redline | 99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a

General

Target

99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe
Size

1.1MB
MD5

357de6a1dfbb69b5eddeb32c1b38000b
SHA1

0bc1e13df4a26aca58e01bd9338190135b09e881
SHA256

99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a
SHA512

fea53af844826fe57a0b87b8c19c3b59a785a8a544b057d4578349028c6a7c684b9778533811d092ac895ebf2343ef1cf284403526620186767741a224809122
SSDEEP

24576:wySJILOP4DhcOHGEgg9L+Yco9KcgMjJ0Hbt4bX4Bv:3SJILZlcKGEgg9a4KcuHZ4bXY

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6790416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6790416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6790416.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k6790416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6790416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6790416.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cd1-55.dat	family_redline
behavioral1/memory/3472-56-0x00000000006D0000-0x00000000006FA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
2116	y2367468.exe
4564	y8533003.exe
2328	k6790416.exe
3472	l6211290.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k6790416.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6790416.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2367468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8533003.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2367468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8533003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k6790416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l6211290.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	k6790416.exe
2328	k6790416.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	k6790416.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2116	1412	99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe	84
PID 1412 wrote to memory of 2116	1412	99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe	84
PID 1412 wrote to memory of 2116	1412	99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe	84
PID 2116 wrote to memory of 4564	2116	y2367468.exe	85
PID 2116 wrote to memory of 4564	2116	y2367468.exe	85
PID 2116 wrote to memory of 4564	2116	y2367468.exe	85
PID 4564 wrote to memory of 2328	4564	y8533003.exe	87
PID 4564 wrote to memory of 2328	4564	y8533003.exe	87
PID 4564 wrote to memory of 2328	4564	y8533003.exe	87
PID 4564 wrote to memory of 3472	4564	y8533003.exe	93
PID 4564 wrote to memory of 3472	4564	y8533003.exe	93
PID 4564 wrote to memory of 3472	4564	y8533003.exe	93

C:\Users\Admin\AppData\Local\Temp\99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe
"C:\Users\Admin\AppData\Local\Temp\99ef893b0c73f2b7df685ef05d07ce24cec85871624fa4f4e0cfa842efd6fe9a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2367468.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2367468.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8533003.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8533003.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6790416.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6790416.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6211290.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6211290.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2367468.exe

Filesize
749KB

MD5
c8920e62129e7c1cfd8e160adacfcda9

SHA1
afb2906dceb269c40f296938c8b3ec51d8fb2a59

SHA256
71f88c171018795955329f8182700e387ec2821b65e331e4ec89f775bc7ddfd4

SHA512
232b6c1aaadb20ac2e775d99d586b5328a65126ec02485d2c17cef8e5ec8262cfb933ee8c18bc6f9ba340f70d2598277ac871d319cbb9c1371ccb8c4a91b2043

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8533003.exe

Filesize
305KB

MD5
ca8f42fa25e24fcb8a48b6fa128b07de

SHA1
07634ddd89e854c3a61771abe5db84f49387d4f0

SHA256
4c81838441ba5030f4eb085b35066c57eb69a31904407d886c1a4712221b2be6

SHA512
ef49ebb3c2098c5f99306a89367b7eafda3ecf896ebedf4ed85dbf6f4cf8d1563458f380d5dc8a76db51d660609f9caf102a6057358036118e5464c5999acc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6790416.exe

Filesize
183KB

MD5
d18dd7e957d8eab39abe21eefd498331

SHA1
2d7b11252dbb1ed8cefff8d63d447b0f697a0060

SHA256
57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

SHA512
c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6211290.exe

Filesize
145KB

MD5
935a99f734b790ab6f4504d67b1273b6

SHA1
ac954133f4e6110d72004b4a806a5566aa269bb4

SHA256
c8ea2e40bfd8edee8d52594bdf62df2e5f934de7e988bf2c26b210951c666299

SHA512
313724a52cebee2863fe99895d3c8182bb9862147cccdc9e89967f024c27f8a5a82d76dd23f05c650304ba63e7fc4881e2612fba0d6cd893eb07fbfea42e6af4

Download Submit
memory/2328-49-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-31-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-35-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-22-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/2328-47-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-45-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-43-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-41-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-51-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-39-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-37-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-23-0x0000000002320000-0x000000000233C000-memory.dmp

Filesize
112KB

Download
memory/2328-29-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-27-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-25-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-24-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-33-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/2328-21-0x0000000002140000-0x000000000215E000-memory.dmp

Filesize
120KB

Download
memory/3472-56-0x00000000006D0000-0x00000000006FA000-memory.dmp

Filesize
168KB

Download
memory/3472-57-0x0000000005530000-0x0000000005B48000-memory.dmp

Filesize
6.1MB

Download
memory/3472-58-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/3472-59-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/3472-60-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/3472-61-0x0000000005170000-0x00000000051BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads