redline | e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625

General

Target

e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe
Size

581KB
MD5

c0c6db4cc30282a43029ae848d3bd058
SHA1

e9f8d680b5311801cf9159858973c8ae57075908
SHA256

e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625
SHA512

d3e6e7915bef6a2e9a2b92243d5fa58de3461c3d73331c65ef3916bd3b96e7c5597d276d6875193c3269a62538fc0d096e59ca61b81773da470e08faa60a9115
SSDEEP

12288:GMrry90aSJYSD0ie/Jk7TxkrDbjpkN50U6AuUwyjHq:tyJM0x/JwuTjp650U6VnyG

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3544428.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3544428.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3544428.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3544428.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3544428.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3544428.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3544428.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v7888913.exev0452602.exea3544428.exeb5272416.exe

pid process

3332 v7888913.exe
1104 v0452602.exe
2976 a3544428.exe
2416 b5272416.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3544428.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3544428.exe

pid	process
3332	v7888913.exe
1104	v0452602.exe
2976	a3544428.exe
2416	b5272416.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3544428.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7888913.exev0452602.exee1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7888913.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0452602.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0452602.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7888913.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a3544428.exeb5272416.exe

pid	process
2976	a3544428.exe
2976	a3544428.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe
2416	b5272416.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a3544428.exeb5272416.exe

description pid process

Token: SeDebugPrivilege 2976 a3544428.exe
Token: SeDebugPrivilege 2416 b5272416.exe

description	pid	process
Token: SeDebugPrivilege	2976	a3544428.exe
Token: SeDebugPrivilege	2416	b5272416.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exev7888913.exev0452602.exe

description	pid	process	target process
PID 432 wrote to memory of 3332	432	e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe	v7888913.exe
PID 432 wrote to memory of 3332	432	e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe	v7888913.exe
PID 432 wrote to memory of 3332	432	e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe	v7888913.exe
PID 3332 wrote to memory of 1104	3332	v7888913.exe	v0452602.exe
PID 3332 wrote to memory of 1104	3332	v7888913.exe	v0452602.exe
PID 3332 wrote to memory of 1104	3332	v7888913.exe	v0452602.exe
PID 1104 wrote to memory of 2976	1104	v0452602.exe	a3544428.exe
PID 1104 wrote to memory of 2976	1104	v0452602.exe	a3544428.exe
PID 1104 wrote to memory of 2416	1104	v0452602.exe	b5272416.exe
PID 1104 wrote to memory of 2416	1104	v0452602.exe	b5272416.exe
PID 1104 wrote to memory of 2416	1104	v0452602.exe	b5272416.exe

C:\Users\Admin\AppData\Local\Temp\e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe
"C:\Users\Admin\AppData\Local\Temp\e1ada95fd06785b65423ca19b460187844dac1118f4f44a9968bfd701530d625.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7888913.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7888913.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0452602.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0452602.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3544428.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3544428.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5272416.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5272416.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7888913.exe
Filesize
377KB

MD5
6d6abfa46ebc6217a031828d19685a60

SHA1
c63b291119802d8856768dc5e81878d0005e8dc8

SHA256
80066c7433855e52eff85840efe5e3cdf7f9af2dda371cade0c49dd528ceef63

SHA512
ebf2d2f4fc68339d22cec23620f3e2c5571628add7b9f589e1457d663ef28f0c07163695845a49773dc7ea0ac4c7a26a1dd7f2b32f0cb3e7eee363565f3ff0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7888913.exe
Filesize
377KB

MD5
6d6abfa46ebc6217a031828d19685a60

SHA1
c63b291119802d8856768dc5e81878d0005e8dc8

SHA256
80066c7433855e52eff85840efe5e3cdf7f9af2dda371cade0c49dd528ceef63

SHA512
ebf2d2f4fc68339d22cec23620f3e2c5571628add7b9f589e1457d663ef28f0c07163695845a49773dc7ea0ac4c7a26a1dd7f2b32f0cb3e7eee363565f3ff0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0452602.exe
Filesize
206KB

MD5
64de85f15db6c1e801c8c5f3d248b134

SHA1
1f2df228af20c1ce8f89082f0da6325451665886

SHA256
c2180903b0b4fe9b3d6aacd3cca2b4c307e42771abb1c272c9f5775fa37394ee

SHA512
2a440775cf2fb93ef56a10eafd9c4b4b392de91c3c1877b5913721344022f8bb3ee13867e08653381f33ed5cbc36f3730389a0bce93e70a7c4016a13c705aa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0452602.exe
Filesize
206KB

MD5
64de85f15db6c1e801c8c5f3d248b134

SHA1
1f2df228af20c1ce8f89082f0da6325451665886

SHA256
c2180903b0b4fe9b3d6aacd3cca2b4c307e42771abb1c272c9f5775fa37394ee

SHA512
2a440775cf2fb93ef56a10eafd9c4b4b392de91c3c1877b5913721344022f8bb3ee13867e08653381f33ed5cbc36f3730389a0bce93e70a7c4016a13c705aa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3544428.exe
Filesize
11KB

MD5
8b6ba4a9bce622ab6c2382f237094790

SHA1
5aa259129e10b8aebcc3901f358d7691a9c7b489

SHA256
5f45ef1c639aa7a86920811f451d3dfd28dda4072095a33f45211a948697f863

SHA512
24323f4e99ce982f339585ee3fd38557d17d75082e73db51b98cc07e65486c0a25e917282147123c7f65c5ec472fd4a42fffc7a47c5e6017880635d112bdd7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3544428.exe
Filesize
11KB

MD5
8b6ba4a9bce622ab6c2382f237094790

SHA1
5aa259129e10b8aebcc3901f358d7691a9c7b489

SHA256
5f45ef1c639aa7a86920811f451d3dfd28dda4072095a33f45211a948697f863

SHA512
24323f4e99ce982f339585ee3fd38557d17d75082e73db51b98cc07e65486c0a25e917282147123c7f65c5ec472fd4a42fffc7a47c5e6017880635d112bdd7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5272416.exe
Filesize
172KB

MD5
6734338450034dc4aa747b8f426fc13a

SHA1
0929385fcd6b6701a1185770efc80fb4f4c9d59e

SHA256
278ac46a6193f05bf312dff7e9383479b33c49d0e20eb2bab5be75e699a44193

SHA512
d7d067702940b776415244ce5ee7692d0293cd3b0011993e5b568bc2260791c5cbcc6ff7b55d0bab35d3a741ee95170fab1d7fcf55fd9219aae9f740d12c111a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5272416.exe
Filesize
172KB

MD5
6734338450034dc4aa747b8f426fc13a

SHA1
0929385fcd6b6701a1185770efc80fb4f4c9d59e

SHA256
278ac46a6193f05bf312dff7e9383479b33c49d0e20eb2bab5be75e699a44193

SHA512
d7d067702940b776415244ce5ee7692d0293cd3b0011993e5b568bc2260791c5cbcc6ff7b55d0bab35d3a741ee95170fab1d7fcf55fd9219aae9f740d12c111a

Download Submit
memory/2416-160-0x000000000B040000-0x000000000B658000-memory.dmp

Filesize
6.1MB

Download
memory/2416-165-0x000000000AE00000-0x000000000AE76000-memory.dmp

Filesize
472KB

Download
memory/2416-172-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x000000000AB50000-0x000000000AC5A000-memory.dmp

Filesize
1.0MB

Download
memory/2416-162-0x000000000AA90000-0x000000000AAA2000-memory.dmp

Filesize
72KB

Download
memory/2416-163-0x000000000AAF0000-0x000000000AB2C000-memory.dmp

Filesize
240KB

Download
memory/2416-164-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/2416-159-0x0000000000BD0000-0x0000000000C00000-memory.dmp

Filesize
192KB

Download
memory/2416-166-0x000000000AF20000-0x000000000AFB2000-memory.dmp

Filesize
584KB

Download
memory/2416-167-0x000000000BC10000-0x000000000C1B4000-memory.dmp

Filesize
5.6MB

Download
memory/2416-168-0x000000000AFC0000-0x000000000B026000-memory.dmp

Filesize
408KB

Download
memory/2416-169-0x000000000C490000-0x000000000C652000-memory.dmp

Filesize
1.8MB

Download
memory/2416-170-0x000000000CB90000-0x000000000D0BC000-memory.dmp

Filesize
5.2MB

Download
memory/2416-171-0x000000000C300000-0x000000000C350000-memory.dmp

Filesize
320KB

Download
memory/2976-154-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads