redline | e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6

General

Target

e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe
Size

1.1MB
MD5

3512d01baab3d3da2219ae03e13e7794
SHA1

04e1f7363405d286bcdea5f0425df2bbcb3eefa8
SHA256

e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6
SHA512

2f0c1875c6322d2c824f041c71dc4b113705dc57f8e054001c03a52f04d4ca88d85dba52793cf676a0b8c8f82d7ac0f3f71ab26d60f645435d93b2ef78290f30
SSDEEP

24576:QyBtCAfFt6E+SCbzFklFUleKlCmRDaEfifocK3LY:XBRz1CbzFklWlHlXR+7QcuL

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k9382580.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9382580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9382580.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k9382580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9382580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9382580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9382580.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023cc5-54.dat	family_redline
behavioral1/memory/3724-56-0x0000000000BB0000-0x0000000000BDA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

Processes:

y7773299.exey9317453.exek9382580.exel9572371.exe

pid	Process
4400	y7773299.exe
1292	y9317453.exe
4796	k9382580.exe
3724	l9572371.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k9382580.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9382580.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k9382580.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exey7773299.exey9317453.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7773299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9317453.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

y9317453.exek9382580.exel9572371.exee89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exey7773299.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9317453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k9382580.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l9572371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7773299.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k9382580.exe

pid	Process
4796	k9382580.exe
4796	k9382580.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k9382580.exe

description	pid	Process
Token: SeDebugPrivilege	4796	k9382580.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exey7773299.exey9317453.exe

description	pid	Process	procid_target
PID 460 wrote to memory of 4400	460	e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe	83
PID 460 wrote to memory of 4400	460	e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe	83
PID 460 wrote to memory of 4400	460	e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe	83
PID 4400 wrote to memory of 1292	4400	y7773299.exe	85
PID 4400 wrote to memory of 1292	4400	y7773299.exe	85
PID 4400 wrote to memory of 1292	4400	y7773299.exe	85
PID 1292 wrote to memory of 4796	1292	y9317453.exe	86
PID 1292 wrote to memory of 4796	1292	y9317453.exe	86
PID 1292 wrote to memory of 4796	1292	y9317453.exe	86
PID 1292 wrote to memory of 3724	1292	y9317453.exe	95
PID 1292 wrote to memory of 3724	1292	y9317453.exe	95
PID 1292 wrote to memory of 3724	1292	y9317453.exe	95

C:\Users\Admin\AppData\Local\Temp\e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe
"C:\Users\Admin\AppData\Local\Temp\e89afb9d648769916f8b523af396c23e9cf03f1e94439293b6ce794809463bd6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7773299.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7773299.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9317453.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9317453.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9382580.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9382580.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9572371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9572371.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7773299.exe

Filesize
752KB

MD5
a13be4f54480da10e87be8d43aaccc35

SHA1
d411c05c124b8f1f53caf075f2819a8a67624593

SHA256
1924f260786028f941cc57ea79e888e9164c59e758f14c8f21d0908bfb6a22f4

SHA512
ed7c91a114f3043282ab8cae2f090df5bd2217e66622e620aff19bc45fa74e2fe6f28f093d8c1ea8c372fc2872e2571f2d8c370efb7ae2995c8ee04bcb090e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9317453.exe

Filesize
304KB

MD5
734eb3405a99675677944fdf80ae11ef

SHA1
bfaea81fb48ae0d8bc4babd1ef6102b3d471ce58

SHA256
ca358381e7b166125e07e995f5e83996b9d469ce52ab668cb3de1a78c630e412

SHA512
23e6d92d94545a08b11937fe3587541187b704332a077fdd1212adcb5899849fea3ad6bd81829bc8429144f9aebb099f45723f13ee8f9a13786e8f32c755b20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9382580.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9572371.exe

Filesize
145KB

MD5
5781631841a31535fc5de5c8ef85df04

SHA1
419d96b5414db304812efe5481fe337d96a243bf

SHA256
84ea28e66bcd54d3d32d90da167b94d17a69ec0f7f5fc53ad518ec8b70c4d9b4

SHA512
d9514f9752bdaf63c89b10c0df2be29f8e2a95999fd4df5d5f0461aa3905c022e3897d60052be8ef3368fc1d7d5ef976a322b2b6575a462e3bb9e49029b1e561

Download Submit
memory/3724-61-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/3724-60-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/3724-59-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/3724-58-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/3724-57-0x0000000005B00000-0x0000000006118000-memory.dmp

Filesize
6.1MB

Download
memory/3724-56-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

Filesize
168KB

Download
memory/4796-51-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-25-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-41-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-39-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-37-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-33-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-29-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-27-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-43-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-24-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-45-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-47-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-49-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-35-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/4796-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/4796-22-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/4796-21-0x00000000023E0000-0x00000000023FE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads