redline | 1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d

General

Target

1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
Size

580KB
MD5

19c711525b964c991eaf9fe8eed69a12
SHA1

d7bc63204ad4cc573e0a5ca3c73019dcb487e271
SHA256

1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d
SHA512

03517ec1afe0625c1509711f455982cf426def548b01880642d0d1b3cc44c128dd4f2c4030241a41531397e5a4a8fdcd70a6a0db63424a8a6e5afc2da1191a46
SSDEEP

12288:kMrny90xiMvqGV54haox/6quvWq1g5o/ya0ClA:7y2lPqnoWSx/A

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a8936623.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8936623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8936623.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8936623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8936623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8936623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8936623.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6117734.exev7654277.exea8936623.exeb4385635.exe

pid process

3080 v6117734.exe
4960 v7654277.exe
5012 a8936623.exe
1388 b4385635.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a8936623.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8936623.exe

pid	process
3080	v6117734.exe
4960	v7654277.exe
5012	a8936623.exe
1388	b4385635.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8936623.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exev6117734.exev7654277.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6117734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6117734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7654277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7654277.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a8936623.exe

pid process

5012 a8936623.exe
5012 a8936623.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a8936623.exe

description pid process

Token: SeDebugPrivilege 5012 a8936623.exe

pid	process
5012	a8936623.exe
5012	a8936623.exe

description	pid	process
Token: SeDebugPrivilege	5012	a8936623.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exev6117734.exev7654277.exe

description	pid	process	target process
PID 4896 wrote to memory of 3080	4896	1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe	v6117734.exe
PID 4896 wrote to memory of 3080	4896	1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe	v6117734.exe
PID 4896 wrote to memory of 3080	4896	1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe	v6117734.exe
PID 3080 wrote to memory of 4960	3080	v6117734.exe	v7654277.exe
PID 3080 wrote to memory of 4960	3080	v6117734.exe	v7654277.exe
PID 3080 wrote to memory of 4960	3080	v6117734.exe	v7654277.exe
PID 4960 wrote to memory of 5012	4960	v7654277.exe	a8936623.exe
PID 4960 wrote to memory of 5012	4960	v7654277.exe	a8936623.exe
PID 4960 wrote to memory of 1388	4960	v7654277.exe	b4385635.exe
PID 4960 wrote to memory of 1388	4960	v7654277.exe	b4385635.exe
PID 4960 wrote to memory of 1388	4960	v7654277.exe	b4385635.exe

C:\Users\Admin\AppData\Local\Temp\1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe
"C:\Users\Admin\AppData\Local\Temp\1fba8f29ec06e397f1c444b4b8a871be1794b06ca8d93939a85b8b82b5fb452d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
4⤵
- Executes dropped EXE
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
Filesize
377KB

MD5
2656ce02ab97758d4f3261584475def5

SHA1
5a97fcea90a1742e8765af601651e9c174921a15

SHA256
396651fe6e371c338b69dd2b6b1f7d61615fe592c1ed3b0cde167c29ed75772e

SHA512
93d1b0ca83d1d8f1c29607d681622c5cdf9e5889a782c2d80823e53fef0c2822afa91cd562c23ba66bf2aa876315c5128f0550e8280d39fa944947d4eb2bb453

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6117734.exe
Filesize
377KB

MD5
2656ce02ab97758d4f3261584475def5

SHA1
5a97fcea90a1742e8765af601651e9c174921a15

SHA256
396651fe6e371c338b69dd2b6b1f7d61615fe592c1ed3b0cde167c29ed75772e

SHA512
93d1b0ca83d1d8f1c29607d681622c5cdf9e5889a782c2d80823e53fef0c2822afa91cd562c23ba66bf2aa876315c5128f0550e8280d39fa944947d4eb2bb453

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
Filesize
206KB

MD5
bd57323dabdb22117c6102710112e7c2

SHA1
529093c3265b67a7cda4f6478adeb679baef6c9b

SHA256
914888564389e2c56591c3566e43d103e55c30c7bc7c9d551d42c6677111edb3

SHA512
e762889f3f3b98bb861f2366ad68f979f089414d718c6b68424bbd8ce008a710c0bd97ccd83d5e4bbe2a013998d944667c3ad9abc9b368683e66df90c48fe1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7654277.exe
Filesize
206KB

MD5
bd57323dabdb22117c6102710112e7c2

SHA1
529093c3265b67a7cda4f6478adeb679baef6c9b

SHA256
914888564389e2c56591c3566e43d103e55c30c7bc7c9d551d42c6677111edb3

SHA512
e762889f3f3b98bb861f2366ad68f979f089414d718c6b68424bbd8ce008a710c0bd97ccd83d5e4bbe2a013998d944667c3ad9abc9b368683e66df90c48fe1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
Filesize
11KB

MD5
46bc2ec112e6603454761cd76c2be6d6

SHA1
199ebea81a631d64f040611b39c740200e7154a9

SHA256
a41e61463876c72d1b78617a3757a6ca22f79915223bddf2dc8546b1710e11c7

SHA512
ed53a574c7aa346fb92069502ceb8e329b4eb4e3af7ba7f48042db85de26d54281caae09e6c7e50dc2a2774dde80a797e4090739b46d561626ef425bcfaa9988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8936623.exe
Filesize
11KB

MD5
46bc2ec112e6603454761cd76c2be6d6

SHA1
199ebea81a631d64f040611b39c740200e7154a9

SHA256
a41e61463876c72d1b78617a3757a6ca22f79915223bddf2dc8546b1710e11c7

SHA512
ed53a574c7aa346fb92069502ceb8e329b4eb4e3af7ba7f48042db85de26d54281caae09e6c7e50dc2a2774dde80a797e4090739b46d561626ef425bcfaa9988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
Filesize
172KB

MD5
386b283293ed127e2efc5b9791d41bd1

SHA1
acfe016cd8ed6b6c98e0d7eec1ccad566a8a1508

SHA256
072afaa7e08dc010741848d0487d5c63d8b2ffa8ab860ed1c7dfb584db06437b

SHA512
1b21f37491a76b75a183764b6838f641edd8286c6ae2af2e186c4a7cd033a08d5f501bb18edaa7d88f0c7cc115a796aa86c69eaba32266e1c7dc3d2e76141e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4385635.exe
Filesize
172KB

MD5
386b283293ed127e2efc5b9791d41bd1

SHA1
acfe016cd8ed6b6c98e0d7eec1ccad566a8a1508

SHA256
072afaa7e08dc010741848d0487d5c63d8b2ffa8ab860ed1c7dfb584db06437b

SHA512
1b21f37491a76b75a183764b6838f641edd8286c6ae2af2e186c4a7cd033a08d5f501bb18edaa7d88f0c7cc115a796aa86c69eaba32266e1c7dc3d2e76141e21

Download Submit
memory/1388-159-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/1388-160-0x000000000AA20000-0x000000000B038000-memory.dmp

Filesize
6.1MB

Download
memory/1388-161-0x000000000A520000-0x000000000A62A000-memory.dmp

Filesize
1.0MB

Download
memory/1388-162-0x000000000A460000-0x000000000A472000-memory.dmp

Filesize
72KB

Download
memory/1388-163-0x000000000A4C0000-0x000000000A4FC000-memory.dmp

Filesize
240KB

Download
memory/1388-164-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1388-165-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/5012-154-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads