redline | cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f

General

Target

cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
Size

580KB
MD5

fcf686a2f8478c0d7233284d840fe07e
SHA1

f7c8e9145a16467be98002753002df8dcd7961f2
SHA256

cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f
SHA512

f0fb7a99d174b5b7814b4f268c693375aa4264c8716244536bf23e1d61fad5b07bcc13d591cc12fc78507a72c9d8b95c82117caec35e0ba2cb5315bc954f2ec8
SSDEEP

12288:sMr9y9054LXUXituh9sGpe22U05gSKYiV5nC5LgRXXw:ZysykPhWGg22U0FW3nSLgNA

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7962651.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7962651.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7962651.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8821415.exev7191090.exea7962651.exeb6653795.exe

pid process

2708 v8821415.exe
4644 v7191090.exe
1160 a7962651.exe
1220 b6653795.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7962651.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7962651.exe

pid	process
2708	v8821415.exe
4644	v7191090.exe
1160	a7962651.exe
1220	b6653795.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7962651.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exev8821415.exev7191090.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8821415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8821415.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7191090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7191090.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7962651.exe

pid process

1160 a7962651.exe
1160 a7962651.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7962651.exe

description pid process

Token: SeDebugPrivilege 1160 a7962651.exe

pid	process
1160	a7962651.exe
1160	a7962651.exe

description	pid	process
Token: SeDebugPrivilege	1160	a7962651.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exev8821415.exev7191090.exe

description	pid	process	target process
PID 2676 wrote to memory of 2708	2676	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe	v8821415.exe
PID 2676 wrote to memory of 2708	2676	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe	v8821415.exe
PID 2676 wrote to memory of 2708	2676	cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe	v8821415.exe
PID 2708 wrote to memory of 4644	2708	v8821415.exe	v7191090.exe
PID 2708 wrote to memory of 4644	2708	v8821415.exe	v7191090.exe
PID 2708 wrote to memory of 4644	2708	v8821415.exe	v7191090.exe
PID 4644 wrote to memory of 1160	4644	v7191090.exe	a7962651.exe
PID 4644 wrote to memory of 1160	4644	v7191090.exe	a7962651.exe
PID 4644 wrote to memory of 1220	4644	v7191090.exe	b6653795.exe
PID 4644 wrote to memory of 1220	4644	v7191090.exe	b6653795.exe
PID 4644 wrote to memory of 1220	4644	v7191090.exe	b6653795.exe

C:\Users\Admin\AppData\Local\Temp\cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe
"C:\Users\Admin\AppData\Local\Temp\cccd05406f2ea5051041bc6ee246b9175dc22f0df1f9bfd8724ae96fafcc0a9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe
4⤵
- Executes dropped EXE
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe
Filesize
377KB

MD5
299854985b821504c2a6cde499fb5c54

SHA1
c06cd3ee7c670bd067b2d14047a54b0df32bc6d9

SHA256
971fb3c8428a4fb277694f5c6df349b738ee1db593bfffd3ed243ec5846860e1

SHA512
79626bb45a580e239d21b031c319e52207d20e14831747e3211477e3ce5ab0cca09716766409484ba7af18f2e7804dd68ecea6833d525b9e7abd2ad9bb35640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8821415.exe
Filesize
377KB

MD5
299854985b821504c2a6cde499fb5c54

SHA1
c06cd3ee7c670bd067b2d14047a54b0df32bc6d9

SHA256
971fb3c8428a4fb277694f5c6df349b738ee1db593bfffd3ed243ec5846860e1

SHA512
79626bb45a580e239d21b031c319e52207d20e14831747e3211477e3ce5ab0cca09716766409484ba7af18f2e7804dd68ecea6833d525b9e7abd2ad9bb35640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe
Filesize
206KB

MD5
cbd4e0468885c5e0e56a7deeaabec09c

SHA1
42e87934cfca264fa7eb5a30f0843d13558cc153

SHA256
9d8ee0c5343d2ffda16e3ac89ce7be3926d52f612fcff4f3099abb1e73c5a116

SHA512
7ca44d673dcebb3321e9aa42faa501f5c1d42f8751c8b9efbf069d6b028a3b0cb8918de3b6a251fa530f0b8da4befd6ac288a13ec4ffa6c2d322ead2b1ccbd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7191090.exe
Filesize
206KB

MD5
cbd4e0468885c5e0e56a7deeaabec09c

SHA1
42e87934cfca264fa7eb5a30f0843d13558cc153

SHA256
9d8ee0c5343d2ffda16e3ac89ce7be3926d52f612fcff4f3099abb1e73c5a116

SHA512
7ca44d673dcebb3321e9aa42faa501f5c1d42f8751c8b9efbf069d6b028a3b0cb8918de3b6a251fa530f0b8da4befd6ac288a13ec4ffa6c2d322ead2b1ccbd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe
Filesize
11KB

MD5
992f840b8844279765e9956933b71c9a

SHA1
54817a24a05a39181f0ca7e232411a8c3a22180c

SHA256
2091b6ccd6133f4c7fd3d0787be78f5584c500f2fb9cd3acd0a8de0d67a38aa7

SHA512
47a8dae101736fec9586a47195758137d04fb7fd3f5cb73e6ae8b43c400b5630458a9ca8a04ffb68a1974035addb46f7ae2a74fc267ca26e4bed780c823923aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7962651.exe
Filesize
11KB

MD5
992f840b8844279765e9956933b71c9a

SHA1
54817a24a05a39181f0ca7e232411a8c3a22180c

SHA256
2091b6ccd6133f4c7fd3d0787be78f5584c500f2fb9cd3acd0a8de0d67a38aa7

SHA512
47a8dae101736fec9586a47195758137d04fb7fd3f5cb73e6ae8b43c400b5630458a9ca8a04ffb68a1974035addb46f7ae2a74fc267ca26e4bed780c823923aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe
Filesize
172KB

MD5
9432cb337859ae13f807724fd81ae49e

SHA1
a839d9d7a55cb3c1fe069afd33efa3eb9db5d405

SHA256
e37ea980109d26a5cba10c122f20be5165a85f7241fa41c1db4d0268afa4b36b

SHA512
1e18f16f2b9db4bb01614750be770aa8877d2775bd0cb874909b8eab51010183ed96003f73e7601aa33961c06447ae99ec7e599a160cdb46094baa0266c8aeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6653795.exe
Filesize
172KB

MD5
9432cb337859ae13f807724fd81ae49e

SHA1
a839d9d7a55cb3c1fe069afd33efa3eb9db5d405

SHA256
e37ea980109d26a5cba10c122f20be5165a85f7241fa41c1db4d0268afa4b36b

SHA512
1e18f16f2b9db4bb01614750be770aa8877d2775bd0cb874909b8eab51010183ed96003f73e7601aa33961c06447ae99ec7e599a160cdb46094baa0266c8aeef

Download Submit
memory/1160-154-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/1220-159-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/1220-160-0x000000000A5F0000-0x000000000AC08000-memory.dmp

Filesize
6.1MB

Download
memory/1220-161-0x000000000A150000-0x000000000A25A000-memory.dmp

Filesize
1.0MB

Download
memory/1220-162-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/1220-163-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/1220-164-0x000000000A0F0000-0x000000000A12C000-memory.dmp

Filesize
240KB

Download
memory/1220-165-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads