redline | 1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981

General

Target

1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe
Size

581KB
MD5

7a82bf3ed8b6fe6e21c2198ee991b535
SHA1

94a6743420cd05e6cd67469f422e37af13d76b50
SHA256

1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981
SHA512

4fce6ac57b785a6a80d75196edb815e31a8446dfea70d2b39a390283146a7d1629926bf8623ca0e9a274b60a036644fc1543e4daf6c785068cb18f9e31f67ee7
SSDEEP

12288:QMrby90U9vqPduQszAAiUtfToDRzANshE0pMWT8JUhsiFE3EiC:byriduB9DVToDJA8OdJUhq8

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2900151.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2900151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2900151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2900151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2900151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2900151.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2900151.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v2894578.exev3652098.exea2900151.exeb8785544.exe

pid process

2812 v2894578.exe
1944 v3652098.exe
1808 a2900151.exe
1752 b8785544.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2900151.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2900151.exe

pid	process
2812	v2894578.exe
1944	v3652098.exe
1808	a2900151.exe
1752	b8785544.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2900151.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exev2894578.exev3652098.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2894578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2894578.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3652098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3652098.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

a2900151.exeb8785544.exe

pid	process
1808	a2900151.exe
1808	a2900151.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe
1752	b8785544.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2900151.exeb8785544.exe

description pid process

Token: SeDebugPrivilege 1808 a2900151.exe
Token: SeDebugPrivilege 1752 b8785544.exe

description	pid	process
Token: SeDebugPrivilege	1808	a2900151.exe
Token: SeDebugPrivilege	1752	b8785544.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exev2894578.exev3652098.exe

description	pid	process	target process
PID 392 wrote to memory of 2812	392	1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe	v2894578.exe
PID 392 wrote to memory of 2812	392	1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe	v2894578.exe
PID 392 wrote to memory of 2812	392	1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe	v2894578.exe
PID 2812 wrote to memory of 1944	2812	v2894578.exe	v3652098.exe
PID 2812 wrote to memory of 1944	2812	v2894578.exe	v3652098.exe
PID 2812 wrote to memory of 1944	2812	v2894578.exe	v3652098.exe
PID 1944 wrote to memory of 1808	1944	v3652098.exe	a2900151.exe
PID 1944 wrote to memory of 1808	1944	v3652098.exe	a2900151.exe
PID 1944 wrote to memory of 1752	1944	v3652098.exe	b8785544.exe
PID 1944 wrote to memory of 1752	1944	v3652098.exe	b8785544.exe
PID 1944 wrote to memory of 1752	1944	v3652098.exe	b8785544.exe

C:\Users\Admin\AppData\Local\Temp\1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe
"C:\Users\Admin\AppData\Local\Temp\1def82d880275e7396b16aa0bcaf58d19972741d854044f354f49321fbb06981.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2894578.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2894578.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3652098.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3652098.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2900151.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2900151.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8785544.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8785544.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2894578.exe
Filesize
378KB

MD5
41683b42667ac465ad3d67d35ab410f6

SHA1
eb0478259b31afad5a18de855cf050415d71abc6

SHA256
4ef38ede8c675489d8be47e665c16a613897b8563f619dcc529c9c1a5d8b494f

SHA512
69c9d88547769ab85327787e1c29b42d8539b18329aee5fb18f496528089ea90d59af529f6a5d8b050b77b9de64ec1d7ce46618fe3915a5dd0051c5172b2404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2894578.exe
Filesize
378KB

MD5
41683b42667ac465ad3d67d35ab410f6

SHA1
eb0478259b31afad5a18de855cf050415d71abc6

SHA256
4ef38ede8c675489d8be47e665c16a613897b8563f619dcc529c9c1a5d8b494f

SHA512
69c9d88547769ab85327787e1c29b42d8539b18329aee5fb18f496528089ea90d59af529f6a5d8b050b77b9de64ec1d7ce46618fe3915a5dd0051c5172b2404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3652098.exe
Filesize
206KB

MD5
c2cd4d2bcfe3f1c3972c4b7db8db04d0

SHA1
90c6e386048dcba5c4df5820d3ea8c4b9987c341

SHA256
e0e73c66a86cd43d6eba8515e62663acee702171bb48baf3f33ff51e4bfea38e

SHA512
9d956fc7b38726a3848c98e5167d8be23166d4a01ebf2ce95d8c34c134c87dcb1151832f3d5d0d36a449c0f8dc3d4f9a0654a8233c04c330aa090823a83408d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3652098.exe
Filesize
206KB

MD5
c2cd4d2bcfe3f1c3972c4b7db8db04d0

SHA1
90c6e386048dcba5c4df5820d3ea8c4b9987c341

SHA256
e0e73c66a86cd43d6eba8515e62663acee702171bb48baf3f33ff51e4bfea38e

SHA512
9d956fc7b38726a3848c98e5167d8be23166d4a01ebf2ce95d8c34c134c87dcb1151832f3d5d0d36a449c0f8dc3d4f9a0654a8233c04c330aa090823a83408d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2900151.exe
Filesize
11KB

MD5
1e5542be3ca32a24101f1dbe5c0c3f08

SHA1
076a3d1bbfdf610846fb8d05b4ed928a0a9796ec

SHA256
23679cf7090d3436a4ecd46edbdc6919a94c7d4c5e80463d667b42f6b304648e

SHA512
33b01a21e3d12216af21ccd9182851c4a8cf4a69dbc6aa89e294bce89686963161603f24cbe209a4a5175649406048f27e7e614a298554721af51126feb89f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2900151.exe
Filesize
11KB

MD5
1e5542be3ca32a24101f1dbe5c0c3f08

SHA1
076a3d1bbfdf610846fb8d05b4ed928a0a9796ec

SHA256
23679cf7090d3436a4ecd46edbdc6919a94c7d4c5e80463d667b42f6b304648e

SHA512
33b01a21e3d12216af21ccd9182851c4a8cf4a69dbc6aa89e294bce89686963161603f24cbe209a4a5175649406048f27e7e614a298554721af51126feb89f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8785544.exe
Filesize
172KB

MD5
98e56166a6c3c78445aa37b4db16a881

SHA1
c9b07f7c0e1db1e75a821a8a1f73d25ef57bd23d

SHA256
c57199c25b008ae2f7ec367586741f3d2806618e851832ffebf97ec79ee1afa6

SHA512
d1165913dc92a477ba16e6a7b9670a8662a6eb1241af59ee368977b738fda688d847e73b93ae74096eb9bf36f319c3fbb980b0afb424beec543b54e750b70ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8785544.exe
Filesize
172KB

MD5
98e56166a6c3c78445aa37b4db16a881

SHA1
c9b07f7c0e1db1e75a821a8a1f73d25ef57bd23d

SHA256
c57199c25b008ae2f7ec367586741f3d2806618e851832ffebf97ec79ee1afa6

SHA512
d1165913dc92a477ba16e6a7b9670a8662a6eb1241af59ee368977b738fda688d847e73b93ae74096eb9bf36f319c3fbb980b0afb424beec543b54e750b70ae1

Download Submit
memory/1752-160-0x000000000A870000-0x000000000AE88000-memory.dmp

Filesize
6.1MB

Download
memory/1752-165-0x000000000A550000-0x000000000A5C6000-memory.dmp

Filesize
472KB

Download
memory/1752-172-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1752-161-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/1752-162-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/1752-163-0x000000000A250000-0x000000000A28C000-memory.dmp

Filesize
240KB

Download
memory/1752-164-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1752-159-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/1752-166-0x000000000A670000-0x000000000A702000-memory.dmp

Filesize
584KB

Download
memory/1752-167-0x000000000A5D0000-0x000000000A636000-memory.dmp

Filesize
408KB

Download
memory/1752-168-0x000000000B740000-0x000000000BCE4000-memory.dmp

Filesize
5.6MB

Download
memory/1752-169-0x000000000BCF0000-0x000000000BEB2000-memory.dmp

Filesize
1.8MB

Download
memory/1752-170-0x000000000C3F0000-0x000000000C91C000-memory.dmp

Filesize
5.2MB

Download
memory/1752-171-0x000000000B480000-0x000000000B4D0000-memory.dmp

Filesize
320KB

Download
memory/1808-154-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads