redline | 126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0

General

Target

126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe
Size

579KB
MD5

289c797539e006499cfa78e6ba421478
SHA1

acd2518c80d2128ec136da8465e34cde0e81a60b
SHA256

126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0
SHA512

6bd58bd613363666b744b5f7025fa6e47e43638362ed797e99c584c29d8d089bcdacce914251a6ac78276d7141ada22a142018da8b86c95c03d4c5944f85eab8
SSDEEP

12288:HMr1y90+ZYWHWkeVzGAvWbIcATYoMqcHKhsVeLIfSbUJt4u:Wy5FqVzGARxT/CqqfS4J+u

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1076701.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1076701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1076701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1076701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1076701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1076701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1076701.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8164776.exev2598729.exea1076701.exeb3567561.exe

pid process

4616 v8164776.exe
4928 v2598729.exe
456 a1076701.exe
1656 b3567561.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a1076701.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1076701.exe

pid	process
4616	v8164776.exe
4928	v2598729.exe
456	a1076701.exe
1656	b3567561.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1076701.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exev8164776.exev2598729.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8164776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8164776.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2598729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2598729.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1076701.exe

pid process

456 a1076701.exe
456 a1076701.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1076701.exe

description pid process

Token: SeDebugPrivilege 456 a1076701.exe

pid	process
456	a1076701.exe
456	a1076701.exe

description	pid	process
Token: SeDebugPrivilege	456	a1076701.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exev8164776.exev2598729.exe

description	pid	process	target process
PID 4216 wrote to memory of 4616	4216	126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe	v8164776.exe
PID 4216 wrote to memory of 4616	4216	126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe	v8164776.exe
PID 4216 wrote to memory of 4616	4216	126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe	v8164776.exe
PID 4616 wrote to memory of 4928	4616	v8164776.exe	v2598729.exe
PID 4616 wrote to memory of 4928	4616	v8164776.exe	v2598729.exe
PID 4616 wrote to memory of 4928	4616	v8164776.exe	v2598729.exe
PID 4928 wrote to memory of 456	4928	v2598729.exe	a1076701.exe
PID 4928 wrote to memory of 456	4928	v2598729.exe	a1076701.exe
PID 4928 wrote to memory of 1656	4928	v2598729.exe	b3567561.exe
PID 4928 wrote to memory of 1656	4928	v2598729.exe	b3567561.exe
PID 4928 wrote to memory of 1656	4928	v2598729.exe	b3567561.exe

C:\Users\Admin\AppData\Local\Temp\126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe
"C:\Users\Admin\AppData\Local\Temp\126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe
4⤵
- Executes dropped EXE
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe

Filesize
377KB

MD5
f41399fcd55cff4a843b4a035b4c2d43

SHA1
d241d3357baa8abc65dc97abbea02cc36ead98a1

SHA256
6df175969e50571355b65b816ba26ecce0497fd5f54d619864c2fe2273fda344

SHA512
f6f85ce15c12e4c773b3057ca2e18dd4eea3042cdf3006414779d6cb14078eda892046cc6f73f49dbe8f8702ddf7c0810c97107380d783a701a168cef4ff9931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe

Filesize
377KB

MD5
f41399fcd55cff4a843b4a035b4c2d43

SHA1
d241d3357baa8abc65dc97abbea02cc36ead98a1

SHA256
6df175969e50571355b65b816ba26ecce0497fd5f54d619864c2fe2273fda344

SHA512
f6f85ce15c12e4c773b3057ca2e18dd4eea3042cdf3006414779d6cb14078eda892046cc6f73f49dbe8f8702ddf7c0810c97107380d783a701a168cef4ff9931

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe

Filesize
206KB

MD5
529e1c3636e9561fb8a37ed5318a6b25

SHA1
df32460fcd2f7d69c499953337c5bf92118b3276

SHA256
03dfd551f22256f0116fb66fc254b038fe5820b58fb0712e8cb6d677a65492ae

SHA512
27e0fa77f8dc88671b4a2e51ebe0ff5a0b367b6808cc3097364f83a3a82ca59876638de6c13dbaf3d513c697cded8f8ba920c2316493003be093c559bd37d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe

Filesize
206KB

MD5
529e1c3636e9561fb8a37ed5318a6b25

SHA1
df32460fcd2f7d69c499953337c5bf92118b3276

SHA256
03dfd551f22256f0116fb66fc254b038fe5820b58fb0712e8cb6d677a65492ae

SHA512
27e0fa77f8dc88671b4a2e51ebe0ff5a0b367b6808cc3097364f83a3a82ca59876638de6c13dbaf3d513c697cded8f8ba920c2316493003be093c559bd37d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe

Filesize
12KB

MD5
c2a05bf02a5e6ce6beeb1b747f006b3e

SHA1
801edcbef274e47c522bb985467ced3bff296dfb

SHA256
cb2b0d97af25b121dd8ef83a7003f3cee9469acd374d0d04986be37c76ed060b

SHA512
dc399d61fc7efeea480ef95f008d13c6b040080246eac7efd56e43457af2d0d6a5e89f16c63eb339d98d0b0d2b8ed1879ce4bc707111f5b74f928f1499182d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe

Filesize
12KB

MD5
c2a05bf02a5e6ce6beeb1b747f006b3e

SHA1
801edcbef274e47c522bb985467ced3bff296dfb

SHA256
cb2b0d97af25b121dd8ef83a7003f3cee9469acd374d0d04986be37c76ed060b

SHA512
dc399d61fc7efeea480ef95f008d13c6b040080246eac7efd56e43457af2d0d6a5e89f16c63eb339d98d0b0d2b8ed1879ce4bc707111f5b74f928f1499182d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe

Filesize
172KB

MD5
c4b60e437ef855048af2f3684b188ae9

SHA1
be86f2a356df18fc4fb12df777fe34ca694742ca

SHA256
d1ee48e11d4f86c6a40533211fb353ff52d659f72d62278b54cdc388ff29ab02

SHA512
bc3e230d4a8dcde20eb96e73c9dbe1852ebadff71342821969e4a5210aba0b20d8e14eeb76e3e1b89dda5947b053097b459dc51ef2a99a2439be574e47bd1035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe

Filesize
172KB

MD5
c4b60e437ef855048af2f3684b188ae9

SHA1
be86f2a356df18fc4fb12df777fe34ca694742ca

SHA256
d1ee48e11d4f86c6a40533211fb353ff52d659f72d62278b54cdc388ff29ab02

SHA512
bc3e230d4a8dcde20eb96e73c9dbe1852ebadff71342821969e4a5210aba0b20d8e14eeb76e3e1b89dda5947b053097b459dc51ef2a99a2439be574e47bd1035

Download Submit
memory/456-154-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/1656-159-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/1656-160-0x000000000ADA0000-0x000000000B3B8000-memory.dmp

Filesize
6.1MB

Download
memory/1656-161-0x000000000A920000-0x000000000AA2A000-memory.dmp

Filesize
1.0MB

Download
memory/1656-162-0x000000000A860000-0x000000000A872000-memory.dmp

Filesize
72KB

Download
memory/1656-163-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/1656-164-0x000000000A8C0000-0x000000000A8FC000-memory.dmp

Filesize
240KB

Download
memory/1656-165-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads