redline | c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0

General

Target

c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe
Size

581KB
MD5

0bc1143763574d14b6bebcbb92e5a21e
SHA1

793a762006de7749cc6f2b4e9a5e348edef884eb
SHA256

c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0
SHA512

b0609a4c3b3eab2a09f15146519d4e4e21e8cb362da755c290d4c346363f51c8f41e75ed6592483b6f3321aff60fd4812724f535cdb5bdfa02ad7080f6dde701
SSDEEP

6144:Kfy+bnr+3p0yN90QE6+NKYMryY8WbevNID0/VFS1Oc55Myy6JKTwck0axV5pLPw4:ZMrny90tNKvuNQV+lmXyHv1g

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7842844.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7842844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7842844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7842844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7842844.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7842844.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v1359070.exev7397152.exea7842844.exeb8942636.exe

pid process

2152 v1359070.exe
2340 v7397152.exe
2420 a7842844.exe
4960 b8942636.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7842844.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7842844.exe

pid	process
2152	v1359070.exe
2340	v7397152.exe
2420	a7842844.exe
4960	b8942636.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7842844.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7397152.exec04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exev1359070.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7397152.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1359070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1359070.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7397152.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7842844.exe

pid process

2420 a7842844.exe
2420 a7842844.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7842844.exe

description pid process

Token: SeDebugPrivilege 2420 a7842844.exe

pid	process
2420	a7842844.exe
2420	a7842844.exe

description	pid	process
Token: SeDebugPrivilege	2420	a7842844.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exev1359070.exev7397152.exe

description	pid	process	target process
PID 1968 wrote to memory of 2152	1968	c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe	v1359070.exe
PID 1968 wrote to memory of 2152	1968	c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe	v1359070.exe
PID 1968 wrote to memory of 2152	1968	c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe	v1359070.exe
PID 2152 wrote to memory of 2340	2152	v1359070.exe	v7397152.exe
PID 2152 wrote to memory of 2340	2152	v1359070.exe	v7397152.exe
PID 2152 wrote to memory of 2340	2152	v1359070.exe	v7397152.exe
PID 2340 wrote to memory of 2420	2340	v7397152.exe	a7842844.exe
PID 2340 wrote to memory of 2420	2340	v7397152.exe	a7842844.exe
PID 2340 wrote to memory of 4960	2340	v7397152.exe	b8942636.exe
PID 2340 wrote to memory of 4960	2340	v7397152.exe	b8942636.exe
PID 2340 wrote to memory of 4960	2340	v7397152.exe	b8942636.exe

C:\Users\Admin\AppData\Local\Temp\c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe
"C:\Users\Admin\AppData\Local\Temp\c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
4⤵
- Executes dropped EXE
PID:4960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
Filesize
377KB

MD5
10865164b45c32fc85d158cca0037826

SHA1
7b6bac11308c48d46620c3cb535b7cb370579c39

SHA256
5154580e4ee4e4ffdbddb118ba3e2f34d4f9991bb5c3325531e781ee40e5bf9a

SHA512
ea57da4f3edc7679d3bd71e03183f78a05249afb8ca562b5aaa22fc773bd64b8285dc2262d73650933c1187c024cf000fb401125fd9d6c25cfc23897c590c1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
Filesize
377KB

MD5
10865164b45c32fc85d158cca0037826

SHA1
7b6bac11308c48d46620c3cb535b7cb370579c39

SHA256
5154580e4ee4e4ffdbddb118ba3e2f34d4f9991bb5c3325531e781ee40e5bf9a

SHA512
ea57da4f3edc7679d3bd71e03183f78a05249afb8ca562b5aaa22fc773bd64b8285dc2262d73650933c1187c024cf000fb401125fd9d6c25cfc23897c590c1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
Filesize
206KB

MD5
7625d0e137343f96aae87917576c3bf6

SHA1
0b4d11bca7bc424be2234bddcfddc3b755b8a3ad

SHA256
88853f74f4cc245c1ea236cf5b5a720d6a1cf4c92bd2f19a7e97af553cfa5beb

SHA512
4ec3c6e089af55b9c6f2824ecc6f68ccb8b3a88cbbdbf1d2a82324b66cb1f666ab34433f748100ee82230f471678a8ddefc0f999445524140cfb66cf0e340450

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
Filesize
206KB

MD5
7625d0e137343f96aae87917576c3bf6

SHA1
0b4d11bca7bc424be2234bddcfddc3b755b8a3ad

SHA256
88853f74f4cc245c1ea236cf5b5a720d6a1cf4c92bd2f19a7e97af553cfa5beb

SHA512
4ec3c6e089af55b9c6f2824ecc6f68ccb8b3a88cbbdbf1d2a82324b66cb1f666ab34433f748100ee82230f471678a8ddefc0f999445524140cfb66cf0e340450

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
Filesize
11KB

MD5
fda150cbbe59c4a15e60691d25397873

SHA1
10214422ff569e6b48623d9f73465dab8157d993

SHA256
69dbde5c1e79180df44fbbe52a81585cf03b44843610fdff1f0a15fa212046f9

SHA512
9a4db3f159a8ba5a950c27edb8b784dafe443561c55c95fbfaf7bf0e120e1dbf1552b5b85025c634d2841ad3e9927394b3072dc5dc2e974bd494e4ff9b38e089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
Filesize
11KB

MD5
fda150cbbe59c4a15e60691d25397873

SHA1
10214422ff569e6b48623d9f73465dab8157d993

SHA256
69dbde5c1e79180df44fbbe52a81585cf03b44843610fdff1f0a15fa212046f9

SHA512
9a4db3f159a8ba5a950c27edb8b784dafe443561c55c95fbfaf7bf0e120e1dbf1552b5b85025c634d2841ad3e9927394b3072dc5dc2e974bd494e4ff9b38e089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
Filesize
172KB

MD5
287aac2015e8246204b10961c1805668

SHA1
90230b5603230ebfae07112b0e3611e02eb3b4d9

SHA256
2ef1419e5bec6b4c30e271ae4821a32952f35ac3cb8a399cbbd91323b5e4aaf2

SHA512
86c6d35b6b4713e2e75fb38f65c9a0d9c263c777f5723dcecc95c7d47427af5aa46048e863387df040ee09e3756ecaced8f946142f5445f19e489898e742b2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
Filesize
172KB

MD5
287aac2015e8246204b10961c1805668

SHA1
90230b5603230ebfae07112b0e3611e02eb3b4d9

SHA256
2ef1419e5bec6b4c30e271ae4821a32952f35ac3cb8a399cbbd91323b5e4aaf2

SHA512
86c6d35b6b4713e2e75fb38f65c9a0d9c263c777f5723dcecc95c7d47427af5aa46048e863387df040ee09e3756ecaced8f946142f5445f19e489898e742b2c1

Download Submit
memory/2420-142-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/4960-147-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/4960-148-0x00000000011C0000-0x00000000011C6000-memory.dmp

Filesize
24KB

Download
memory/4960-149-0x000000000AE60000-0x000000000B466000-memory.dmp

Filesize
6.0MB

Download
memory/4960-150-0x000000000A9B0000-0x000000000AABA000-memory.dmp

Filesize
1.0MB

Download
memory/4960-151-0x000000000A8E0000-0x000000000A8F2000-memory.dmp

Filesize
72KB

Download
memory/4960-152-0x000000000A940000-0x000000000A97E000-memory.dmp

Filesize
248KB

Download
memory/4960-153-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4960-154-0x000000000AAC0000-0x000000000AB0B000-memory.dmp

Filesize
300KB

Download
memory/4960-155-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads