddc6a59ab7fe96b40e8325e9662fc2c92490a7cd27b3848251c1b60d958029e63e84cdb70f576352e818b73924db2cf68491a7d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe

Filesize
254KB

MD5
7f991f72157b903cac0c69532f65c422

SHA1
06209f2c7341ef82195e0c480753caed0dd4eed4

SHA256
ef4c5bf7b4cc7fb3fe1c6cbb4893f90807d9916b9630333cf623338071d7c1a6

SHA512
f2434e058d98a37bbb856bddc6a59ab7fe96b40e8325e9662fc2c92490a7cd27b3848251c1b60d958029e63e84cdb70f576352e818b73924db2cf68491a7d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe

Filesize
108KB

MD5
edd967e9176e91837da5d1ddcee897c0

SHA1
a68799909279d6b3040300701808b71c5e1995c4

SHA256
fe4842288e041020243b724386e9167707db41abf362a9f2aa784b5979c3f805

SHA512
56a5f6e5bbef59ac1e8cd05d7d0967c320d02d9e6480aac860503193e6efbaba549fa7e49f8a2d43ff6b42ea7092efe57e5fcd94a0be343c8c329a44e12a53f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe

Filesize
108KB

MD5
edd967e9176e91837da5d1ddcee897c0

SHA1
a68799909279d6b3040300701808b71c5e1995c4

SHA256
fe4842288e041020243b724386e9167707db41abf362a9f2aa784b5979c3f805

SHA512
56a5f6e5bbef59ac1e8cd05d7d0967c320d02d9e6480aac860503193e6efbaba549fa7e49f8a2d43ff6b42ea7092efe57e5fcd94a0be343c8c329a44e12a53f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe

Filesize
172KB

MD5
d1925563c6a3da713c97baead6741903

SHA1
d9f680d3e0af2ef7fdc5d6e490a65c10abe47840

SHA256
147591c3ea3dd79c626062a17dc718441cd98728a5adf7a82bf207a263e7355f

SHA512
26fa7b5cd63f7aa36f65eec66ddb5690e4d93cc45bc124bb04b4890297dfcdfee59bc3c42272da11b56ddff895193cbe9a8cbf95c2a75253e7c4b0b684cded60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe

Filesize
172KB

MD5
d1925563c6a3da713c97baead6741903

SHA1
d9f680d3e0af2ef7fdc5d6e490a65c10abe47840

SHA256
147591c3ea3dd79c626062a17dc718441cd98728a5adf7a82bf207a263e7355f

SHA512
26fa7b5cd63f7aa36f65eec66ddb5690e4d93cc45bc124bb04b4890297dfcdfee59bc3c42272da11b56ddff895193cbe9a8cbf95c2a75253e7c4b0b684cded60

Download Submit
memory/2896-154-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/4552-163-0x000000000B1F0000-0x000000000B808000-memory.dmp

Filesize
6.1MB

Download
memory/4552-169-0x000000000B8B0000-0x000000000B942000-memory.dmp

Filesize
584KB

Download
memory/4552-164-0x000000000AD40000-0x000000000AE4A000-memory.dmp

Filesize
1.0MB

Download
memory/4552-165-0x000000000AC80000-0x000000000AC92000-memory.dmp

Filesize
72KB

Download
memory/4552-166-0x000000000ACE0000-0x000000000AD1C000-memory.dmp

Filesize
240KB

Download
memory/4552-167-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4552-168-0x000000000B0F0000-0x000000000B166000-memory.dmp

Filesize
472KB

Download
memory/4552-162-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

Filesize
192KB

Download
memory/4552-170-0x000000000BF00000-0x000000000C4A4000-memory.dmp

Filesize
5.6MB

Download
memory/4552-171-0x000000000B810000-0x000000000B876000-memory.dmp

Filesize
408KB

Download
memory/4552-173-0x000000000BE30000-0x000000000BE80000-memory.dmp

Filesize
320KB

Download
memory/4552-174-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4552-175-0x000000000C680000-0x000000000C842000-memory.dmp

Filesize
1.8MB

Download
memory/4552-176-0x000000000CD80000-0x000000000D2AC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads