redline | 421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b

General

Target

421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe
Size

1.1MB
MD5

aa1091a5d64d8546644e51c23d172ce4
SHA1

c4ff45a85fa6338bf2735d96f1a60429d0e1b30c
SHA256

421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b
SHA512

238e4c3b24b45d20578996c65ded6971bc184cdabd1a856fec769913ded10033720182a36f99c3115fbf6af66b6815b07b940be3039cd8a39b86199c97bf0e52
SSDEEP

24576:Dy7T9aKzdUr7WFkiPEb8gLA0lcvUWUHq9AG0B84b+ZWfx:Wtp5E7WFk78gFlcvUWsr82+ZW

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k7548365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7548365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7548365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7548365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7548365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7548365.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b98-54.dat	family_redline
behavioral1/memory/2092-56-0x0000000000990000-0x00000000009BA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4068	y8088921.exe
3824	y7018916.exe
2056	k7548365.exe
2092	l7960837.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7548365.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7548365.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8088921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7018916.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8088921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7018916.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k7548365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l7960837.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	k7548365.exe
2056	k7548365.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	k7548365.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 4068	384	421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe	83
PID 384 wrote to memory of 4068	384	421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe	83
PID 384 wrote to memory of 4068	384	421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe	83
PID 4068 wrote to memory of 3824	4068	y8088921.exe	84
PID 4068 wrote to memory of 3824	4068	y8088921.exe	84
PID 4068 wrote to memory of 3824	4068	y8088921.exe	84
PID 3824 wrote to memory of 2056	3824	y7018916.exe	85
PID 3824 wrote to memory of 2056	3824	y7018916.exe	85
PID 3824 wrote to memory of 2056	3824	y7018916.exe	85
PID 3824 wrote to memory of 2092	3824	y7018916.exe	97
PID 3824 wrote to memory of 2092	3824	y7018916.exe	97
PID 3824 wrote to memory of 2092	3824	y7018916.exe	97

C:\Users\Admin\AppData\Local\Temp\421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe
"C:\Users\Admin\AppData\Local\Temp\421ccdf8a211f8c47743c32599ae4358d3ecbc0ed5a57156322527692e337c1b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8088921.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8088921.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7018916.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7018916.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7548365.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7548365.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7960837.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7960837.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8088921.exe

Filesize
748KB

MD5
d7fc9545e302938a8ec9f8ef07432526

SHA1
c30ab09448a48c8e45f481ce24dd9bfa2194974e

SHA256
5a4e8fe6a85c7431577f1cc51a07035ed55801342a0348f7437e611881585806

SHA512
2fccb5892eacb4ac7a5a8a6574361442808504ab4bd524751129d0314c148b8f2a3178c6169f574fba6ff460b525deec85bb053376394cb977f5cef3bc5c3209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7018916.exe

Filesize
304KB

MD5
554330801c03689ef6b39805f774a38c

SHA1
9a9622c556c2b8d83d029f4a3d45f51da41d4528

SHA256
9ea36ea52b48a3f9e12e497304a1d207332b2cda0e8636dd7cbb9b9ba23db8ac

SHA512
beef76ee2c85f29809d803e4c02eae3aecaecb838a6dedf28368efcb5749cc796818084cb66a05ab5c6f23db9589891f1ec119265011a1fc8e2377d8554782f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7548365.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7960837.exe

Filesize
145KB

MD5
dc4897439f1bd41b9a2d14707fe1b5b8

SHA1
84b6e05b70cda3518c50e7dcf1fdb5a274e284a6

SHA256
90232f6a4ffb2f0abb5801db1711307ff9bd0151b084ab2cceafb9cfff3a49a6

SHA512
b5293e4e1af0985a275951c3dbc22417046a4e9394fa070c794a8274cb18491ac111b457e68c68c91e359df49339d408a646ac71755e2541df30ea1500a384c1

Download Submit
memory/2056-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-22-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/2056-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-42-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/2056-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2056-21-0x00000000024D0000-0x00000000024EE000-memory.dmp

Filesize
120KB

Download
memory/2092-56-0x0000000000990000-0x00000000009BA000-memory.dmp

Filesize
168KB

Download
memory/2092-57-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/2092-58-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/2092-59-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/2092-60-0x0000000005400000-0x000000000543C000-memory.dmp

Filesize
240KB

Download
memory/2092-61-0x0000000005570000-0x00000000055BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads