redline | ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8

General

Target

ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe
Size

1.1MB
MD5

49f20ba05a2e8735318d804d3e7b4240
SHA1

ac2dc0060bb1ccf7f30f15f78a4e6c4b07b9186a
SHA256

ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8
SHA512

ae55c7bedfc5b94b5e1a2d1efac9c34cbb9aa88b8ff701072bf319fc325f94db71992bf81325188aa2ce3c5a433f7ee1b372e492307bfe8e4540fae09e184770
SSDEEP

24576:CyO5dapQFTFk3C5eay+scyZkxBZmGUdTXvWK:pwspQFTFkyibwmBdTe

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1138511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1138511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1138511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1138511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1138511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1138511.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca4-54.dat	family_redline
behavioral1/memory/1428-56-0x00000000007F0000-0x000000000081A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3068	y1727941.exe
2120	y9573045.exe
1236	k1138511.exe
1428	l7042820.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1138511.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1138511.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1727941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9573045.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9573045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1138511.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l7042820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1727941.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1236	k1138511.exe
1236	k1138511.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	k1138511.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 3068	2436	ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe	84
PID 2436 wrote to memory of 3068	2436	ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe	84
PID 2436 wrote to memory of 3068	2436	ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe	84
PID 3068 wrote to memory of 2120	3068	y1727941.exe	85
PID 3068 wrote to memory of 2120	3068	y1727941.exe	85
PID 3068 wrote to memory of 2120	3068	y1727941.exe	85
PID 2120 wrote to memory of 1236	2120	y9573045.exe	86
PID 2120 wrote to memory of 1236	2120	y9573045.exe	86
PID 2120 wrote to memory of 1236	2120	y9573045.exe	86
PID 2120 wrote to memory of 1428	2120	y9573045.exe	94
PID 2120 wrote to memory of 1428	2120	y9573045.exe	94
PID 2120 wrote to memory of 1428	2120	y9573045.exe	94

C:\Users\Admin\AppData\Local\Temp\ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe
"C:\Users\Admin\AppData\Local\Temp\ccfd41c9ac7acffbeeee894ae84997e82fce0df7de84c53f25153019480f19a8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1727941.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1727941.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9573045.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9573045.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1138511.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1138511.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7042820.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7042820.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1727941.exe

Filesize
749KB

MD5
a04bec5266612898a643913613caa0bd

SHA1
fe49779710b6c436e071e5d0fda6643a78e7a1d3

SHA256
5c6b2761e1d0324be10ff53bff8257ffaa70a1a724a7d69c9a61fde608bedb28

SHA512
55af492413568f516232390373b36a1214a043df6557f7bf9ed2363a435f29fc182a6ac431595da6124b94da359d4a27e1bb27f379d7d6aee75e08c04843a264

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9573045.exe

Filesize
304KB

MD5
fa8b2a6d58293eb1343b7e16f9336e19

SHA1
8cbd8279bc48d96dfa1088e69e76af151bb9ee2e

SHA256
0783f11e58eb2dd3bf4924f77df00369d62cb49b277cfab94e5f892b58a575b0

SHA512
e1b11243d614ccc94ecfa9af3867b3528ba1ffc6f63461e6b1c430e09c57127a8c1eef6a713c7a3a7285c4eb40d0aa08fe76b10083366fe03a9c47accd4248f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1138511.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7042820.exe

Filesize
145KB

MD5
88cd6b0ed0a007e9a031568a9636cd09

SHA1
01aa363d9fb5f2fdbc7b7e74dac9afd9a6b4763b

SHA256
fe6b79f5d6df914b95cb3a87355d8b433965f7dde1bc1f7ff642c51b351fa462

SHA512
17e21d9315f2eeb2a7a1d6036e45330702e980621b0cc914cf1e2ecf22f1d82e8c6f92870e1f4b177d9e5321b2adfbee688d0d8e711ab7d91cf7cde21c96ab1c

Download Submit
memory/1236-51-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-31-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-37-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-22-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/1236-49-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-47-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-45-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-43-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-41-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-39-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-33-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-23-0x0000000002550000-0x000000000256C000-memory.dmp

Filesize
112KB

Download
memory/1236-29-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-27-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-25-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-35-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-24-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1236-21-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download
memory/1428-56-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/1428-57-0x0000000005780000-0x0000000005D98000-memory.dmp

Filesize
6.1MB

Download
memory/1428-58-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/1428-59-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/1428-60-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/1428-61-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads