redline | 8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c

General

Target

8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe
Size

1.1MB
MD5

a212156cd7e799c0aa41ea997af43f7d
SHA1

b801675c9ef28a4b24618f3a852a559bf202453f
SHA256

8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c
SHA512

3e6e189d0922f16ce9bd31d6a54769f5b9a5c45c9126132fa02128d14db573665606da4c75659eb0927a238b82ca1edcebf54244268ffd04d6fb38da6181a300
SSDEEP

24576:qy/taK2T4S1DENewD9FklUYtWuAdtdb1Fp11QFXGFSX6MukDYigX1iwG:xEwFswD9FkxodtdbDoXjT4X1iw

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7088189.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7088189.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7088189.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7088189.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7088189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k7088189.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b9c-54.dat	family_redline
behavioral1/memory/1908-56-0x0000000000760000-0x000000000078A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1052	y3405981.exe
4988	y3104251.exe
1484	k7088189.exe
1908	l0018271.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7088189.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7088189.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3405981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3104251.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3405981.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3104251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k7088189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l0018271.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	k7088189.exe
1484	k7088189.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	k7088189.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1052	2876	8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe	84
PID 2876 wrote to memory of 1052	2876	8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe	84
PID 2876 wrote to memory of 1052	2876	8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe	84
PID 1052 wrote to memory of 4988	1052	y3405981.exe	85
PID 1052 wrote to memory of 4988	1052	y3405981.exe	85
PID 1052 wrote to memory of 4988	1052	y3405981.exe	85
PID 4988 wrote to memory of 1484	4988	y3104251.exe	86
PID 4988 wrote to memory of 1484	4988	y3104251.exe	86
PID 4988 wrote to memory of 1484	4988	y3104251.exe	86
PID 4988 wrote to memory of 1908	4988	y3104251.exe	94
PID 4988 wrote to memory of 1908	4988	y3104251.exe	94
PID 4988 wrote to memory of 1908	4988	y3104251.exe	94

C:\Users\Admin\AppData\Local\Temp\8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe
"C:\Users\Admin\AppData\Local\Temp\8ef1b9ccc565c63b37f4f1adc40a5fbe35a3631adf090e95fd144b4ee8b09b8c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3405981.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3405981.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3104251.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3104251.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7088189.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7088189.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0018271.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0018271.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3405981.exe

Filesize
748KB

MD5
535e316ef2f0d142e3703ce34b63941b

SHA1
648ea5159f23333a331dee6ce9b4201e175b14ff

SHA256
63328c24a82216c26a17cfba4989813b698e01275640e0ef5fdeaabf1e07f5d1

SHA512
ac871938d9750117fe8800c1479319b2df226e8b4d4e8ed07646d137dc6030a7ef75b11aff2d078b42badc1dcebd57c0dad441942c532bb116c31b6596a48fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3104251.exe

Filesize
304KB

MD5
b289d4bb49a639a9c3fa4899d7653d03

SHA1
f3594fe172e694be60523c525886c7caabbbff4b

SHA256
16e436ad85faf70b6c46eefb964a901d4740cd85894685aaeb77e172488ac1bc

SHA512
a857687c3a1cf2d38563fdfc5b88dd1e1e99c6e717e370893688381d6cb2556628004819acc2789f497b309da5cc94369c2b8017f7bb2d5e7540ce846d0d71c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7088189.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0018271.exe

Filesize
145KB

MD5
1d0a8c298ca0d1a1b2fd8985312d9d8e

SHA1
610b0415eb59b5aca7834b7c6210f004c2ee5ea3

SHA256
1dfb6e526926ccf3b0ebbafa744cc906a2293921ee2d3dc5dd16f1149beea34e

SHA512
d0550475a0b6786600d17d2a4f1ee99f7f8e5c88fb0e628c5732f369333cfb9a1991e683fef35fbbfa91b6c75ce2f58ba68e0fda25c02c655e925aa82115863f

Download Submit
memory/1484-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-22-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/1484-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-42-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/1484-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1484-21-0x00000000024C0000-0x00000000024DE000-memory.dmp

Filesize
120KB

Download
memory/1908-56-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/1908-57-0x00000000056B0000-0x0000000005CC8000-memory.dmp

Filesize
6.1MB

Download
memory/1908-58-0x0000000005230000-0x000000000533A000-memory.dmp

Filesize
1.0MB

Download
memory/1908-59-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/1908-60-0x00000000051C0000-0x00000000051FC000-memory.dmp

Filesize
240KB

Download
memory/1908-61-0x0000000005340000-0x000000000538C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads