redline | 96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c

General

Target

96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe
Size

581KB
MD5

8278660129a88ab6f356bb51086996fd
SHA1

b1a52136e641a9802851b30565920b44625f16e1
SHA256

96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c
SHA512

cff0a46d7b5d05b9355e92e8da8397916d8e1037d0a2e89b426d6d095643fb69ed05dec8f812e0f439af9a0ee00f26b7cfb2d8a17bfbde52168b9ff978c95fc0
SSDEEP

12288:kMrby9079Yb5sioEti5qbxshroQfw+xc/gTNc4UY+edgb6:ny89YyzEti5qbuffw+G/gTaFYh06

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0159052.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0159052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0159052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0159052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0159052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0159052.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0159052.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v5772539.exev7928868.exea0159052.exeb8050308.exe

pid process

2960 v5772539.exe
1604 v7928868.exe
4076 a0159052.exe
4436 b8050308.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0159052.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0159052.exe

pid	process
2960	v5772539.exe
1604	v7928868.exe
4076	a0159052.exe
4436	b8050308.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0159052.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7928868.exe96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exev5772539.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7928868.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5772539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5772539.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7928868.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0159052.exe

pid process

4076 a0159052.exe
4076 a0159052.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0159052.exe

description pid process

Token: SeDebugPrivilege 4076 a0159052.exe

pid	process
4076	a0159052.exe
4076	a0159052.exe

description	pid	process
Token: SeDebugPrivilege	4076	a0159052.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exev5772539.exev7928868.exe

description	pid	process	target process
PID 800 wrote to memory of 2960	800	96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe	v5772539.exe
PID 800 wrote to memory of 2960	800	96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe	v5772539.exe
PID 800 wrote to memory of 2960	800	96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe	v5772539.exe
PID 2960 wrote to memory of 1604	2960	v5772539.exe	v7928868.exe
PID 2960 wrote to memory of 1604	2960	v5772539.exe	v7928868.exe
PID 2960 wrote to memory of 1604	2960	v5772539.exe	v7928868.exe
PID 1604 wrote to memory of 4076	1604	v7928868.exe	a0159052.exe
PID 1604 wrote to memory of 4076	1604	v7928868.exe	a0159052.exe
PID 1604 wrote to memory of 4436	1604	v7928868.exe	b8050308.exe
PID 1604 wrote to memory of 4436	1604	v7928868.exe	b8050308.exe
PID 1604 wrote to memory of 4436	1604	v7928868.exe	b8050308.exe

C:\Users\Admin\AppData\Local\Temp\96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe
"C:\Users\Admin\AppData\Local\Temp\96bc6c7dc47b59769487d39579e01aa385e061ac4cfdaac638c9245585b2f42c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5772539.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5772539.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7928868.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7928868.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0159052.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0159052.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8050308.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8050308.exe
4⤵
- Executes dropped EXE
PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5772539.exe

Filesize
377KB

MD5
129328401c5a1fe1e1e5395b553798fa

SHA1
3ec4d21c96994369fdc60508b3443c73e85bc896

SHA256
70a42793f68efeee5b19953935f820a033cfafdad413b65a9fc6728bd6b6c056

SHA512
703e30b5fd9ce43eb5f58e34468adabc1c86c221513cb263f17156273394ff3c722cd1df23f71e664b74245bd1c3cbce9aee085eb83dbfac39a6d9008770e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5772539.exe

Filesize
377KB

MD5
129328401c5a1fe1e1e5395b553798fa

SHA1
3ec4d21c96994369fdc60508b3443c73e85bc896

SHA256
70a42793f68efeee5b19953935f820a033cfafdad413b65a9fc6728bd6b6c056

SHA512
703e30b5fd9ce43eb5f58e34468adabc1c86c221513cb263f17156273394ff3c722cd1df23f71e664b74245bd1c3cbce9aee085eb83dbfac39a6d9008770e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7928868.exe

Filesize
206KB

MD5
4d45ad2b1fedd38fa04185dc10f79479

SHA1
e4f7440930da88fab5433c1c8e5b57630ec56cb3

SHA256
306dca01bd46f645c00127a838009353188d25b15fecbf8efc9585faa5ac0c5e

SHA512
03b33d6b47b0fcabbe6ca7e0e005fdc31301b6077fb9678505f8dcc31e2c3fa8c289430c5b38e06d55858179399fb5a1879ec36b8a45edd66d5faa86664cd6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7928868.exe

Filesize
206KB

MD5
4d45ad2b1fedd38fa04185dc10f79479

SHA1
e4f7440930da88fab5433c1c8e5b57630ec56cb3

SHA256
306dca01bd46f645c00127a838009353188d25b15fecbf8efc9585faa5ac0c5e

SHA512
03b33d6b47b0fcabbe6ca7e0e005fdc31301b6077fb9678505f8dcc31e2c3fa8c289430c5b38e06d55858179399fb5a1879ec36b8a45edd66d5faa86664cd6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0159052.exe

Filesize
11KB

MD5
d7a7116167a6c60a3c647ca61e7e6941

SHA1
ee28334678459ac5d5491126a11df86e55c7ad1b

SHA256
c6dd6f60d807bedef6d46fc2018421d1ade288f48ddb93468f9143d21d0f616b

SHA512
8edb3705e346c6dec6f399a9b6374a1bcd8e06bf6910573ed2242bb1c1ab4144662808ccc1f31eba5a48de40a9015e4de8bf729485c1114f1a5410921c023b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0159052.exe

Filesize
11KB

MD5
d7a7116167a6c60a3c647ca61e7e6941

SHA1
ee28334678459ac5d5491126a11df86e55c7ad1b

SHA256
c6dd6f60d807bedef6d46fc2018421d1ade288f48ddb93468f9143d21d0f616b

SHA512
8edb3705e346c6dec6f399a9b6374a1bcd8e06bf6910573ed2242bb1c1ab4144662808ccc1f31eba5a48de40a9015e4de8bf729485c1114f1a5410921c023b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8050308.exe

Filesize
172KB

MD5
5f263aec50b462282699a7b053b87c1d

SHA1
0d26af8fa5f48a835c0adaa85751359c1e4a9e5c

SHA256
63283d59934c1f1791fda67200ec681d4f3ff8ceac968e185dbf6b51ae6dbc03

SHA512
ebe4cb9a624f709b51fa946fe9cffd4905005eeea4f04844a64f06acfe6c986c5022f382be46b10a416c997d5c1caa12df66c5f5cc67297492431e37afadc4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8050308.exe

Filesize
172KB

MD5
5f263aec50b462282699a7b053b87c1d

SHA1
0d26af8fa5f48a835c0adaa85751359c1e4a9e5c

SHA256
63283d59934c1f1791fda67200ec681d4f3ff8ceac968e185dbf6b51ae6dbc03

SHA512
ebe4cb9a624f709b51fa946fe9cffd4905005eeea4f04844a64f06acfe6c986c5022f382be46b10a416c997d5c1caa12df66c5f5cc67297492431e37afadc4bb

Download Submit
memory/4076-154-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/4436-159-0x0000000000030000-0x0000000000060000-memory.dmp

Filesize
192KB

Download
memory/4436-160-0x000000000A2F0000-0x000000000A908000-memory.dmp

Filesize
6.1MB

Download
memory/4436-161-0x0000000009E70000-0x0000000009F7A000-memory.dmp

Filesize
1.0MB

Download
memory/4436-162-0x0000000009DB0000-0x0000000009DC2000-memory.dmp

Filesize
72KB

Download
memory/4436-163-0x0000000009E10000-0x0000000009E4C000-memory.dmp

Filesize
240KB

Download
memory/4436-164-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/4436-165-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads