redline | 68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a

General

Target

68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe
Size

581KB
MD5

9e03656968ab066f370c0b2f61f63918
SHA1

e909cdbacfc9afecc0952033e04fc437d29c83bb
SHA256

68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a
SHA512

b097c69429a4358ee4cb6de53c738ae0ef72b1e8959fbae2a108493d4aa4794e6ad25b75cbc7fb89e7378082360051fb07be9a2f264cb56f6d4cae0315e03a99
SSDEEP

12288:HMryy90vJpvHjqfRpr+QCIcqIWHO4AR/2AfoAW3GvDg:ZymJpbqbyiIv3R/2Akog

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0843489.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0843489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0843489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0843489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0843489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0843489.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0843489.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v0747121.exev3421983.exea0843489.exeb9710854.exe

pid process

1724 v0747121.exe
3956 v3421983.exe
2776 a0843489.exe
4440 b9710854.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0843489.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0843489.exe

pid	process
1724	v0747121.exe
3956	v3421983.exe
2776	a0843489.exe
4440	b9710854.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0843489.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exev0747121.exev3421983.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0747121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0747121.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3421983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3421983.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0843489.exe

pid process

2776 a0843489.exe
2776 a0843489.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0843489.exe

description pid process

Token: SeDebugPrivilege 2776 a0843489.exe

pid	process
2776	a0843489.exe
2776	a0843489.exe

description	pid	process
Token: SeDebugPrivilege	2776	a0843489.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exev0747121.exev3421983.exe

description	pid	process	target process
PID 2828 wrote to memory of 1724	2828	68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe	v0747121.exe
PID 2828 wrote to memory of 1724	2828	68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe	v0747121.exe
PID 2828 wrote to memory of 1724	2828	68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe	v0747121.exe
PID 1724 wrote to memory of 3956	1724	v0747121.exe	v3421983.exe
PID 1724 wrote to memory of 3956	1724	v0747121.exe	v3421983.exe
PID 1724 wrote to memory of 3956	1724	v0747121.exe	v3421983.exe
PID 3956 wrote to memory of 2776	3956	v3421983.exe	a0843489.exe
PID 3956 wrote to memory of 2776	3956	v3421983.exe	a0843489.exe
PID 3956 wrote to memory of 4440	3956	v3421983.exe	b9710854.exe
PID 3956 wrote to memory of 4440	3956	v3421983.exe	b9710854.exe
PID 3956 wrote to memory of 4440	3956	v3421983.exe	b9710854.exe

C:\Users\Admin\AppData\Local\Temp\68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe
"C:\Users\Admin\AppData\Local\Temp\68d9ca9b008c38b43dcd6ef6efb65bc873c0f9059c8751bd1e37e7578e79740a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe
4⤵
- Executes dropped EXE
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe
Filesize
377KB

MD5
879d9c8111457792b6d443a246002af8

SHA1
4ef02c783a88f6ae72be0f42317fa77ec567b0e2

SHA256
666a8d831670c080986de375ee01e0b76801798cc9c9df63bf7fa4a0d7f8420f

SHA512
8827524d6e99475c674c50060cfb1cdaa951565a4b5ddc3023ae60271bab85a13a95536b6622e610edc22cc80a761572d75219d599808abc16aad26585712740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0747121.exe
Filesize
377KB

MD5
879d9c8111457792b6d443a246002af8

SHA1
4ef02c783a88f6ae72be0f42317fa77ec567b0e2

SHA256
666a8d831670c080986de375ee01e0b76801798cc9c9df63bf7fa4a0d7f8420f

SHA512
8827524d6e99475c674c50060cfb1cdaa951565a4b5ddc3023ae60271bab85a13a95536b6622e610edc22cc80a761572d75219d599808abc16aad26585712740

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe
Filesize
206KB

MD5
e693be6be05e17666a81136784861564

SHA1
9fde46a71017b39dc4c0d4eb0445cfb55a323a48

SHA256
96bc23a76ceb0a1126424acbb1c6838dcce34a56699a6fab7c8058473538e400

SHA512
9e070607814b2cebf429a5a95c3093fd7a132c4aeb542cd261ca8f271502656d65ffe56c16b1830a8776b060488cef4110ef1bc1e924ff7bb576242dfbb93a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3421983.exe
Filesize
206KB

MD5
e693be6be05e17666a81136784861564

SHA1
9fde46a71017b39dc4c0d4eb0445cfb55a323a48

SHA256
96bc23a76ceb0a1126424acbb1c6838dcce34a56699a6fab7c8058473538e400

SHA512
9e070607814b2cebf429a5a95c3093fd7a132c4aeb542cd261ca8f271502656d65ffe56c16b1830a8776b060488cef4110ef1bc1e924ff7bb576242dfbb93a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe
Filesize
11KB

MD5
0c3d377a0c6e48ada16a67496e1fae1a

SHA1
cd6e88b40eb74a61c3cc39f2aa571ce9a5dad422

SHA256
cfd5f8ce02d6d06bcaa69e1a325696c6e6b5febddfbfccfe58cf51c7d2615ec4

SHA512
b650fcc6fb98fa024b1f8a27904f8d1a65bff69e106e3cc48693ab653daa131c2e956933baf67b87f6edab0e50befbd40c3b3885a21d94c009e5ab4c51a75fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0843489.exe
Filesize
11KB

MD5
0c3d377a0c6e48ada16a67496e1fae1a

SHA1
cd6e88b40eb74a61c3cc39f2aa571ce9a5dad422

SHA256
cfd5f8ce02d6d06bcaa69e1a325696c6e6b5febddfbfccfe58cf51c7d2615ec4

SHA512
b650fcc6fb98fa024b1f8a27904f8d1a65bff69e106e3cc48693ab653daa131c2e956933baf67b87f6edab0e50befbd40c3b3885a21d94c009e5ab4c51a75fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe
Filesize
172KB

MD5
3ebdd642cb8a6d07a77616327a189e34

SHA1
fdb08eb338481697fab10b4dc76c6383ad5d2111

SHA256
f6497ebb5b6d074f79235e9b70f1e922b2cd9dca581fb744ddca8d1eb3b5aa1c

SHA512
3ee38604d0d98e6798016e87a625111450273fe44bbf255290bd263226ca88b8975006a7f635ceb49b0470266763d77137bf1f6eded8aa324996cd37c2f7c76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9710854.exe
Filesize
172KB

MD5
3ebdd642cb8a6d07a77616327a189e34

SHA1
fdb08eb338481697fab10b4dc76c6383ad5d2111

SHA256
f6497ebb5b6d074f79235e9b70f1e922b2cd9dca581fb744ddca8d1eb3b5aa1c

SHA512
3ee38604d0d98e6798016e87a625111450273fe44bbf255290bd263226ca88b8975006a7f635ceb49b0470266763d77137bf1f6eded8aa324996cd37c2f7c76b

Download Submit
memory/2776-154-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/4440-159-0x0000000000B60000-0x0000000000B90000-memory.dmp

Filesize
192KB

Download
memory/4440-160-0x000000000AFC0000-0x000000000B5D8000-memory.dmp

Filesize
6.1MB

Download
memory/4440-161-0x000000000AAE0000-0x000000000ABEA000-memory.dmp

Filesize
1.0MB

Download
memory/4440-162-0x000000000AA20000-0x000000000AA32000-memory.dmp

Filesize
72KB

Download
memory/4440-163-0x000000000AA80000-0x000000000AABC000-memory.dmp

Filesize
240KB

Download
memory/4440-164-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/4440-165-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads