redline | cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918

General

Target

cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe
Size

580KB
MD5

ff7005f01c4c4d4ca928dbe3e94030f1
SHA1

51c1b6fc91b9e3d0050cd07f6ed2ee8821ed6c66
SHA256

cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918
SHA512

436a4bb0152a2d4731c9b18c482049aa68739a92807b7670b77a5ebec912f0955c007a22afbb75542c595506d8a8f37b230ecd2eab927798bfbfaf8400769692
SSDEEP

12288:SMrRy90rICG6cY6eFKU0a7Pg6JZI0M0nQsE6Pm13l5vEHYCVUgVE:ryicY0U0srW0M0Qt7C4CSgm

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a0222670.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0222670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0222670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0222670.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0222670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0222670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0222670.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8101895.exev0154770.exea0222670.exeb1586576.exe

pid process

4460 v8101895.exe
4380 v0154770.exe
2380 a0222670.exe
2432 b1586576.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a0222670.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0222670.exe

pid	process
4460	v8101895.exe
4380	v0154770.exe
2380	a0222670.exe
2432	b1586576.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0222670.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8101895.exev0154770.execb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8101895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8101895.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0154770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0154770.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0222670.exe

pid process

2380 a0222670.exe
2380 a0222670.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0222670.exe

description pid process

Token: SeDebugPrivilege 2380 a0222670.exe

pid	process
2380	a0222670.exe
2380	a0222670.exe

description	pid	process
Token: SeDebugPrivilege	2380	a0222670.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exev8101895.exev0154770.exe

description	pid	process	target process
PID 264 wrote to memory of 4460	264	cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe	v8101895.exe
PID 264 wrote to memory of 4460	264	cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe	v8101895.exe
PID 264 wrote to memory of 4460	264	cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe	v8101895.exe
PID 4460 wrote to memory of 4380	4460	v8101895.exe	v0154770.exe
PID 4460 wrote to memory of 4380	4460	v8101895.exe	v0154770.exe
PID 4460 wrote to memory of 4380	4460	v8101895.exe	v0154770.exe
PID 4380 wrote to memory of 2380	4380	v0154770.exe	a0222670.exe
PID 4380 wrote to memory of 2380	4380	v0154770.exe	a0222670.exe
PID 4380 wrote to memory of 2432	4380	v0154770.exe	b1586576.exe
PID 4380 wrote to memory of 2432	4380	v0154770.exe	b1586576.exe
PID 4380 wrote to memory of 2432	4380	v0154770.exe	b1586576.exe

C:\Users\Admin\AppData\Local\Temp\cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe
"C:\Users\Admin\AppData\Local\Temp\cb8c4bf18d4c54e7126a690c48fc2e188b95acbfcec65ee4f04b3d9b90d2a918.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8101895.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8101895.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0154770.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0154770.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0222670.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0222670.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1586576.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1586576.exe
4⤵
- Executes dropped EXE
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8101895.exe
Filesize
378KB

MD5
c24597efa70d3586a6dae9768e80576b

SHA1
dd8449e353e96053fd35b271a897adb3a78819ac

SHA256
0313e44659f09386e506c792abea81aaff0b351d1acd2b1f6d7ba231e28e1d2c

SHA512
6e0f024427767b719eafd671fa7e112859f933798afa3c13041aa19a3268e96f906895e484285f6643811323bf2573b154e52b66aaa0bf8c572bb5132fbcc475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8101895.exe
Filesize
378KB

MD5
c24597efa70d3586a6dae9768e80576b

SHA1
dd8449e353e96053fd35b271a897adb3a78819ac

SHA256
0313e44659f09386e506c792abea81aaff0b351d1acd2b1f6d7ba231e28e1d2c

SHA512
6e0f024427767b719eafd671fa7e112859f933798afa3c13041aa19a3268e96f906895e484285f6643811323bf2573b154e52b66aaa0bf8c572bb5132fbcc475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0154770.exe
Filesize
206KB

MD5
da3e09fa7d961be96394995b0d51f81b

SHA1
0f14ac20b03de692a5c029c6203201339a4b2548

SHA256
9b94b9d24bf1ba7ea6c775c9dd77cee6ed8ac7c0931259fcb32a8e36c92a00a8

SHA512
e2e177b0ec292fd2af000cc3cc041b8b2164cbf0a789bec3a1cad275916ec016a492df0ef457619e49ea72fcf51eda2b47334d158b38ff2553867c9fbe65a06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0154770.exe
Filesize
206KB

MD5
da3e09fa7d961be96394995b0d51f81b

SHA1
0f14ac20b03de692a5c029c6203201339a4b2548

SHA256
9b94b9d24bf1ba7ea6c775c9dd77cee6ed8ac7c0931259fcb32a8e36c92a00a8

SHA512
e2e177b0ec292fd2af000cc3cc041b8b2164cbf0a789bec3a1cad275916ec016a492df0ef457619e49ea72fcf51eda2b47334d158b38ff2553867c9fbe65a06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0222670.exe
Filesize
12KB

MD5
7816ff0490ede78d4ffcf41c5fe6d0fb

SHA1
44184cd7a1020324cb2b1450005b222d155d4762

SHA256
17e978d0a1ef188f2aedc764f9df2d0a101061a1bc51ae5400dd2318a7939564

SHA512
739864a8d5fcf63b0d23ef384bc1dd7ab887099dda28cc9e211b5bf3e5fd3402d36efdcc61bd261b847f70b03048d5cb475fc045f24db420155e6a7406507079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0222670.exe
Filesize
12KB

MD5
7816ff0490ede78d4ffcf41c5fe6d0fb

SHA1
44184cd7a1020324cb2b1450005b222d155d4762

SHA256
17e978d0a1ef188f2aedc764f9df2d0a101061a1bc51ae5400dd2318a7939564

SHA512
739864a8d5fcf63b0d23ef384bc1dd7ab887099dda28cc9e211b5bf3e5fd3402d36efdcc61bd261b847f70b03048d5cb475fc045f24db420155e6a7406507079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1586576.exe
Filesize
172KB

MD5
9b44431a6702af386e9e46c6511c843c

SHA1
3a1a7c9d1152ed02ca3a6a2e5ae3153388aa6ee8

SHA256
cbf5084d453f2c229631468a41928e8c6c379501efa5a7213edb3d12a65fa84e

SHA512
e041b3a4b9210a86aa560fd602d55abf49e41ea6f128f6b75120980370e90188738252a0052a143ca60dcd1f5d78a7ed5a3271cea911cdf4b924e263bc304d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1586576.exe
Filesize
172KB

MD5
9b44431a6702af386e9e46c6511c843c

SHA1
3a1a7c9d1152ed02ca3a6a2e5ae3153388aa6ee8

SHA256
cbf5084d453f2c229631468a41928e8c6c379501efa5a7213edb3d12a65fa84e

SHA512
e041b3a4b9210a86aa560fd602d55abf49e41ea6f128f6b75120980370e90188738252a0052a143ca60dcd1f5d78a7ed5a3271cea911cdf4b924e263bc304d15

Download Submit
memory/2380-154-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2432-159-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

Filesize
192KB

Download
memory/2432-160-0x000000000B3B0000-0x000000000B9C8000-memory.dmp

Filesize
6.1MB

Download
memory/2432-161-0x000000000AF30000-0x000000000B03A000-memory.dmp

Filesize
1.0MB

Download
memory/2432-162-0x000000000AE70000-0x000000000AE82000-memory.dmp

Filesize
72KB

Download
memory/2432-163-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/2432-164-0x000000000AED0000-0x000000000AF0C000-memory.dmp

Filesize
240KB

Download
memory/2432-165-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads