redline | e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf

General

Target

e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe
Size

580KB
MD5

6b7671326ad4d8cd0b49037cd9bf128c
SHA1

d8ca30dae251c203e8d819a2c1eac09f98e042a1
SHA256

e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf
SHA512

f4808095351dd98303e6f00c00c6b40e2637d9dcb2f2d0c262424bfefe0e8ecf43ca7d5bb233cf9180e38f0a83fda1fdace8d35067cd4c8af86e68a0c253cb4a
SSDEEP

12288:NMrzy90SjA9Cmyaw3QVAO7v6bTvOxkIzAgkVM+xir:eyLsmaEV3PYkV7xS

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0747893.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0747893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0747893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0747893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0747893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0747893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0747893.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v9525985.exev3792513.exea0747893.exeb8043418.exe

pid process

4232 v9525985.exe
4792 v3792513.exe
5104 a0747893.exe
4544 b8043418.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0747893.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0747893.exe

pid	process
4232	v9525985.exe
4792	v3792513.exe
5104	a0747893.exe
4544	b8043418.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0747893.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exev9525985.exev3792513.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9525985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9525985.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3792513.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3792513.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0747893.exe

pid process

5104 a0747893.exe
5104 a0747893.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0747893.exe

description pid process

Token: SeDebugPrivilege 5104 a0747893.exe

pid	process
5104	a0747893.exe
5104	a0747893.exe

description	pid	process
Token: SeDebugPrivilege	5104	a0747893.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exev9525985.exev3792513.exe

description	pid	process	target process
PID 1664 wrote to memory of 4232	1664	e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe	v9525985.exe
PID 1664 wrote to memory of 4232	1664	e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe	v9525985.exe
PID 1664 wrote to memory of 4232	1664	e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe	v9525985.exe
PID 4232 wrote to memory of 4792	4232	v9525985.exe	v3792513.exe
PID 4232 wrote to memory of 4792	4232	v9525985.exe	v3792513.exe
PID 4232 wrote to memory of 4792	4232	v9525985.exe	v3792513.exe
PID 4792 wrote to memory of 5104	4792	v3792513.exe	a0747893.exe
PID 4792 wrote to memory of 5104	4792	v3792513.exe	a0747893.exe
PID 4792 wrote to memory of 4544	4792	v3792513.exe	b8043418.exe
PID 4792 wrote to memory of 4544	4792	v3792513.exe	b8043418.exe
PID 4792 wrote to memory of 4544	4792	v3792513.exe	b8043418.exe

C:\Users\Admin\AppData\Local\Temp\e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe
"C:\Users\Admin\AppData\Local\Temp\e486ce42efdf98b40721cc586ccbfef280a754f96bdf83829da80b979702a7cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9525985.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9525985.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792513.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792513.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0747893.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0747893.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8043418.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8043418.exe
4⤵
- Executes dropped EXE
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9525985.exe

Filesize
377KB

MD5
a66c3ef92854642432c606ee0aab12df

SHA1
b6594a58ac2e6a417556a81cb8fa3a001734356b

SHA256
7553c242e7191905d661f1d6cc45b63b7ed11828a6bc09e03c3a29bbcaf66c2f

SHA512
3a858b39b23e6a9248285c1788aba370c82c2e7f3ac062e2293a6ca3e8d64d2c257cd35986918f21cd057914c8a8a15e88b20f13d0ab9744dff0bc47cfe7978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9525985.exe

Filesize
377KB

MD5
a66c3ef92854642432c606ee0aab12df

SHA1
b6594a58ac2e6a417556a81cb8fa3a001734356b

SHA256
7553c242e7191905d661f1d6cc45b63b7ed11828a6bc09e03c3a29bbcaf66c2f

SHA512
3a858b39b23e6a9248285c1788aba370c82c2e7f3ac062e2293a6ca3e8d64d2c257cd35986918f21cd057914c8a8a15e88b20f13d0ab9744dff0bc47cfe7978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792513.exe

Filesize
206KB

MD5
078eb73d5a875e477d75ccca6cfe4b72

SHA1
6dd7791275616f2b32ad021fbf4e622257710b09

SHA256
39225d79fe468678bb456744fdc5d7c0be91da183bb5f55982eea6cbd12dc992

SHA512
4d9377b99007931dc35d07c86333588499b66dc1155c07b8c3127973ee2d79233f3f3468b444a87318a8bd567c192caf2e8de616e563144dccbfe21524c20341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3792513.exe

Filesize
206KB

MD5
078eb73d5a875e477d75ccca6cfe4b72

SHA1
6dd7791275616f2b32ad021fbf4e622257710b09

SHA256
39225d79fe468678bb456744fdc5d7c0be91da183bb5f55982eea6cbd12dc992

SHA512
4d9377b99007931dc35d07c86333588499b66dc1155c07b8c3127973ee2d79233f3f3468b444a87318a8bd567c192caf2e8de616e563144dccbfe21524c20341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0747893.exe

Filesize
11KB

MD5
444623ddfcf837432df1278bb4b5f400

SHA1
fccb5cfb95586d5f5cd2493d576ed093758dcbea

SHA256
601c3c27fdbdf487a8a1871cb060e33abcefaf2b5e7f698b2ba1933fced5f490

SHA512
1e645e8114ea0ea0d4958b0af241caee1c8dfc5c9b0cb9e54a7985214954b30c9dd7aea784f68b9a2c6ca79495f0e5a6e9fe38010b4fe18cfc60c505b9b12c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0747893.exe

Filesize
11KB

MD5
444623ddfcf837432df1278bb4b5f400

SHA1
fccb5cfb95586d5f5cd2493d576ed093758dcbea

SHA256
601c3c27fdbdf487a8a1871cb060e33abcefaf2b5e7f698b2ba1933fced5f490

SHA512
1e645e8114ea0ea0d4958b0af241caee1c8dfc5c9b0cb9e54a7985214954b30c9dd7aea784f68b9a2c6ca79495f0e5a6e9fe38010b4fe18cfc60c505b9b12c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8043418.exe

Filesize
172KB

MD5
dd6491dfc0127c44961fa0158fa206c6

SHA1
4ed8173ed69d277e55d2960c5b5d396a153908e1

SHA256
ec4d27553f115438dda3fc9147043bcd42ca9a9bb3f9add1a8e1a5abbdd7aec2

SHA512
2d243a2b4917337964a54021c70c870db16c0066c57271d2dcb774172fcdfa2688bd8271aeab376a4ee5f921fb5009b408a8aecdc00f8d50b208902511d9a319

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8043418.exe

Filesize
172KB

MD5
dd6491dfc0127c44961fa0158fa206c6

SHA1
4ed8173ed69d277e55d2960c5b5d396a153908e1

SHA256
ec4d27553f115438dda3fc9147043bcd42ca9a9bb3f9add1a8e1a5abbdd7aec2

SHA512
2d243a2b4917337964a54021c70c870db16c0066c57271d2dcb774172fcdfa2688bd8271aeab376a4ee5f921fb5009b408a8aecdc00f8d50b208902511d9a319

Download Submit
memory/4544-159-0x0000000000640000-0x0000000000670000-memory.dmp

Filesize
192KB

Download
memory/4544-160-0x000000000AA60000-0x000000000B078000-memory.dmp

Filesize
6.1MB

Download
memory/4544-161-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

Filesize
1.0MB

Download
memory/4544-162-0x000000000A500000-0x000000000A512000-memory.dmp

Filesize
72KB

Download
memory/4544-163-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4544-164-0x000000000A560000-0x000000000A59C000-memory.dmp

Filesize
240KB

Download
memory/4544-165-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/5104-154-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads