redline | f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413

General

Target

f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe
Size

580KB
MD5

7a95d8176babc8d4001f66751970388e
SHA1

310ef01c2818c268356aba406e4734a37fb1de74
SHA256

f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413
SHA512

90e2f77f59452a32e1df44404e46b06c183d0032ca73adb72a260b68fc81ed3ee944b9b69bea93cb2e5575bb5ed29bf6dde35fe9f10992bd56ae0c6b25f16906
SSDEEP

6144:K3y+bnr+lp0yN90QElvZZ8PvdYJXuyLxyfD+zT7qk6S5z3zfd5IQqLVDTdfJAZs+:pMrpy90km9u6yb+X7/WVD/3EVQfMwa

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7265545.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7265545.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7265545.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7265545.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7265545.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7265545.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7265545.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6716526.exev7821638.exea7265545.exeb5051535.exe

pid process

5112 v6716526.exe
684 v7821638.exe
812 a7265545.exe
1344 b5051535.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7265545.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7265545.exe

pid	process
5112	v6716526.exe
684	v7821638.exe
812	a7265545.exe
1344	b5051535.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7265545.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exev6716526.exev7821638.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6716526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6716526.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7821638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7821638.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7265545.exe

pid process

812 a7265545.exe
812 a7265545.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7265545.exe

description pid process

Token: SeDebugPrivilege 812 a7265545.exe

pid	process
812	a7265545.exe
812	a7265545.exe

description	pid	process
Token: SeDebugPrivilege	812	a7265545.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exev6716526.exev7821638.exe

description	pid	process	target process
PID 2088 wrote to memory of 5112	2088	f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe	v6716526.exe
PID 2088 wrote to memory of 5112	2088	f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe	v6716526.exe
PID 2088 wrote to memory of 5112	2088	f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe	v6716526.exe
PID 5112 wrote to memory of 684	5112	v6716526.exe	v7821638.exe
PID 5112 wrote to memory of 684	5112	v6716526.exe	v7821638.exe
PID 5112 wrote to memory of 684	5112	v6716526.exe	v7821638.exe
PID 684 wrote to memory of 812	684	v7821638.exe	a7265545.exe
PID 684 wrote to memory of 812	684	v7821638.exe	a7265545.exe
PID 684 wrote to memory of 1344	684	v7821638.exe	b5051535.exe
PID 684 wrote to memory of 1344	684	v7821638.exe	b5051535.exe
PID 684 wrote to memory of 1344	684	v7821638.exe	b5051535.exe

C:\Users\Admin\AppData\Local\Temp\f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe
"C:\Users\Admin\AppData\Local\Temp\f0ee9881e5d7e2d8ec5dac75dbef0ca6c901b97fdf0e5f8147a7416e990df413.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe
4⤵
- Executes dropped EXE
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe
Filesize
377KB

MD5
7177a061535db2bac66e1cb08466a712

SHA1
4917d700b3571ed7c105a094e105e48815ea86d6

SHA256
d33a0ff6d6d88152a648117509ea99707bc527eeb0e9e77745e04d11925c633b

SHA512
ff6ec17a1056fd0eb70c6946ac0dbf84d100ca3d4d11dfc6d0a6284c7e1fd63095f8db8ae9fe61a3aa0718d7dfb216842a900bb2158a1b68f1a814e8ba0786fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6716526.exe
Filesize
377KB

MD5
7177a061535db2bac66e1cb08466a712

SHA1
4917d700b3571ed7c105a094e105e48815ea86d6

SHA256
d33a0ff6d6d88152a648117509ea99707bc527eeb0e9e77745e04d11925c633b

SHA512
ff6ec17a1056fd0eb70c6946ac0dbf84d100ca3d4d11dfc6d0a6284c7e1fd63095f8db8ae9fe61a3aa0718d7dfb216842a900bb2158a1b68f1a814e8ba0786fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe
Filesize
206KB

MD5
32b8e33eb4661a1ae77f79c9222d7f6e

SHA1
0a6bbeb5d86e293f789993e1adb2ddaef57769ef

SHA256
fa8face846204f1e36fad8c4c4b50b04322e463da9da14cfa8fe42fc2532ff7c

SHA512
ca454efd8d1f120b9be2d00eb1369d84a0fb902b86408eb7ad595dcaa6cc928df39126e704e95f739c4f040af68f8ab598f010e300ab3b12ac22471144539b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7821638.exe
Filesize
206KB

MD5
32b8e33eb4661a1ae77f79c9222d7f6e

SHA1
0a6bbeb5d86e293f789993e1adb2ddaef57769ef

SHA256
fa8face846204f1e36fad8c4c4b50b04322e463da9da14cfa8fe42fc2532ff7c

SHA512
ca454efd8d1f120b9be2d00eb1369d84a0fb902b86408eb7ad595dcaa6cc928df39126e704e95f739c4f040af68f8ab598f010e300ab3b12ac22471144539b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe
Filesize
11KB

MD5
e3d7138cfc827d8e118dc9cd38ebe29f

SHA1
114737f21a5ad482ea4622c64643139805b5dd4e

SHA256
110592072c1ec7230e3b37d9aa59f99e04a64540a015d42903d5f96c3b354492

SHA512
d8df79d01af58228c4ffba79b6e74ff1621a8558be8f25106422fb235ff9455aa02a11b90846032d1403c9431f9a185709eef900f8f82a6139c978e8d4346303

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7265545.exe
Filesize
11KB

MD5
e3d7138cfc827d8e118dc9cd38ebe29f

SHA1
114737f21a5ad482ea4622c64643139805b5dd4e

SHA256
110592072c1ec7230e3b37d9aa59f99e04a64540a015d42903d5f96c3b354492

SHA512
d8df79d01af58228c4ffba79b6e74ff1621a8558be8f25106422fb235ff9455aa02a11b90846032d1403c9431f9a185709eef900f8f82a6139c978e8d4346303

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe
Filesize
172KB

MD5
83b56b018a9e3dd6b00dcdca3c79713f

SHA1
8744e463c42ad3625f42c7348622fed5cc76cdfa

SHA256
89ec01e0cf956f01c3252a04ee5158438888ef239635215ab5ebb5f222e83343

SHA512
3f0800c3a8320fa454e9b82763f2abb3d76ddefba0747c6a9131db7d62c88a8017abd0087f9699861c3981929c05dd3e01c038326dae2e31478c1980f2d32ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5051535.exe
Filesize
172KB

MD5
83b56b018a9e3dd6b00dcdca3c79713f

SHA1
8744e463c42ad3625f42c7348622fed5cc76cdfa

SHA256
89ec01e0cf956f01c3252a04ee5158438888ef239635215ab5ebb5f222e83343

SHA512
3f0800c3a8320fa454e9b82763f2abb3d76ddefba0747c6a9131db7d62c88a8017abd0087f9699861c3981929c05dd3e01c038326dae2e31478c1980f2d32ed5

Download Submit
memory/812-154-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/1344-159-0x0000000000E90000-0x0000000000EC0000-memory.dmp

Filesize
192KB

Download
memory/1344-160-0x000000000B1F0000-0x000000000B808000-memory.dmp

Filesize
6.1MB

Download
memory/1344-161-0x000000000ACE0000-0x000000000ADEA000-memory.dmp

Filesize
1.0MB

Download
memory/1344-162-0x000000000AC10000-0x000000000AC22000-memory.dmp

Filesize
72KB

Download
memory/1344-163-0x000000000AC70000-0x000000000ACAC000-memory.dmp

Filesize
240KB

Download
memory/1344-164-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1344-165-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads