redline | 7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf

General

Target

7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe
Size

1.1MB
MD5

1003bc90fe5d48bd554601f84568a802
SHA1

2b8dc7e2b5f7bd89f4958b9c3e4bda74ecd06d0b
SHA256

7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf
SHA512

98a694515b1486a15b8387d5edadf15f447b2955cdf5321e62d1121fa4bcef4dbe925c0bdd76b005f82f5c0a79fd44beddefc13397cf21886d6cc5bc6ed62397
SSDEEP

24576:PybCM0IPU3csd3tyQFkAO0n9Dea4x3BzKNvYpSjTqtE0m2qS:aOM0Is3vqQFkh0nIJDOD0z

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k3732679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3732679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3732679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3732679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3732679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3732679.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cdc-54.dat	family_redline
behavioral1/memory/4820-56-0x0000000000EF0000-0x0000000000F1A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
432	y9183766.exe
4604	y9455373.exe
4168	k3732679.exe
4820	l1889990.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k3732679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3732679.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9183766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9455373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9183766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9455373.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3732679.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1889990.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	k3732679.exe
4168	k3732679.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	k3732679.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 432	3064	7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe	85
PID 3064 wrote to memory of 432	3064	7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe	85
PID 3064 wrote to memory of 432	3064	7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe	85
PID 432 wrote to memory of 4604	432	y9183766.exe	86
PID 432 wrote to memory of 4604	432	y9183766.exe	86
PID 432 wrote to memory of 4604	432	y9183766.exe	86
PID 4604 wrote to memory of 4168	4604	y9455373.exe	88
PID 4604 wrote to memory of 4168	4604	y9455373.exe	88
PID 4604 wrote to memory of 4168	4604	y9455373.exe	88
PID 4604 wrote to memory of 4820	4604	y9455373.exe	98
PID 4604 wrote to memory of 4820	4604	y9455373.exe	98
PID 4604 wrote to memory of 4820	4604	y9455373.exe	98

C:\Users\Admin\AppData\Local\Temp\7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe
"C:\Users\Admin\AppData\Local\Temp\7aa66cd0bcc76f6c85319b710936a95b952c85b9174972f2b0f06784eb9ee4cf.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9183766.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9183766.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9455373.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9455373.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3732679.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3732679.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1889990.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1889990.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9183766.exe

Filesize
749KB

MD5
89d518c1e1b20b58ba1a0535d2ddc1d4

SHA1
0ef1ce4195eb8cd0583d62af7c6ef66327dcbf66

SHA256
ae676149c90a666140b8c4d23f53d90e6252378e6f2216f9a76f542bf73739c8

SHA512
3066649464c25c79b614634cdbb77311851f8ba4c816b368f428783e1681ce812ffff669cf2f5607f31218ccbd112c7f2bde49832a647483d640d429dcb47f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9455373.exe

Filesize
304KB

MD5
1094962ef10ae18e4ad7fa932dfa4e7b

SHA1
231087b110774562fe20917be9af03538f90ff94

SHA256
adae6b8313531c4322fb0f38a182d16cf434d239cb5d103ef7a83c5013f1aadf

SHA512
304c7a9948c4540b9b74eef236f099bb20bde672805aee43cd7c5a0df33dbe0370dbf24c1d0480eba1de50fe0deced06db35fa404e858fcd1612549278775538

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3732679.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1889990.exe

Filesize
145KB

MD5
157e6dbbab1b053c84c54f399533b1f4

SHA1
0c778132c72d1e1d46c84bebedd5f241d61867df

SHA256
d12c0fa0786937cb6381c4455b73be1f8baebb6f897c719706489e455a30e3f4

SHA512
0025cb2dba029a1732141aad024784aafffce62b38b642b7526d52a1afc7843b0838e2ef5188c0992482a4883f9926d889653c78615478ebdde88806a09763c8

Download Submit
memory/4168-49-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-29-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-51-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-22-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/4168-45-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-43-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-39-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-37-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-35-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-33-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-31-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-23-0x0000000002110000-0x000000000212C000-memory.dmp

Filesize
112KB

Download
memory/4168-27-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-25-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-24-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-47-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-41-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/4168-21-0x0000000002080000-0x000000000209E000-memory.dmp

Filesize
120KB

Download
memory/4820-56-0x0000000000EF0000-0x0000000000F1A000-memory.dmp

Filesize
168KB

Download
memory/4820-57-0x0000000005D00000-0x0000000006318000-memory.dmp

Filesize
6.1MB

Download
memory/4820-58-0x0000000005880000-0x000000000598A000-memory.dmp

Filesize
1.0MB

Download
memory/4820-59-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/4820-60-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/4820-61-0x0000000005990000-0x00000000059DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads