redline | 909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092

General

Target

909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe
Size

580KB
MD5

083f63f0a1b0e8341c707c51b16a5897
SHA1

2ef9c680caf38f546e627032dbe8535556202450
SHA256

909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092
SHA512

848e9f300c9a39c1c510e817b5d80d57b038cbfc9d35ae698206c0e450d17a7e2becda446e7d73d28ab253c479a7134c4042176991dd8e0852871f46e609c8b2
SSDEEP

12288:OMrwy90FUAAylSXbwIob+5T3jHbhNIw3m8M0+qw1Cm:+yjaSXqb+RzHl6wTM05m

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3084994.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3084994.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3084994.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3084994.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3084994.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3084994.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v4625882.exev4870264.exea3084994.exeb5578171.exe

pid process

1660 v4625882.exe
2092 v4870264.exe
4256 a3084994.exe
4040 b5578171.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a3084994.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3084994.exe

pid	process
1660	v4625882.exe
2092	v4870264.exe
4256	a3084994.exe
4040	b5578171.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3084994.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v4625882.exev4870264.exe909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4625882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4625882.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4870264.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4870264.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a3084994.exe

pid process

4256 a3084994.exe
4256 a3084994.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a3084994.exe

description pid process

Token: SeDebugPrivilege 4256 a3084994.exe

pid	process
4256	a3084994.exe
4256	a3084994.exe

description	pid	process
Token: SeDebugPrivilege	4256	a3084994.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exev4625882.exev4870264.exe

description	pid	process	target process
PID 4048 wrote to memory of 1660	4048	909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe	v4625882.exe
PID 4048 wrote to memory of 1660	4048	909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe	v4625882.exe
PID 4048 wrote to memory of 1660	4048	909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe	v4625882.exe
PID 1660 wrote to memory of 2092	1660	v4625882.exe	v4870264.exe
PID 1660 wrote to memory of 2092	1660	v4625882.exe	v4870264.exe
PID 1660 wrote to memory of 2092	1660	v4625882.exe	v4870264.exe
PID 2092 wrote to memory of 4256	2092	v4870264.exe	a3084994.exe
PID 2092 wrote to memory of 4256	2092	v4870264.exe	a3084994.exe
PID 2092 wrote to memory of 4040	2092	v4870264.exe	b5578171.exe
PID 2092 wrote to memory of 4040	2092	v4870264.exe	b5578171.exe
PID 2092 wrote to memory of 4040	2092	v4870264.exe	b5578171.exe

C:\Users\Admin\AppData\Local\Temp\909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe
"C:\Users\Admin\AppData\Local\Temp\909757acd131a67d24b91ced5ecd760e1e6164106cca1d7bfe1e3a6c337fc092.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4625882.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4625882.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4870264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4870264.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3084994.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3084994.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5578171.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5578171.exe
4⤵
- Executes dropped EXE
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4625882.exe
Filesize
377KB

MD5
251ce29304d38f6e57fde71830679502

SHA1
85ca03f0735d491fd209bca93d6a54dce59804d9

SHA256
a630029cb95f30e3b3e54ba180193cc5003bf43d856e40c1a2da019fc50648eb

SHA512
3302dcd516c14322e8bd165230d25bdbbad647b50d0c2556f284a6790edfaa1d3b275468a36a7dca79fa906152123f75cef4e117be0fd8a47b5b3f3d270c6976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4625882.exe
Filesize
377KB

MD5
251ce29304d38f6e57fde71830679502

SHA1
85ca03f0735d491fd209bca93d6a54dce59804d9

SHA256
a630029cb95f30e3b3e54ba180193cc5003bf43d856e40c1a2da019fc50648eb

SHA512
3302dcd516c14322e8bd165230d25bdbbad647b50d0c2556f284a6790edfaa1d3b275468a36a7dca79fa906152123f75cef4e117be0fd8a47b5b3f3d270c6976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4870264.exe
Filesize
206KB

MD5
3334b86ef11c42eef0b4884c21430231

SHA1
db99757552ca74d33830d722bc872c8ce39390ff

SHA256
84a713e8ce7a8e6de1cce03bb58138a719803afa3b1397c57bd509ae1de28527

SHA512
987c7cda1399308ce9e67d1ef3111863a95176c3c24d096ee91c0b00c71929ce65522d70652419449097d30574bb24a41fff1886ddb92ef089c599929e1d4002

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4870264.exe
Filesize
206KB

MD5
3334b86ef11c42eef0b4884c21430231

SHA1
db99757552ca74d33830d722bc872c8ce39390ff

SHA256
84a713e8ce7a8e6de1cce03bb58138a719803afa3b1397c57bd509ae1de28527

SHA512
987c7cda1399308ce9e67d1ef3111863a95176c3c24d096ee91c0b00c71929ce65522d70652419449097d30574bb24a41fff1886ddb92ef089c599929e1d4002

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3084994.exe
Filesize
11KB

MD5
0d1adc464e416783f91dd522d8f713c1

SHA1
f46e2095c91d0e5ebf4ddc42fbac6f28802ec227

SHA256
3d7562c74cd97c0dbe54d3a56f77458a78f90476c1cc76cf7a157a06c856c609

SHA512
fb56f426e3b1811843002a88f4ca094b0279302aeb18c5abeeec4f79ae01e1c637405f3996656b644bb2edb9141aecb422dda327e410a4dfde59dadc272bc0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3084994.exe
Filesize
11KB

MD5
0d1adc464e416783f91dd522d8f713c1

SHA1
f46e2095c91d0e5ebf4ddc42fbac6f28802ec227

SHA256
3d7562c74cd97c0dbe54d3a56f77458a78f90476c1cc76cf7a157a06c856c609

SHA512
fb56f426e3b1811843002a88f4ca094b0279302aeb18c5abeeec4f79ae01e1c637405f3996656b644bb2edb9141aecb422dda327e410a4dfde59dadc272bc0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5578171.exe
Filesize
172KB

MD5
b79c132485010267b0f7ffd9de8f487c

SHA1
54c65492eb6b9f5b9cead9b87e9c186af21cbf55

SHA256
aa9d9d1e84e24620de2e527c81f3d9dc86f248a8e6817831243a21b2779c41d2

SHA512
4e91b29608f1b4dcc0497c81495e8b8ad568caeaca87f1817cda533a914fb6c33e06a2af75122ddbbd40f1c1f1f1054d177e89a5a162bd319100ba7dab682aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5578171.exe
Filesize
172KB

MD5
b79c132485010267b0f7ffd9de8f487c

SHA1
54c65492eb6b9f5b9cead9b87e9c186af21cbf55

SHA256
aa9d9d1e84e24620de2e527c81f3d9dc86f248a8e6817831243a21b2779c41d2

SHA512
4e91b29608f1b4dcc0497c81495e8b8ad568caeaca87f1817cda533a914fb6c33e06a2af75122ddbbd40f1c1f1f1054d177e89a5a162bd319100ba7dab682aee

Download Submit
memory/4040-146-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/4040-147-0x0000000004CF0000-0x0000000004CF6000-memory.dmp

Filesize
24KB

Download
memory/4040-148-0x000000000A830000-0x000000000AE36000-memory.dmp

Filesize
6.0MB

Download
memory/4040-149-0x000000000A380000-0x000000000A48A000-memory.dmp

Filesize
1.0MB

Download
memory/4040-150-0x000000000A2B0000-0x000000000A2C2000-memory.dmp

Filesize
72KB

Download
memory/4040-151-0x000000000A310000-0x000000000A34E000-memory.dmp

Filesize
248KB

Download
memory/4040-152-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4040-153-0x000000000A490000-0x000000000A4DB000-memory.dmp

Filesize
300KB

Download
memory/4256-141-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads