redline | f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317

General

Target

f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe
Size

580KB
MD5

3d33cc4a4007bf7d7e26dae656fab795
SHA1

e908a0268e62aa3cbc70fb40276eccde98455106
SHA256

f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317
SHA512

67e5f38d74a6bdbfcec27519ac441cd576d8537fdc31d52876aedd5c8f415ce042e10b4d45e7bc24c31963f0afcc7c508ac2de5a3991a6aa4a400b44faf9b7b9
SSDEEP

12288:aMrWy90/gB9v1iFA7j8cZMdxSTjRGBsD7FKWvUkxxJI3ZB:MylNSi8cydANGBiAWFxx4

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5581629.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5581629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5581629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5581629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5581629.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5581629.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v4640148.exev5539219.exea5581629.exeb8421290.exe

pid process

1500 v4640148.exe
1788 v5539219.exe
4940 a5581629.exe
2032 b8421290.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5581629.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5581629.exe

pid	process
1500	v4640148.exe
1788	v5539219.exe
4940	a5581629.exe
2032	b8421290.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5581629.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exev4640148.exev5539219.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4640148.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4640148.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5539219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5539219.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

a5581629.exeb8421290.exe

pid	process
4940	a5581629.exe
4940	a5581629.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe
2032	b8421290.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5581629.exeb8421290.exe

description pid process

Token: SeDebugPrivilege 4940 a5581629.exe
Token: SeDebugPrivilege 2032 b8421290.exe

description	pid	process
Token: SeDebugPrivilege	4940	a5581629.exe
Token: SeDebugPrivilege	2032	b8421290.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exev4640148.exev5539219.exe

description	pid	process	target process
PID 1232 wrote to memory of 1500	1232	f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe	v4640148.exe
PID 1232 wrote to memory of 1500	1232	f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe	v4640148.exe
PID 1232 wrote to memory of 1500	1232	f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe	v4640148.exe
PID 1500 wrote to memory of 1788	1500	v4640148.exe	v5539219.exe
PID 1500 wrote to memory of 1788	1500	v4640148.exe	v5539219.exe
PID 1500 wrote to memory of 1788	1500	v4640148.exe	v5539219.exe
PID 1788 wrote to memory of 4940	1788	v5539219.exe	a5581629.exe
PID 1788 wrote to memory of 4940	1788	v5539219.exe	a5581629.exe
PID 1788 wrote to memory of 2032	1788	v5539219.exe	b8421290.exe
PID 1788 wrote to memory of 2032	1788	v5539219.exe	b8421290.exe
PID 1788 wrote to memory of 2032	1788	v5539219.exe	b8421290.exe

C:\Users\Admin\AppData\Local\Temp\f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe
"C:\Users\Admin\AppData\Local\Temp\f400406675e078e6465430676ab8efc736fe42d52d38fb02c7829840d301e317.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
Filesize
378KB

MD5
08310e1252404cb9eb0c95405916b4e6

SHA1
a2e753db164b1064f92753ebe43f00cdda5faddb

SHA256
e9a223064eb629045c3df2be145cb4e4b87aa4612bb9f516bfab57000b5ed73b

SHA512
5d8f9f6ed2aed8d18be191aa1cb69c91fdfc43f8b9f98a0da6f76287276f82ac5682f8fd0ace0ea51631efdb0321c4aa205cc9adb4e012e21bc3a0b29d4dc6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4640148.exe
Filesize
378KB

MD5
08310e1252404cb9eb0c95405916b4e6

SHA1
a2e753db164b1064f92753ebe43f00cdda5faddb

SHA256
e9a223064eb629045c3df2be145cb4e4b87aa4612bb9f516bfab57000b5ed73b

SHA512
5d8f9f6ed2aed8d18be191aa1cb69c91fdfc43f8b9f98a0da6f76287276f82ac5682f8fd0ace0ea51631efdb0321c4aa205cc9adb4e012e21bc3a0b29d4dc6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
Filesize
206KB

MD5
1a59af8cfe51430ba3232b6440be2258

SHA1
45981b180827d80e9461c6127e0c4732819c4379

SHA256
b3116bcb09056ee96110b042701d78450dac078a8e0383a70b0a5aff4f8309e4

SHA512
827219098cc9c702f719b28fb95bdd0a21d12f4ae50e53434dfb2dd32ac6f7432da58cb03c30942111672e84fdb0ae3bda2d1596de5fdc0c932f474b0ca0b724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5539219.exe
Filesize
206KB

MD5
1a59af8cfe51430ba3232b6440be2258

SHA1
45981b180827d80e9461c6127e0c4732819c4379

SHA256
b3116bcb09056ee96110b042701d78450dac078a8e0383a70b0a5aff4f8309e4

SHA512
827219098cc9c702f719b28fb95bdd0a21d12f4ae50e53434dfb2dd32ac6f7432da58cb03c30942111672e84fdb0ae3bda2d1596de5fdc0c932f474b0ca0b724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
Filesize
11KB

MD5
7718786682a8337d7648a66452f38451

SHA1
8c920f18fcba96bf298b6b4fedc106d41bffc15d

SHA256
bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062

SHA512
3b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5581629.exe
Filesize
11KB

MD5
7718786682a8337d7648a66452f38451

SHA1
8c920f18fcba96bf298b6b4fedc106d41bffc15d

SHA256
bfaddfa17ef956d9ff60aa9a7e934ceb72aaa5d3fa44f25301dc311cb84f7062

SHA512
3b5ebf59a31776f85d2c69d054e67e39643b0953501149559892a09281470458ffbb1791a954b846289490b940e766a573804711fece9c66e1fd496ba1e59106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
Filesize
172KB

MD5
30aa28ce8fe7e0306c6c23f43a8188be

SHA1
c5e75ac0d08b223833df143725f403b2f5ad518b

SHA256
b6756eac7497c8eaf1f8d0d8860e84ed6c4204a3c061367ea4304c641e2f68f0

SHA512
d3b2f2bda8634daf0e1f98ece78e4aefc40ac2d644cdef9ee2d7e71f998f2f70da9e78b14366c25a21cc45714bca832acb0888c21bbc33aabf8c52c0721d0578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8421290.exe
Filesize
172KB

MD5
30aa28ce8fe7e0306c6c23f43a8188be

SHA1
c5e75ac0d08b223833df143725f403b2f5ad518b

SHA256
b6756eac7497c8eaf1f8d0d8860e84ed6c4204a3c061367ea4304c641e2f68f0

SHA512
d3b2f2bda8634daf0e1f98ece78e4aefc40ac2d644cdef9ee2d7e71f998f2f70da9e78b14366c25a21cc45714bca832acb0888c21bbc33aabf8c52c0721d0578

Download Submit
memory/2032-156-0x000000000AE40000-0x000000000AED2000-memory.dmp

Filesize
584KB

Download
memory/2032-155-0x000000000A680000-0x000000000A6F6000-memory.dmp

Filesize
472KB

Download
memory/2032-148-0x0000000004D80000-0x0000000004D86000-memory.dmp

Filesize
24KB

Download
memory/2032-149-0x000000000A790000-0x000000000AD96000-memory.dmp

Filesize
6.0MB

Download
memory/2032-150-0x000000000A2D0000-0x000000000A3DA000-memory.dmp

Filesize
1.0MB

Download
memory/2032-151-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/2032-152-0x000000000A260000-0x000000000A29E000-memory.dmp

Filesize
248KB

Download
memory/2032-153-0x000000000A3E0000-0x000000000A42B000-memory.dmp

Filesize
300KB

Download
memory/2032-154-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2032-147-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/2032-162-0x000000000B370000-0x000000000B3C0000-memory.dmp

Filesize
320KB

Download
memory/2032-157-0x000000000A700000-0x000000000A766000-memory.dmp

Filesize
408KB

Download
memory/2032-158-0x000000000B6E0000-0x000000000BBDE000-memory.dmp

Filesize
5.0MB

Download
memory/2032-159-0x000000000B460000-0x000000000B622000-memory.dmp

Filesize
1.8MB

Download
memory/2032-160-0x000000000C110000-0x000000000C63C000-memory.dmp

Filesize
5.2MB

Download
memory/2032-161-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4940-142-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads