redline | f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815

General

Target

f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe
Size

581KB
MD5

22ae7a8cc3b17564f6f2d62081788a58
SHA1

3802ae29e91dae37deef67c2e7fa6a0fff68d52b
SHA256

f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815
SHA512

5a73e1ccd4c4aa84e9eda5d9e204005a77b165c7fffe5018506a13b981eb9b8e8908caeb3c21ef702549779e5840f5dcfd59742e40ff691a25d51eaff18c6171
SSDEEP

12288:eMrry90K9wFpYaPEtp3q6pcxDM36Bbc4eFzIPchK6I2:Ny3GCaw3I3BIZDYt2

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1728477.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1728477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1728477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1728477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1728477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1728477.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8933799.exev8327824.exea1728477.exeb8343361.exe

pid process

2676 v8933799.exe
3252 v8327824.exe
4960 a1728477.exe
2552 b8343361.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a1728477.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1728477.exe

pid	process
2676	v8933799.exe
3252	v8327824.exe
4960	a1728477.exe
2552	b8343361.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1728477.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8327824.exef3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exev8933799.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8327824.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8933799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8933799.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8327824.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1728477.exe

pid process

4960 a1728477.exe
4960 a1728477.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1728477.exe

description pid process

Token: SeDebugPrivilege 4960 a1728477.exe

pid	process
4960	a1728477.exe
4960	a1728477.exe

description	pid	process
Token: SeDebugPrivilege	4960	a1728477.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exev8933799.exev8327824.exe

description	pid	process	target process
PID 2420 wrote to memory of 2676	2420	f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe	v8933799.exe
PID 2420 wrote to memory of 2676	2420	f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe	v8933799.exe
PID 2420 wrote to memory of 2676	2420	f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe	v8933799.exe
PID 2676 wrote to memory of 3252	2676	v8933799.exe	v8327824.exe
PID 2676 wrote to memory of 3252	2676	v8933799.exe	v8327824.exe
PID 2676 wrote to memory of 3252	2676	v8933799.exe	v8327824.exe
PID 3252 wrote to memory of 4960	3252	v8327824.exe	a1728477.exe
PID 3252 wrote to memory of 4960	3252	v8327824.exe	a1728477.exe
PID 3252 wrote to memory of 2552	3252	v8327824.exe	b8343361.exe
PID 3252 wrote to memory of 2552	3252	v8327824.exe	b8343361.exe
PID 3252 wrote to memory of 2552	3252	v8327824.exe	b8343361.exe

C:\Users\Admin\AppData\Local\Temp\f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe
"C:\Users\Admin\AppData\Local\Temp\f3ac6a89a13c62884f763738f1dcbc080cc89d0ec6f35eb63137f0a8aeb7a815.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933799.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933799.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8327824.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8327824.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1728477.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1728477.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8343361.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8343361.exe
4⤵
- Executes dropped EXE
PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933799.exe

Filesize
377KB

MD5
dba936e55e55c69bd842bdb551bd389c

SHA1
1b40a49ed16d7cba82a799559e4effdd073f28dd

SHA256
3529f28827118d0634bf2cf25031937e462bdefaeee4147445c34526e050c10b

SHA512
35ecf2c97fce1e7282b08a92e37f00a18ce2ed1d86d04a7817c5f359e434d34793a8fa097a4efb26ac4ae1922d1230879167e77e892ba78ef74f0cc147f852bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933799.exe

Filesize
377KB

MD5
dba936e55e55c69bd842bdb551bd389c

SHA1
1b40a49ed16d7cba82a799559e4effdd073f28dd

SHA256
3529f28827118d0634bf2cf25031937e462bdefaeee4147445c34526e050c10b

SHA512
35ecf2c97fce1e7282b08a92e37f00a18ce2ed1d86d04a7817c5f359e434d34793a8fa097a4efb26ac4ae1922d1230879167e77e892ba78ef74f0cc147f852bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8327824.exe

Filesize
206KB

MD5
b62aa4bd592d073b257aacea13c4b102

SHA1
805b2577f91ac36c0ea9c6758c00f415a31e27b2

SHA256
dc7bb3c37a0bfac0c4cab4d4232381bd06bcd6665673f738ba63a7a764aa3bb2

SHA512
5cda19da379bdbabbbb4eb1ff5ab7af7809cebe070712472a132d3dd1ccd0eca36490ef92633f30742b9222c20d709bbdad355cf45cd86e5bd18e3d35da03bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8327824.exe

Filesize
206KB

MD5
b62aa4bd592d073b257aacea13c4b102

SHA1
805b2577f91ac36c0ea9c6758c00f415a31e27b2

SHA256
dc7bb3c37a0bfac0c4cab4d4232381bd06bcd6665673f738ba63a7a764aa3bb2

SHA512
5cda19da379bdbabbbb4eb1ff5ab7af7809cebe070712472a132d3dd1ccd0eca36490ef92633f30742b9222c20d709bbdad355cf45cd86e5bd18e3d35da03bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1728477.exe

Filesize
11KB

MD5
fc3e7e0018bacde54ae70108c112ed7a

SHA1
6cd0d2dfeb5702f340957f7c70ebfb1dda231897

SHA256
1c9ba9059630d1d525233c8a073ffc0e1e6e9bec68e916296e7b65d7e9dce4ad

SHA512
853abac9576e336e30e344337757746169bc367489a45f919bd33619aacd5068728983abbf16eb4f1df4b4f0a65020f140b552107ed5db1c8c3f335a80175b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1728477.exe

Filesize
11KB

MD5
fc3e7e0018bacde54ae70108c112ed7a

SHA1
6cd0d2dfeb5702f340957f7c70ebfb1dda231897

SHA256
1c9ba9059630d1d525233c8a073ffc0e1e6e9bec68e916296e7b65d7e9dce4ad

SHA512
853abac9576e336e30e344337757746169bc367489a45f919bd33619aacd5068728983abbf16eb4f1df4b4f0a65020f140b552107ed5db1c8c3f335a80175b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8343361.exe

Filesize
172KB

MD5
6249ee75496f59e6374a981669d3ab4b

SHA1
4a18aa30ddb6186425348fc2025e9f9d22e70f74

SHA256
6ee92f1965fa7e7240dbca44f7851a21e4bb3775be6cea763fe41e0094f87541

SHA512
b625242d9ee92754e3815215952efd8e4abd1e0aa17228d7cb3fc88543212f4e4efcc111ac3efdb8b877d542632001e41e5c5eb56adc4a305aeb1e9426a170d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8343361.exe

Filesize
172KB

MD5
6249ee75496f59e6374a981669d3ab4b

SHA1
4a18aa30ddb6186425348fc2025e9f9d22e70f74

SHA256
6ee92f1965fa7e7240dbca44f7851a21e4bb3775be6cea763fe41e0094f87541

SHA512
b625242d9ee92754e3815215952efd8e4abd1e0aa17228d7cb3fc88543212f4e4efcc111ac3efdb8b877d542632001e41e5c5eb56adc4a305aeb1e9426a170d7

Download Submit
memory/2552-147-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/2552-148-0x0000000002F00000-0x0000000002F06000-memory.dmp

Filesize
24KB

Download
memory/2552-149-0x0000000005C00000-0x0000000006206000-memory.dmp

Filesize
6.0MB

Download
memory/2552-150-0x0000000005700000-0x000000000580A000-memory.dmp

Filesize
1.0MB

Download
memory/2552-151-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/2552-152-0x00000000055F0000-0x000000000562E000-memory.dmp

Filesize
248KB

Download
memory/2552-153-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2552-154-0x0000000005630000-0x000000000567B000-memory.dmp

Filesize
300KB

Download
memory/2552-155-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4960-142-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads