redline | 85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043

General

Target

85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe
Size

580KB
MD5

1effb71bacb733e8a84ae6dd0494b62a
SHA1

5ee966b5a3d8b30b29de69acc230b8140ed31c33
SHA256

85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043
SHA512

0749f1f37a28699ff3cf75e823eefb5052b443fa29c5f07eaaae70fa748815ba0d1a0a44d5d97a769a07de34e796f9dd9bc244c70338f686ad8ad06879694f4b
SSDEEP

12288:AMrxy90+WR5SsLGtTQHG9csOVRjYjvJLe9zPYhA+bypx:hy8zwUHG6RkrOrYfbC

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1682547.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1682547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1682547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1682547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1682547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1682547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1682547.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6538932.exev2031434.exea1682547.exeb8703118.exe

pid process

2628 v6538932.exe
4832 v2031434.exe
4808 a1682547.exe
1728 b8703118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a1682547.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1682547.exe

pid	process
2628	v6538932.exe
4832	v2031434.exe
4808	a1682547.exe
1728	b8703118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1682547.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v6538932.exev2031434.exe85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6538932.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2031434.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2031434.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6538932.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

a1682547.exeb8703118.exe

pid	process
4808	a1682547.exe
4808	a1682547.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe
1728	b8703118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a1682547.exeb8703118.exe

description pid process

Token: SeDebugPrivilege 4808 a1682547.exe
Token: SeDebugPrivilege 1728 b8703118.exe

description	pid	process
Token: SeDebugPrivilege	4808	a1682547.exe
Token: SeDebugPrivilege	1728	b8703118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exev6538932.exev2031434.exe

description	pid	process	target process
PID 2312 wrote to memory of 2628	2312	85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe	v6538932.exe
PID 2312 wrote to memory of 2628	2312	85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe	v6538932.exe
PID 2312 wrote to memory of 2628	2312	85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe	v6538932.exe
PID 2628 wrote to memory of 4832	2628	v6538932.exe	v2031434.exe
PID 2628 wrote to memory of 4832	2628	v6538932.exe	v2031434.exe
PID 2628 wrote to memory of 4832	2628	v6538932.exe	v2031434.exe
PID 4832 wrote to memory of 4808	4832	v2031434.exe	a1682547.exe
PID 4832 wrote to memory of 4808	4832	v2031434.exe	a1682547.exe
PID 4832 wrote to memory of 1728	4832	v2031434.exe	b8703118.exe
PID 4832 wrote to memory of 1728	4832	v2031434.exe	b8703118.exe
PID 4832 wrote to memory of 1728	4832	v2031434.exe	b8703118.exe

C:\Users\Admin\AppData\Local\Temp\85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe
"C:\Users\Admin\AppData\Local\Temp\85a008e09de597dd77f65f1e4033877f335056b9a40d02c9ddfd7bcedbcc0043.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6538932.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6538932.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2031434.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2031434.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1682547.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1682547.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8703118.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8703118.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6538932.exe
Filesize
377KB

MD5
d56a12ab7639a80331cd8a84c0636cca

SHA1
1b0bf111d4a8174c7ed2345fceee0fc94cb35c6d

SHA256
e8852504a40ee8617b283bfc6d1e9e285abe57f5a6d03521d34903cef005cbde

SHA512
b56f9465225e89b24970c20b7de91d3229cb44b7fb82480e2580390f08f552e3bf28f51de426360de3b4594d82a1dc311013e8b439ba1498749adad5f50ce9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6538932.exe
Filesize
377KB

MD5
d56a12ab7639a80331cd8a84c0636cca

SHA1
1b0bf111d4a8174c7ed2345fceee0fc94cb35c6d

SHA256
e8852504a40ee8617b283bfc6d1e9e285abe57f5a6d03521d34903cef005cbde

SHA512
b56f9465225e89b24970c20b7de91d3229cb44b7fb82480e2580390f08f552e3bf28f51de426360de3b4594d82a1dc311013e8b439ba1498749adad5f50ce9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2031434.exe
Filesize
206KB

MD5
e233df12fb96c21de23255818224f3a6

SHA1
d89b43d4c9b18b4c751473069b3ee15535917094

SHA256
18940afad979b7fdd960910808eb52fc3a658531eb982b0c0b7a293ddc344038

SHA512
cc2ba32fe84effb9fe377a4954b9951e36d2e24ad4f9d91277585a494e17e8f5cbd2a10f8bdf148b29199ce16b32b52c2978fef26fa3533e8d656aae1f8768e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2031434.exe
Filesize
206KB

MD5
e233df12fb96c21de23255818224f3a6

SHA1
d89b43d4c9b18b4c751473069b3ee15535917094

SHA256
18940afad979b7fdd960910808eb52fc3a658531eb982b0c0b7a293ddc344038

SHA512
cc2ba32fe84effb9fe377a4954b9951e36d2e24ad4f9d91277585a494e17e8f5cbd2a10f8bdf148b29199ce16b32b52c2978fef26fa3533e8d656aae1f8768e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1682547.exe
Filesize
11KB

MD5
aaa3fc9114417153aab2b374046859be

SHA1
d5d79e66131e3db261c5e602bb7393b54c9cbb2c

SHA256
d44b79171014e84fe83d497132c84a0a4715d00b996776378f16fad3273290fd

SHA512
62425b90d040e90bfbc22cc26fad56923d5f5cdeb72efd9815590ad3649b5d4eac91d49767e83e195608bb9eca1bad9ae120ea6435f54d5cacdf893b4faf307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1682547.exe
Filesize
11KB

MD5
aaa3fc9114417153aab2b374046859be

SHA1
d5d79e66131e3db261c5e602bb7393b54c9cbb2c

SHA256
d44b79171014e84fe83d497132c84a0a4715d00b996776378f16fad3273290fd

SHA512
62425b90d040e90bfbc22cc26fad56923d5f5cdeb72efd9815590ad3649b5d4eac91d49767e83e195608bb9eca1bad9ae120ea6435f54d5cacdf893b4faf307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8703118.exe
Filesize
172KB

MD5
6c7095036311b676348dc2bb4ec33faf

SHA1
32b672b14a3a3ff9cd5aa1b29f245aad7aab5c34

SHA256
df8da36b80c00cf3fe9dd85a93b3435b004ddbcc527f68f9969b4cc54595b2f4

SHA512
83032b498f270581bf5de5365d74292916877ea1dcfe01c60b6b2a72a29e604377eb417fc4624195b9f527c168d8f049b1e881a1e0b08e34c9a3d5d53125d19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8703118.exe
Filesize
172KB

MD5
6c7095036311b676348dc2bb4ec33faf

SHA1
32b672b14a3a3ff9cd5aa1b29f245aad7aab5c34

SHA256
df8da36b80c00cf3fe9dd85a93b3435b004ddbcc527f68f9969b4cc54595b2f4

SHA512
83032b498f270581bf5de5365d74292916877ea1dcfe01c60b6b2a72a29e604377eb417fc4624195b9f527c168d8f049b1e881a1e0b08e34c9a3d5d53125d19d

Download Submit
memory/1728-160-0x000000000AC80000-0x000000000B298000-memory.dmp

Filesize
6.1MB

Download
memory/1728-165-0x000000000AA50000-0x000000000AAC6000-memory.dmp

Filesize
472KB

Download
memory/1728-172-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1728-161-0x000000000A7A0000-0x000000000A8AA000-memory.dmp

Filesize
1.0MB

Download
memory/1728-162-0x000000000A6E0000-0x000000000A6F2000-memory.dmp

Filesize
72KB

Download
memory/1728-163-0x000000000A740000-0x000000000A77C000-memory.dmp

Filesize
240KB

Download
memory/1728-164-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1728-159-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/1728-166-0x000000000AB70000-0x000000000AC02000-memory.dmp

Filesize
584KB

Download
memory/1728-167-0x000000000B850000-0x000000000BDF4000-memory.dmp

Filesize
5.6MB

Download
memory/1728-168-0x000000000AC10000-0x000000000AC76000-memory.dmp

Filesize
408KB

Download
memory/1728-169-0x000000000BFD0000-0x000000000C192000-memory.dmp

Filesize
1.8MB

Download
memory/1728-170-0x000000000C6D0000-0x000000000CBFC000-memory.dmp

Filesize
5.2MB

Download
memory/1728-171-0x000000000BF20000-0x000000000BF70000-memory.dmp

Filesize
320KB

Download
memory/4808-154-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads