redline | 0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d

General

Target

0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe
Size

580KB
MD5

ccc295c80487159aee8aa637fd6ebdee
SHA1

1123e190199f2f7760ff7f046375ba0865202f5d
SHA256

0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d
SHA512

8664a1dca420a5816788251076818edf47ea2795490fe9e843bf4f5b81fb6046baaa81cbd1a8f3b17fc386b711d92458e6d8e75e7502f1833bf33d6cc5d3d132
SSDEEP

12288:MMrjy90HGR2AZK9N7peW6vH7GzeynPo9K4ejwiMPja99L6P:nyrA9udvbGxP1BjPcjaf6P

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7924477.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7924477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7924477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7924477.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7924477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7924477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7924477.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v2881533.exev1904183.exea7924477.exeb0560022.exe

pid process

2884 v2881533.exe
1564 v1904183.exe
3260 a7924477.exe
4600 b0560022.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7924477.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7924477.exe

pid	process
2884	v2881533.exe
1564	v1904183.exe
3260	a7924477.exe
4600	b0560022.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7924477.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exev2881533.exev1904183.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2881533.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2881533.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1904183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1904183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7924477.exe

pid process

3260 a7924477.exe
3260 a7924477.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7924477.exe

description pid process

Token: SeDebugPrivilege 3260 a7924477.exe

pid	process
3260	a7924477.exe
3260	a7924477.exe

description	pid	process
Token: SeDebugPrivilege	3260	a7924477.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exev2881533.exev1904183.exe

description	pid	process	target process
PID 1644 wrote to memory of 2884	1644	0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe	v2881533.exe
PID 1644 wrote to memory of 2884	1644	0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe	v2881533.exe
PID 1644 wrote to memory of 2884	1644	0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe	v2881533.exe
PID 2884 wrote to memory of 1564	2884	v2881533.exe	v1904183.exe
PID 2884 wrote to memory of 1564	2884	v2881533.exe	v1904183.exe
PID 2884 wrote to memory of 1564	2884	v2881533.exe	v1904183.exe
PID 1564 wrote to memory of 3260	1564	v1904183.exe	a7924477.exe
PID 1564 wrote to memory of 3260	1564	v1904183.exe	a7924477.exe
PID 1564 wrote to memory of 4600	1564	v1904183.exe	b0560022.exe
PID 1564 wrote to memory of 4600	1564	v1904183.exe	b0560022.exe
PID 1564 wrote to memory of 4600	1564	v1904183.exe	b0560022.exe

C:\Users\Admin\AppData\Local\Temp\0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe
"C:\Users\Admin\AppData\Local\Temp\0fcf50dd961c255389e709f159012c3326e1363e833c4373422fb01070e57d3d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
4⤵
- Executes dropped EXE
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
Filesize
377KB

MD5
c247c64d797d85f624c1aa797b3dd6d8

SHA1
4496837681ce64fb88cec768ff9e387c1660db28

SHA256
a655f0f80001b6432cb9dbd5088a5204111d2f5a5ffb0aa3e2d94361e81dc4a4

SHA512
45d09fc1051b94b8197f327dcaa77fe248ced67f8c94bd91c31d72c2a50fa069bd3c4ec3053bc4fd2b43bd45cc9c0152c947515bece8b8b3d31084bcf5ba07cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2881533.exe
Filesize
377KB

MD5
c247c64d797d85f624c1aa797b3dd6d8

SHA1
4496837681ce64fb88cec768ff9e387c1660db28

SHA256
a655f0f80001b6432cb9dbd5088a5204111d2f5a5ffb0aa3e2d94361e81dc4a4

SHA512
45d09fc1051b94b8197f327dcaa77fe248ced67f8c94bd91c31d72c2a50fa069bd3c4ec3053bc4fd2b43bd45cc9c0152c947515bece8b8b3d31084bcf5ba07cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
Filesize
206KB

MD5
e3bafea044dc2e31bcbe0b590f10617f

SHA1
33f940902fcc2a689fc7e5c9e1361c5841722716

SHA256
67962d445b4877dc79431f74104ffbdf24335d6dd676ecb3006f22c39b530691

SHA512
c29756cfa30388921b6a519d7e3a92498842d6ef975a86401aa0627a071dd59ee08a2e7131e9a8213953997ac88f7091cc08ec0d82b8aadd425472099c8a042a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1904183.exe
Filesize
206KB

MD5
e3bafea044dc2e31bcbe0b590f10617f

SHA1
33f940902fcc2a689fc7e5c9e1361c5841722716

SHA256
67962d445b4877dc79431f74104ffbdf24335d6dd676ecb3006f22c39b530691

SHA512
c29756cfa30388921b6a519d7e3a92498842d6ef975a86401aa0627a071dd59ee08a2e7131e9a8213953997ac88f7091cc08ec0d82b8aadd425472099c8a042a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
Filesize
11KB

MD5
fed3fc5119323be877430895793469d1

SHA1
754ba2357aa430cb263705ef8e142a1a5c459a69

SHA256
c633e8a3f6ceea3aff642f715fe4406d545cc5ac555ed9089eff504559e895a9

SHA512
1da905d88db793069220a3491baf869515b6cb73c123e5996d6a33163e8f9e2f31bd9c90b029c4c91a418f90cc8191c35df27a679acbdde4b151bacc3f801bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7924477.exe
Filesize
11KB

MD5
fed3fc5119323be877430895793469d1

SHA1
754ba2357aa430cb263705ef8e142a1a5c459a69

SHA256
c633e8a3f6ceea3aff642f715fe4406d545cc5ac555ed9089eff504559e895a9

SHA512
1da905d88db793069220a3491baf869515b6cb73c123e5996d6a33163e8f9e2f31bd9c90b029c4c91a418f90cc8191c35df27a679acbdde4b151bacc3f801bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
Filesize
172KB

MD5
212c8a24c47c593cb8a32ed89cc02204

SHA1
31d359474b5358002d96c04797c50a9fbd19c964

SHA256
a67f254061283cbaf1e433bf16cb05f93d328f2a1ac1a0345b59924943372a89

SHA512
28e317637fcd8c6efffc443fa302243bf6cc4f205fcd554d35ed424e7fcd4286c5752d19f9fe4d6b8d8405b7b151d32e996a9b2ba7ff62d59dacee5b031ce56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0560022.exe
Filesize
172KB

MD5
212c8a24c47c593cb8a32ed89cc02204

SHA1
31d359474b5358002d96c04797c50a9fbd19c964

SHA256
a67f254061283cbaf1e433bf16cb05f93d328f2a1ac1a0345b59924943372a89

SHA512
28e317637fcd8c6efffc443fa302243bf6cc4f205fcd554d35ed424e7fcd4286c5752d19f9fe4d6b8d8405b7b151d32e996a9b2ba7ff62d59dacee5b031ce56c

Download Submit
memory/3260-154-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/4600-159-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/4600-160-0x000000000ABE0000-0x000000000B1F8000-memory.dmp

Filesize
6.1MB

Download
memory/4600-161-0x000000000A730000-0x000000000A83A000-memory.dmp

Filesize
1.0MB

Download
memory/4600-162-0x000000000A670000-0x000000000A682000-memory.dmp

Filesize
72KB

Download
memory/4600-163-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4600-164-0x000000000A6D0000-0x000000000A70C000-memory.dmp

Filesize
240KB

Download
memory/4600-165-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads