redline | cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f

General

Target

cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
Size

580KB
MD5

fcf686a2f8478c0d7233284d840fe07e
SHA1

f7c8e9145a16467be98002753002df8dcd7961f2
SHA256

cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f
SHA512

f0fb7a99d174b5b7814b4f268c693375aa4264c8716244536bf23e1d61fad5b07bcc13d591cc12fc78507a72c9d8b95c82117caec35e0ba2cb5315bc954f2ec8
SSDEEP

12288:sMr9y9054LXUXituh9sGpe22U05gSKYiV5nC5LgRXXw:ZysykPhWGg22U0FW3nSLgNA

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7962651.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2708	v8821415.exe
4644	v7191090.exe
1160	a7962651.exe
1220	b6653795.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7962651.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8821415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8821415.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7191090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7191090.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1160	a7962651.exe
1160	a7962651.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	a7962651.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2708	2676	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe	82
PID 2676 wrote to memory of 2708	2676	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe	82
PID 2676 wrote to memory of 2708	2676	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe	82
PID 2708 wrote to memory of 4644	2708	v8821415.exe	83
PID 2708 wrote to memory of 4644	2708	v8821415.exe	83
PID 2708 wrote to memory of 4644	2708	v8821415.exe	83
PID 4644 wrote to memory of 1160	4644	v7191090.exe	84
PID 4644 wrote to memory of 1160	4644	v7191090.exe	84
PID 4644 wrote to memory of 1220	4644	v7191090.exe	85
PID 4644 wrote to memory of 1220	4644	v7191090.exe	85
PID 4644 wrote to memory of 1220	4644	v7191090.exe	85

C:\Users\Admin\AppData\Local\Temp\cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
"C:\Users\Admin\AppData\Local\Temp\cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe
      4⤵
      Executes dropped EXE
      PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe

Filesize
377KB

MD5
299854985b821504c2a6cde499fb5c54

SHA1
c06cd3ee7c670bd067b2d14047a54b0df32bc6d9

SHA256
971fb3c8428a4fb277694f5c6df349b738ee1db593bfffd3ed243ec5846860e1

SHA512
79626bb45a580e239d21b031c319e52207d20e14831747e3211477e3ce5ab0cca09716766409484ba7af18f2e7804dd68ecea6833d525b9e7abd2ad9bb35640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe

Filesize
377KB

MD5
299854985b821504c2a6cde499fb5c54

SHA1
c06cd3ee7c670bd067b2d14047a54b0df32bc6d9

SHA256
971fb3c8428a4fb277694f5c6df349b738ee1db593bfffd3ed243ec5846860e1

SHA512
79626bb45a580e239d21b031c319e52207d20e14831747e3211477e3ce5ab0cca09716766409484ba7af18f2e7804dd68ecea6833d525b9e7abd2ad9bb35640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe

Filesize
206KB

MD5
cbd4e0468885c5e0e56a7deeaabec09c

SHA1
42e87934cfca264fa7eb5a30f0843d13558cc153

SHA256
9d8ee0c5343d2ffda16e3ac89ce7be3926d52f612fcff4f3099abb1e73c5a116

SHA512
7ca44d673dcebb3321e9aa42faa501f5c1d42f8751c8b9efbf069d6b028a3b0cb8918de3b6a251fa530f0b8da4befd6ac288a13ec4ffa6c2d322ead2b1ccbd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe

Filesize
206KB

MD5
cbd4e0468885c5e0e56a7deeaabec09c

SHA1
42e87934cfca264fa7eb5a30f0843d13558cc153

SHA256
9d8ee0c5343d2ffda16e3ac89ce7be3926d52f612fcff4f3099abb1e73c5a116

SHA512
7ca44d673dcebb3321e9aa42faa501f5c1d42f8751c8b9efbf069d6b028a3b0cb8918de3b6a251fa530f0b8da4befd6ac288a13ec4ffa6c2d322ead2b1ccbd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe

Filesize
11KB

MD5
992f840b8844279765e9956933b71c9a

SHA1
54817a24a05a39181f0ca7e232411a8c3a22180c

SHA256
2091b6ccd6133f4c7fd3d0787be78f5584c500f2fb9cd3acd0a8de0d67a38aa7

SHA512
47a8dae101736fec9586a47195758137d04fb7fd3f5cb73e6ae8b43c400b5630458a9ca8a04ffb68a1974035addb46f7ae2a74fc267ca26e4bed780c823923aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe

Filesize
11KB

MD5
992f840b8844279765e9956933b71c9a

SHA1
54817a24a05a39181f0ca7e232411a8c3a22180c

SHA256
2091b6ccd6133f4c7fd3d0787be78f5584c500f2fb9cd3acd0a8de0d67a38aa7

SHA512
47a8dae101736fec9586a47195758137d04fb7fd3f5cb73e6ae8b43c400b5630458a9ca8a04ffb68a1974035addb46f7ae2a74fc267ca26e4bed780c823923aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe

Filesize
172KB

MD5
9432cb337859ae13f807724fd81ae49e

SHA1
a839d9d7a55cb3c1fe069afd33efa3eb9db5d405

SHA256
e37ea980109d26a5cba10c122f20be5165a85f7241fa41c1db4d0268afa4b36b

SHA512
1e18f16f2b9db4bb01614750be770aa8877d2775bd0cb874909b8eab51010183ed96003f73e7601aa33961c06447ae99ec7e599a160cdb46094baa0266c8aeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe

Filesize
172KB

MD5
9432cb337859ae13f807724fd81ae49e

SHA1
a839d9d7a55cb3c1fe069afd33efa3eb9db5d405

SHA256
e37ea980109d26a5cba10c122f20be5165a85f7241fa41c1db4d0268afa4b36b

SHA512
1e18f16f2b9db4bb01614750be770aa8877d2775bd0cb874909b8eab51010183ed96003f73e7601aa33961c06447ae99ec7e599a160cdb46094baa0266c8aeef

Download Submit
memory/1160-154-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/1220-159-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/1220-160-0x000000000A5F0000-0x000000000AC08000-memory.dmp

Filesize
6.1MB

Download
memory/1220-161-0x000000000A150000-0x000000000A25A000-memory.dmp

Filesize
1.0MB

Download
memory/1220-162-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/1220-163-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1220-164-0x000000000A0F0000-0x000000000A12C000-memory.dmp

Filesize
240KB

Download
memory/1220-165-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads