redline | 8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c

General

Target

8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe
Size

581KB
MD5

67cf2c6121c733832666746c1c1eb460
SHA1

1d4cdee83faf9a147e72b9f123fa595d4af120cd
SHA256

8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c
SHA512

d9cbed38c2976f9f64cc6c1eccda3f1b1d4631fafea4c43d2907a21d1a0fecac1e39b7f451f6e6baf1f1eb645b6279cca939844202acb4ff97f428811f86a6bc
SSDEEP

12288:WMr7y908gKDqrtRkLPI0REWPF62dGcrqqo9lB0EfMjzUjV:tyeKAnkLI0RvPF5UhlVUGV

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a8956228.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8956228.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8956228.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8956228.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8956228.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8956228.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6303284.exev2529730.exea8956228.exeb9302014.exe

pid process

4660 v6303284.exe
5104 v2529730.exe
2160 a8956228.exe
4040 b9302014.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a8956228.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8956228.exe

pid	process
4660	v6303284.exe
5104	v2529730.exe
2160	a8956228.exe
4040	b9302014.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8956228.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exev6303284.exev2529730.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6303284.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6303284.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2529730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2529730.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

a8956228.exeb9302014.exe

pid	process
2160	a8956228.exe
2160	a8956228.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe
4040	b9302014.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a8956228.exeb9302014.exe

description pid process

Token: SeDebugPrivilege 2160 a8956228.exe
Token: SeDebugPrivilege 4040 b9302014.exe

description	pid	process
Token: SeDebugPrivilege	2160	a8956228.exe
Token: SeDebugPrivilege	4040	b9302014.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exev6303284.exev2529730.exe

description	pid	process	target process
PID 4268 wrote to memory of 4660	4268	8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe	v6303284.exe
PID 4268 wrote to memory of 4660	4268	8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe	v6303284.exe
PID 4268 wrote to memory of 4660	4268	8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe	v6303284.exe
PID 4660 wrote to memory of 5104	4660	v6303284.exe	v2529730.exe
PID 4660 wrote to memory of 5104	4660	v6303284.exe	v2529730.exe
PID 4660 wrote to memory of 5104	4660	v6303284.exe	v2529730.exe
PID 5104 wrote to memory of 2160	5104	v2529730.exe	a8956228.exe
PID 5104 wrote to memory of 2160	5104	v2529730.exe	a8956228.exe
PID 5104 wrote to memory of 4040	5104	v2529730.exe	b9302014.exe
PID 5104 wrote to memory of 4040	5104	v2529730.exe	b9302014.exe
PID 5104 wrote to memory of 4040	5104	v2529730.exe	b9302014.exe

C:\Users\Admin\AppData\Local\Temp\8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe
"C:\Users\Admin\AppData\Local\Temp\8453c7a8c17598c7bfef05aa8ea0ab03d2c26490cb5eb90789aa29047402508c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6303284.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6303284.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2529730.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2529730.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8956228.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8956228.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9302014.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9302014.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6303284.exe

Filesize
377KB

MD5
158b51f59d34bd81a00fc05fec0736ea

SHA1
ab582737af08ace4d3b2cc42c4149908685f13d7

SHA256
a7fc4f1422ce78ad25a205ba90a9d5814d7a7155f496356c6abf50d7250d6d5f

SHA512
bff71e9326209ed1a97bd25a6768d02c83377f05de0742ee3f7b5bfcb38a94e1558977d1fcbf29707bd4e13eeaa8e128eb3ec7f7649ceaf70e6d67ce03dcd030

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6303284.exe

Filesize
377KB

MD5
158b51f59d34bd81a00fc05fec0736ea

SHA1
ab582737af08ace4d3b2cc42c4149908685f13d7

SHA256
a7fc4f1422ce78ad25a205ba90a9d5814d7a7155f496356c6abf50d7250d6d5f

SHA512
bff71e9326209ed1a97bd25a6768d02c83377f05de0742ee3f7b5bfcb38a94e1558977d1fcbf29707bd4e13eeaa8e128eb3ec7f7649ceaf70e6d67ce03dcd030

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2529730.exe

Filesize
206KB

MD5
eea29b1622855f476f65cd78e32b791c

SHA1
f25c3a2d8908bf687115ceee23a619f2130366f8

SHA256
33cbaed9699929573a4b52ee014f747465600742ba6d0185b036a37ceb959b88

SHA512
09f8ef2cc26012dc4590f55e7ac481698aabfabd942d20c87215b961525821d175064c61299a5b5f36d082a53b4fd4fe721c42a8aa9af4358166c089b2a2d1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2529730.exe

Filesize
206KB

MD5
eea29b1622855f476f65cd78e32b791c

SHA1
f25c3a2d8908bf687115ceee23a619f2130366f8

SHA256
33cbaed9699929573a4b52ee014f747465600742ba6d0185b036a37ceb959b88

SHA512
09f8ef2cc26012dc4590f55e7ac481698aabfabd942d20c87215b961525821d175064c61299a5b5f36d082a53b4fd4fe721c42a8aa9af4358166c089b2a2d1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8956228.exe

Filesize
11KB

MD5
b106d4440f5f040ff50060bd7934ae1c

SHA1
7b5c32459bf3de28a3e51be601ddeefeb944b9a8

SHA256
c908333bc1a8c50e9c99d81e9d8683e09c22226bd3b62659cdb7c8179b176917

SHA512
af2ce19f0ede1366733957c4d8029314c275c83128d7843ed28282872b85ad90373cd04fa0b012c9648690ec0b573ed64c2dc4383c6aa700236c6c1adc0220ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8956228.exe

Filesize
11KB

MD5
b106d4440f5f040ff50060bd7934ae1c

SHA1
7b5c32459bf3de28a3e51be601ddeefeb944b9a8

SHA256
c908333bc1a8c50e9c99d81e9d8683e09c22226bd3b62659cdb7c8179b176917

SHA512
af2ce19f0ede1366733957c4d8029314c275c83128d7843ed28282872b85ad90373cd04fa0b012c9648690ec0b573ed64c2dc4383c6aa700236c6c1adc0220ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9302014.exe

Filesize
172KB

MD5
13c33913372d50ff446ee03403ceb4b8

SHA1
624d06ccb1ecd7da08344002c16082e8397148df

SHA256
bd32691bfcf5dc40067057a345060d4de1f531e88e50b2583fe3413bb534043f

SHA512
4364739134e02c72f775ea6f085ea5607b60e58e1f6a00f34826f87cc5c7db0db5e5ab859f4619ef86559bf5049f3d402eda463c7269f708cdd78dc34b3b95e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9302014.exe

Filesize
172KB

MD5
13c33913372d50ff446ee03403ceb4b8

SHA1
624d06ccb1ecd7da08344002c16082e8397148df

SHA256
bd32691bfcf5dc40067057a345060d4de1f531e88e50b2583fe3413bb534043f

SHA512
4364739134e02c72f775ea6f085ea5607b60e58e1f6a00f34826f87cc5c7db0db5e5ab859f4619ef86559bf5049f3d402eda463c7269f708cdd78dc34b3b95e0

Download Submit
memory/2160-141-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/4040-149-0x00000000057B0000-0x00000000058BA000-memory.dmp

Filesize
1.0MB

Download
memory/4040-153-0x0000000005640000-0x000000000568B000-memory.dmp

Filesize
300KB

Download
memory/4040-148-0x0000000005CB0000-0x00000000062B6000-memory.dmp

Filesize
6.0MB

Download
memory/4040-146-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/4040-150-0x0000000005620000-0x0000000005632000-memory.dmp

Filesize
72KB

Download
memory/4040-151-0x00000000056A0000-0x00000000056DE000-memory.dmp

Filesize
248KB

Download
memory/4040-152-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4040-147-0x0000000002F20000-0x0000000002F26000-memory.dmp

Filesize
24KB

Download
memory/4040-154-0x0000000005AA0000-0x0000000005B16000-memory.dmp

Filesize
472KB

Download
memory/4040-155-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/4040-156-0x0000000006CD0000-0x00000000071CE000-memory.dmp

Filesize
5.0MB

Download
memory/4040-157-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/4040-158-0x00000000069B0000-0x0000000006B72000-memory.dmp

Filesize
1.8MB

Download
memory/4040-159-0x0000000008A20000-0x0000000008F4C000-memory.dmp

Filesize
5.2MB

Download
memory/4040-160-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4040-161-0x0000000006930000-0x0000000006980000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads