redline | 6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f

General

Target

6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe
Size

581KB
MD5

442172682178483617394a4f808d68fd
SHA1

92e579b14e8bbec962ea54e19d9c8066a755a1c1
SHA256

6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f
SHA512

9d61eab110523f7838ca67f30c2f553a5072a932f2d88788bf64748254d727b01ed98f9e007de2b95b985d1faa97f2cb9a1d79738096db5444a4b10aa2a0ff48
SSDEEP

12288:9MrLy90cEMduDZ7EdBjI+7bmVb2OGhaob7U0iR:+yhMZSHmV6OKacU

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0694660.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0694660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0694660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0694660.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0694660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0694660.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0694660.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v7946730.exev0621795.exea0694660.exeb1321054.exe

pid process

4232 v7946730.exe
3636 v0621795.exe
4880 a0694660.exe
4792 b1321054.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0694660.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0694660.exe

pid	process
4232	v7946730.exe
3636	v0621795.exe
4880	a0694660.exe
4792	b1321054.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0694660.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exev7946730.exev0621795.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7946730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7946730.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0621795.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0621795.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

a0694660.exeb1321054.exe

pid	process
4880	a0694660.exe
4880	a0694660.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe
4792	b1321054.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a0694660.exeb1321054.exe

description pid process

Token: SeDebugPrivilege 4880 a0694660.exe
Token: SeDebugPrivilege 4792 b1321054.exe

description	pid	process
Token: SeDebugPrivilege	4880	a0694660.exe
Token: SeDebugPrivilege	4792	b1321054.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exev7946730.exev0621795.exe

description	pid	process	target process
PID 2960 wrote to memory of 4232	2960	6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe	v7946730.exe
PID 2960 wrote to memory of 4232	2960	6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe	v7946730.exe
PID 2960 wrote to memory of 4232	2960	6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe	v7946730.exe
PID 4232 wrote to memory of 3636	4232	v7946730.exe	v0621795.exe
PID 4232 wrote to memory of 3636	4232	v7946730.exe	v0621795.exe
PID 4232 wrote to memory of 3636	4232	v7946730.exe	v0621795.exe
PID 3636 wrote to memory of 4880	3636	v0621795.exe	a0694660.exe
PID 3636 wrote to memory of 4880	3636	v0621795.exe	a0694660.exe
PID 3636 wrote to memory of 4792	3636	v0621795.exe	b1321054.exe
PID 3636 wrote to memory of 4792	3636	v0621795.exe	b1321054.exe
PID 3636 wrote to memory of 4792	3636	v0621795.exe	b1321054.exe

C:\Users\Admin\AppData\Local\Temp\6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe
"C:\Users\Admin\AppData\Local\Temp\6830e3b51297c44b91df684d33288c400c9ebd437119e6f87691393ccce0e06f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946730.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946730.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0621795.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0621795.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0694660.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0694660.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1321054.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1321054.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946730.exe
Filesize
377KB

MD5
6a03092f67d89889b468ed598f2cf14c

SHA1
bd7d0263d2c1e0f59d436e0fc082cd73fbe29634

SHA256
618be4ea36a0c7d811966d52572b1ee364f4754c5d652d0512daefa91f1491c3

SHA512
312bb3d5c531b262ca3c11b27fb73a926f69f3ec3ae44dec94e50c24e6c9a0bb5a40fdb467c49118ef9dcafdb9f047c92361b1e469079cb54fe9064487735656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7946730.exe
Filesize
377KB

MD5
6a03092f67d89889b468ed598f2cf14c

SHA1
bd7d0263d2c1e0f59d436e0fc082cd73fbe29634

SHA256
618be4ea36a0c7d811966d52572b1ee364f4754c5d652d0512daefa91f1491c3

SHA512
312bb3d5c531b262ca3c11b27fb73a926f69f3ec3ae44dec94e50c24e6c9a0bb5a40fdb467c49118ef9dcafdb9f047c92361b1e469079cb54fe9064487735656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0621795.exe
Filesize
206KB

MD5
c81b90044b68a43096d2cd48e4a78640

SHA1
4f2509039e00c02ec005a0335fbfa87deca5330d

SHA256
1e443af1763ce40b6289adc3d0127fe3ada5c92651bcfddec9e93944f75dba95

SHA512
a0b2fcf5450bc743b1ca65670b0e3f38b8def521da5cf303024621a975904f462afd5dae9a3120354afb0f6c71b4ba13a86aa374f9d22691f72864f6b3c7c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0621795.exe
Filesize
206KB

MD5
c81b90044b68a43096d2cd48e4a78640

SHA1
4f2509039e00c02ec005a0335fbfa87deca5330d

SHA256
1e443af1763ce40b6289adc3d0127fe3ada5c92651bcfddec9e93944f75dba95

SHA512
a0b2fcf5450bc743b1ca65670b0e3f38b8def521da5cf303024621a975904f462afd5dae9a3120354afb0f6c71b4ba13a86aa374f9d22691f72864f6b3c7c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0694660.exe
Filesize
11KB

MD5
47d5c86e75767f13480f9baf67b522d4

SHA1
073fcc4f1ebedd251981c2d2f9643984701fb186

SHA256
105235b53041f057a0304f1b4f4973ce8259b289e47bd6e727cd2580b10ca7c2

SHA512
7f74a1387eaa283cd8c85e68a2e49f422da5a350b5bb74eff1339912071e05a280b648a3431948aac6534c686f1f8ea1b07913c4ebdb697484f35b2d7fbf5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0694660.exe
Filesize
11KB

MD5
47d5c86e75767f13480f9baf67b522d4

SHA1
073fcc4f1ebedd251981c2d2f9643984701fb186

SHA256
105235b53041f057a0304f1b4f4973ce8259b289e47bd6e727cd2580b10ca7c2

SHA512
7f74a1387eaa283cd8c85e68a2e49f422da5a350b5bb74eff1339912071e05a280b648a3431948aac6534c686f1f8ea1b07913c4ebdb697484f35b2d7fbf5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1321054.exe
Filesize
172KB

MD5
fd820af17e638a2f7d06b18db7d40ea1

SHA1
c3c01b0d2fca282378b83a045ea1d8c0739ff14b

SHA256
dd7415826127d215893561411ccd6a17ce0e6390e5af838a740a9aa2f550236f

SHA512
77a510c61285173f0a051fa0a6419bf3c8b8475e9d443930f3666697a5362a8df29f4aabdfc48614fa667e0116fe85a89a9d8422db49da5465424aa46711355e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1321054.exe
Filesize
172KB

MD5
fd820af17e638a2f7d06b18db7d40ea1

SHA1
c3c01b0d2fca282378b83a045ea1d8c0739ff14b

SHA256
dd7415826127d215893561411ccd6a17ce0e6390e5af838a740a9aa2f550236f

SHA512
77a510c61285173f0a051fa0a6419bf3c8b8475e9d443930f3666697a5362a8df29f4aabdfc48614fa667e0116fe85a89a9d8422db49da5465424aa46711355e

Download Submit
memory/4792-160-0x000000000A4D0000-0x000000000AAE8000-memory.dmp

Filesize
6.1MB

Download
memory/4792-165-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4792-172-0x000000000B9F0000-0x000000000BA40000-memory.dmp

Filesize
320KB

Download
memory/4792-161-0x000000000A030000-0x000000000A13A000-memory.dmp

Filesize
1.0MB

Download
memory/4792-162-0x0000000009F70000-0x0000000009F82000-memory.dmp

Filesize
72KB

Download
memory/4792-163-0x0000000009FD0000-0x000000000A00C000-memory.dmp

Filesize
240KB

Download
memory/4792-164-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4792-159-0x00000000000B0000-0x00000000000E0000-memory.dmp

Filesize
192KB

Download
memory/4792-166-0x000000000A350000-0x000000000A3C6000-memory.dmp

Filesize
472KB

Download
memory/4792-167-0x000000000A3D0000-0x000000000A462000-memory.dmp

Filesize
584KB

Download
memory/4792-168-0x000000000B0A0000-0x000000000B644000-memory.dmp

Filesize
5.6MB

Download
memory/4792-169-0x000000000ABF0000-0x000000000AC56000-memory.dmp

Filesize
408KB

Download
memory/4792-170-0x000000000B820000-0x000000000B9E2000-memory.dmp

Filesize
1.8MB

Download
memory/4792-171-0x000000000BF20000-0x000000000C44C000-memory.dmp

Filesize
5.2MB

Download
memory/4880-154-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads