redline | 459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed

General

Target

459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe
Size

581KB
MD5

7d278bc1d7a94670fb24c4fb1624b51a
SHA1

52ac91e3ae38d668589c1a84a6368fb98a1e0091
SHA256

459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed
SHA512

4e44508189b59aa5481779b9b80ac2e97463a4c4b12724ce2378082d924e878d605892f6dc25710e93226c94561107effda501ea7490cebc435809da84167aab
SSDEEP

12288:bMr5y90dDwGz26OaCiZucg1ez8Sw6jZ6pqCHpkJ:yyWkQYiZnoE8ojIET

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a9039003.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9039003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9039003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9039003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9039003.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9039003.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v2871303.exev8370618.exea9039003.exeb9491872.exe

pid process

3924 v2871303.exe
3416 v8370618.exe
4092 a9039003.exe
5108 b9491872.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a9039003.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a9039003.exe

pid	process
3924	v2871303.exe
3416	v8370618.exe
4092	a9039003.exe
5108	b9491872.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9039003.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2871303.exev8370618.exe459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2871303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2871303.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8370618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8370618.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a9039003.exe

pid process

4092 a9039003.exe
4092 a9039003.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a9039003.exe

description pid process

Token: SeDebugPrivilege 4092 a9039003.exe

pid	process
4092	a9039003.exe
4092	a9039003.exe

description	pid	process
Token: SeDebugPrivilege	4092	a9039003.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exev2871303.exev8370618.exe

description	pid	process	target process
PID 1012 wrote to memory of 3924	1012	459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe	v2871303.exe
PID 1012 wrote to memory of 3924	1012	459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe	v2871303.exe
PID 1012 wrote to memory of 3924	1012	459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe	v2871303.exe
PID 3924 wrote to memory of 3416	3924	v2871303.exe	v8370618.exe
PID 3924 wrote to memory of 3416	3924	v2871303.exe	v8370618.exe
PID 3924 wrote to memory of 3416	3924	v2871303.exe	v8370618.exe
PID 3416 wrote to memory of 4092	3416	v8370618.exe	a9039003.exe
PID 3416 wrote to memory of 4092	3416	v8370618.exe	a9039003.exe
PID 3416 wrote to memory of 5108	3416	v8370618.exe	b9491872.exe
PID 3416 wrote to memory of 5108	3416	v8370618.exe	b9491872.exe
PID 3416 wrote to memory of 5108	3416	v8370618.exe	b9491872.exe

C:\Users\Admin\AppData\Local\Temp\459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe
"C:\Users\Admin\AppData\Local\Temp\459eed0c50ea623534ea90eba5b10ca4f5c7bfbbe668d7d78432f72e9501d4ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2871303.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2871303.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8370618.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8370618.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9039003.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9039003.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9491872.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9491872.exe
4⤵
- Executes dropped EXE
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2871303.exe
Filesize
377KB

MD5
8739dfa21182118c6a2facc9554886a3

SHA1
3068167cd9812b4db9c5be1c72eb0e790d5b1cb3

SHA256
10e67a46c9c4a919c9de3799effc313d2778d666a0744f510cf083f4216f2329

SHA512
af367664ce531b7afb618895d108f833a30dd84888a6276c55a32a33e34f331f4438b5fdddd6b8946d03c1cd48ba163b1cb0844b6437f2b06a06c2ddf72e2841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2871303.exe
Filesize
377KB

MD5
8739dfa21182118c6a2facc9554886a3

SHA1
3068167cd9812b4db9c5be1c72eb0e790d5b1cb3

SHA256
10e67a46c9c4a919c9de3799effc313d2778d666a0744f510cf083f4216f2329

SHA512
af367664ce531b7afb618895d108f833a30dd84888a6276c55a32a33e34f331f4438b5fdddd6b8946d03c1cd48ba163b1cb0844b6437f2b06a06c2ddf72e2841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8370618.exe
Filesize
206KB

MD5
ab81a4ac6dd27c6658ac0d117a282445

SHA1
64b62e5bf348ea3510c30ad45982dbb9fdb8213f

SHA256
cc1959bce708296cf115526c582747ae838b8ed69b51b5088ed76fce7ac05c17

SHA512
c320e3e98f70c563912247dd1efd753feffc6d75c966ddfd1b32c23f4ef7605526a3bbed940364bcaf3c18d6fd2b16f034d8129e0fbd5adf13e24d4682a24efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8370618.exe
Filesize
206KB

MD5
ab81a4ac6dd27c6658ac0d117a282445

SHA1
64b62e5bf348ea3510c30ad45982dbb9fdb8213f

SHA256
cc1959bce708296cf115526c582747ae838b8ed69b51b5088ed76fce7ac05c17

SHA512
c320e3e98f70c563912247dd1efd753feffc6d75c966ddfd1b32c23f4ef7605526a3bbed940364bcaf3c18d6fd2b16f034d8129e0fbd5adf13e24d4682a24efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9039003.exe
Filesize
11KB

MD5
745780a05e9025c6c3694ba01d543a92

SHA1
40ffe53a550d1dad4c2f2c41703d07998aed540c

SHA256
000281454f5a284b3416e9c5599f4680cbacd0f10a6feb2bbd17acffab672beb

SHA512
395857d034ad2489a014070a453f340a8bfef56307f5426f6d746c3e7264e900d659045b29a2f98957eabff2223f04fa3e3e74342c757e683bfb4e4d340a278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9039003.exe
Filesize
11KB

MD5
745780a05e9025c6c3694ba01d543a92

SHA1
40ffe53a550d1dad4c2f2c41703d07998aed540c

SHA256
000281454f5a284b3416e9c5599f4680cbacd0f10a6feb2bbd17acffab672beb

SHA512
395857d034ad2489a014070a453f340a8bfef56307f5426f6d746c3e7264e900d659045b29a2f98957eabff2223f04fa3e3e74342c757e683bfb4e4d340a278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9491872.exe
Filesize
172KB

MD5
778d4526820b779505d6f6bbc73dc49b

SHA1
6752e8831f33e5360369c933f8c98ab7df8a45d7

SHA256
767a034aef93378517a83daa0ac3491392bb3593b6505a4160c99a6d6f459aab

SHA512
4499afc797b9880a3ecc3cefdcc85bfe6a281c9932a06ae9f269b1586b417b40dfce98411a227b24b2a700321496588ddcbe263ca0fd4e9be4313cfb87823251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9491872.exe
Filesize
172KB

MD5
778d4526820b779505d6f6bbc73dc49b

SHA1
6752e8831f33e5360369c933f8c98ab7df8a45d7

SHA256
767a034aef93378517a83daa0ac3491392bb3593b6505a4160c99a6d6f459aab

SHA512
4499afc797b9880a3ecc3cefdcc85bfe6a281c9932a06ae9f269b1586b417b40dfce98411a227b24b2a700321496588ddcbe263ca0fd4e9be4313cfb87823251

Download Submit
memory/4092-142-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/5108-147-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/5108-148-0x0000000002540000-0x0000000002546000-memory.dmp

Filesize
24KB

Download
memory/5108-149-0x000000000A4E0000-0x000000000AAE6000-memory.dmp

Filesize
6.0MB

Download
memory/5108-150-0x000000000A060000-0x000000000A16A000-memory.dmp

Filesize
1.0MB

Download
memory/5108-151-0x0000000009F90000-0x0000000009FA2000-memory.dmp

Filesize
72KB

Download
memory/5108-152-0x0000000009FF0000-0x000000000A02E000-memory.dmp

Filesize
248KB

Download
memory/5108-153-0x000000000A170000-0x000000000A1BB000-memory.dmp

Filesize
300KB

Download
memory/5108-154-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/5108-155-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads