redline | 4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2

General

Target

4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe
Size

1.1MB
MD5

093d3dd55c4248854181576cb3ed94fd
SHA1

3232a0e657e2c12fa7056c742c7622c3973a4023
SHA256

4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2
SHA512

57621fdedeee9bc71a9d85340aa3c1ac73e36cc1ea4ba4da9bbfc199b7ccc2d811c287ac8489498933afc99be96c65fdd86b6c5ac371254c30b18a79794591da
SSDEEP

24576:hyCst2MPEGg9LijrW2Sr9Tafha5oSgTXc/OgmnWBn2qZMecxrD67:UCst2MPEGg9LX2Sr9TEhaqSkgnLBn2Mj

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4891307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4891307.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4891307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4891307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4891307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4891307.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb8-54.dat	family_redline
behavioral1/memory/3732-56-0x00000000005E0000-0x000000000060A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1752	y8471253.exe
212	y5212442.exe
1912	k4891307.exe
3732	l4698387.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4891307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4891307.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8471253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5212442.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4891307.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4698387.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8471253.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5212442.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1912	k4891307.exe
1912	k4891307.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	k4891307.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1752	736	4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe	83
PID 736 wrote to memory of 1752	736	4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe	83
PID 736 wrote to memory of 1752	736	4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe	83
PID 1752 wrote to memory of 212	1752	y8471253.exe	85
PID 1752 wrote to memory of 212	1752	y8471253.exe	85
PID 1752 wrote to memory of 212	1752	y8471253.exe	85
PID 212 wrote to memory of 1912	212	y5212442.exe	86
PID 212 wrote to memory of 1912	212	y5212442.exe	86
PID 212 wrote to memory of 1912	212	y5212442.exe	86
PID 212 wrote to memory of 3732	212	y5212442.exe	96
PID 212 wrote to memory of 3732	212	y5212442.exe	96
PID 212 wrote to memory of 3732	212	y5212442.exe	96

C:\Users\Admin\AppData\Local\Temp\4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe
"C:\Users\Admin\AppData\Local\Temp\4bad89428f866849e45904254b49dcb2eb4d780ebde5b61d2ca490b31d6269f2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8471253.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8471253.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5212442.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5212442.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4891307.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4891307.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4698387.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4698387.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8471253.exe

Filesize
750KB

MD5
12e1234e7da653cf57fcbc705987f3ae

SHA1
8fbb76342a8cf1a69e40d1405a695d15f76ae97b

SHA256
18e906f833763d9d3f94c3d65f961d3d958f7b0f26216409bcf9ce80f7ef5b4c

SHA512
5c6dc66bc0fee72a41285210ce807396a340bb91eda2fcdc355d4239a13deda35bef22ccb2a35def55e1ac8c8384c0a8dab69935ae5d255d310bbd00bdb14a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5212442.exe

Filesize
305KB

MD5
14179785c6eba00089bde3cbce5513e3

SHA1
5b35706e0bd526b37840245bb4548586a2f4df6a

SHA256
f62ffd50179271eba707d660fd16a0b9028ba4263b5dd7c0d536e9a5f66858b9

SHA512
427d89b551ac58a1fdb3f8b7a36e7bec5acec63de9bcc7a23b04d043cea4fe941653b244bddca445ffcdd9160002daffce1779753539365e49c5d7128ba4922f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4891307.exe

Filesize
183KB

MD5
d18dd7e957d8eab39abe21eefd498331

SHA1
2d7b11252dbb1ed8cefff8d63d447b0f697a0060

SHA256
57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

SHA512
c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4698387.exe

Filesize
145KB

MD5
253a1647d45629701059d825c6d14b8a

SHA1
95948d0f3377e5fc9feac7a070923a19697ab110

SHA256
d5984e73cf01d87d65ce9caa2ccd1d560a70b7d7ec3131368bb2278e93590a48

SHA512
16d252101937a61f07b1b2fdaefdaabbb4ce0e2c41d9c0b22e22911861bd00865f2bec568855515b38be2fe7554be6141b03e5185c5844f37883dd8ab0a617e8

Download Submit
memory/1912-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-22-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/1912-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-30-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1912-21-0x0000000002580000-0x000000000259E000-memory.dmp

Filesize
120KB

Download
memory/3732-56-0x00000000005E0000-0x000000000060A000-memory.dmp

Filesize
168KB

Download
memory/3732-57-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/3732-58-0x0000000004F70000-0x000000000507A000-memory.dmp

Filesize
1.0MB

Download
memory/3732-59-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/3732-60-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/3732-61-0x0000000005080000-0x00000000050CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads