redline | 848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a

General

Target

848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe
Size

1.1MB
MD5

7a35578ed06af38c4fe8a0608d7ce4d4
SHA1

66cc7bde26c00df1d6f4764ec80e763d3d6071e3
SHA256

848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a
SHA512

982576556dbb801c17e09ef9b50453a45075c7243a113f9f0ee28cf6533f63e418c8cb61568eb4c87bdfb06fb68f108fca0dda29ffc0fd7ff7769ccc1c6d4139
SSDEEP

24576:kyruxxdwFyMxhUKhjwE1g9upCYl7xcXQdFQN6QXwfl:zruxxiyMxOKuE1g9urCQzmX

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k4375337.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4375337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4375337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4375337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4375337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4375337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4375337.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023cb5-54.dat	family_redline
behavioral1/memory/5056-56-0x00000000009C0000-0x00000000009EA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

Processes:

y3602752.exey8175386.exek4375337.exel4410080.exe

pid	Process
2728	y3602752.exe
244	y8175386.exe
3240	k4375337.exe
5056	l4410080.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k4375337.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4375337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4375337.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exey3602752.exey8175386.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3602752.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8175386.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

y8175386.exek4375337.exel4410080.exe848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exey3602752.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8175386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4375337.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4410080.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3602752.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k4375337.exe

pid	Process
3240	k4375337.exe
3240	k4375337.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k4375337.exe

description	pid	Process
Token: SeDebugPrivilege	3240	k4375337.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exey3602752.exey8175386.exe

description	pid	Process	procid_target
PID 4400 wrote to memory of 2728	4400	848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe	83
PID 4400 wrote to memory of 2728	4400	848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe	83
PID 4400 wrote to memory of 2728	4400	848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe	83
PID 2728 wrote to memory of 244	2728	y3602752.exe	84
PID 2728 wrote to memory of 244	2728	y3602752.exe	84
PID 2728 wrote to memory of 244	2728	y3602752.exe	84
PID 244 wrote to memory of 3240	244	y8175386.exe	86
PID 244 wrote to memory of 3240	244	y8175386.exe	86
PID 244 wrote to memory of 3240	244	y8175386.exe	86
PID 244 wrote to memory of 5056	244	y8175386.exe	96
PID 244 wrote to memory of 5056	244	y8175386.exe	96
PID 244 wrote to memory of 5056	244	y8175386.exe	96

C:\Users\Admin\AppData\Local\Temp\848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe
"C:\Users\Admin\AppData\Local\Temp\848b4118e71968a14ebb6062e66a439f9731a3b801c7fce71398a6221c8ea83a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3602752.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3602752.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8175386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8175386.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4375337.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4375337.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4410080.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4410080.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3602752.exe

Filesize
751KB

MD5
d8cead34ae4ae1579850a19f1aa5f550

SHA1
555430cc640ea07b8ebbf1b35366272cd5ac8086

SHA256
6da31368eb3a6dbed673b7d76fbaf1552fe9b10b02eebd8310f034ee9a340ffc

SHA512
fdfd7e71b6ced297de524b1bb7d76733efa55967633211e6adefe194027feb92f83b47cff83edeeb39aa8148377229f65561a059d87f0f6bed0c6b6fec13aa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8175386.exe

Filesize
305KB

MD5
50cb4b5b715a0aa0b72adff07153bf86

SHA1
eab446530b3ae243daf837ff73b9ddc133f0cafc

SHA256
2551ebdf5e90f5e7aaf77f8ab9f93bb92b8bef90b5e5b944a02b0201d9ca4b8d

SHA512
36a91b3654c746bad74d1b447375df602439363d8881e0f4d09302a1e1f9e1839a5f57cb00dd834e4dac9ee83bdf36709b81f12372b5a0cefdefed652b3ebcf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4375337.exe

Filesize
183KB

MD5
d18dd7e957d8eab39abe21eefd498331

SHA1
2d7b11252dbb1ed8cefff8d63d447b0f697a0060

SHA256
57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

SHA512
c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4410080.exe

Filesize
145KB

MD5
1d613b0a45f2038a1eed7949caf4ee17

SHA1
3b25d2544e6dfcd35673db6d4a138eb27ba7ee35

SHA256
a257f21d91cb8e76d39b4947af52e25f4cf6bc6ae5e7a9df5a386e5a0b40e8fe

SHA512
d142fb2d9c4a508664cf73feed8842fd4a8d01230751dbf44d3f569bf5c26f339415b47dacaf8adfe27bce82481134369afdad264aa7c0562a16278468376c8b

Download Submit
memory/3240-45-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-34-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-39-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-22-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/3240-51-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-49-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-47-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-43-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-41-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-37-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-35-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-23-0x0000000002460000-0x000000000247C000-memory.dmp

Filesize
112KB

Download
memory/3240-31-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-29-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-27-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-25-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-24-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/3240-21-0x0000000002220000-0x000000000223E000-memory.dmp

Filesize
120KB

Download
memory/5056-56-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/5056-57-0x00000000059B0000-0x0000000005FC8000-memory.dmp

Filesize
6.1MB

Download
memory/5056-58-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/5056-59-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/5056-60-0x0000000005400000-0x000000000543C000-memory.dmp

Filesize
240KB

Download
memory/5056-61-0x0000000005440000-0x000000000548C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads