redline | 6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e

General

Target

6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe
Size

1.1MB
MD5

1508e81310227f63b5d4550734d38251
SHA1

8694a7dbf6d3fbef6874cfd05dd1275aeb4f6fbb
SHA256

6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e
SHA512

6f8d858f6c1c2c9c16ccbc6172be5c966f8ff820f23d453b5726f58ca394e7d64ab42216bc42953c548ed7361c9b77800e968361f1a1a6c44e5b8dd3af336732
SSDEEP

24576:ZyqrMQea0Ep0gVJFk1T2DUfuhhOqNLoUBUA9Rk:MqoQDugVJFkl2DU2hosLouUAX

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1936059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1936059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1936059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1936059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1936059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1936059.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b90-54.dat	family_redline
behavioral1/memory/3052-56-0x0000000000760000-0x000000000078A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4940	y7373940.exe
4800	y5435367.exe
2952	k1936059.exe
3052	l8119411.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1936059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1936059.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7373940.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5435367.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7373940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5435367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1936059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l8119411.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	k1936059.exe
2952	k1936059.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	k1936059.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4940	3356	6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe	84
PID 3356 wrote to memory of 4940	3356	6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe	84
PID 3356 wrote to memory of 4940	3356	6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe	84
PID 4940 wrote to memory of 4800	4940	y7373940.exe	85
PID 4940 wrote to memory of 4800	4940	y7373940.exe	85
PID 4940 wrote to memory of 4800	4940	y7373940.exe	85
PID 4800 wrote to memory of 2952	4800	y5435367.exe	86
PID 4800 wrote to memory of 2952	4800	y5435367.exe	86
PID 4800 wrote to memory of 2952	4800	y5435367.exe	86
PID 4800 wrote to memory of 3052	4800	y5435367.exe	95
PID 4800 wrote to memory of 3052	4800	y5435367.exe	95
PID 4800 wrote to memory of 3052	4800	y5435367.exe	95

C:\Users\Admin\AppData\Local\Temp\6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe
"C:\Users\Admin\AppData\Local\Temp\6acca80260b47c20c6681665eefb0025e8ae3ef61546735ebab36a1d6e35d03e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7373940.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7373940.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5435367.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5435367.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1936059.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1936059.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8119411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8119411.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7373940.exe

Filesize
748KB

MD5
1527dfb63aa26baa66451bf7ce4ee8a7

SHA1
f14ee3f27d15d99c1a73e340f2856ea949660f43

SHA256
08f98b3366b17236777a5251c50806cc2c93e943b18dadcfddcd3d7502b56b47

SHA512
d37fbdcf2956a4fcc26847e0d2c18cb756092c692fc2ecf24efeee067b186c75ff1494cb24ad3691e0d1b60e928ed7a47f21f92db02199cf618af8036baec224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5435367.exe

Filesize
304KB

MD5
a65be2c5af747f36157d0b759edb097d

SHA1
cc586b716f7f739124cf8d66b434762a083c2b09

SHA256
427a59273ab70da7e4324ec22e6f1c1d002f800c7bc4b1ac0f191808e0bd82f9

SHA512
1920d00d03e1157593f4cb42022cd4edc83321f2b7850f0dd99349f57611219dae18fd3fe4b4c713a18ab2964095fab9a91c932f1495f5c4bfb5e5f3cea796ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1936059.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8119411.exe

Filesize
145KB

MD5
f384a5868a614ee6cf96a524720f659d

SHA1
bf45e79a4eb906cd42aece88cabc4886b38fda5c

SHA256
9eb0cec749cbf1bd5c879708456ac8bedca349bf9542f52e26692cb581b178e6

SHA512
d4f8093547c1338099edd5169d98ba17b8b5bd44d549f29cb8930ac936e55f95ec3cc9f3854e1619e8002958a0a088d7f08c4be74d526b20dc0d7a2aa6900966

Download Submit
memory/2952-31-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-37-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-29-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-22-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download
memory/2952-51-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-47-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-45-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-23-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/2952-35-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-33-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-27-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-25-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-24-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2952-21-0x00000000023D0000-0x00000000023EE000-memory.dmp

Filesize
120KB

Download
memory/3052-56-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/3052-57-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/3052-58-0x0000000005100000-0x000000000520A000-memory.dmp

Filesize
1.0MB

Download
memory/3052-59-0x0000000005020000-0x0000000005032000-memory.dmp

Filesize
72KB

Download
memory/3052-60-0x00000000050C0000-0x00000000050FC000-memory.dmp

Filesize
240KB

Download
memory/3052-61-0x0000000005210000-0x000000000525C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads