redline | 3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9

General

Target

3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe
Size

580KB
MD5

f3a9d9ed539faa1735c7d70eeb5b1f0b
SHA1

61b758463f23248bafb6ae467e9be0f870e1d34f
SHA256

3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9
SHA512

9bf04e0e1a7fccdfd643de0eb9e6a47b32c8900eaa19aba4b9119a1256c07895e9077f112b9520b97eac6ab7d7eb1aee9cd667b74d6316e85459a72dfb17d1fb
SSDEEP

12288:fMr9y90EhZHd5U9u0bjDcMCwJKvm+aE5u:yyVU9u4y0+aE5u

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3395480.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3395480.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3395480.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3395480.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3395480.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3395480.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3395480.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v0331684.exev3355826.exea3395480.exeb1299828.exe

pid process

4828 v0331684.exe
624 v3355826.exe
4108 a3395480.exe
768 b1299828.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3395480.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3395480.exe

pid	process
4828	v0331684.exe
624	v3355826.exe
4108	a3395480.exe
768	b1299828.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3395480.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exev0331684.exev3355826.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0331684.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0331684.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3355826.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3355826.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

a3395480.exeb1299828.exe

pid	process
4108	a3395480.exe
4108	a3395480.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe
768	b1299828.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a3395480.exeb1299828.exe

description pid process

Token: SeDebugPrivilege 4108 a3395480.exe
Token: SeDebugPrivilege 768 b1299828.exe

description	pid	process
Token: SeDebugPrivilege	4108	a3395480.exe
Token: SeDebugPrivilege	768	b1299828.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exev0331684.exev3355826.exe

description	pid	process	target process
PID 4968 wrote to memory of 4828	4968	3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe	v0331684.exe
PID 4968 wrote to memory of 4828	4968	3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe	v0331684.exe
PID 4968 wrote to memory of 4828	4968	3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe	v0331684.exe
PID 4828 wrote to memory of 624	4828	v0331684.exe	v3355826.exe
PID 4828 wrote to memory of 624	4828	v0331684.exe	v3355826.exe
PID 4828 wrote to memory of 624	4828	v0331684.exe	v3355826.exe
PID 624 wrote to memory of 4108	624	v3355826.exe	a3395480.exe
PID 624 wrote to memory of 4108	624	v3355826.exe	a3395480.exe
PID 624 wrote to memory of 768	624	v3355826.exe	b1299828.exe
PID 624 wrote to memory of 768	624	v3355826.exe	b1299828.exe
PID 624 wrote to memory of 768	624	v3355826.exe	b1299828.exe

C:\Users\Admin\AppData\Local\Temp\3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe
"C:\Users\Admin\AppData\Local\Temp\3a724fa080005f1917e6ddd978e5fd4a75255f9ead7f653be7f1b6da3dd0a7a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0331684.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0331684.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3355826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3355826.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3395480.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3395480.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1299828.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1299828.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0331684.exe
Filesize
377KB

MD5
71d0c45c56ed1cf86ffddf1681a83ea6

SHA1
19ba2e30dfc9cab5b05fb90f8679b6ef66c6a41a

SHA256
4271ab4b04a5ec0b8d2df7d089dee53c19a79bdd8ad2952c0ec087e9c62753b3

SHA512
57bb60b4b2dd47ed15aee0e76034c98515e02134d9bae0f3f993b332db626c37840660bb259cc5ba25b1b6c6ecbf8c2a2045807352e3076692bfb056204e1979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0331684.exe
Filesize
377KB

MD5
71d0c45c56ed1cf86ffddf1681a83ea6

SHA1
19ba2e30dfc9cab5b05fb90f8679b6ef66c6a41a

SHA256
4271ab4b04a5ec0b8d2df7d089dee53c19a79bdd8ad2952c0ec087e9c62753b3

SHA512
57bb60b4b2dd47ed15aee0e76034c98515e02134d9bae0f3f993b332db626c37840660bb259cc5ba25b1b6c6ecbf8c2a2045807352e3076692bfb056204e1979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3355826.exe
Filesize
206KB

MD5
d3f1610edc309ec70ab7271a7429a018

SHA1
a376ab53e86fb24edab39254df5e28e2a36de7fa

SHA256
55f274aac84b090e3461933b13a3ef9ece0aaeec948b1dcfddb5eab90f9350b3

SHA512
357ec54c9783a8aa96918d02f423eebd64956bcf323c05baf4085fa4c5ac0ace62dd16f9000d7720e653513a7cb74249bdfb71f921453611e04e74ee8793ce02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3355826.exe
Filesize
206KB

MD5
d3f1610edc309ec70ab7271a7429a018

SHA1
a376ab53e86fb24edab39254df5e28e2a36de7fa

SHA256
55f274aac84b090e3461933b13a3ef9ece0aaeec948b1dcfddb5eab90f9350b3

SHA512
357ec54c9783a8aa96918d02f423eebd64956bcf323c05baf4085fa4c5ac0ace62dd16f9000d7720e653513a7cb74249bdfb71f921453611e04e74ee8793ce02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3395480.exe
Filesize
11KB

MD5
9f6f894f28c49d8b23913539aa186baa

SHA1
0368d75e4be14fe5199c313197341a5895c8c177

SHA256
04fd844840c0b0ba71606f6a7b45f08db11f09c6e5edbd0b2b4d721380d10368

SHA512
9757b094129caaba542ccf04879053135fe3a1e19ea5192ff30dd750d4d1e67f3bd566398670f958693c7310140738c24e757f8d2d561e9b40139b221791717c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3395480.exe
Filesize
11KB

MD5
9f6f894f28c49d8b23913539aa186baa

SHA1
0368d75e4be14fe5199c313197341a5895c8c177

SHA256
04fd844840c0b0ba71606f6a7b45f08db11f09c6e5edbd0b2b4d721380d10368

SHA512
9757b094129caaba542ccf04879053135fe3a1e19ea5192ff30dd750d4d1e67f3bd566398670f958693c7310140738c24e757f8d2d561e9b40139b221791717c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1299828.exe
Filesize
172KB

MD5
b82821ecf07cf3b91ac38df700ff6987

SHA1
41d3d93cba9cde6b4ec745de994bf32b62b8bcb4

SHA256
25f842d67bc9907e2c38faebe7d4dedb364af4d69d3f2effbeee6ed2e756404d

SHA512
2ea4583256bd27615c87ee162de04c60dde94fb7ff975caa0a1d854654d0fda44bdce879ee625a06c8826d3199ceb13a0c98ffeac7795fc3a79ed8f716cae9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1299828.exe
Filesize
172KB

MD5
b82821ecf07cf3b91ac38df700ff6987

SHA1
41d3d93cba9cde6b4ec745de994bf32b62b8bcb4

SHA256
25f842d67bc9907e2c38faebe7d4dedb364af4d69d3f2effbeee6ed2e756404d

SHA512
2ea4583256bd27615c87ee162de04c60dde94fb7ff975caa0a1d854654d0fda44bdce879ee625a06c8826d3199ceb13a0c98ffeac7795fc3a79ed8f716cae9cd

Download Submit
memory/768-160-0x000000000AED0000-0x000000000B4E8000-memory.dmp

Filesize
6.1MB

Download
memory/768-165-0x000000000ACA0000-0x000000000AD16000-memory.dmp

Filesize
472KB

Download
memory/768-172-0x000000000C2D0000-0x000000000C320000-memory.dmp

Filesize
320KB

Download
memory/768-161-0x000000000AA00000-0x000000000AB0A000-memory.dmp

Filesize
1.0MB

Download
memory/768-162-0x000000000A930000-0x000000000A942000-memory.dmp

Filesize
72KB

Download
memory/768-163-0x000000000A990000-0x000000000A9CC000-memory.dmp

Filesize
240KB

Download
memory/768-164-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/768-159-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

Filesize
192KB

Download
memory/768-166-0x000000000ADC0000-0x000000000AE52000-memory.dmp

Filesize
584KB

Download
memory/768-167-0x000000000BBA0000-0x000000000C144000-memory.dmp

Filesize
5.6MB

Download
memory/768-168-0x000000000B5F0000-0x000000000B656000-memory.dmp

Filesize
408KB

Download
memory/768-169-0x000000000C320000-0x000000000C4E2000-memory.dmp

Filesize
1.8MB

Download
memory/768-170-0x000000000CA20000-0x000000000CF4C000-memory.dmp

Filesize
5.2MB

Download
memory/768-171-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4108-154-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads