redline | 4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70

General

Target

4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe
Size

581KB
MD5

e7f60019629fb8178a96593826879cde
SHA1

4fa1189d592ce6e44170f8d2441612000e94b1ab
SHA256

4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70
SHA512

93a0118b949a45e3092ffe057bd3818f4da4f105e29a6a4f46339f5e61a06eb920ebcd60e7537cccc9c7b17e48558cdf5ea43f33be1593adbd52eec4eccbfe69
SSDEEP

12288:vMr9y90OkdzgNylWmClS5XPjPwoO2l1Lv2y7TjqysYKiKMGSKIkg:Syzk0VS5UoOmT2kjqyvoSz5

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a9346956.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9346956.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9346956.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9346956.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9346956.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9346956.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9346956.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6873698.exev8502846.exea9346956.exeb5509823.exe

pid process

2476 v6873698.exe
4656 v8502846.exe
3396 a9346956.exe
1440 b5509823.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a9346956.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a9346956.exe

pid	process
2476	v6873698.exe
4656	v8502846.exe
3396	a9346956.exe
1440	b5509823.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9346956.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8502846.exe4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exev6873698.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8502846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8502846.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6873698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6873698.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

a9346956.exeb5509823.exe

pid	process
3396	a9346956.exe
3396	a9346956.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe
1440	b5509823.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a9346956.exeb5509823.exe

description pid process

Token: SeDebugPrivilege 3396 a9346956.exe
Token: SeDebugPrivilege 1440 b5509823.exe

description	pid	process
Token: SeDebugPrivilege	3396	a9346956.exe
Token: SeDebugPrivilege	1440	b5509823.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exev6873698.exev8502846.exe

description	pid	process	target process
PID 4960 wrote to memory of 2476	4960	4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe	v6873698.exe
PID 4960 wrote to memory of 2476	4960	4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe	v6873698.exe
PID 4960 wrote to memory of 2476	4960	4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe	v6873698.exe
PID 2476 wrote to memory of 4656	2476	v6873698.exe	v8502846.exe
PID 2476 wrote to memory of 4656	2476	v6873698.exe	v8502846.exe
PID 2476 wrote to memory of 4656	2476	v6873698.exe	v8502846.exe
PID 4656 wrote to memory of 3396	4656	v8502846.exe	a9346956.exe
PID 4656 wrote to memory of 3396	4656	v8502846.exe	a9346956.exe
PID 4656 wrote to memory of 1440	4656	v8502846.exe	b5509823.exe
PID 4656 wrote to memory of 1440	4656	v8502846.exe	b5509823.exe
PID 4656 wrote to memory of 1440	4656	v8502846.exe	b5509823.exe

C:\Users\Admin\AppData\Local\Temp\4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe
"C:\Users\Admin\AppData\Local\Temp\4f3100dccaa57120626e0a1e4892df02e9a122e6f9e5fea9e4ddfd9633529f70.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6873698.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6873698.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8502846.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8502846.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9346956.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9346956.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5509823.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5509823.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6873698.exe
Filesize
377KB

MD5
9b09a8d7edee3c139e780312608bd1f2

SHA1
9367a8b9dee18dfda8f9fdbd52f9b125b32c3c5f

SHA256
8df8631364752e5c8856d88d1b79ac092304229b01cdd20fa3a7144cbb044f68

SHA512
0346a99e016fb0f74232613b4772bdb9bef41c145e0fee8b22fd538e9a3aa5e0b8d05f9913236cc32c3b4ceaf650aadac926e425131f5f457e764b5059012190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6873698.exe
Filesize
377KB

MD5
9b09a8d7edee3c139e780312608bd1f2

SHA1
9367a8b9dee18dfda8f9fdbd52f9b125b32c3c5f

SHA256
8df8631364752e5c8856d88d1b79ac092304229b01cdd20fa3a7144cbb044f68

SHA512
0346a99e016fb0f74232613b4772bdb9bef41c145e0fee8b22fd538e9a3aa5e0b8d05f9913236cc32c3b4ceaf650aadac926e425131f5f457e764b5059012190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8502846.exe
Filesize
206KB

MD5
5c8d18ad724c6f54f1d00f932bd6bb4b

SHA1
672ec5a578077cc0d82622dab1000da94bcd0339

SHA256
c79da9556d2f0acddf26e570ce6929f5be50eca1f8a7fcc88b7fc7d6c7d6e991

SHA512
eff9646c330e7a1ea8aec11897d7d1f18bce01abc7e587fb07db5d7c479e932177b8509ed27b4740bbc02ec3c8a83c1196826c6ddf45c6853557beb5a157a873

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8502846.exe
Filesize
206KB

MD5
5c8d18ad724c6f54f1d00f932bd6bb4b

SHA1
672ec5a578077cc0d82622dab1000da94bcd0339

SHA256
c79da9556d2f0acddf26e570ce6929f5be50eca1f8a7fcc88b7fc7d6c7d6e991

SHA512
eff9646c330e7a1ea8aec11897d7d1f18bce01abc7e587fb07db5d7c479e932177b8509ed27b4740bbc02ec3c8a83c1196826c6ddf45c6853557beb5a157a873

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9346956.exe
Filesize
11KB

MD5
f30d06fd5f5aff12cf50f850bd7aeaf2

SHA1
048dd0d1f82fd02edd858d722f51255e7b6a93ac

SHA256
166fff7e2ac9ca6040feb8699ce165b0701046ce3f43be90d1a12e48c6434358

SHA512
1f692964f390b3735011b336ec061e432156a76cab0128988e7ec48afae03af09bf1e2a42ad84d9316cb773837505ef4250c80f2480e86b66a01e6b18853b37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9346956.exe
Filesize
11KB

MD5
f30d06fd5f5aff12cf50f850bd7aeaf2

SHA1
048dd0d1f82fd02edd858d722f51255e7b6a93ac

SHA256
166fff7e2ac9ca6040feb8699ce165b0701046ce3f43be90d1a12e48c6434358

SHA512
1f692964f390b3735011b336ec061e432156a76cab0128988e7ec48afae03af09bf1e2a42ad84d9316cb773837505ef4250c80f2480e86b66a01e6b18853b37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5509823.exe
Filesize
172KB

MD5
2e1cffd6718e2ec2beb29dfbd2879e8a

SHA1
8452ba311847cc91974a6bf6d53396606c9d889d

SHA256
8410bdd50da714399072c7a8ebbc5c2f82c33b2b95fa81a9adb0e6ee3e317b9a

SHA512
59164fe0bb99fba2086e1df1ceccedc97271fdd5060a3d30d8e3a9db08361b0da22708e150b07802f7c3da380490d5138100d63699c502a0e031fb1b273ae53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5509823.exe
Filesize
172KB

MD5
2e1cffd6718e2ec2beb29dfbd2879e8a

SHA1
8452ba311847cc91974a6bf6d53396606c9d889d

SHA256
8410bdd50da714399072c7a8ebbc5c2f82c33b2b95fa81a9adb0e6ee3e317b9a

SHA512
59164fe0bb99fba2086e1df1ceccedc97271fdd5060a3d30d8e3a9db08361b0da22708e150b07802f7c3da380490d5138100d63699c502a0e031fb1b273ae53a

Download Submit
memory/1440-160-0x000000000AB10000-0x000000000B128000-memory.dmp

Filesize
6.1MB

Download
memory/1440-165-0x000000000A860000-0x000000000A8D6000-memory.dmp

Filesize
472KB

Download
memory/1440-172-0x000000000B7C0000-0x000000000B810000-memory.dmp

Filesize
320KB

Download
memory/1440-161-0x000000000A600000-0x000000000A70A000-memory.dmp

Filesize
1.0MB

Download
memory/1440-162-0x000000000A4F0000-0x000000000A502000-memory.dmp

Filesize
72KB

Download
memory/1440-163-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1440-164-0x000000000A550000-0x000000000A58C000-memory.dmp

Filesize
240KB

Download
memory/1440-159-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/1440-166-0x000000000A980000-0x000000000AA12000-memory.dmp

Filesize
584KB

Download
memory/1440-167-0x000000000A8E0000-0x000000000A946000-memory.dmp

Filesize
408KB

Download
memory/1440-168-0x000000000BAE0000-0x000000000C084000-memory.dmp

Filesize
5.6MB

Download
memory/1440-169-0x000000000B860000-0x000000000BA22000-memory.dmp

Filesize
1.8MB

Download
memory/1440-170-0x000000000C5C0000-0x000000000CAEC000-memory.dmp

Filesize
5.2MB

Download
memory/1440-171-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/3396-154-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads