redline | 4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05

General

Target

4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe
Size

579KB
MD5

531b69bbec96b2d87a72919de3a57a7c
SHA1

99a41f0cf14ad208650e10dbb5616207d674dd83
SHA256

4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05
SHA512

d6e6a6d7437b860fa18ef464ff1d635c560a708469344521d954bdb33baf07aee2eced57dbf8f93247760ea1a641f94ec32a7c9ab3f95a7bbc9b4eb63988eac7
SSDEEP

12288:OMrty903IyW2hj7Z1rjjeuhAuvaP3RyjTuQuOpkNRWAkX5:Dyyf7ZZ/dfUBsurOONRzm

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1970329.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1970329.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v5179896.exev9357726.exea1970329.exeb3279651.exe

pid process

1296 v5179896.exe
4948 v9357726.exe
4764 a1970329.exe
2948 b3279651.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a1970329.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1970329.exe

pid	process
1296	v5179896.exe
4948	v9357726.exe
4764	a1970329.exe
2948	b3279651.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1970329.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exev5179896.exev9357726.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5179896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5179896.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9357726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9357726.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1970329.exe

pid process

4764 a1970329.exe
4764 a1970329.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1970329.exe

description pid process

Token: SeDebugPrivilege 4764 a1970329.exe

pid	process
4764	a1970329.exe
4764	a1970329.exe

description	pid	process
Token: SeDebugPrivilege	4764	a1970329.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exev5179896.exev9357726.exe

description	pid	process	target process
PID 3516 wrote to memory of 1296	3516	4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe	v5179896.exe
PID 3516 wrote to memory of 1296	3516	4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe	v5179896.exe
PID 3516 wrote to memory of 1296	3516	4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe	v5179896.exe
PID 1296 wrote to memory of 4948	1296	v5179896.exe	v9357726.exe
PID 1296 wrote to memory of 4948	1296	v5179896.exe	v9357726.exe
PID 1296 wrote to memory of 4948	1296	v5179896.exe	v9357726.exe
PID 4948 wrote to memory of 4764	4948	v9357726.exe	a1970329.exe
PID 4948 wrote to memory of 4764	4948	v9357726.exe	a1970329.exe
PID 4948 wrote to memory of 2948	4948	v9357726.exe	b3279651.exe
PID 4948 wrote to memory of 2948	4948	v9357726.exe	b3279651.exe
PID 4948 wrote to memory of 2948	4948	v9357726.exe	b3279651.exe

C:\Users\Admin\AppData\Local\Temp\4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe
"C:\Users\Admin\AppData\Local\Temp\4e2edb77c8d886f93f698ef1d1c5c58a8a870bdfd265b163d3f6eccb05afeb05.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5179896.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5179896.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357726.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357726.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1970329.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1970329.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3279651.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3279651.exe
4⤵
- Executes dropped EXE
PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5179896.exe

Filesize
377KB

MD5
1a3621a8024278081a0de443a3f6a9f7

SHA1
e6e589c5dba6d1016790c5607b1415af9c38c5c3

SHA256
4a14466c867eae260a1979d320d893b608a56d30437074c5215cf9d0f8d2cb12

SHA512
56fd64be74e83cf35c0b28ccce77595282dd83e7c31eaa38faefb80dd4b2b684f84aaafd71cd89723f0de0b56f5b64deec1d85a30d125428f3cfe18d5fc42b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5179896.exe

Filesize
377KB

MD5
1a3621a8024278081a0de443a3f6a9f7

SHA1
e6e589c5dba6d1016790c5607b1415af9c38c5c3

SHA256
4a14466c867eae260a1979d320d893b608a56d30437074c5215cf9d0f8d2cb12

SHA512
56fd64be74e83cf35c0b28ccce77595282dd83e7c31eaa38faefb80dd4b2b684f84aaafd71cd89723f0de0b56f5b64deec1d85a30d125428f3cfe18d5fc42b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357726.exe

Filesize
206KB

MD5
87987da04ef3366888457c23ac5c7db1

SHA1
6d7b52fe169fcf6cb5a4f399902f08b2d0010fa7

SHA256
7cb19f0583c07b18cd12d749e8704e3fd26fbed2f40fa31f6a961371c58f2cb2

SHA512
1eefe3cc7e633656f56e22f31854bb7952bd332a3314c1c629edbf4e3768bcb60d39f710c5a752612fec173f7e9b228da4b9ca016015a9b2d93c3560e6cdd4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357726.exe

Filesize
206KB

MD5
87987da04ef3366888457c23ac5c7db1

SHA1
6d7b52fe169fcf6cb5a4f399902f08b2d0010fa7

SHA256
7cb19f0583c07b18cd12d749e8704e3fd26fbed2f40fa31f6a961371c58f2cb2

SHA512
1eefe3cc7e633656f56e22f31854bb7952bd332a3314c1c629edbf4e3768bcb60d39f710c5a752612fec173f7e9b228da4b9ca016015a9b2d93c3560e6cdd4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1970329.exe

Filesize
11KB

MD5
b3e29bbec2642d4a6159da83b12b8535

SHA1
80f47c0383c6281287cdefaf05e1b18e07625861

SHA256
0fabb677e066e5c5dc45517ac13ab6da1c439e0e32cfab06eec7af6936a4a06e

SHA512
ccbe1f0e796c66de541abbe962f37f5a06903b8eaa8c269913535a2e1ccb55d7fbaa8d0a01ebdf85aa9613ad50e6fd898d1d879501469ab7852607302f0ee931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1970329.exe

Filesize
11KB

MD5
b3e29bbec2642d4a6159da83b12b8535

SHA1
80f47c0383c6281287cdefaf05e1b18e07625861

SHA256
0fabb677e066e5c5dc45517ac13ab6da1c439e0e32cfab06eec7af6936a4a06e

SHA512
ccbe1f0e796c66de541abbe962f37f5a06903b8eaa8c269913535a2e1ccb55d7fbaa8d0a01ebdf85aa9613ad50e6fd898d1d879501469ab7852607302f0ee931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3279651.exe

Filesize
172KB

MD5
cfbf8651466cc4a86462934d00403da6

SHA1
d2c02b7095ec5e4ca6c29d11078216e408b3d85a

SHA256
6322372ed9ac0db7278d689a8acf409de2bdefc6e8c0e8bb3b085e4ca3d38103

SHA512
abde8a690d810c7f07ef8a232694734a95331bb4f0a517308e0f990568f4a324365ec7b5a63035b18e78d54306bb1614bf54a79c231010cdc3c692a902b6da94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3279651.exe

Filesize
172KB

MD5
cfbf8651466cc4a86462934d00403da6

SHA1
d2c02b7095ec5e4ca6c29d11078216e408b3d85a

SHA256
6322372ed9ac0db7278d689a8acf409de2bdefc6e8c0e8bb3b085e4ca3d38103

SHA512
abde8a690d810c7f07ef8a232694734a95331bb4f0a517308e0f990568f4a324365ec7b5a63035b18e78d54306bb1614bf54a79c231010cdc3c692a902b6da94

Download Submit
memory/2948-159-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/2948-160-0x000000000AC00000-0x000000000B218000-memory.dmp

Filesize
6.1MB

Download
memory/2948-161-0x000000000A6F0000-0x000000000A7FA000-memory.dmp

Filesize
1.0MB

Download
memory/2948-162-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/2948-163-0x000000000A620000-0x000000000A65C000-memory.dmp

Filesize
240KB

Download
memory/2948-164-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2948-165-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4764-154-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads