redline | 4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1

General

Target

4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe
Size

1.1MB
MD5

7bdb2d08182b4f2da77d04d7f7e19a82
SHA1

a28a0f73f723dfcc9a2086290512a8f6f950cdca
SHA256

4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1
SHA512

01329b6dc46423d8a8c1a712cbee6202c2569103cb7839dec8bc7a910140ce3aefc864bc78f9f266691efd182856dddd8a67854291f94c134b8823685ebc51cf
SSDEEP

24576:9ywp34KW/BtBsdC9iVFkOSLb8zaLew1DJpECmRzNAhF5poCt:YMVEms9iVFkOWb8S/J5mRziRpD

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8651301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8651301.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8651301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8651301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8651301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8651301.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b6e-54.dat	family_redline
behavioral1/memory/3924-56-0x0000000000280000-0x00000000002AA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
740	y8973665.exe
4936	y4659353.exe
1628	k8651301.exe
3924	l4216508.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8651301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8651301.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8973665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4659353.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8973665.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y4659353.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8651301.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4216508.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	k8651301.exe
1628	k8651301.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	k8651301.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 740	4148	4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe	85
PID 4148 wrote to memory of 740	4148	4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe	85
PID 4148 wrote to memory of 740	4148	4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe	85
PID 740 wrote to memory of 4936	740	y8973665.exe	86
PID 740 wrote to memory of 4936	740	y8973665.exe	86
PID 740 wrote to memory of 4936	740	y8973665.exe	86
PID 4936 wrote to memory of 1628	4936	y4659353.exe	87
PID 4936 wrote to memory of 1628	4936	y4659353.exe	87
PID 4936 wrote to memory of 1628	4936	y4659353.exe	87
PID 4936 wrote to memory of 3924	4936	y4659353.exe	93
PID 4936 wrote to memory of 3924	4936	y4659353.exe	93
PID 4936 wrote to memory of 3924	4936	y4659353.exe	93

C:\Users\Admin\AppData\Local\Temp\4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe
"C:\Users\Admin\AppData\Local\Temp\4c900573993862c4d460d3e6090514da84aa3d08cf439cff41b90655620db9b1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8973665.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8973665.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4659353.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4659353.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8651301.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8651301.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4216508.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4216508.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8973665.exe

Filesize
748KB

MD5
a39e87b56aac36b22a0548f884019617

SHA1
1df429fd566c64fabe2d84d7f9a928d20013cfd1

SHA256
e43843755cf8364cc82399ebdded87d5981382b0c7448b3235571b7733412a0b

SHA512
56e379b6b547f331124b416c6cdb3befe9f05e6693d080a37f35a517a259dccc00d14c473df5f1a81f6999ab5018a163e0e42989e44afa1cb190132af87ab7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4659353.exe

Filesize
304KB

MD5
ce09fb222f0df0d9b593cc711928c981

SHA1
47ba5171a6a114ae1a8e6c8c8c7538c1185ec0d1

SHA256
1cc2a8d4b8b8ec90840a0f458da8232a42efbbcc7fa787bf091c2f368a48f392

SHA512
37fccebdd67aaff47b0fcabe6d8f42dcc4e567fb9ed4ce026acbc711a41ee8f89e35dc32d233652c83c2a0b7a31cff51b8729e70b353d807875ba55efa36fd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8651301.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4216508.exe

Filesize
145KB

MD5
a55b82a17e30b6474da00231d551248e

SHA1
dc76e914c4b5fb6703037416ad97aabcabd575bd

SHA256
cb0b5d15c901d4796f10e2a355873da257d3d2edf257496add3a0a3425b7e6f6

SHA512
fe3538e9efffa03c9ebe1fbb20dd5cb4e90058c50b7c1c7118f47a673a505489b9b4cf67de02b5a4c5dcb1da731a5518157f9dcc6da122f87d9816130e6bd3ae

Download Submit
memory/1628-51-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-31-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-49-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-22-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1628-47-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-46-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-43-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-41-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-39-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-37-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-35-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-23-0x0000000002480000-0x000000000249C000-memory.dmp

Filesize
112KB

Download
memory/1628-29-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-27-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-25-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-24-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-33-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/1628-21-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/3924-56-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/3924-57-0x0000000005090000-0x00000000056A8000-memory.dmp

Filesize
6.1MB

Download
memory/3924-58-0x0000000004C10000-0x0000000004D1A000-memory.dmp

Filesize
1.0MB

Download
memory/3924-59-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/3924-60-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

Filesize
240KB

Download
memory/3924-61-0x0000000004D20000-0x0000000004D6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads