redline | b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3

General

Target

b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe
Size

1.1MB
MD5

111d7320fd6d663c9c87f5377cef5e64
SHA1

527da2bb39c02abefe3d94ed0561c4b0a5011255
SHA256

b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3
SHA512

614b0dcf2f653be63253887d601854196830deb9d93ee7a87fdc984740780e54f7d4df325991fc3c7175c9d564a40a9e9464232c8c719c5254665711c3b5eef2
SSDEEP

24576:EysiD43iIXtZWUHQFk/FuYxjmyQ4qbrQDYRDYb49Bgf866a1g:TsiD43rZxHQFk/FuK9G0T02fN6

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9180891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9180891.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k9180891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9180891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9180891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9180891.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b85-54.dat	family_redline
behavioral1/memory/1192-56-0x0000000000250000-0x000000000027A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
812	y2281606.exe
1768	y5197638.exe
4804	k9180891.exe
1192	l5847701.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k9180891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9180891.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5197638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2281606.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4036	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2281606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5197638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k9180891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l5847701.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	k9180891.exe
4804	k9180891.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	k9180891.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 812	1032	b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe	84
PID 1032 wrote to memory of 812	1032	b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe	84
PID 1032 wrote to memory of 812	1032	b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe	84
PID 812 wrote to memory of 1768	812	y2281606.exe	85
PID 812 wrote to memory of 1768	812	y2281606.exe	85
PID 812 wrote to memory of 1768	812	y2281606.exe	85
PID 1768 wrote to memory of 4804	1768	y5197638.exe	86
PID 1768 wrote to memory of 4804	1768	y5197638.exe	86
PID 1768 wrote to memory of 4804	1768	y5197638.exe	86
PID 1768 wrote to memory of 1192	1768	y5197638.exe	95
PID 1768 wrote to memory of 1192	1768	y5197638.exe	95
PID 1768 wrote to memory of 1192	1768	y5197638.exe	95

C:\Users\Admin\AppData\Local\Temp\b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe
"C:\Users\Admin\AppData\Local\Temp\b4cbaecefba3a0a16b3d64a98cc870572f02711e57a3e4126d4f955a18c529c3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2281606.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2281606.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5197638.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5197638.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9180891.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9180891.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5847701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5847701.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1192

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2281606.exe

Filesize
749KB

MD5
b21adf506309c0ec230a06ee5230b3e2

SHA1
735104302f850c4bc806d3979bfdb0a44eea8ece

SHA256
86591ecbf1e133d0356f371b79934f512ba3d91477b1afe4d66943edd300bdba

SHA512
5730eb916a662cd2b4f3e33050e12b5957270279cb5c4df675b0c46fa09e4212c8c0faa230c54c5bb8155bd7dedc31e6f02ed375464a88fb6f71a02b9fbef1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5197638.exe

Filesize
304KB

MD5
f1aae9ba10f45ab92d85df3870d96f58

SHA1
bb8d4727bf920dd3fa66538efc6552d84f097523

SHA256
b1a5e0acfd5c2a55994f0d2f8d3c7cfac0a9c8e08cc2299c14173a1241b10aea

SHA512
0fc54c558e23cdbc38709d72581786e5504bef441a9d4e04eea81c5dd391a1c8c0a31236ca905517c3415fe50bb0719bdcb3cd80f3372041cfa6edcb0e5357a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9180891.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5847701.exe

Filesize
145KB

MD5
70c97762c8938485e138c08fecb701f4

SHA1
c2935795a83f0bf695d9feaf4e3caa8572b8fc6f

SHA256
ecee59ef5a235356771cb172b3aeb0c522d6637b0d1a84d09e8ddfbb9691a4d9

SHA512
a9b2ab38b1ccad12b02f3d08b065c37e9bfcaf084c5e372dfdf84fa9d1f64e9d13051aa6c148e82564eefb4fe3aa8722eee8d5baf800d57d4330ba8410f93cd6

Download Submit
memory/1192-61-0x0000000004CF0000-0x0000000004D3C000-memory.dmp

Filesize
304KB

Download
memory/1192-60-0x0000000004CB0000-0x0000000004CEC000-memory.dmp

Filesize
240KB

Download
memory/1192-59-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/1192-58-0x0000000004D40000-0x0000000004E4A000-memory.dmp

Filesize
1.0MB

Download
memory/1192-57-0x0000000005250000-0x0000000005868000-memory.dmp

Filesize
6.1MB

Download
memory/1192-56-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/4804-51-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-37-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-39-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-33-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-31-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-29-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-27-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-25-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-24-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-41-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-35-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-43-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-45-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-47-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-49-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/4804-23-0x0000000004AC0000-0x0000000004ADC000-memory.dmp

Filesize
112KB

Download
memory/4804-22-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/4804-21-0x0000000002560000-0x000000000257E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads