redline | 2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e

General

Target

2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe
Size

581KB
MD5

fd5490265aba587f9be6ab85373f2502
SHA1

90e19b4452bb49c0ab21fcffdb53c5f9ea3c02d6
SHA256

2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e
SHA512

4a39e5c322bdda69def8ba96d5024060c78f722e0d89ab279ba477b5f27b6faccadc7a19695ec5a3b0d22807afbb33fc9aa5f77794b8510da54288705d65caee
SSDEEP

12288:5MrXy90Qy0CBt4CgYkTq044wNn27rkxmfnhgP6OXXLw:myBy0o4wakxPP6O8

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a4821990.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4821990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4821990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4821990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4821990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4821990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4821990.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v9501190.exev6878159.exea4821990.exeb3074710.exe

pid process

4456 v9501190.exe
4292 v6878159.exe
2672 a4821990.exe
2816 b3074710.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a4821990.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4821990.exe

pid	process
4456	v9501190.exe
4292	v6878159.exe
2672	a4821990.exe
2816	b3074710.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4821990.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exev9501190.exev6878159.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9501190.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9501190.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6878159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6878159.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a4821990.exe

pid process

2672 a4821990.exe
2672 a4821990.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a4821990.exe

description pid process

Token: SeDebugPrivilege 2672 a4821990.exe

pid	process
2672	a4821990.exe
2672	a4821990.exe

description	pid	process
Token: SeDebugPrivilege	2672	a4821990.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exev9501190.exev6878159.exe

description	pid	process	target process
PID 436 wrote to memory of 4456	436	2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe	v9501190.exe
PID 436 wrote to memory of 4456	436	2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe	v9501190.exe
PID 436 wrote to memory of 4456	436	2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe	v9501190.exe
PID 4456 wrote to memory of 4292	4456	v9501190.exe	v6878159.exe
PID 4456 wrote to memory of 4292	4456	v9501190.exe	v6878159.exe
PID 4456 wrote to memory of 4292	4456	v9501190.exe	v6878159.exe
PID 4292 wrote to memory of 2672	4292	v6878159.exe	a4821990.exe
PID 4292 wrote to memory of 2672	4292	v6878159.exe	a4821990.exe
PID 4292 wrote to memory of 2816	4292	v6878159.exe	b3074710.exe
PID 4292 wrote to memory of 2816	4292	v6878159.exe	b3074710.exe
PID 4292 wrote to memory of 2816	4292	v6878159.exe	b3074710.exe

C:\Users\Admin\AppData\Local\Temp\2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe
"C:\Users\Admin\AppData\Local\Temp\2f574d2eea034e896b38aa19ea7192a162c353cc7c31c30e8e3ca5a1180ee68e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9501190.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9501190.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6878159.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6878159.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4821990.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4821990.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3074710.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3074710.exe
4⤵
- Executes dropped EXE
PID:2816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9501190.exe
Filesize
377KB

MD5
0295d4c139f72128128fade0bfb79bdb

SHA1
9af5487e0bad3aabf01b4f1de8378f11d6cdbd34

SHA256
31604023abe0de136e9b16208ac5085f091d450c5c70e9d05312bd1604a90b85

SHA512
a6cc0e7bb788ec5724fdaae3bcdd38cab6c14b382d5c33128db89cf1b51cdf1baccce09f74f479f76dac0ff9467df25de0ed5c3aa1edd95b4449c1b2c730d765

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9501190.exe
Filesize
377KB

MD5
0295d4c139f72128128fade0bfb79bdb

SHA1
9af5487e0bad3aabf01b4f1de8378f11d6cdbd34

SHA256
31604023abe0de136e9b16208ac5085f091d450c5c70e9d05312bd1604a90b85

SHA512
a6cc0e7bb788ec5724fdaae3bcdd38cab6c14b382d5c33128db89cf1b51cdf1baccce09f74f479f76dac0ff9467df25de0ed5c3aa1edd95b4449c1b2c730d765

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6878159.exe
Filesize
206KB

MD5
e410fe0a5ef83e45772d9d6c9ddabbcc

SHA1
5cfb177e92f0e864f8846b1911b28788713ae559

SHA256
b099ff159aa5942dec543933dff0c83d94b35b62874318c900ccca79e2f0fe7c

SHA512
e0604ffb10dc33996cb1941359f0946e97a20baf930d57ca14a7bae00f46033ae3063673f85ad22e6f1495d2dbfd0e7de84dcf889eb498ff98e6f642654ca738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6878159.exe
Filesize
206KB

MD5
e410fe0a5ef83e45772d9d6c9ddabbcc

SHA1
5cfb177e92f0e864f8846b1911b28788713ae559

SHA256
b099ff159aa5942dec543933dff0c83d94b35b62874318c900ccca79e2f0fe7c

SHA512
e0604ffb10dc33996cb1941359f0946e97a20baf930d57ca14a7bae00f46033ae3063673f85ad22e6f1495d2dbfd0e7de84dcf889eb498ff98e6f642654ca738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4821990.exe
Filesize
11KB

MD5
196b6f6a3f018793a27516ce66aab9d3

SHA1
4efc104dc1e8801215c8416c158f84aaef37d8be

SHA256
98334b644bcd77acf7abafdb3d47d9a1652a93dc4d2f05df206a20bdf2bb27b2

SHA512
effcfd6a1857bcd08e4732ba145c20bf4d1001716b9b3a22fd4f172f13757c84daab26d6ad766103b5721b2747e36686ee7a58620449fff4580271444bd6eee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4821990.exe
Filesize
11KB

MD5
196b6f6a3f018793a27516ce66aab9d3

SHA1
4efc104dc1e8801215c8416c158f84aaef37d8be

SHA256
98334b644bcd77acf7abafdb3d47d9a1652a93dc4d2f05df206a20bdf2bb27b2

SHA512
effcfd6a1857bcd08e4732ba145c20bf4d1001716b9b3a22fd4f172f13757c84daab26d6ad766103b5721b2747e36686ee7a58620449fff4580271444bd6eee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3074710.exe
Filesize
172KB

MD5
bf9c58f183a56065521f3536512df259

SHA1
07a12364826786379f206cdcca734f5d20689de6

SHA256
8c0d3d9fc2bc13125848aebfc0f7fbf2cbc2aed66a20371ae5f92aaea00cc118

SHA512
baf5b2f502b04f032d251451451111213621cfe1039dda18a651a177629a74de048650f52f863aa940c6a75a06e1328bc4807627410178b2703201af33681e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3074710.exe
Filesize
172KB

MD5
bf9c58f183a56065521f3536512df259

SHA1
07a12364826786379f206cdcca734f5d20689de6

SHA256
8c0d3d9fc2bc13125848aebfc0f7fbf2cbc2aed66a20371ae5f92aaea00cc118

SHA512
baf5b2f502b04f032d251451451111213621cfe1039dda18a651a177629a74de048650f52f863aa940c6a75a06e1328bc4807627410178b2703201af33681e8f

Download Submit
memory/2672-154-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2816-159-0x0000000000A40000-0x0000000000A70000-memory.dmp

Filesize
192KB

Download
memory/2816-160-0x000000000AE90000-0x000000000B4A8000-memory.dmp

Filesize
6.1MB

Download
memory/2816-161-0x000000000A9C0000-0x000000000AACA000-memory.dmp

Filesize
1.0MB

Download
memory/2816-162-0x000000000A900000-0x000000000A912000-memory.dmp

Filesize
72KB

Download
memory/2816-164-0x000000000A960000-0x000000000A99C000-memory.dmp

Filesize
240KB

Download
memory/2816-163-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2816-165-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads