redline | a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6

General

Target

a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe
Size

1.1MB
MD5

0522f35045c62106b9be4c62414afb3f
SHA1

95788f1678d8a6932bbf19c59477670ace19f256
SHA256

a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6
SHA512

65a9acf285f91979d1e213ffba5483a9bf4c084643aa07fe5234d4a72fcefa6ec28370561b85054e26bbd35ee7697d8fd4b4e73f8fdefd22e3e83e59f1ed857b
SSDEEP

24576:kyUFmokZWdFkQ5Q6lAn2ScMcqmFhJFzOCzlTF8:zUFpkZWdFkQ5fAPcXVTJbBF

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1418355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1418355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1418355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1418355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1418355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1418355.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c8d-54.dat	family_redline
behavioral1/memory/5064-56-0x0000000000110000-0x000000000013A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
5076	y1075596.exe
3060	y2819183.exe
1224	k1418355.exe
5064	l8602845.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1418355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1418355.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1075596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2819183.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l8602845.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1075596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2819183.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1418355.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1224	k1418355.exe
1224	k1418355.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	k1418355.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 5076	4360	a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe	84
PID 4360 wrote to memory of 5076	4360	a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe	84
PID 4360 wrote to memory of 5076	4360	a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe	84
PID 5076 wrote to memory of 3060	5076	y1075596.exe	85
PID 5076 wrote to memory of 3060	5076	y1075596.exe	85
PID 5076 wrote to memory of 3060	5076	y1075596.exe	85
PID 3060 wrote to memory of 1224	3060	y2819183.exe	87
PID 3060 wrote to memory of 1224	3060	y2819183.exe	87
PID 3060 wrote to memory of 1224	3060	y2819183.exe	87
PID 3060 wrote to memory of 5064	3060	y2819183.exe	94
PID 3060 wrote to memory of 5064	3060	y2819183.exe	94
PID 3060 wrote to memory of 5064	3060	y2819183.exe	94

C:\Users\Admin\AppData\Local\Temp\a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe
"C:\Users\Admin\AppData\Local\Temp\a386878f2705418e4c8eb9e238902fe7b16c105466f51e780614fd7a1c06b8b6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1075596.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1075596.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2819183.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2819183.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1418355.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1418355.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8602845.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8602845.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1075596.exe

Filesize
749KB

MD5
08af6b9731433e2a85e003b0a0aa993b

SHA1
916d03236151c39885a37f87de3da356e55a733e

SHA256
c060048dbbdc3b015ce4e2d490dd3039d2e56c89242e44d5017a16abf6725516

SHA512
35318440ab9ba1e32dd73bd28a6d6b696be58a3cb1f61563787aec29b58aba438211a40d4c914188977db94ddf99ef96e5b3e63a9b515cbd133bcf98b46a3a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2819183.exe

Filesize
304KB

MD5
004ecca8051e0dddd5af688eb53d90cd

SHA1
5b5358e2c7fc603e3e2871e521d52664fa8c1bff

SHA256
2f4a9a65dbd342e523b23400f8f6a61828c45e08bc57d8e275754a9550ee71a8

SHA512
350411443853f77bcf7aecac58267908f22f8d583fee60b764da3ad670bae676c92ee523dafaf00f18b468e0faa3c17427e86fc23cdf2cb962cb58fb30facba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1418355.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8602845.exe

Filesize
145KB

MD5
e53bae2ca8358457a75550498809492e

SHA1
7413b9ef349c5648aa1989e43f3d44bff2c3e0a1

SHA256
a84a2f33bbd91291d57b0bbd24fa785d3ea10744793174610a38174342534f3f

SHA512
c295383ede0742122fc21d9e96eb1dd1c32a9520e17600bfcfb98a9ef499498cc9b9f4045de97ba7dc430c3e5d730b841c1142dbb5c02836355a1a81025d0b1b

Download Submit
memory/1224-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-22-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/1224-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-46-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/1224-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1224-21-0x0000000002170000-0x000000000218E000-memory.dmp

Filesize
120KB

Download
memory/5064-56-0x0000000000110000-0x000000000013A000-memory.dmp

Filesize
168KB

Download
memory/5064-57-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/5064-58-0x0000000004BE0000-0x0000000004CEA000-memory.dmp

Filesize
1.0MB

Download
memory/5064-59-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/5064-60-0x0000000004B70000-0x0000000004BAC000-memory.dmp

Filesize
240KB

Download
memory/5064-61-0x0000000004CF0000-0x0000000004D3C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads