redline | 16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41

General

Target

16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe
Size

581KB
MD5

eb6b535f119cdf35f5ee1583380562ff
SHA1

95a3a109a1e0877eb6f88fb5bb26e3079b4337b9
SHA256

16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41
SHA512

abeb648c1dbd3e25ad390ed0add30664c5b4e3aba857b3ba69a931c39ffe57ba21aad542af3982e41806d481c01fd6490b102d6bcd0be2c67728d8628f8cc878
SSDEEP

12288:SMrBy90K67peJGVjSrCZ8bfqrZTrdpaIq3SByjkTB0h0:zy/WeJECSrBriLSBygl20

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a6387054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6387054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6387054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6387054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6387054.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6387054.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v7145587.exev7660956.exea6387054.exeb9240864.exe

pid process

4120 v7145587.exe
4116 v7660956.exe
5040 a6387054.exe
1624 b9240864.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a6387054.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6387054.exe

pid	process
4120	v7145587.exe
4116	v7660956.exe
5040	a6387054.exe
1624	b9240864.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6387054.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7660956.exe16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exev7145587.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7660956.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7660956.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7145587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7145587.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

a6387054.exeb9240864.exe

pid	process
5040	a6387054.exe
5040	a6387054.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe
1624	b9240864.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6387054.exeb9240864.exe

description pid process

Token: SeDebugPrivilege 5040 a6387054.exe
Token: SeDebugPrivilege 1624 b9240864.exe

description	pid	process
Token: SeDebugPrivilege	5040	a6387054.exe
Token: SeDebugPrivilege	1624	b9240864.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exev7145587.exev7660956.exe

description	pid	process	target process
PID 3192 wrote to memory of 4120	3192	16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe	v7145587.exe
PID 3192 wrote to memory of 4120	3192	16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe	v7145587.exe
PID 3192 wrote to memory of 4120	3192	16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe	v7145587.exe
PID 4120 wrote to memory of 4116	4120	v7145587.exe	v7660956.exe
PID 4120 wrote to memory of 4116	4120	v7145587.exe	v7660956.exe
PID 4120 wrote to memory of 4116	4120	v7145587.exe	v7660956.exe
PID 4116 wrote to memory of 5040	4116	v7660956.exe	a6387054.exe
PID 4116 wrote to memory of 5040	4116	v7660956.exe	a6387054.exe
PID 4116 wrote to memory of 1624	4116	v7660956.exe	b9240864.exe
PID 4116 wrote to memory of 1624	4116	v7660956.exe	b9240864.exe
PID 4116 wrote to memory of 1624	4116	v7660956.exe	b9240864.exe

C:\Users\Admin\AppData\Local\Temp\16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe
"C:\Users\Admin\AppData\Local\Temp\16c2dc9769e16e29878d5bbcf899987b4ddbbd0ec0a3482fa071dcbabc5e4c41.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7145587.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7145587.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7660956.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7660956.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6387054.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6387054.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9240864.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9240864.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7145587.exe

Filesize
377KB

MD5
9ac8482d4e5a9fd728d58c9f607527bf

SHA1
05aa9a1aaa98906b6a77d3c2d9798e6cdcbc8872

SHA256
8f97f918e4f443929931d069c2b524ace152c9dde7339be592e08f5cc24f256a

SHA512
201722f2949f380324be23dc2646d0da61099237eccb830bdbc60fe6d366d3784e96291b7c52d5a904e403d1bb58b6b6b69701db912955378443efc841b482f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7145587.exe

Filesize
377KB

MD5
9ac8482d4e5a9fd728d58c9f607527bf

SHA1
05aa9a1aaa98906b6a77d3c2d9798e6cdcbc8872

SHA256
8f97f918e4f443929931d069c2b524ace152c9dde7339be592e08f5cc24f256a

SHA512
201722f2949f380324be23dc2646d0da61099237eccb830bdbc60fe6d366d3784e96291b7c52d5a904e403d1bb58b6b6b69701db912955378443efc841b482f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7660956.exe

Filesize
206KB

MD5
112677ede98a26860d14a9eb369c8fa4

SHA1
f5a6b591b06a5da8badee8570a4c0c4a3fb4e9d9

SHA256
6b783ce6b0738b9fc64015bdcbe5953800057382db251e570b9cc36c393c5672

SHA512
731fcabc6b18cab062985e11e5027d1355f66ff95b25382fcd9311c3f3c3e5f1374d84d6400221cbfaeec9f1f8e45f8f1090c11a3e16f355a7c3ee414aab20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7660956.exe

Filesize
206KB

MD5
112677ede98a26860d14a9eb369c8fa4

SHA1
f5a6b591b06a5da8badee8570a4c0c4a3fb4e9d9

SHA256
6b783ce6b0738b9fc64015bdcbe5953800057382db251e570b9cc36c393c5672

SHA512
731fcabc6b18cab062985e11e5027d1355f66ff95b25382fcd9311c3f3c3e5f1374d84d6400221cbfaeec9f1f8e45f8f1090c11a3e16f355a7c3ee414aab20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6387054.exe

Filesize
11KB

MD5
a602bd44739b3b900f9884bdee981e3e

SHA1
b9e4d73d2a498a8e9351655ddc69cf0e6e390bd9

SHA256
e80799311992b7f915a783ef98dc8e16ad5641ac45318b9bf6eed1bb447164f9

SHA512
1f7e4e102fa99a7ad7c5725d9d642ea5a4fabcc0bd13bdef40b6dc25501c6403a0208c163afe037b74ecc7140ead984388e7d1f4bb24a475fcb8e7e31a61ee6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6387054.exe

Filesize
11KB

MD5
a602bd44739b3b900f9884bdee981e3e

SHA1
b9e4d73d2a498a8e9351655ddc69cf0e6e390bd9

SHA256
e80799311992b7f915a783ef98dc8e16ad5641ac45318b9bf6eed1bb447164f9

SHA512
1f7e4e102fa99a7ad7c5725d9d642ea5a4fabcc0bd13bdef40b6dc25501c6403a0208c163afe037b74ecc7140ead984388e7d1f4bb24a475fcb8e7e31a61ee6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9240864.exe

Filesize
172KB

MD5
f5d5c784995b59cf20195413479b578c

SHA1
888452629eb77e7e14716c0e00b835c2bfa2aea0

SHA256
0604977f35ca18d3196b713df06bc0452f111105eb79e26c9c1a5156cb93d924

SHA512
1d1cec840e6ca25ee657092ad45ed97520e1def4169e26c5fc15d4e3b2b42987a58345217d257879cc12b835eb9fb857e5125411e97e2fd61a2abb07eab6cf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9240864.exe

Filesize
172KB

MD5
f5d5c784995b59cf20195413479b578c

SHA1
888452629eb77e7e14716c0e00b835c2bfa2aea0

SHA256
0604977f35ca18d3196b713df06bc0452f111105eb79e26c9c1a5156cb93d924

SHA512
1d1cec840e6ca25ee657092ad45ed97520e1def4169e26c5fc15d4e3b2b42987a58345217d257879cc12b835eb9fb857e5125411e97e2fd61a2abb07eab6cf6a

Download Submit
memory/1624-153-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/1624-150-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/1624-145-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download
memory/1624-146-0x0000000005B90000-0x0000000006196000-memory.dmp

Filesize
6.0MB

Download
memory/1624-147-0x0000000005690000-0x000000000579A000-memory.dmp

Filesize
1.0MB

Download
memory/1624-148-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/1624-149-0x00000000054D0000-0x000000000550E000-memory.dmp

Filesize
248KB

Download
memory/1624-144-0x0000000000BA0000-0x0000000000BD0000-memory.dmp

Filesize
192KB

Download
memory/1624-151-0x0000000005510000-0x000000000555B000-memory.dmp

Filesize
300KB

Download
memory/1624-152-0x0000000005830000-0x00000000058A6000-memory.dmp

Filesize
472KB

Download
memory/1624-158-0x0000000008900000-0x0000000008E2C000-memory.dmp

Filesize
5.2MB

Download
memory/1624-154-0x0000000006BB0000-0x00000000070AE000-memory.dmp

Filesize
5.0MB

Download
memory/1624-155-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/1624-156-0x0000000006520000-0x0000000006570000-memory.dmp

Filesize
320KB

Download
memory/1624-157-0x0000000006980000-0x0000000006B42000-memory.dmp

Filesize
1.8MB

Download
memory/5040-139-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads