redline | 83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380

General

Target

83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe
Size

1.1MB
MD5

d9eb77ee6e79d2fb87fe1ebd50c019d8
SHA1

7b338160c3998de27fde26692543f0b4613bad7f
SHA256

83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380
SHA512

2282a681a3d838b059975d7d9115aeae99db509fb88ebe7e9879d9dd0ccd3247f7722b0c8809742f6689b97e94ecfd599dd066b9ed7246a327ebc3c872e97e4d
SSDEEP

24576:xyZ9sSMmSEDA5EDFkVMi1qy/boG9kEC87m1YgN+97KM2LnN9B:kvsSLE5EDFkqi1hEsV70P+zmN9

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k8812027.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8812027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8812027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8812027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8812027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8812027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8812027.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023ca3-54.dat	family_redline
behavioral1/memory/1732-56-0x0000000000D60000-0x0000000000D8A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

Processes:

y6347240.exey6048186.exek8812027.exel7432960.exe

pid	Process
4988	y6347240.exe
4804	y6048186.exe
3272	k8812027.exe
1732	l7432960.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k8812027.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8812027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8812027.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exey6347240.exey6048186.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6347240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6048186.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exey6347240.exey6048186.exek8812027.exel7432960.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6347240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6048186.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8812027.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l7432960.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k8812027.exe

pid	Process
3272	k8812027.exe
3272	k8812027.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k8812027.exe

description	pid	Process
Token: SeDebugPrivilege	3272	k8812027.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exey6347240.exey6048186.exe

description	pid	Process	procid_target
PID 1824 wrote to memory of 4988	1824	83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe	84
PID 1824 wrote to memory of 4988	1824	83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe	84
PID 1824 wrote to memory of 4988	1824	83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe	84
PID 4988 wrote to memory of 4804	4988	y6347240.exe	85
PID 4988 wrote to memory of 4804	4988	y6347240.exe	85
PID 4988 wrote to memory of 4804	4988	y6347240.exe	85
PID 4804 wrote to memory of 3272	4804	y6048186.exe	86
PID 4804 wrote to memory of 3272	4804	y6048186.exe	86
PID 4804 wrote to memory of 3272	4804	y6048186.exe	86
PID 4804 wrote to memory of 1732	4804	y6048186.exe	89
PID 4804 wrote to memory of 1732	4804	y6048186.exe	89
PID 4804 wrote to memory of 1732	4804	y6048186.exe	89

C:\Users\Admin\AppData\Local\Temp\83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe
"C:\Users\Admin\AppData\Local\Temp\83539a427d24f67bafdbfebc984a3fa054218a35b1c313ce3a55b57ddcab0380.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6347240.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6347240.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6048186.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6048186.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8812027.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8812027.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7432960.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7432960.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6347240.exe

Filesize
748KB

MD5
e97a855d8d105d6cb734959f48d2732a

SHA1
cdbd23d5863f1096b36de771e843d14a7dc70074

SHA256
835a9f69a7f5f125297c2e6d16c64ffb95938358959e33be2fd0a27d20963a51

SHA512
394577dfba5a6a5375f6b8371a8b7ad5ac6551e96a7b34c7ba8e0243a2dafebcbb615512816c889a9d2c5ab6d80cf5a0e3917e141c7d48e94fa721f299f6b8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6048186.exe

Filesize
304KB

MD5
4fbe345c59ea67982d4f6428686552e5

SHA1
b06ab27e7c75e3afce551dfe1c2bba1a9c425218

SHA256
781a424a698ce9eccf7e0dbf95b19de1b85c7c3fea4ded02dbabe2a325040dd8

SHA512
c47d95356adc67a6e1a9ac919e796367d9f62c086bedbd88dad00762bae98409ab75308d4cd4c4c402c7f061effb9b70ff9e9daa8b2c5a6d8d5c082bdc20af1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8812027.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7432960.exe

Filesize
145KB

MD5
0ab663ea269c40327a61202f1244b93e

SHA1
fcc4382c6c519ceffeea57f0a1f8559475178733

SHA256
47579646e9b9879be7aa8491510b72ac8b4a5189ed201993f29bd945661e3a21

SHA512
b263caf890dff45f71f7adc378fe66e8818d956bb1d8fe73cb60e6e6f713ab5a6e825b261d8ea21763aff4abf7d3f382060b391828ce09e15c24f63772c554dc

Download Submit
memory/1732-61-0x0000000005800000-0x000000000584C000-memory.dmp

Filesize
304KB

Download
memory/1732-60-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/1732-59-0x0000000005620000-0x0000000005632000-memory.dmp

Filesize
72KB

Download
memory/1732-58-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/1732-57-0x0000000005B90000-0x00000000061A8000-memory.dmp

Filesize
6.1MB

Download
memory/1732-56-0x0000000000D60000-0x0000000000D8A000-memory.dmp

Filesize
168KB

Download
memory/3272-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-37-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-43-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-41-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-39-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-29-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-27-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-25-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-24-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-45-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-35-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-47-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-49-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-51-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-33-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3272-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/3272-22-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/3272-21-0x00000000023A0000-0x00000000023BE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads