redline | b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462

General

Target

b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Size

581KB
MD5

52848004ea4103154bb8e43e8a8114a0
SHA1

f0d7daacc37707f6c1c5af28bcb62eb9f5128341
SHA256

b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462
SHA512

d83a6c94aa4ea9fae2a875b50582e2c0633b1153349ff2ffe80f30ed1fd938aaeee8c993800b5020f0a31b8283bae3a7fd9ee41b5f84aed1bdc621d54455111d
SSDEEP

12288:6MrDy90W3w5pCyOqw1HVZSzmIfzRNvxiKl20kVrjvHwT:ByPmXw1H/SiIfzzvxiKl2vf/+

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5428548.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5428548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5428548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5428548.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8544755.exev7546864.exea5428548.exeb5824647.exe

pid process

1132 v8544755.exe
1708 v7546864.exe
668 a5428548.exe
3764 b5824647.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5428548.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5428548.exe

pid	process
1132	v8544755.exe
1708	v7546864.exe
668	a5428548.exe
3764	b5824647.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5428548.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8544755.exev7546864.exeb32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8544755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8544755.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7546864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7546864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

a5428548.exeb5824647.exe

pid	process
668	a5428548.exe
668	a5428548.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe
3764	b5824647.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5428548.exeb5824647.exe

description pid process

Token: SeDebugPrivilege 668 a5428548.exe
Token: SeDebugPrivilege 3764 b5824647.exe

description	pid	process
Token: SeDebugPrivilege	668	a5428548.exe
Token: SeDebugPrivilege	3764	b5824647.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exev8544755.exev7546864.exe

description	pid	process	target process
PID 1788 wrote to memory of 1132	1788	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe	v8544755.exe
PID 1788 wrote to memory of 1132	1788	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe	v8544755.exe
PID 1788 wrote to memory of 1132	1788	b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe	v8544755.exe
PID 1132 wrote to memory of 1708	1132	v8544755.exe	v7546864.exe
PID 1132 wrote to memory of 1708	1132	v8544755.exe	v7546864.exe
PID 1132 wrote to memory of 1708	1132	v8544755.exe	v7546864.exe
PID 1708 wrote to memory of 668	1708	v7546864.exe	a5428548.exe
PID 1708 wrote to memory of 668	1708	v7546864.exe	a5428548.exe
PID 1708 wrote to memory of 3764	1708	v7546864.exe	b5824647.exe
PID 1708 wrote to memory of 3764	1708	v7546864.exe	b5824647.exe
PID 1708 wrote to memory of 3764	1708	v7546864.exe	b5824647.exe

C:\Users\Admin\AppData\Local\Temp\b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe
"C:\Users\Admin\AppData\Local\Temp\b32961e850a340056f97ab33e084c51170fbb6f9a511f8d70b692179b7d35462.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe

Filesize
378KB

MD5
6929d888535a6927661c6f9e6c90b915

SHA1
3f153a9bb9ba372639aa974d14c12caeba30b78d

SHA256
c27b92f32e9788a91116f6d7adb2b0b8be60f7d285849c620486f149a5212fc6

SHA512
5f75dde0ef2f83cb1a736bee9d8f1f3d17efeb55e9b697f360ec5269da1188827bcaa7e07c5dcfd781386b4357b12df8ccf87d356414a85090a0318d60c3691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8544755.exe

Filesize
378KB

MD5
6929d888535a6927661c6f9e6c90b915

SHA1
3f153a9bb9ba372639aa974d14c12caeba30b78d

SHA256
c27b92f32e9788a91116f6d7adb2b0b8be60f7d285849c620486f149a5212fc6

SHA512
5f75dde0ef2f83cb1a736bee9d8f1f3d17efeb55e9b697f360ec5269da1188827bcaa7e07c5dcfd781386b4357b12df8ccf87d356414a85090a0318d60c3691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe

Filesize
206KB

MD5
95d0c37ead5df733dcc7889a61fc80b2

SHA1
44c3a7d92c81ccbcd35529557b3eaf706c19c562

SHA256
4689e12479f7c0cb41be73b6a148894361d737005a391ed02434ee6b3495fa53

SHA512
b8ed165175d29cbcb36526c1288ab27d8239bc386ec35f84c9ebdddaa6499b4bd3c324f58ecd73ea1dde8a0d2d847ef051fd64f0bf102ff645afa56f52dc4fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7546864.exe

Filesize
206KB

MD5
95d0c37ead5df733dcc7889a61fc80b2

SHA1
44c3a7d92c81ccbcd35529557b3eaf706c19c562

SHA256
4689e12479f7c0cb41be73b6a148894361d737005a391ed02434ee6b3495fa53

SHA512
b8ed165175d29cbcb36526c1288ab27d8239bc386ec35f84c9ebdddaa6499b4bd3c324f58ecd73ea1dde8a0d2d847ef051fd64f0bf102ff645afa56f52dc4fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe

Filesize
11KB

MD5
d40d25877fc2e532a92dec2f42cc746b

SHA1
a7bc67d783582d65825a6a3f9974f54e4a087ac0

SHA256
7ba065644bec11de641557876b2fa2f7cf2b905b5d5982b5af03b3dd5b070728

SHA512
0766974f5b7c2cf86d8b68daceb6bf5e0978d17d403caf682029eab87ace30d963e870fc9121022a2ebdbd2495a3dc3b2e5b96730b3d6adfe5a387198add5860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5428548.exe

Filesize
11KB

MD5
d40d25877fc2e532a92dec2f42cc746b

SHA1
a7bc67d783582d65825a6a3f9974f54e4a087ac0

SHA256
7ba065644bec11de641557876b2fa2f7cf2b905b5d5982b5af03b3dd5b070728

SHA512
0766974f5b7c2cf86d8b68daceb6bf5e0978d17d403caf682029eab87ace30d963e870fc9121022a2ebdbd2495a3dc3b2e5b96730b3d6adfe5a387198add5860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe

Filesize
172KB

MD5
67fa8ab50752b1087103560b2cd19f7f

SHA1
7949d594400cc3e61ec5a6dcc915ac1e5678fa0b

SHA256
cc43bcb4a58797e65ba198c1d01cd4a23fb1e106f9b3916d75b3c2bf9f83916b

SHA512
984d129f1ec41da7f5225085c1ce9a75333d6de0e1625bb0c9c634af80395d936d1a2d621c9fae2d9d5db8c38957e569d81b7e54ef7e3c7a5e7557d435dfe2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5824647.exe

Filesize
172KB

MD5
67fa8ab50752b1087103560b2cd19f7f

SHA1
7949d594400cc3e61ec5a6dcc915ac1e5678fa0b

SHA256
cc43bcb4a58797e65ba198c1d01cd4a23fb1e106f9b3916d75b3c2bf9f83916b

SHA512
984d129f1ec41da7f5225085c1ce9a75333d6de0e1625bb0c9c634af80395d936d1a2d621c9fae2d9d5db8c38957e569d81b7e54ef7e3c7a5e7557d435dfe2f0

Download Submit
memory/668-154-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/3764-160-0x000000000AD20000-0x000000000B338000-memory.dmp

Filesize
6.1MB

Download
memory/3764-166-0x000000000AC70000-0x000000000AD02000-memory.dmp

Filesize
584KB

Download
memory/3764-161-0x000000000A8A0000-0x000000000A9AA000-memory.dmp

Filesize
1.0MB

Download
memory/3764-162-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/3764-163-0x000000000A840000-0x000000000A87C000-memory.dmp

Filesize
240KB

Download
memory/3764-164-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/3764-165-0x000000000AB50000-0x000000000ABC6000-memory.dmp

Filesize
472KB

Download
memory/3764-159-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/3764-167-0x000000000B8F0000-0x000000000BE94000-memory.dmp

Filesize
5.6MB

Download
memory/3764-168-0x000000000B340000-0x000000000B3A6000-memory.dmp

Filesize
408KB

Download
memory/3764-169-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/3764-170-0x000000000B8A0000-0x000000000B8F0000-memory.dmp

Filesize
320KB

Download
memory/3764-171-0x000000000C170000-0x000000000C332000-memory.dmp

Filesize
1.8MB

Download
memory/3764-172-0x000000000C870000-0x000000000CD9C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads