redline | 5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538

General

Target

5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe
Size

581KB
MD5

662c5ac0edba1723ab0501f081652345
SHA1

bcf288f72548d6fe6f19c43a230892201f2ca298
SHA256

5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538
SHA512

8cec945266747a7dfe63d03568581105fe8aa468911c4daf7aeea679d7b31460c08aac1951894d74e4d30b58256b561fe638d5d1f398feaf01ba288adfd51edb
SSDEEP

12288:lMrQy90BtAavUoCPEtfY91OYgQz1aAmbip4:FyUfvvtw9EQz1fmGp4

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2441698.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2441698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2441698.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2441698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2441698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2441698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2441698.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v3580945.exev4852591.exea2441698.exeb1831578.exe

pid process

3164 v3580945.exe
4980 v4852591.exe
1660 a2441698.exe
3820 b1831578.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2441698.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2441698.exe

pid	process
3164	v3580945.exe
4980	v4852591.exe
1660	a2441698.exe
3820	b1831578.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2441698.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exev3580945.exev4852591.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3580945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3580945.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4852591.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4852591.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

a2441698.exeb1831578.exe

pid	process
1660	a2441698.exe
1660	a2441698.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe
3820	b1831578.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2441698.exeb1831578.exe

description pid process

Token: SeDebugPrivilege 1660 a2441698.exe
Token: SeDebugPrivilege 3820 b1831578.exe

description	pid	process
Token: SeDebugPrivilege	1660	a2441698.exe
Token: SeDebugPrivilege	3820	b1831578.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exev3580945.exev4852591.exe

description	pid	process	target process
PID 4120 wrote to memory of 3164	4120	5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe	v3580945.exe
PID 4120 wrote to memory of 3164	4120	5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe	v3580945.exe
PID 4120 wrote to memory of 3164	4120	5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe	v3580945.exe
PID 3164 wrote to memory of 4980	3164	v3580945.exe	v4852591.exe
PID 3164 wrote to memory of 4980	3164	v3580945.exe	v4852591.exe
PID 3164 wrote to memory of 4980	3164	v3580945.exe	v4852591.exe
PID 4980 wrote to memory of 1660	4980	v4852591.exe	a2441698.exe
PID 4980 wrote to memory of 1660	4980	v4852591.exe	a2441698.exe
PID 4980 wrote to memory of 3820	4980	v4852591.exe	b1831578.exe
PID 4980 wrote to memory of 3820	4980	v4852591.exe	b1831578.exe
PID 4980 wrote to memory of 3820	4980	v4852591.exe	b1831578.exe

C:\Users\Admin\AppData\Local\Temp\5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe
"C:\Users\Admin\AppData\Local\Temp\5e69dbb4f7aa15117e6527a0e69de7a94bfc1cea590a401ff734fc34a5711538.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3580945.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3580945.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4852591.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4852591.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2441698.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2441698.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1831578.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1831578.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3580945.exe
Filesize
377KB

MD5
b616183e02752c96b23d8da4d8e41d80

SHA1
a710a33035626e666fc310c4efb8106d62d5d9d4

SHA256
cba6a3f67eac2479d63b537f2dfeca0b5d18af621afa5110ca38b548bce94b81

SHA512
5b74caa221aa1ecb14b5b2c2530f0f4be90030d95ded8e1f23eca0a79461505e7b13d5969ebf6904e478ad0618e28e9f9ae78062e19396e1f2e47130da5d4714

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3580945.exe
Filesize
377KB

MD5
b616183e02752c96b23d8da4d8e41d80

SHA1
a710a33035626e666fc310c4efb8106d62d5d9d4

SHA256
cba6a3f67eac2479d63b537f2dfeca0b5d18af621afa5110ca38b548bce94b81

SHA512
5b74caa221aa1ecb14b5b2c2530f0f4be90030d95ded8e1f23eca0a79461505e7b13d5969ebf6904e478ad0618e28e9f9ae78062e19396e1f2e47130da5d4714

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4852591.exe
Filesize
206KB

MD5
3e889d6c69272ed176523988aa78b620

SHA1
242ff8af5a84cc185c225b5dcf14a989b136359a

SHA256
26960f1cfc23cef6b26a6b6756da6ba0a20ac743bd434fe44dc4329de760ce72

SHA512
dbe9fba24ec20ccce7b2d6d888f11cbc6b39559809a399159a89d8cffb3bb17e7d39806915549fb5bacb92df863030f3ad0f851f4082aea3bd321443ab10f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4852591.exe
Filesize
206KB

MD5
3e889d6c69272ed176523988aa78b620

SHA1
242ff8af5a84cc185c225b5dcf14a989b136359a

SHA256
26960f1cfc23cef6b26a6b6756da6ba0a20ac743bd434fe44dc4329de760ce72

SHA512
dbe9fba24ec20ccce7b2d6d888f11cbc6b39559809a399159a89d8cffb3bb17e7d39806915549fb5bacb92df863030f3ad0f851f4082aea3bd321443ab10f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2441698.exe
Filesize
11KB

MD5
f3e8146d85121910da2fd1a88e617784

SHA1
7140831370a0f2038c5f6bd9af5babc0dd9e6c8a

SHA256
884e3fb676fe3119ea691aec8ed0d39a66debe26c89c2ac810b5d31e2602353c

SHA512
f9210d03beb58c41ae0b5575552c79410150e3981ea33754ded6d00cc757359df7b666646ed39fa8b037545cf215f04f722de534e904dd940f41cb1cabf68c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2441698.exe
Filesize
11KB

MD5
f3e8146d85121910da2fd1a88e617784

SHA1
7140831370a0f2038c5f6bd9af5babc0dd9e6c8a

SHA256
884e3fb676fe3119ea691aec8ed0d39a66debe26c89c2ac810b5d31e2602353c

SHA512
f9210d03beb58c41ae0b5575552c79410150e3981ea33754ded6d00cc757359df7b666646ed39fa8b037545cf215f04f722de534e904dd940f41cb1cabf68c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1831578.exe
Filesize
172KB

MD5
62c121fe524d76897ce3ebb09c84cccc

SHA1
225ce469a6f35c179a3f0c1a573b6e04c4d8b0f1

SHA256
e2284c3c4e70f7a7d8cc580034e2ceefe02d79facfcbb2465ae92f0195d50fb9

SHA512
a208ec224551103d82a289bffd6096008623579c9fe7f593e3bb1d188109c96108b3797fc9da1f3c221521728adb540bda2da91cb349a1b18fe84a6dae626ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1831578.exe
Filesize
172KB

MD5
62c121fe524d76897ce3ebb09c84cccc

SHA1
225ce469a6f35c179a3f0c1a573b6e04c4d8b0f1

SHA256
e2284c3c4e70f7a7d8cc580034e2ceefe02d79facfcbb2465ae92f0195d50fb9

SHA512
a208ec224551103d82a289bffd6096008623579c9fe7f593e3bb1d188109c96108b3797fc9da1f3c221521728adb540bda2da91cb349a1b18fe84a6dae626ee0

Download Submit
memory/1660-154-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/3820-160-0x000000000AA90000-0x000000000B0A8000-memory.dmp

Filesize
6.1MB

Download
memory/3820-166-0x000000000A9E0000-0x000000000AA72000-memory.dmp

Filesize
584KB

Download
memory/3820-161-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/3820-162-0x000000000A550000-0x000000000A562000-memory.dmp

Filesize
72KB

Download
memory/3820-163-0x000000000A5B0000-0x000000000A5EC000-memory.dmp

Filesize
240KB

Download
memory/3820-164-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/3820-165-0x000000000A8C0000-0x000000000A936000-memory.dmp

Filesize
472KB

Download
memory/3820-159-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/3820-167-0x000000000B660000-0x000000000BC04000-memory.dmp

Filesize
5.6MB

Download
memory/3820-168-0x000000000B220000-0x000000000B286000-memory.dmp

Filesize
408KB

Download
memory/3820-169-0x000000000BD10000-0x000000000BD60000-memory.dmp

Filesize
320KB

Download
memory/3820-170-0x000000000BF30000-0x000000000C0F2000-memory.dmp

Filesize
1.8MB

Download
memory/3820-171-0x000000000C630000-0x000000000CB5C000-memory.dmp

Filesize
5.2MB

Download
memory/3820-172-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads