redline | 4de1124a0c0b201907321b44ffbad15b2e2e9ad38b6ae1a833ce56f145c5c177

Analysis

max time kernel
143s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe
Size

769KB
MD5

9bf6b90455cdafbc4f730e0d36e6f2f3
SHA1

1280c19116ee65594582d39b5f35693e843eb3cd
SHA256

64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3
SHA512

aa93787490febd0e91e0a64a3b04d825fcf474833e9199df6029a1ec9b7ad6b00b15cce125b70e3c89c6a09ed03a549e0abef07baebd82331d19afa5b003cfeb
SSDEEP

12288:BMrKy90IjoIdwRsoHBc9xklpmHUpBjdJ7pT2cDoLX3Ehmg/3acxtJxJ0:Ly0IdwPhcM3P5drMLcFJ0

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a3942167.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3942167.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3942167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3942167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3942167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3942167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3942167.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/files/0x000700000002324c-54.dat	family_redline
behavioral8/memory/3796-56-0x00000000004A0000-0x00000000004CE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

v2615825.exev0466746.exea3942167.exeb6072127.exe

pid	Process
2220	v2615825.exe
2752	v0466746.exe
4068	a3942167.exe
3796	b6072127.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a3942167.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3942167.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3942167.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exev2615825.exev0466746.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2615825.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0466746.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a3942167.exe

pid	Process
4068	a3942167.exe
4068	a3942167.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a3942167.exe

description	pid	Process
Token: SeDebugPrivilege	4068	a3942167.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exev2615825.exev0466746.exe

description	pid	Process	procid_target
PID 1720 wrote to memory of 2220	1720	64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe	91
PID 1720 wrote to memory of 2220	1720	64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe	91
PID 1720 wrote to memory of 2220	1720	64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe	91
PID 2220 wrote to memory of 2752	2220	v2615825.exe	92
PID 2220 wrote to memory of 2752	2220	v2615825.exe	92
PID 2220 wrote to memory of 2752	2220	v2615825.exe	92
PID 2752 wrote to memory of 4068	2752	v0466746.exe	93
PID 2752 wrote to memory of 4068	2752	v0466746.exe	93
PID 2752 wrote to memory of 4068	2752	v0466746.exe	93
PID 2752 wrote to memory of 3796	2752	v0466746.exe	94
PID 2752 wrote to memory of 3796	2752	v0466746.exe	94
PID 2752 wrote to memory of 3796	2752	v0466746.exe	94

C:\Users\Admin\AppData\Local\Temp\64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe
"C:\Users\Admin\AppData\Local\Temp\64a91313eb50dddfb61c52017487fbcae9e2ebfc5426285d97ea6e073db0e1f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2615825.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2615825.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0466746.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0466746.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3942167.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3942167.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6072127.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6072127.exe
      4⤵
      Executes dropped EXE
      PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2615825.exe

Filesize
488KB

MD5
69f5e440580ae1897024b43da76a46f9

SHA1
0ab8b16fb09db75011a66bcac3b2fd1b03c022d8

SHA256
d84ea774e7c0e371244596d0cf1e99a25d5cc572eadc16ed0724e9366dc64dae

SHA512
d1bf5fbe24a19c55eee4210c938b83a699d033dd28fd895671189e41c41a5b874f5af5a91b61a118257aab4589338115602215198673d5590b202ea5b64407b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0466746.exe

Filesize
316KB

MD5
2f3f3933a88c5548f0f53de0c045744c

SHA1
4a6a2e1e012452533c92a8c0106a13c22bc78195

SHA256
8c9f0fa0be3118f84dc4af8a50fa0b11a785e5014b63d362193e6a262a8fb066

SHA512
c82a6cfe58f8a8b67592c08bdf3f1b14f77ec97ef276e5611d6135b8b9892166ce39d27d3251cc4c154f62b9a639c25896569a637a35a255dc9d3e71cc2879b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3942167.exe

Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6072127.exe

Filesize
168KB

MD5
18f0522e81339408016047163095662d

SHA1
2057577e206a4145a74a4c24bc11b1aeca84353d

SHA256
4aa922fae468293dbca3b2c9fff775be892427f913698bb55e6b559623585715

SHA512
df479febf0f93836d624f623b35777cc712a7ce3180ff4ebe961110c1b691522884aa0a890768f1dd87ff354e9093f749bf38345f1857f5f60ba3899172470cd

Download Submit
memory/3796-62-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

Filesize
304KB

Download
memory/3796-61-0x000000000A2A0000-0x000000000A2DC000-memory.dmp

Filesize
240KB

Download
memory/3796-60-0x000000000A240000-0x000000000A252000-memory.dmp

Filesize
72KB

Download
memory/3796-59-0x000000000A310000-0x000000000A41A000-memory.dmp

Filesize
1.0MB

Download
memory/3796-58-0x000000000A7D0000-0x000000000ADE8000-memory.dmp

Filesize
6.1MB

Download
memory/3796-57-0x0000000004DC0000-0x0000000004DC6000-memory.dmp

Filesize
24KB

Download
memory/3796-56-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/4068-27-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-25-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-41-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-39-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-37-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-35-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-34-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-31-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-29-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-43-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-45-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-47-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-50-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-51-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-24-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4068-23-0x00000000025F0000-0x000000000260C000-memory.dmp

Filesize
112KB

Download
memory/4068-22-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/4068-21-0x00000000020D0000-0x00000000020EE000-memory.dmp

Filesize
120KB

Download