redline | 21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3

General

Target

21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe
Size

1.1MB
MD5

30a5e9aff9df873661a06505bf8533aa
SHA1

6682750d17eb8eb5fafdfaf59a623059f9c9b996
SHA256

21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3
SHA512

1169a2907c74c06caa1c81ce669598658998a804d695fd92f6f26aa667e5b699b640b2a7d4ebf45fbf94b11c987ea6ea3097a6d2531bfe25f0d9533bf26bd582
SSDEEP

24576:GyAcH8YVU68yUeECg9GLPX6rva/EQiGUCytizeXQJa6fqikzPO:VA88Yu6/ECg9G76jy3iGUCy4zveD

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0696362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0696362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0696362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0696362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0696362.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0696362.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b9e-54.dat	family_redline
behavioral1/memory/3084-56-0x0000000000850000-0x000000000087A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1780	y3497267.exe
3228	y3013724.exe
5076	k0696362.exe
3084	l2422755.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0696362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0696362.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3497267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3013724.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3497267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3013724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0696362.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l2422755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5076	k0696362.exe
5076	k0696362.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	k0696362.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1780	1960	21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe	83
PID 1960 wrote to memory of 1780	1960	21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe	83
PID 1960 wrote to memory of 1780	1960	21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe	83
PID 1780 wrote to memory of 3228	1780	y3497267.exe	85
PID 1780 wrote to memory of 3228	1780	y3497267.exe	85
PID 1780 wrote to memory of 3228	1780	y3497267.exe	85
PID 3228 wrote to memory of 5076	3228	y3013724.exe	86
PID 3228 wrote to memory of 5076	3228	y3013724.exe	86
PID 3228 wrote to memory of 5076	3228	y3013724.exe	86
PID 3228 wrote to memory of 3084	3228	y3013724.exe	93
PID 3228 wrote to memory of 3084	3228	y3013724.exe	93
PID 3228 wrote to memory of 3084	3228	y3013724.exe	93

C:\Users\Admin\AppData\Local\Temp\21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe
"C:\Users\Admin\AppData\Local\Temp\21bcc215616958d6e41751acec99b76badeeae3b948c1059436734213c9dcde3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3497267.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3497267.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3013724.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3013724.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0696362.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0696362.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2422755.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2422755.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3497267.exe

Filesize
749KB

MD5
a39269d1632bab94a1a177fae9182a53

SHA1
c6f41e6cdf629465502276c47bd2ccdd7475930b

SHA256
69993047ecbcf53f6f23f7cc76d6b44d572160eeaa6c222917a528829689dfac

SHA512
9a0a6da9e00ac33c38bd3d148d256211ad03883a75213e8be71bcae74bae15124bbeeb673cca664b678b5589a0b191b11e8846f42ebdc285439ef970bfaeb2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3013724.exe

Filesize
305KB

MD5
366c4de99355969b90ba422ac842a742

SHA1
08b9294d1f370996e33b9f7e49498ae1f0941987

SHA256
a0c6da125b77e9fa3177280b1a21bbb6f2f563b0f28b0c60103d0a5d8e8a37e8

SHA512
52c74d1b675008b5ff57845c185b1d63d675ec779583d67c2cb193f2087bc95bf0f8f0a483e54881be9cdd78b4f8407027c532dc5f2e1bfc9b40398a6bfcad58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0696362.exe

Filesize
183KB

MD5
d18dd7e957d8eab39abe21eefd498331

SHA1
2d7b11252dbb1ed8cefff8d63d447b0f697a0060

SHA256
57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

SHA512
c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2422755.exe

Filesize
145KB

MD5
6331639b8d7c8befbe44723812b12769

SHA1
d4cf5e8dc520365dcd294217496a250115d7d579

SHA256
3f72619fdc40c7d9ecfa2a99877ebd7a72da13ad57b40389126783f737dc4c37

SHA512
f3d2b94160773f84519a09b46f879176fa13ce9c21191e428c7a9a05c4be79b7cb0c7ba0c6bbf440e7fb65c3da5378b0a276be8550e3c3c9c1d484b36ca4734c

Download Submit
memory/3084-61-0x0000000005170000-0x00000000051BC000-memory.dmp

Filesize
304KB

Download
memory/3084-60-0x00000000052F0000-0x000000000532C000-memory.dmp

Filesize
240KB

Download
memory/3084-59-0x0000000005110000-0x0000000005122000-memory.dmp

Filesize
72KB

Download
memory/3084-58-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/3084-57-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/3084-56-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/5076-51-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-25-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-41-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-39-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-38-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-35-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-33-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-31-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-29-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-43-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-24-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-45-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-47-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-49-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-27-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/5076-23-0x0000000002570000-0x000000000258C000-memory.dmp

Filesize
112KB

Download
memory/5076-22-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/5076-21-0x00000000021C0000-0x00000000021DE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads