redline | 5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be

General

Target

5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe
Size

581KB
MD5

4e284b1257451e69eeec6a0f70199f60
SHA1

a1dde698c9cbaf62057dc5db558d1cc851b1201e
SHA256

5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be
SHA512

74dd32faebae44f5632d00da15aedcf9e65c7c40ba2f0c7f3fb9a18d30b83b8f18260a58e17943b1f58bc5177ddebcd6e32d76a4d93881d4075c5648723b081d
SSDEEP

12288:fMrFy90MhQtPwx7D8WiL5TNGJYpthp6Bo5IXUcn:OyctoFD8dZrCo5IXUS

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5387004.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5387004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5387004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5387004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5387004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5387004.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6362982.exev0929784.exea5387004.exeb3202068.exe

pid process

2504 v6362982.exe
2896 v0929784.exe
4248 a5387004.exe
4988 b3202068.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5387004.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5387004.exe

pid	process
2504	v6362982.exe
2896	v0929784.exe
4248	a5387004.exe
4988	b3202068.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5387004.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v6362982.exev0929784.exe5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6362982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6362982.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0929784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0929784.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

a5387004.exeb3202068.exe

pid	process
4248	a5387004.exe
4248	a5387004.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe
4988	b3202068.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5387004.exeb3202068.exe

description pid process

Token: SeDebugPrivilege 4248 a5387004.exe
Token: SeDebugPrivilege 4988 b3202068.exe

description	pid	process
Token: SeDebugPrivilege	4248	a5387004.exe
Token: SeDebugPrivilege	4988	b3202068.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exev6362982.exev0929784.exe

description	pid	process	target process
PID 2276 wrote to memory of 2504	2276	5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe	v6362982.exe
PID 2276 wrote to memory of 2504	2276	5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe	v6362982.exe
PID 2276 wrote to memory of 2504	2276	5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe	v6362982.exe
PID 2504 wrote to memory of 2896	2504	v6362982.exe	v0929784.exe
PID 2504 wrote to memory of 2896	2504	v6362982.exe	v0929784.exe
PID 2504 wrote to memory of 2896	2504	v6362982.exe	v0929784.exe
PID 2896 wrote to memory of 4248	2896	v0929784.exe	a5387004.exe
PID 2896 wrote to memory of 4248	2896	v0929784.exe	a5387004.exe
PID 2896 wrote to memory of 4988	2896	v0929784.exe	b3202068.exe
PID 2896 wrote to memory of 4988	2896	v0929784.exe	b3202068.exe
PID 2896 wrote to memory of 4988	2896	v0929784.exe	b3202068.exe

C:\Users\Admin\AppData\Local\Temp\5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe
"C:\Users\Admin\AppData\Local\Temp\5dffc7254a3daeec3b53cd052ce09422f89b2b2b96d42ed83441fd63750b74be.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6362982.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6362982.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0929784.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0929784.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5387004.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5387004.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3202068.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3202068.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6362982.exe

Filesize
377KB

MD5
59c8a3351885c154b9eb61b551300fc9

SHA1
4c66eea50df647d8e0fdd942a5106f196fd1d24c

SHA256
1c3ba1a41a51a9f995d018c30a7708b14cc97e02ecd204967ef7056fa0c798db

SHA512
cee3cadd4b763662eb74bea2e73df295bbd99242fdc1098350f789a134d1f9cd32336809a58c53f25be5c8efa064822f020e0be277e7445d7e0581b86419dc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6362982.exe

Filesize
377KB

MD5
59c8a3351885c154b9eb61b551300fc9

SHA1
4c66eea50df647d8e0fdd942a5106f196fd1d24c

SHA256
1c3ba1a41a51a9f995d018c30a7708b14cc97e02ecd204967ef7056fa0c798db

SHA512
cee3cadd4b763662eb74bea2e73df295bbd99242fdc1098350f789a134d1f9cd32336809a58c53f25be5c8efa064822f020e0be277e7445d7e0581b86419dc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0929784.exe

Filesize
206KB

MD5
aa48ed0be159d9e40f5137ddb4cb6ea1

SHA1
2b5036c62f158bcc6f27fbf6bdff2d5364cd75d5

SHA256
9627596933e2e8f18d87303635f6d4b4e62c0f9d93d5d61c87ad5e4d112f4460

SHA512
af12887859b3e1777bea067697903dadb90965efcc5c9ad0e940111c0cd76a2315dfea063fcd6615116b6d1c58ef5d97ca5623b8fd416e7e7b9b28a68d308754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0929784.exe

Filesize
206KB

MD5
aa48ed0be159d9e40f5137ddb4cb6ea1

SHA1
2b5036c62f158bcc6f27fbf6bdff2d5364cd75d5

SHA256
9627596933e2e8f18d87303635f6d4b4e62c0f9d93d5d61c87ad5e4d112f4460

SHA512
af12887859b3e1777bea067697903dadb90965efcc5c9ad0e940111c0cd76a2315dfea063fcd6615116b6d1c58ef5d97ca5623b8fd416e7e7b9b28a68d308754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5387004.exe

Filesize
11KB

MD5
4c4ef888cc493f9e92c1d330b01bcff6

SHA1
ca17575cd69197ab39e875c1e7a2eb72fc25f8ba

SHA256
19985d10279bee2bb04bda3bc3f6c37ab8c3ab66df4adff597aaff60debd7348

SHA512
ef90cf20c7e5900a551db04f28507501256c19c1cb3e23c08de9e93d4bc874c40b9792012d6570fbc16fe4dc39694a32ac1094926b9e33c4ec96a1cb3dfe788d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5387004.exe

Filesize
11KB

MD5
4c4ef888cc493f9e92c1d330b01bcff6

SHA1
ca17575cd69197ab39e875c1e7a2eb72fc25f8ba

SHA256
19985d10279bee2bb04bda3bc3f6c37ab8c3ab66df4adff597aaff60debd7348

SHA512
ef90cf20c7e5900a551db04f28507501256c19c1cb3e23c08de9e93d4bc874c40b9792012d6570fbc16fe4dc39694a32ac1094926b9e33c4ec96a1cb3dfe788d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3202068.exe

Filesize
172KB

MD5
d4c833a252a1bcd102b86907be9a8af3

SHA1
4e1b3c5de967e4bb50c313a7fb0c18411e1dab74

SHA256
f952db86d909c66ec4850a145d58a8173c529d2f60c8ba00d087862ab9ad2d83

SHA512
781543b47d645bcc65f220ce183b01355ff10781b4e7a91941e5c2124b62fe27b83f0f88ecc32125f70706bcc8787040d062e588c30878e6322b976fba1080e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3202068.exe

Filesize
172KB

MD5
d4c833a252a1bcd102b86907be9a8af3

SHA1
4e1b3c5de967e4bb50c313a7fb0c18411e1dab74

SHA256
f952db86d909c66ec4850a145d58a8173c529d2f60c8ba00d087862ab9ad2d83

SHA512
781543b47d645bcc65f220ce183b01355ff10781b4e7a91941e5c2124b62fe27b83f0f88ecc32125f70706bcc8787040d062e588c30878e6322b976fba1080e5

Download Submit
memory/4248-142-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/4988-150-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/4988-154-0x0000000004CF0000-0x0000000004D3B000-memory.dmp

Filesize
300KB

Download
memory/4988-149-0x0000000005280000-0x0000000005886000-memory.dmp

Filesize
6.0MB

Download
memory/4988-147-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/4988-151-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/4988-152-0x0000000004CB0000-0x0000000004CEE000-memory.dmp

Filesize
248KB

Download
memory/4988-153-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4988-148-0x00000000025F0000-0x00000000025F6000-memory.dmp

Filesize
24KB

Download
memory/4988-155-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4988-156-0x0000000004FC0000-0x0000000005036000-memory.dmp

Filesize
472KB

Download
memory/4988-157-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/4988-158-0x00000000062A0000-0x000000000679E000-memory.dmp

Filesize
5.0MB

Download
memory/4988-159-0x00000000051F0000-0x0000000005256000-memory.dmp

Filesize
408KB

Download
memory/4988-160-0x0000000006070000-0x0000000006232000-memory.dmp

Filesize
1.8MB

Download
memory/4988-161-0x0000000007FF0000-0x000000000851C000-memory.dmp

Filesize
5.2MB

Download
memory/4988-162-0x0000000005C10000-0x0000000005C60000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads