redline | 16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff

General

Target

16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe
Size

580KB
MD5

34af66fbb8ac9a96442b943710b913a9
SHA1

7c6a42463781b5982880bb89cd2b2f8a6248c03d
SHA256

16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff
SHA512

dccc8a7207cc858222479211fc9bc37e71dc89885007580fbc8daf331fea6a49f3bab67e84b5845ab42a9ab54b22859ae4151cc89c264231cac7ef9957ec8c11
SSDEEP

12288:RMrAy90h3dX3FBJuv0aLusXe/GFHGGCUuDh3Lh9VCor2gDtc/:NyYnbTsXe/GFmxDh3Lh9VCor2cq/

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a6214196.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6214196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6214196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6214196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6214196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6214196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6214196.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6577499.exev3411629.exea6214196.exeb6721890.exe

pid process

1148 v6577499.exe
1564 v3411629.exe
2264 a6214196.exe
656 b6721890.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a6214196.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6214196.exe

pid	process
1148	v6577499.exe
1564	v3411629.exe
2264	a6214196.exe
656	b6721890.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6214196.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exev6577499.exev3411629.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6577499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6577499.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3411629.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3411629.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a6214196.exeb6721890.exe

pid	process
2264	a6214196.exe
2264	a6214196.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe
656	b6721890.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6214196.exeb6721890.exe

description pid process

Token: SeDebugPrivilege 2264 a6214196.exe
Token: SeDebugPrivilege 656 b6721890.exe

description	pid	process
Token: SeDebugPrivilege	2264	a6214196.exe
Token: SeDebugPrivilege	656	b6721890.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exev6577499.exev3411629.exe

description	pid	process	target process
PID 1436 wrote to memory of 1148	1436	16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe	v6577499.exe
PID 1436 wrote to memory of 1148	1436	16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe	v6577499.exe
PID 1436 wrote to memory of 1148	1436	16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe	v6577499.exe
PID 1148 wrote to memory of 1564	1148	v6577499.exe	v3411629.exe
PID 1148 wrote to memory of 1564	1148	v6577499.exe	v3411629.exe
PID 1148 wrote to memory of 1564	1148	v6577499.exe	v3411629.exe
PID 1564 wrote to memory of 2264	1564	v3411629.exe	a6214196.exe
PID 1564 wrote to memory of 2264	1564	v3411629.exe	a6214196.exe
PID 1564 wrote to memory of 656	1564	v3411629.exe	b6721890.exe
PID 1564 wrote to memory of 656	1564	v3411629.exe	b6721890.exe
PID 1564 wrote to memory of 656	1564	v3411629.exe	b6721890.exe

C:\Users\Admin\AppData\Local\Temp\16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe
"C:\Users\Admin\AppData\Local\Temp\16dfead29562dac483625a09f7b9396b8d1606473a412f2695379bbe027d7fff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6577499.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6577499.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3411629.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3411629.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6214196.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6214196.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6721890.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6721890.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6577499.exe

Filesize
377KB

MD5
45c4b770f418e80871ea2881054b95fd

SHA1
d4edc4f40fda9a5677b31d4c5a86ed743a628a39

SHA256
7bf04842958a10cfa6fb42c3a4e34ed14a0a509298b4b6412ff064709345daaf

SHA512
712887810acb07e69d526bf30aad6ba08db64e42df0a19bc5f70700b1e5be0feef8cf65b47a0d031bf60f9f1632855a52b674406145d41e77629d2cc45026b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6577499.exe

Filesize
377KB

MD5
45c4b770f418e80871ea2881054b95fd

SHA1
d4edc4f40fda9a5677b31d4c5a86ed743a628a39

SHA256
7bf04842958a10cfa6fb42c3a4e34ed14a0a509298b4b6412ff064709345daaf

SHA512
712887810acb07e69d526bf30aad6ba08db64e42df0a19bc5f70700b1e5be0feef8cf65b47a0d031bf60f9f1632855a52b674406145d41e77629d2cc45026b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3411629.exe

Filesize
206KB

MD5
09531d996f2783ef5a1a7d240953328e

SHA1
df73e848492f6b9194aa15830704619179a98a5e

SHA256
6319e32fcd47c885def22d89737af2f3598bf7cab820b6f8d8959155b7f2efa3

SHA512
4298eb3f130689b839ac32d5fd63e3df4bb0a2297e32184bb9b115fb110e5fbb6641d027b43769f182befb2af19d59b62f7c6a3b53a3b7be61a4928ec659be1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3411629.exe

Filesize
206KB

MD5
09531d996f2783ef5a1a7d240953328e

SHA1
df73e848492f6b9194aa15830704619179a98a5e

SHA256
6319e32fcd47c885def22d89737af2f3598bf7cab820b6f8d8959155b7f2efa3

SHA512
4298eb3f130689b839ac32d5fd63e3df4bb0a2297e32184bb9b115fb110e5fbb6641d027b43769f182befb2af19d59b62f7c6a3b53a3b7be61a4928ec659be1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6214196.exe

Filesize
11KB

MD5
ed1ba6d74bf7642668f8b1d978b28b89

SHA1
dd5baac07a8b671ab0f4c9d2e1b12faf8af6802d

SHA256
d7f85a984a1ced01655ee44317983a7be977de2d9ad1da5de2a865f62d605f8d

SHA512
104469cb324f00de67a65e51102d36e139d13f81936a6f93afb52d2a77436934adaf27b97f7035c7a5eb529d146edc5bf916131d25193ad844ede8ea2d201e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6214196.exe

Filesize
11KB

MD5
ed1ba6d74bf7642668f8b1d978b28b89

SHA1
dd5baac07a8b671ab0f4c9d2e1b12faf8af6802d

SHA256
d7f85a984a1ced01655ee44317983a7be977de2d9ad1da5de2a865f62d605f8d

SHA512
104469cb324f00de67a65e51102d36e139d13f81936a6f93afb52d2a77436934adaf27b97f7035c7a5eb529d146edc5bf916131d25193ad844ede8ea2d201e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6721890.exe

Filesize
172KB

MD5
ad5cb18c71d87eb4a00007213c2be448

SHA1
d6eec547b13435bdad277b290ea37fbd0e0f0f62

SHA256
688e7b5879ff750506b1309b5ec60370a8a614450ccac747acd54217ffe13cc2

SHA512
435bbcd014bfaee1cdb64dbe2fb311dd27bb8745ff4d5b23c0fa37a23dcf8edca9547085110d48932c916dfec1b2a04c1ca7025f3bd4f3c1e03abcbec6fa1007

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6721890.exe

Filesize
172KB

MD5
ad5cb18c71d87eb4a00007213c2be448

SHA1
d6eec547b13435bdad277b290ea37fbd0e0f0f62

SHA256
688e7b5879ff750506b1309b5ec60370a8a614450ccac747acd54217ffe13cc2

SHA512
435bbcd014bfaee1cdb64dbe2fb311dd27bb8745ff4d5b23c0fa37a23dcf8edca9547085110d48932c916dfec1b2a04c1ca7025f3bd4f3c1e03abcbec6fa1007

Download Submit
memory/656-160-0x000000000A430000-0x000000000AA48000-memory.dmp

Filesize
6.1MB

Download
memory/656-165-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/656-172-0x000000000C140000-0x000000000C66C000-memory.dmp

Filesize
5.2MB

Download
memory/656-161-0x0000000009FB0000-0x000000000A0BA000-memory.dmp

Filesize
1.0MB

Download
memory/656-162-0x0000000009EF0000-0x0000000009F02000-memory.dmp

Filesize
72KB

Download
memory/656-163-0x0000000009F50000-0x0000000009F8C000-memory.dmp

Filesize
240KB

Download
memory/656-164-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/656-159-0x0000000000030000-0x0000000000060000-memory.dmp

Filesize
192KB

Download
memory/656-166-0x000000000AC20000-0x000000000AC96000-memory.dmp

Filesize
472KB

Download
memory/656-167-0x000000000AD40000-0x000000000ADD2000-memory.dmp

Filesize
584KB

Download
memory/656-168-0x000000000ACA0000-0x000000000AD06000-memory.dmp

Filesize
408KB

Download
memory/656-169-0x000000000B490000-0x000000000BA34000-memory.dmp

Filesize
5.6MB

Download
memory/656-170-0x000000000AFB0000-0x000000000B000000-memory.dmp

Filesize
320KB

Download
memory/656-171-0x000000000BA40000-0x000000000BC02000-memory.dmp

Filesize
1.8MB

Download
memory/2264-154-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads