redline | cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376

General

Target

cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe
Size

580KB
MD5

63aa5505e68b0f1bce5d3f13df4eada5
SHA1

28c4a169f021fc7947e84c5527b2ca8d9bd2735f
SHA256

cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376
SHA512

5e03bb79c9b268a25406ca6291822ffae77917ac1635a6fdbf2d88b312b07cfa6c293f44d9c900b07b1f5802c7642e96bbaf275d2a4f1751a06ea23b7e806a93
SSDEEP

12288:XMrvy90+tIL5OYNRmylbRk4pwKLwr8oLgeS65Rq53GCBkVW:YyZt7Y+yLpnLS8oc2Or

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a7008541.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7008541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7008541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7008541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7008541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7008541.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6889711.exev8055372.exea7008541.exeb9260350.exe

pid process

3220 v6889711.exe
4268 v8055372.exe
1452 a7008541.exe
5056 b9260350.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7008541.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7008541.exe

pid	process
3220	v6889711.exe
4268	v8055372.exe
1452	a7008541.exe
5056	b9260350.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7008541.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exev6889711.exev8055372.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6889711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6889711.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8055372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8055372.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7008541.exe

pid process

1452 a7008541.exe
1452 a7008541.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a7008541.exe

description pid process

Token: SeDebugPrivilege 1452 a7008541.exe

pid	process
1452	a7008541.exe
1452	a7008541.exe

description	pid	process
Token: SeDebugPrivilege	1452	a7008541.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exev6889711.exev8055372.exe

description	pid	process	target process
PID 2868 wrote to memory of 3220	2868	cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe	v6889711.exe
PID 2868 wrote to memory of 3220	2868	cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe	v6889711.exe
PID 2868 wrote to memory of 3220	2868	cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe	v6889711.exe
PID 3220 wrote to memory of 4268	3220	v6889711.exe	v8055372.exe
PID 3220 wrote to memory of 4268	3220	v6889711.exe	v8055372.exe
PID 3220 wrote to memory of 4268	3220	v6889711.exe	v8055372.exe
PID 4268 wrote to memory of 1452	4268	v8055372.exe	a7008541.exe
PID 4268 wrote to memory of 1452	4268	v8055372.exe	a7008541.exe
PID 4268 wrote to memory of 5056	4268	v8055372.exe	b9260350.exe
PID 4268 wrote to memory of 5056	4268	v8055372.exe	b9260350.exe
PID 4268 wrote to memory of 5056	4268	v8055372.exe	b9260350.exe

C:\Users\Admin\AppData\Local\Temp\cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe
"C:\Users\Admin\AppData\Local\Temp\cae22920e1a922ca7820074785c5da58b081243779f2dcbba7def7850a87f376.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889711.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889711.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8055372.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8055372.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008541.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008541.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9260350.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9260350.exe
4⤵
- Executes dropped EXE
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889711.exe

Filesize
377KB

MD5
5af67022669869664d487f785ef9b905

SHA1
fdea7609ea84e520747247b352f4058946194440

SHA256
1ac45fcb6792b082d51e8b367b40e78880a8b40eb1fd3fb223f1bed695925f93

SHA512
8d54a7769b09a6a672b833e2131f594ad7c8dd3ed4ab1b7847f76c727dd84b7a1fb352363c6ca0624b356bc420b2c96a10d154c911c15ff75c76a2d770a350db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6889711.exe

Filesize
377KB

MD5
5af67022669869664d487f785ef9b905

SHA1
fdea7609ea84e520747247b352f4058946194440

SHA256
1ac45fcb6792b082d51e8b367b40e78880a8b40eb1fd3fb223f1bed695925f93

SHA512
8d54a7769b09a6a672b833e2131f594ad7c8dd3ed4ab1b7847f76c727dd84b7a1fb352363c6ca0624b356bc420b2c96a10d154c911c15ff75c76a2d770a350db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8055372.exe

Filesize
206KB

MD5
8edfe8f4bc6332089d8e75dabceb22a8

SHA1
d41b0f1c192b75e1c28d0e8cb391e19e8709e13b

SHA256
ccff3d84c41494c731d524d1997b8aba6c01d1d1bb0cfa92af0338d717443b2a

SHA512
8fee1766a619fc7e013b67a55a39358f5e89ca64b90911ec72a8b3cd3d04b11d96bb3bda4035dfa2c9361452e83f4dffd1d3eb63150c3ecba016a46287c02c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8055372.exe

Filesize
206KB

MD5
8edfe8f4bc6332089d8e75dabceb22a8

SHA1
d41b0f1c192b75e1c28d0e8cb391e19e8709e13b

SHA256
ccff3d84c41494c731d524d1997b8aba6c01d1d1bb0cfa92af0338d717443b2a

SHA512
8fee1766a619fc7e013b67a55a39358f5e89ca64b90911ec72a8b3cd3d04b11d96bb3bda4035dfa2c9361452e83f4dffd1d3eb63150c3ecba016a46287c02c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008541.exe

Filesize
12KB

MD5
2ec4640232b1848ae68845f48a57f912

SHA1
f104382796c69ca74f3c3305774819a738fc672f

SHA256
a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

SHA512
db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7008541.exe

Filesize
12KB

MD5
2ec4640232b1848ae68845f48a57f912

SHA1
f104382796c69ca74f3c3305774819a738fc672f

SHA256
a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e

SHA512
db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9260350.exe

Filesize
172KB

MD5
820300667eabda4ef41502f4e4bdaea7

SHA1
dcd46b0c29aa71fbfaa761ccacc829472e8b4fab

SHA256
788bb3a5f2eafe9eec250d5bd7eaf56e8202120e38506eae54de67bbe1ad1add

SHA512
e0e39a4f2e115084c9abdb6c70c50ae24f7cf117910794e34d5a7c520111bf76e4ff41e1034b6b10b8b47540376232440bca364228f7be035c1670b9ed81f020

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9260350.exe

Filesize
172KB

MD5
820300667eabda4ef41502f4e4bdaea7

SHA1
dcd46b0c29aa71fbfaa761ccacc829472e8b4fab

SHA256
788bb3a5f2eafe9eec250d5bd7eaf56e8202120e38506eae54de67bbe1ad1add

SHA512
e0e39a4f2e115084c9abdb6c70c50ae24f7cf117910794e34d5a7c520111bf76e4ff41e1034b6b10b8b47540376232440bca364228f7be035c1670b9ed81f020

Download Submit
memory/1452-142-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download
memory/5056-147-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/5056-148-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/5056-149-0x000000000A680000-0x000000000AC86000-memory.dmp

Filesize
6.0MB

Download
memory/5056-150-0x000000000A1C0000-0x000000000A2CA000-memory.dmp

Filesize
1.0MB

Download
memory/5056-151-0x000000000A0F0000-0x000000000A102000-memory.dmp

Filesize
72KB

Download
memory/5056-152-0x000000000A150000-0x000000000A18E000-memory.dmp

Filesize
248KB

Download
memory/5056-153-0x000000000A2D0000-0x000000000A31B000-memory.dmp

Filesize
300KB

Download
memory/5056-154-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/5056-155-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads