redline | 25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad

General

Target

25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe
Size

580KB
MD5

7732e10eb10bab5e9eda47ffabd909c3
SHA1

da88680b8cea482d22f45eefb68a00e01fafc427
SHA256

25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad
SHA512

51e2a6c2b30cabe5fc42097714be6040810c78b2aa96b0741532e546d05d9ceb8e96d36c1465585b83156493d2da38f0652a041dd115695fe0e6ddef06da6576
SSDEEP

12288:1MrEy90+hPj0psBGhy4TsHSmITerPfT1dP0WNJ5Sw8yRmGps:Ryzh5BQySGSxebrfNJmyIG6

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1167496.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1167496.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1167496.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1167496.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1167496.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1167496.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1167496.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v3010864.exev5627664.exea1167496.exeb5513066.exe

pid process

2152 v3010864.exe
5000 v5627664.exe
1292 a1167496.exe
4328 b5513066.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a1167496.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1167496.exe

pid	process
2152	v3010864.exe
5000	v5627664.exe
1292	a1167496.exe
4328	b5513066.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1167496.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exev3010864.exev5627664.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3010864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3010864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5627664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5627664.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

a1167496.exeb5513066.exe

pid	process
1292	a1167496.exe
1292	a1167496.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe
4328	b5513066.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a1167496.exeb5513066.exe

description pid process

Token: SeDebugPrivilege 1292 a1167496.exe
Token: SeDebugPrivilege 4328 b5513066.exe

description	pid	process
Token: SeDebugPrivilege	1292	a1167496.exe
Token: SeDebugPrivilege	4328	b5513066.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exev3010864.exev5627664.exe

description	pid	process	target process
PID 1884 wrote to memory of 2152	1884	25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe	v3010864.exe
PID 1884 wrote to memory of 2152	1884	25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe	v3010864.exe
PID 1884 wrote to memory of 2152	1884	25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe	v3010864.exe
PID 2152 wrote to memory of 5000	2152	v3010864.exe	v5627664.exe
PID 2152 wrote to memory of 5000	2152	v3010864.exe	v5627664.exe
PID 2152 wrote to memory of 5000	2152	v3010864.exe	v5627664.exe
PID 5000 wrote to memory of 1292	5000	v5627664.exe	a1167496.exe
PID 5000 wrote to memory of 1292	5000	v5627664.exe	a1167496.exe
PID 5000 wrote to memory of 4328	5000	v5627664.exe	b5513066.exe
PID 5000 wrote to memory of 4328	5000	v5627664.exe	b5513066.exe
PID 5000 wrote to memory of 4328	5000	v5627664.exe	b5513066.exe

C:\Users\Admin\AppData\Local\Temp\25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe
"C:\Users\Admin\AppData\Local\Temp\25f9fa0c0bda7ec46c931caa308cea1abf8220ef7bb46f7ec576a7a964ff36ad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3010864.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3010864.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5627664.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5627664.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1167496.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1167496.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5513066.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5513066.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3010864.exe

Filesize
377KB

MD5
23b56bb712a6e79004c0169340c22765

SHA1
b3f96a45f5c3850f053e0865fa05699c8767c6a0

SHA256
b5e05bf31b8e092421087fbe68d303a398044699e9c9f4642c4e2817ded14cdc

SHA512
25325e9c683413d26f6cf5372eeb67e5bba0630f8364b529519ae02b3a6872adca49eaff3bd943648e0ea7430d9396c7ab3f3fbd7ed08ef98d377bcd6155615d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3010864.exe

Filesize
377KB

MD5
23b56bb712a6e79004c0169340c22765

SHA1
b3f96a45f5c3850f053e0865fa05699c8767c6a0

SHA256
b5e05bf31b8e092421087fbe68d303a398044699e9c9f4642c4e2817ded14cdc

SHA512
25325e9c683413d26f6cf5372eeb67e5bba0630f8364b529519ae02b3a6872adca49eaff3bd943648e0ea7430d9396c7ab3f3fbd7ed08ef98d377bcd6155615d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5627664.exe

Filesize
206KB

MD5
3f200b50a57cd5a666c34c4fcd81bd23

SHA1
135e530834751818ffc304dcfdc42b0d90fd6b3a

SHA256
0932c2531483576fb58ab16d27e1720e3cf3b3ddf8bc773700381c0deb3df321

SHA512
904418a4b1c6686e6cc08ec5db557b202303e257220b95a5849988eda11410b3b76bf0bf60ce37d1a18d3e2fcd9d94230310f52ab0c4a71e4479f80be79e56fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5627664.exe

Filesize
206KB

MD5
3f200b50a57cd5a666c34c4fcd81bd23

SHA1
135e530834751818ffc304dcfdc42b0d90fd6b3a

SHA256
0932c2531483576fb58ab16d27e1720e3cf3b3ddf8bc773700381c0deb3df321

SHA512
904418a4b1c6686e6cc08ec5db557b202303e257220b95a5849988eda11410b3b76bf0bf60ce37d1a18d3e2fcd9d94230310f52ab0c4a71e4479f80be79e56fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1167496.exe

Filesize
11KB

MD5
f1d69ae29322e0d720f2bdd18edd4d01

SHA1
2d829e412ca2eb5da7a48959bc71bda958d03974

SHA256
63eb6de577bd7e2fec5d194fe8baef5dca4ab3acedd14456481ff5230c83be2a

SHA512
2a0556d937c005050a5193b3d2658313416abc35acf506946477aaa1f0f801bb177637c2762e4773fd84d7b339d4a60f7eef808637b06826b88c33a82791a735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1167496.exe

Filesize
11KB

MD5
f1d69ae29322e0d720f2bdd18edd4d01

SHA1
2d829e412ca2eb5da7a48959bc71bda958d03974

SHA256
63eb6de577bd7e2fec5d194fe8baef5dca4ab3acedd14456481ff5230c83be2a

SHA512
2a0556d937c005050a5193b3d2658313416abc35acf506946477aaa1f0f801bb177637c2762e4773fd84d7b339d4a60f7eef808637b06826b88c33a82791a735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5513066.exe

Filesize
172KB

MD5
31b096a9581d561b7364e5972dec1de0

SHA1
62501cddbe5651db938ff49eedebb0876c730cfe

SHA256
4934f0f9d3c3b4d80e76df184e85b583ace9465d6d980effe52161f5ee8bacec

SHA512
ebd9fc6890c0110f6a04f3e4f725587ed5903defb4c5235a94b8adfbe20d2c36d4e9e428b03924403173512314ed6b037e1e38ff2c408403b533b7b46a0c599b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5513066.exe

Filesize
172KB

MD5
31b096a9581d561b7364e5972dec1de0

SHA1
62501cddbe5651db938ff49eedebb0876c730cfe

SHA256
4934f0f9d3c3b4d80e76df184e85b583ace9465d6d980effe52161f5ee8bacec

SHA512
ebd9fc6890c0110f6a04f3e4f725587ed5903defb4c5235a94b8adfbe20d2c36d4e9e428b03924403173512314ed6b037e1e38ff2c408403b533b7b46a0c599b

Download Submit
memory/1292-154-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/4328-160-0x000000000ADB0000-0x000000000B3C8000-memory.dmp

Filesize
6.1MB

Download
memory/4328-166-0x000000000B470000-0x000000000B502000-memory.dmp

Filesize
584KB

Download
memory/4328-161-0x000000000A8F0000-0x000000000A9FA000-memory.dmp

Filesize
1.0MB

Download
memory/4328-162-0x000000000A830000-0x000000000A842000-memory.dmp

Filesize
72KB

Download
memory/4328-163-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4328-164-0x000000000A890000-0x000000000A8CC000-memory.dmp

Filesize
240KB

Download
memory/4328-165-0x000000000ACA0000-0x000000000AD16000-memory.dmp

Filesize
472KB

Download
memory/4328-159-0x0000000000970000-0x00000000009A0000-memory.dmp

Filesize
192KB

Download
memory/4328-167-0x000000000BAC0000-0x000000000C064000-memory.dmp

Filesize
5.6MB

Download
memory/4328-168-0x000000000B3D0000-0x000000000B436000-memory.dmp

Filesize
408KB

Download
memory/4328-169-0x000000000B8F0000-0x000000000B940000-memory.dmp

Filesize
320KB

Download
memory/4328-170-0x000000000C240000-0x000000000C402000-memory.dmp

Filesize
1.8MB

Download
memory/4328-171-0x000000000C940000-0x000000000CE6C000-memory.dmp

Filesize
5.2MB

Download
memory/4328-172-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads