redline | 76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba

General

Target

76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe
Size

581KB
MD5

18a578c6eb0f2f795efa9e2670c50aa8
SHA1

f607a2b1f454caebb4b0b9a1f5205d1e10aff2f8
SHA256

76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba
SHA512

839d2d694e4a8934635a970c969cafa284d414b648ebc5beab0e34470582b446569b8b927fc125b09c4b8f9f7acd0077e606a0394dcb3a276bc60ae31bf70488
SSDEEP

12288:MMrTy90+EY7nZjEQ0JmrLoZANkXZqKiYreRPN42EB8Zp5bvw+:HytHZjEHJmr0ZANhKiASN4invn

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2656509.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2656509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2656509.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2656509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2656509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2656509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2656509.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v0920641.exev3082489.exea2656509.exeb9888309.exe

pid process

4044 v0920641.exe
1456 v3082489.exe
432 a2656509.exe
2360 b9888309.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2656509.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2656509.exe

pid	process
4044	v0920641.exe
1456	v3082489.exe
432	a2656509.exe
2360	b9888309.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2656509.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exev0920641.exev3082489.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0920641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0920641.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3082489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3082489.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a2656509.exe

pid process

432 a2656509.exe
432 a2656509.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a2656509.exe

description pid process

Token: SeDebugPrivilege 432 a2656509.exe

pid	process
432	a2656509.exe
432	a2656509.exe

description	pid	process
Token: SeDebugPrivilege	432	a2656509.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exev0920641.exev3082489.exe

description	pid	process	target process
PID 4896 wrote to memory of 4044	4896	76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe	v0920641.exe
PID 4896 wrote to memory of 4044	4896	76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe	v0920641.exe
PID 4896 wrote to memory of 4044	4896	76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe	v0920641.exe
PID 4044 wrote to memory of 1456	4044	v0920641.exe	v3082489.exe
PID 4044 wrote to memory of 1456	4044	v0920641.exe	v3082489.exe
PID 4044 wrote to memory of 1456	4044	v0920641.exe	v3082489.exe
PID 1456 wrote to memory of 432	1456	v3082489.exe	a2656509.exe
PID 1456 wrote to memory of 432	1456	v3082489.exe	a2656509.exe
PID 1456 wrote to memory of 2360	1456	v3082489.exe	b9888309.exe
PID 1456 wrote to memory of 2360	1456	v3082489.exe	b9888309.exe
PID 1456 wrote to memory of 2360	1456	v3082489.exe	b9888309.exe

C:\Users\Admin\AppData\Local\Temp\76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe
"C:\Users\Admin\AppData\Local\Temp\76fa99d3add665ac9703b79e52f4eef1676beb6b84582d963749e33971d46dba.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0920641.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0920641.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3082489.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3082489.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2656509.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2656509.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9888309.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9888309.exe
4⤵
- Executes dropped EXE
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0920641.exe
Filesize
377KB

MD5
3b2b6e88ce24f36827b53d580a6873e0

SHA1
1b7fe0f3646e52e79002e8076a8096dba81235d8

SHA256
339f85787841f75ed3e42b8b580a34f38ed201ee82c2c32e2090f9f373697efc

SHA512
66fd5920ea307c0c50c2eadb7cf2844d9b9315e30bf07e5f81b5978792df8ffa0a528f13f8936af82219b923da01aadf63dc7b163009ab40b7fb35ed0570db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0920641.exe
Filesize
377KB

MD5
3b2b6e88ce24f36827b53d580a6873e0

SHA1
1b7fe0f3646e52e79002e8076a8096dba81235d8

SHA256
339f85787841f75ed3e42b8b580a34f38ed201ee82c2c32e2090f9f373697efc

SHA512
66fd5920ea307c0c50c2eadb7cf2844d9b9315e30bf07e5f81b5978792df8ffa0a528f13f8936af82219b923da01aadf63dc7b163009ab40b7fb35ed0570db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3082489.exe
Filesize
206KB

MD5
da6fe6707db9c363bcbed928bf0ecbb2

SHA1
27ab81fddffb307fe0bc5ae2b020ab7e8d2c0dd5

SHA256
f35bef15e742e91c10aa99700b923d1b273a928629ecf5c821023f5ada0da566

SHA512
00a392dd2d898463e95b8bbaff3d1522c4c2c14b0bd44f925d8046233d1bf3cde0ce0e9891a8be9595375f164e912a33c51b37d19b17de843057c7e4710fbbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3082489.exe
Filesize
206KB

MD5
da6fe6707db9c363bcbed928bf0ecbb2

SHA1
27ab81fddffb307fe0bc5ae2b020ab7e8d2c0dd5

SHA256
f35bef15e742e91c10aa99700b923d1b273a928629ecf5c821023f5ada0da566

SHA512
00a392dd2d898463e95b8bbaff3d1522c4c2c14b0bd44f925d8046233d1bf3cde0ce0e9891a8be9595375f164e912a33c51b37d19b17de843057c7e4710fbbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2656509.exe
Filesize
11KB

MD5
a06909e30ac07e2ff09b340d14ad93a8

SHA1
9267b82b190705d87c1a0a3d845d53c27e053a20

SHA256
3ea5bb7e3b6a539bb0c8ea45e52029273d12ce24d1b55621ae2f8cfa11983093

SHA512
fd0b0a2208f23628158a07c23f0d560e8e0e0d8dcd9a3499bf704102bc773a7aae631fa6c53f81ae12974e0a689df7fdcb27d7f0c02d3475cdf4fdc168d83227

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2656509.exe
Filesize
11KB

MD5
a06909e30ac07e2ff09b340d14ad93a8

SHA1
9267b82b190705d87c1a0a3d845d53c27e053a20

SHA256
3ea5bb7e3b6a539bb0c8ea45e52029273d12ce24d1b55621ae2f8cfa11983093

SHA512
fd0b0a2208f23628158a07c23f0d560e8e0e0d8dcd9a3499bf704102bc773a7aae631fa6c53f81ae12974e0a689df7fdcb27d7f0c02d3475cdf4fdc168d83227

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9888309.exe
Filesize
172KB

MD5
f18065cc4297110d26ef178fac5c9ea2

SHA1
146790ad948dd22bd8b5fb952b1af59894ef6a36

SHA256
71d6c7aa93f09bfd451fb90512f5cd27137afce5c7a0d05e48c29cf5a171bbe2

SHA512
eebeab5ababafd5ec3153a60fdeb8735cec6a57aaf7402db04a4ece6ecf7d8947dc273ecb6ec4e204b0bea7abe1fbcf90f9f1a5d8eb7ce2a5a834f864ecf8786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9888309.exe
Filesize
172KB

MD5
f18065cc4297110d26ef178fac5c9ea2

SHA1
146790ad948dd22bd8b5fb952b1af59894ef6a36

SHA256
71d6c7aa93f09bfd451fb90512f5cd27137afce5c7a0d05e48c29cf5a171bbe2

SHA512
eebeab5ababafd5ec3153a60fdeb8735cec6a57aaf7402db04a4ece6ecf7d8947dc273ecb6ec4e204b0bea7abe1fbcf90f9f1a5d8eb7ce2a5a834f864ecf8786

Download Submit
memory/432-154-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2360-159-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/2360-160-0x000000000AD40000-0x000000000B358000-memory.dmp

Filesize
6.1MB

Download
memory/2360-161-0x000000000A8C0000-0x000000000A9CA000-memory.dmp

Filesize
1.0MB

Download
memory/2360-162-0x000000000A800000-0x000000000A812000-memory.dmp

Filesize
72KB

Download
memory/2360-163-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/2360-164-0x000000000A860000-0x000000000A89C000-memory.dmp

Filesize
240KB

Download
memory/2360-165-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads