redline | 632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751

General

Target

632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe
Size

581KB
MD5

578446ac6d291de02ae9722211b9d923
SHA1

2e42c3d058f414f9c81e727556a3ae620b47c169
SHA256

632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751
SHA512

301a77c9591033381687fc5ed488f473fdc0fc79125783984e5398271219f19152738c078258a8c96faaa1c161c6211c2f3717bc1852cc74f3dfc0703f0c60a1
SSDEEP

12288:3Mrjy90Su+hTN5FcQ06RNTmZzknFr0HwIBsWK7eDpHbmIkp:gy5u+0QxRsa0nBsn7eap

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2944245.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2944245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2944245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2944245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2944245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2944245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2944245.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v9209461.exev3601145.exea2944245.exeb6894836.exe

pid process

840 v9209461.exe
1820 v3601145.exe
1640 a2944245.exe
1340 b6894836.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2944245.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2944245.exe

pid	process
840	v9209461.exe
1820	v3601145.exe
1640	a2944245.exe
1340	b6894836.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2944245.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v3601145.exe632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exev9209461.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3601145.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3601145.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9209461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9209461.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

a2944245.exeb6894836.exe

pid	process
1640	a2944245.exe
1640	a2944245.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe
1340	b6894836.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2944245.exeb6894836.exe

description pid process

Token: SeDebugPrivilege 1640 a2944245.exe
Token: SeDebugPrivilege 1340 b6894836.exe

description	pid	process
Token: SeDebugPrivilege	1640	a2944245.exe
Token: SeDebugPrivilege	1340	b6894836.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exev9209461.exev3601145.exe

description	pid	process	target process
PID 3428 wrote to memory of 840	3428	632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe	v9209461.exe
PID 3428 wrote to memory of 840	3428	632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe	v9209461.exe
PID 3428 wrote to memory of 840	3428	632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe	v9209461.exe
PID 840 wrote to memory of 1820	840	v9209461.exe	v3601145.exe
PID 840 wrote to memory of 1820	840	v9209461.exe	v3601145.exe
PID 840 wrote to memory of 1820	840	v9209461.exe	v3601145.exe
PID 1820 wrote to memory of 1640	1820	v3601145.exe	a2944245.exe
PID 1820 wrote to memory of 1640	1820	v3601145.exe	a2944245.exe
PID 1820 wrote to memory of 1340	1820	v3601145.exe	b6894836.exe
PID 1820 wrote to memory of 1340	1820	v3601145.exe	b6894836.exe
PID 1820 wrote to memory of 1340	1820	v3601145.exe	b6894836.exe

C:\Users\Admin\AppData\Local\Temp\632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe
"C:\Users\Admin\AppData\Local\Temp\632a3e893d53eaef3ffb221b125a75444df151d032ab7a55ce136490cdcfb751.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9209461.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9209461.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3601145.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3601145.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2944245.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2944245.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6894836.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6894836.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9209461.exe
Filesize
377KB

MD5
98f9b5aace6baecc90ce0720b201bd77

SHA1
714dc60b480b6949c2e508a9046745b1772b64e4

SHA256
a3a71ecd7122001d98128cccbd495ed8f4f9f83adb81d342fd49c741692adccd

SHA512
b3b9f0416fe9ff0e55c838d4379f0a283e86e18a3668789300a581144764a068f025b870855de875993fe74b33ac97456c960d971118980aa108b037b26ef5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9209461.exe
Filesize
377KB

MD5
98f9b5aace6baecc90ce0720b201bd77

SHA1
714dc60b480b6949c2e508a9046745b1772b64e4

SHA256
a3a71ecd7122001d98128cccbd495ed8f4f9f83adb81d342fd49c741692adccd

SHA512
b3b9f0416fe9ff0e55c838d4379f0a283e86e18a3668789300a581144764a068f025b870855de875993fe74b33ac97456c960d971118980aa108b037b26ef5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3601145.exe
Filesize
206KB

MD5
8b290379e9ee4337b1c707e8c6add648

SHA1
9123a08d4afa81f5c4643fa1aff6014787cf9e1d

SHA256
0b7fc976661323f56ccc8889995ea206aeb06e57dad68f52641bd3d1321b0db7

SHA512
8ddaa4600a2805382677bca1d8fa4fbcc0527b102d6d8a1cb7a4aea8b03405e22eea9b18e0f3fb91098f52a776f91ce0d6d02a8a64547b21b24ee7677d9e0a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3601145.exe
Filesize
206KB

MD5
8b290379e9ee4337b1c707e8c6add648

SHA1
9123a08d4afa81f5c4643fa1aff6014787cf9e1d

SHA256
0b7fc976661323f56ccc8889995ea206aeb06e57dad68f52641bd3d1321b0db7

SHA512
8ddaa4600a2805382677bca1d8fa4fbcc0527b102d6d8a1cb7a4aea8b03405e22eea9b18e0f3fb91098f52a776f91ce0d6d02a8a64547b21b24ee7677d9e0a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2944245.exe
Filesize
11KB

MD5
1f2f308ceb6eac6f2787c88a29c7a6e7

SHA1
e98a4380b20ed7cad619fe8c43efdd07cb081433

SHA256
bfcf083dddea44cb6fad10433d9adeef196df49e9ac2a765585833445b2ceafc

SHA512
47bab6b1319b43156ebc53a03c73a951fcfe9b1e655c7cd779ec12b8608f0349ac8f2c1f46faa68c3a028af4f5c03a2ef441a98c5abfbaa7ee9eeccc4b511f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2944245.exe
Filesize
11KB

MD5
1f2f308ceb6eac6f2787c88a29c7a6e7

SHA1
e98a4380b20ed7cad619fe8c43efdd07cb081433

SHA256
bfcf083dddea44cb6fad10433d9adeef196df49e9ac2a765585833445b2ceafc

SHA512
47bab6b1319b43156ebc53a03c73a951fcfe9b1e655c7cd779ec12b8608f0349ac8f2c1f46faa68c3a028af4f5c03a2ef441a98c5abfbaa7ee9eeccc4b511f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6894836.exe
Filesize
172KB

MD5
649006311ae69e0f80869d0134ed50a5

SHA1
46cc538def518486d38ac9485721b0f085c1ba43

SHA256
26b23e73b8cb3b5f546af1eae91a70654c69405e89739ddb7a720a95b772b87f

SHA512
7b5893df6f7e52920c019aac554ddbbfaba0af4af32713687ce9fbb11fd3d57511a3de3352cb8d45610c901e697e253b8c399cbe8f947263599e4ee9b45fc349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6894836.exe
Filesize
172KB

MD5
649006311ae69e0f80869d0134ed50a5

SHA1
46cc538def518486d38ac9485721b0f085c1ba43

SHA256
26b23e73b8cb3b5f546af1eae91a70654c69405e89739ddb7a720a95b772b87f

SHA512
7b5893df6f7e52920c019aac554ddbbfaba0af4af32713687ce9fbb11fd3d57511a3de3352cb8d45610c901e697e253b8c399cbe8f947263599e4ee9b45fc349

Download Submit
memory/1340-160-0x000000000B080000-0x000000000B698000-memory.dmp

Filesize
6.1MB

Download
memory/1340-165-0x000000000AE70000-0x000000000AEE6000-memory.dmp

Filesize
472KB

Download
memory/1340-172-0x000000000C340000-0x000000000C390000-memory.dmp

Filesize
320KB

Download
memory/1340-161-0x000000000ABC0000-0x000000000ACCA000-memory.dmp

Filesize
1.0MB

Download
memory/1340-162-0x000000000AB00000-0x000000000AB12000-memory.dmp

Filesize
72KB

Download
memory/1340-164-0x000000000AB60000-0x000000000AB9C000-memory.dmp

Filesize
240KB

Download
memory/1340-163-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/1340-159-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/1340-166-0x000000000AF90000-0x000000000B022000-memory.dmp

Filesize
584KB

Download
memory/1340-167-0x000000000BC50000-0x000000000C1F4000-memory.dmp

Filesize
5.6MB

Download
memory/1340-168-0x000000000B7A0000-0x000000000B806000-memory.dmp

Filesize
408KB

Download
memory/1340-169-0x000000000C4D0000-0x000000000C692000-memory.dmp

Filesize
1.8MB

Download
memory/1340-170-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/1340-171-0x000000000CBD0000-0x000000000D0FC000-memory.dmp

Filesize
5.2MB

Download
memory/1640-154-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads