redline | acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee

General

Target

acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe
Size

581KB
MD5

5f1c78c0f5f3706b8fc71a54e85bb0a7
SHA1

5b6a31dab3049dcdbaf65e21888890fa59963b05
SHA256

acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee
SHA512

eded6023939e0a4f2704224b0242fbf3e297b1aadeed50ec726e2543741e5fac4f5dffdf49fbde2d0a691bad42b13f2df612356530d70daa902e1b5f746484e8
SSDEEP

12288:oMr3y90cZD8fWN1U237ZTXrvEFgboEHRUG7OPbw3YsE:/yjwfW137ZT/7xUKOPcosE

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5762507.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5762507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5762507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5762507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5762507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5762507.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8616584.exev4386539.exea5762507.exeb8488688.exe

pid process

5028 v8616584.exe
4436 v4386539.exe
3108 a5762507.exe
4664 b8488688.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5762507.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5762507.exe

pid	process
5028	v8616584.exe
4436	v4386539.exe
3108	a5762507.exe
4664	b8488688.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5762507.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v4386539.exeacd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exev8616584.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4386539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4386539.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8616584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8616584.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

a5762507.exeb8488688.exe

pid	process
3108	a5762507.exe
3108	a5762507.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe
4664	b8488688.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5762507.exeb8488688.exe

description pid process

Token: SeDebugPrivilege 3108 a5762507.exe
Token: SeDebugPrivilege 4664 b8488688.exe

description	pid	process
Token: SeDebugPrivilege	3108	a5762507.exe
Token: SeDebugPrivilege	4664	b8488688.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exev8616584.exev4386539.exe

description	pid	process	target process
PID 3944 wrote to memory of 5028	3944	acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe	v8616584.exe
PID 3944 wrote to memory of 5028	3944	acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe	v8616584.exe
PID 3944 wrote to memory of 5028	3944	acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe	v8616584.exe
PID 5028 wrote to memory of 4436	5028	v8616584.exe	v4386539.exe
PID 5028 wrote to memory of 4436	5028	v8616584.exe	v4386539.exe
PID 5028 wrote to memory of 4436	5028	v8616584.exe	v4386539.exe
PID 4436 wrote to memory of 3108	4436	v4386539.exe	a5762507.exe
PID 4436 wrote to memory of 3108	4436	v4386539.exe	a5762507.exe
PID 4436 wrote to memory of 4664	4436	v4386539.exe	b8488688.exe
PID 4436 wrote to memory of 4664	4436	v4386539.exe	b8488688.exe
PID 4436 wrote to memory of 4664	4436	v4386539.exe	b8488688.exe

C:\Users\Admin\AppData\Local\Temp\acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe
"C:\Users\Admin\AppData\Local\Temp\acd0a83232eae05d90ddfd3c2bbf9476d507f9f494c0ead059490110447ea9ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8616584.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8616584.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4386539.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4386539.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5762507.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5762507.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8488688.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8488688.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8616584.exe
Filesize
378KB

MD5
9d2f2732abe59f49ffe4f0e2234f583d

SHA1
fe57ee11ca0364989f318ec426a9d0a074351b03

SHA256
bff6ebbc0cdb53e2739bab5d384c5f7845ff5f5dbc8739ef0460bf8dbd67cc9f

SHA512
c94fc5a9a45b2399c7360aea1ab844a7767516e83a0e893bfcbd9924e16716e9041b36b06c9b81332dcab20e2c07ae50b73c646bcf3b8add91e981ae2d3d7c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8616584.exe
Filesize
378KB

MD5
9d2f2732abe59f49ffe4f0e2234f583d

SHA1
fe57ee11ca0364989f318ec426a9d0a074351b03

SHA256
bff6ebbc0cdb53e2739bab5d384c5f7845ff5f5dbc8739ef0460bf8dbd67cc9f

SHA512
c94fc5a9a45b2399c7360aea1ab844a7767516e83a0e893bfcbd9924e16716e9041b36b06c9b81332dcab20e2c07ae50b73c646bcf3b8add91e981ae2d3d7c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4386539.exe
Filesize
206KB

MD5
731b96f6b5f1157997f0e56d99d0ced9

SHA1
847478a07fca04b316ff1d44bf8f0546997c7acd

SHA256
8d38bba6521b792bf8b68fbb0c375d037b8b92aa81b2579b921153f55334c9ee

SHA512
bf42942c042f32eb8bdfce892572e8d4d76029723128168047ee1e23c147b30c6c522454aaac2f80749faeacefe40ff1c5a6fb9b493a831fbfe8a1e1d6a9c752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4386539.exe
Filesize
206KB

MD5
731b96f6b5f1157997f0e56d99d0ced9

SHA1
847478a07fca04b316ff1d44bf8f0546997c7acd

SHA256
8d38bba6521b792bf8b68fbb0c375d037b8b92aa81b2579b921153f55334c9ee

SHA512
bf42942c042f32eb8bdfce892572e8d4d76029723128168047ee1e23c147b30c6c522454aaac2f80749faeacefe40ff1c5a6fb9b493a831fbfe8a1e1d6a9c752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5762507.exe
Filesize
11KB

MD5
717b130616ffd1580bfa9e62e50a9e93

SHA1
7aa51b76df5766a4bb76c83c78507e1722e9c088

SHA256
0b30aca408d955ab9104af1855ce4bec554206b548f2bdbba7d0e130e9b675c8

SHA512
403abee13b351bbdc3e8e748d80fdbd822a899fdb3c6c15e6fc792a6f26749d8c1dad2eec99a5855469787ffef786435b92c8d7914f8753d809b76611728f0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5762507.exe
Filesize
11KB

MD5
717b130616ffd1580bfa9e62e50a9e93

SHA1
7aa51b76df5766a4bb76c83c78507e1722e9c088

SHA256
0b30aca408d955ab9104af1855ce4bec554206b548f2bdbba7d0e130e9b675c8

SHA512
403abee13b351bbdc3e8e748d80fdbd822a899fdb3c6c15e6fc792a6f26749d8c1dad2eec99a5855469787ffef786435b92c8d7914f8753d809b76611728f0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8488688.exe
Filesize
172KB

MD5
91712a2996951fcf706d41f82a4e5d70

SHA1
d6c8a8de8cc81dd3e9824dafc22ca2527af835c5

SHA256
8b1b73de1655094f442e1b96e9fce61f16323de0b5b843bbe4c0a87e34c74504

SHA512
94d48fc477e15934527e59b6edd27219c3299dd7480f4a399d8b6449aca6d78fa5ff6d94b8d9f1d57a8bf3d6840170103286f557ccaefe4d292084c33635465f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8488688.exe
Filesize
172KB

MD5
91712a2996951fcf706d41f82a4e5d70

SHA1
d6c8a8de8cc81dd3e9824dafc22ca2527af835c5

SHA256
8b1b73de1655094f442e1b96e9fce61f16323de0b5b843bbe4c0a87e34c74504

SHA512
94d48fc477e15934527e59b6edd27219c3299dd7480f4a399d8b6449aca6d78fa5ff6d94b8d9f1d57a8bf3d6840170103286f557ccaefe4d292084c33635465f

Download Submit
memory/3108-141-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/4664-149-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/4664-153-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/4664-148-0x0000000005DD0000-0x00000000063D6000-memory.dmp

Filesize
6.0MB

Download
memory/4664-146-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/4664-150-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/4664-151-0x0000000005880000-0x00000000058BE000-memory.dmp

Filesize
248KB

Download
memory/4664-152-0x0000000005A00000-0x0000000005A4B000-memory.dmp

Filesize
300KB

Download
memory/4664-147-0x0000000001620000-0x0000000001626000-memory.dmp

Filesize
24KB

Download
memory/4664-154-0x0000000005BA0000-0x0000000005C16000-memory.dmp

Filesize
472KB

Download
memory/4664-155-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/4664-156-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4664-157-0x0000000006EF0000-0x00000000073EE000-memory.dmp

Filesize
5.0MB

Download
memory/4664-158-0x0000000006C80000-0x0000000006E42000-memory.dmp

Filesize
1.8MB

Download
memory/4664-159-0x0000000008F70000-0x000000000949C000-memory.dmp

Filesize
5.2MB

Download
memory/4664-160-0x0000000006B20000-0x0000000006B70000-memory.dmp

Filesize
320KB

Download
memory/4664-161-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads