redline | 45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945

General

Target

45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe
Size

1.1MB
MD5

49c33b85a84e9821d5674350710c92b8
SHA1

2791f5b5c3cbcdb1a1b735ca89c07b6db3de033a
SHA256

45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945
SHA512

88cb5343d0fbf28ec013888e46b105920bbac8bf87c9081ba47046bd388e2ff9f0dde43dcbbb46b6bef705e3cdbf562f95f0dc018f2374ef85758ae8155d0da4
SSDEEP

24576:byWduDG1KS/hWuFkptd6NFfxjNQwvrERMK8xuECxiD:OquDGUSouFkrkNPNGxw9Cx

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k8122202.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8122202.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8122202.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8122202.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8122202.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8122202.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8122202.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5950845.exe	family_redline
behavioral1/memory/3904-56-0x0000000000670000-0x000000000069A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

y8535676.exey5277261.exek8122202.exel5950845.exe

pid process

1348 y8535676.exe
1056 y5277261.exe
628 k8122202.exe
3904 l5950845.exe

pid	process
1348	y8535676.exe
1056	y5277261.exe
628	k8122202.exe
3904	l5950845.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k8122202.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8122202.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8122202.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y5277261.exe45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exey8535676.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5277261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8535676.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

y8535676.exey5277261.exek8122202.exel5950845.exe45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8535676.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5277261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8122202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l5950845.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k8122202.exe

pid process

628 k8122202.exe
628 k8122202.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k8122202.exe

description pid process

Token: SeDebugPrivilege 628 k8122202.exe

pid	process
628	k8122202.exe
628	k8122202.exe

description	pid	process
Token: SeDebugPrivilege	628	k8122202.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exey8535676.exey5277261.exe

description	pid	process	target process
PID 4040 wrote to memory of 1348	4040	45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe	y8535676.exe
PID 4040 wrote to memory of 1348	4040	45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe	y8535676.exe
PID 4040 wrote to memory of 1348	4040	45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe	y8535676.exe
PID 1348 wrote to memory of 1056	1348	y8535676.exe	y5277261.exe
PID 1348 wrote to memory of 1056	1348	y8535676.exe	y5277261.exe
PID 1348 wrote to memory of 1056	1348	y8535676.exe	y5277261.exe
PID 1056 wrote to memory of 628	1056	y5277261.exe	k8122202.exe
PID 1056 wrote to memory of 628	1056	y5277261.exe	k8122202.exe
PID 1056 wrote to memory of 628	1056	y5277261.exe	k8122202.exe
PID 1056 wrote to memory of 3904	1056	y5277261.exe	l5950845.exe
PID 1056 wrote to memory of 3904	1056	y5277261.exe	l5950845.exe
PID 1056 wrote to memory of 3904	1056	y5277261.exe	l5950845.exe

C:\Users\Admin\AppData\Local\Temp\45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe
"C:\Users\Admin\AppData\Local\Temp\45533f0e97d182027461de3421456a7bef5b37315d494b4c1b6139f0cc7c7945.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8535676.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8535676.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5277261.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5277261.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8122202.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8122202.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5950845.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5950845.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8535676.exe

Filesize
749KB

MD5
33ddcb2feb3afa90f5a66e71b42d3b88

SHA1
78584737fdbcfd2875cec29eab9522c499cfc7fd

SHA256
1c55e95e56211602a924174bee584d8794122c854c2117bb0455793e92e9af07

SHA512
3e364ede8a8d8f2596b5f614c43c341cf126dae9d33305e223d0dd58dd24f22be561ecf961ee35368779d79f4bd8b81716fbd20bf7d635220818e4e3dfe10d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5277261.exe

Filesize
304KB

MD5
fe7ebf2396deb143ea3635086df611f9

SHA1
abe837773a384eb07fcf19f99550e5608bfd169e

SHA256
cd3ce0b580e066ee5c66cdaf74cf49045c58484aeaed197175b7e6c152d37079

SHA512
9c9a05bb406ef956d72dd6f489d70283d73e7667a976e05242c8dbd38117a43275e1cc3234cfb608f207f5678f212fe84fe313f77cbd86fbe6394c9a870a4e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8122202.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5950845.exe

Filesize
145KB

MD5
b3dcd804e5f238e4568a442e237378b7

SHA1
bdc4b9cc999807f5643551393ee06a8f5415c3b1

SHA256
e93225163a61b5f9356b67a788d4a8c664930298ae0cce326ebabce7c8eac8f2

SHA512
f670a3c2b11f216ab86dc6661149691a7b6ad0bce50a4e0530aa7f7bdbf096b98c83c26396fc96405b18e3d019c898ef87f6e3bbd3b4d9a8e2e1931f0333a2ff

Download Submit
memory/628-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-22-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/628-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-46-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/628-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/628-21-0x0000000002100000-0x000000000211E000-memory.dmp

Filesize
120KB

Download
memory/3904-56-0x0000000000670000-0x000000000069A000-memory.dmp

Filesize
168KB

Download
memory/3904-57-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/3904-58-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/3904-59-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/3904-60-0x0000000004F90000-0x0000000004FCC000-memory.dmp

Filesize
240KB

Download
memory/3904-61-0x0000000005110000-0x000000000515C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads