redline | a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056

General

Target

a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe
Size

580KB
MD5

78985f5d07c69fe642bd48a513d2da88
SHA1

f6f79a7c1d5b0f569f9af1d42aa07b849c13ed74
SHA256

a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056
SHA512

7d5114601dc5cd4e3cbd910bbced3ea4cad9e8d8a0121b7bc3e9a4211d8b090759980ce3dea17c3ef7c7bc4dc4ffd5fcb1bc71a7277af4d806f1f244881fdd3a
SSDEEP

12288:dMrTy90BxU0FpXFBICNRXZmGqgvIu++yrL7nO8bAW:myc3ICNUrTnO8bAW

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2685808.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2685808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2685808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2685808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2685808.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2685808.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2685808.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6335402.exev1190457.exea2685808.exeb7059520.exe

pid process

3572 v6335402.exe
3656 v1190457.exe
4036 a2685808.exe
4456 b7059520.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2685808.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2685808.exe

pid	process
3572	v6335402.exe
3656	v1190457.exe
4036	a2685808.exe
4456	b7059520.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2685808.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exev6335402.exev1190457.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6335402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6335402.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1190457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1190457.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a2685808.exe

pid process

4036 a2685808.exe
4036 a2685808.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a2685808.exe

description pid process

Token: SeDebugPrivilege 4036 a2685808.exe

pid	process
4036	a2685808.exe
4036	a2685808.exe

description	pid	process
Token: SeDebugPrivilege	4036	a2685808.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exev6335402.exev1190457.exe

description	pid	process	target process
PID 2980 wrote to memory of 3572	2980	a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe	v6335402.exe
PID 2980 wrote to memory of 3572	2980	a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe	v6335402.exe
PID 2980 wrote to memory of 3572	2980	a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe	v6335402.exe
PID 3572 wrote to memory of 3656	3572	v6335402.exe	v1190457.exe
PID 3572 wrote to memory of 3656	3572	v6335402.exe	v1190457.exe
PID 3572 wrote to memory of 3656	3572	v6335402.exe	v1190457.exe
PID 3656 wrote to memory of 4036	3656	v1190457.exe	a2685808.exe
PID 3656 wrote to memory of 4036	3656	v1190457.exe	a2685808.exe
PID 3656 wrote to memory of 4456	3656	v1190457.exe	b7059520.exe
PID 3656 wrote to memory of 4456	3656	v1190457.exe	b7059520.exe
PID 3656 wrote to memory of 4456	3656	v1190457.exe	b7059520.exe

C:\Users\Admin\AppData\Local\Temp\a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe
"C:\Users\Admin\AppData\Local\Temp\a5d61912dbd2a83e907946937998836a97321a6b772df1da9e4dd48d14453056.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6335402.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6335402.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1190457.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1190457.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2685808.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2685808.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7059520.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7059520.exe
4⤵
- Executes dropped EXE
PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6335402.exe

Filesize
377KB

MD5
99c1134041d8562d60cf60295cc7ca8c

SHA1
f1f7eb0a95a79a5dd4a896c7122b8024d68adfbf

SHA256
be09795d5078afa668facce75e40a47cb3cfcd1ab4bb68e4a95eb0eefd05bb5b

SHA512
f33c8bd79432db2533c30ac58548989f09b11b3408999561d9dcbbaefb4c557b6b5c0f6349fd983557ab8bc937faea0fc7e99fae9bd190d8ce1c696b3fdca21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6335402.exe

Filesize
377KB

MD5
99c1134041d8562d60cf60295cc7ca8c

SHA1
f1f7eb0a95a79a5dd4a896c7122b8024d68adfbf

SHA256
be09795d5078afa668facce75e40a47cb3cfcd1ab4bb68e4a95eb0eefd05bb5b

SHA512
f33c8bd79432db2533c30ac58548989f09b11b3408999561d9dcbbaefb4c557b6b5c0f6349fd983557ab8bc937faea0fc7e99fae9bd190d8ce1c696b3fdca21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1190457.exe

Filesize
206KB

MD5
f1818bad375c929d2ee85e0e555eb338

SHA1
a6a45c3a61fab269467842944e1d3ff07d71017c

SHA256
ed951f87f8e5840a8b852c4ecadeafad51acf5a35e1978084cb2501451832be8

SHA512
a33817caf5be8157067ac2e6ce5e0f6119bdf1a683def129922505b295c308f434186128832e5cdbee7673b33de3389a253a32bf24e36744a0e71380a1201d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1190457.exe

Filesize
206KB

MD5
f1818bad375c929d2ee85e0e555eb338

SHA1
a6a45c3a61fab269467842944e1d3ff07d71017c

SHA256
ed951f87f8e5840a8b852c4ecadeafad51acf5a35e1978084cb2501451832be8

SHA512
a33817caf5be8157067ac2e6ce5e0f6119bdf1a683def129922505b295c308f434186128832e5cdbee7673b33de3389a253a32bf24e36744a0e71380a1201d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2685808.exe

Filesize
11KB

MD5
2421f3f61a7aeccbd9392636d3e90ff3

SHA1
e7cc687c5af49e8e1378e1f54cc113aa9b9c22e5

SHA256
5c3916bf9435beaf644db3d4c519f4e682a367c20df5a0df9b5014cd5e246115

SHA512
fe9c6e59344268ba383c0d44d501049036f6c94691a91cf95ddb799344fcef0e81151ba50b60119c996fd8292fdd58612a3ab186bc21c5e513216adb5e1196d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2685808.exe

Filesize
11KB

MD5
2421f3f61a7aeccbd9392636d3e90ff3

SHA1
e7cc687c5af49e8e1378e1f54cc113aa9b9c22e5

SHA256
5c3916bf9435beaf644db3d4c519f4e682a367c20df5a0df9b5014cd5e246115

SHA512
fe9c6e59344268ba383c0d44d501049036f6c94691a91cf95ddb799344fcef0e81151ba50b60119c996fd8292fdd58612a3ab186bc21c5e513216adb5e1196d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7059520.exe

Filesize
172KB

MD5
c995b998dec8b2718778a1dfac453f37

SHA1
e9542483d65f17b9831065979aa37950722b6892

SHA256
1362e075a00579887dd6703c91d4f97cfde565f426292d8493b6f347f1138a6b

SHA512
18066250c9faca6d0a2bb05c180957725f605b6c68577020eee8f0af5ca2676e943f22f1f2cd357f1d7dcd9e2923dc15cc0965b39f18c564c2e51b277287e54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7059520.exe

Filesize
172KB

MD5
c995b998dec8b2718778a1dfac453f37

SHA1
e9542483d65f17b9831065979aa37950722b6892

SHA256
1362e075a00579887dd6703c91d4f97cfde565f426292d8493b6f347f1138a6b

SHA512
18066250c9faca6d0a2bb05c180957725f605b6c68577020eee8f0af5ca2676e943f22f1f2cd357f1d7dcd9e2923dc15cc0965b39f18c564c2e51b277287e54a

Download Submit
memory/4036-154-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/4456-159-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/4456-160-0x000000000AAC0000-0x000000000B0D8000-memory.dmp

Filesize
6.1MB

Download
memory/4456-161-0x000000000A630000-0x000000000A73A000-memory.dmp

Filesize
1.0MB

Download
memory/4456-162-0x000000000A570000-0x000000000A582000-memory.dmp

Filesize
72KB

Download
memory/4456-163-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/4456-164-0x000000000A5D0000-0x000000000A60C000-memory.dmp

Filesize
240KB

Download
memory/4456-165-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads