redline | b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd

General

Target

b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe
Size

1.1MB
MD5

11c750ffe9cfa158f7c5f2c104e2efcc
SHA1

e807ffdc1af391ce8d587d5e613df3c0a96ef575
SHA256

b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd
SHA512

8e0014e9a66b9c81f45481a76c228d7ba3aeafdd472c792423e77aa44333b0b29b8724750d7bc7abd67cdf9cc643434607bdff76cba51375c8a51a7cf10db35a
SSDEEP

24576:wyzoqJL2jZQ8UFkllH7IgbzqiKxHOvNSuvrGd7c7l:31J6jZtUFkn7rzqimuI6SU

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8133937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8133937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8133937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8133937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8133937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8133937.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb9-54.dat	family_redline
behavioral1/memory/1840-56-0x0000000000550000-0x000000000057A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
468	y6379757.exe
464	y9842752.exe
4360	k8133937.exe
1840	l3122808.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8133937.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8133937.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9842752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6379757.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6379757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9842752.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8133937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3122808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4360	k8133937.exe
4360	k8133937.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	k8133937.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 468	3240	b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe	83
PID 3240 wrote to memory of 468	3240	b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe	83
PID 3240 wrote to memory of 468	3240	b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe	83
PID 468 wrote to memory of 464	468	y6379757.exe	84
PID 468 wrote to memory of 464	468	y6379757.exe	84
PID 468 wrote to memory of 464	468	y6379757.exe	84
PID 464 wrote to memory of 4360	464	y9842752.exe	85
PID 464 wrote to memory of 4360	464	y9842752.exe	85
PID 464 wrote to memory of 4360	464	y9842752.exe	85
PID 464 wrote to memory of 1840	464	y9842752.exe	96
PID 464 wrote to memory of 1840	464	y9842752.exe	96
PID 464 wrote to memory of 1840	464	y9842752.exe	96

C:\Users\Admin\AppData\Local\Temp\b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe
"C:\Users\Admin\AppData\Local\Temp\b65c2dee8a921a678656bca6f44ec710e3439f80464a5ae3f448f9a65734f6bd.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6379757.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6379757.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9842752.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9842752.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8133937.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8133937.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3122808.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3122808.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6379757.exe

Filesize
748KB

MD5
113315923489db79bf56f50c97534906

SHA1
d56c966deb07b0907ebee6fdffbf84a1935bb213

SHA256
3c0eae0d707dc1d4ca3fbebcfbaa3424519feacf8933d22b05c98818dbf09bd9

SHA512
5d6699ca9746b0fe3a7efead505808e495751e9544756453986029924a584d3d2a51bfe15703e029a040b867497cc99a0d8649981059bb15828ef6a6001dd009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9842752.exe

Filesize
304KB

MD5
3b326a7052c52f871789b65c099acb91

SHA1
c07df6aed2c6d87b76baa8218379e3b77af7ee4c

SHA256
26407f77e0d7c8da6b9a1d46ec891fabe7b80ebb88407285632372e2e803d3bc

SHA512
540a4500eb517a2b749f4f13f4ce11b51cee1653156dab73ad104b6ac87d2bd91fd6deeed72ac52dae1723ea8f41909a84686c628283d0baf9fa5824b1a01062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8133937.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3122808.exe

Filesize
145KB

MD5
b18b74d39296cbe623b1f155a6e7db39

SHA1
e6716a3f501939a4fcfb7c06dbff6b84c422d709

SHA256
4ab6cf0215bdb68aadea41e26060a42267a6f032e3d3f4ab29a6c964505cbb61

SHA512
0572e7a202aa2c3039476f196fb8570b37dfbf937388b16c51412c85b77a1e6ec63f590347aaafce41fbd8e8bf7f7cd62c168834140a90eb4b43dc6768c68302

Download Submit
memory/1840-61-0x0000000005130000-0x000000000517C000-memory.dmp

Filesize
304KB

Download
memory/1840-60-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

Filesize
240KB

Download
memory/1840-59-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/1840-58-0x0000000005020000-0x000000000512A000-memory.dmp

Filesize
1.0MB

Download
memory/1840-57-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/1840-56-0x0000000000550000-0x000000000057A000-memory.dmp

Filesize
168KB

Download
memory/4360-51-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-25-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-41-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-39-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-37-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-35-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-33-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-29-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-27-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-43-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-24-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-45-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-47-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-49-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-31-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/4360-23-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/4360-22-0x0000000004B60000-0x0000000005104000-memory.dmp

Filesize
5.6MB

Download
memory/4360-21-0x0000000002120000-0x000000000213E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads