redline | 69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7

General

Target

69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe
Size

1.1MB
MD5

a3fd68414dbcf3a3e5d21dfcc9dd5048
SHA1

82c7568bd65bbb23858b9d4f013f3776db81aee1
SHA256

69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7
SHA512

33641391d1f5b0b7d2f3a15800db4e1cc475f9d2c5f6bb8bfeb68b66236cf89eb49190b2749eba2ffe94793cebc054235aa886f2a39db89e60a07d9b7e487dff
SSDEEP

24576:ZyGqwwmfkZzAZAFkoJWemzXzaaAdm95xy4wnaqaZu:MGqufk6AFkO+zDaa6m9ny4+e

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k7496064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7496064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7496064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7496064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7496064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7496064.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c7f-54.dat	family_redline
behavioral1/memory/5012-56-0x0000000000380000-0x00000000003AA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
348	y4780143.exe
2648	y5623661.exe
1896	k7496064.exe
5012	l4237089.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7496064.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7496064.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4780143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5623661.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5623661.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k7496064.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4237089.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y4780143.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	k7496064.exe
1896	k7496064.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	k7496064.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 348	4376	69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe	85
PID 4376 wrote to memory of 348	4376	69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe	85
PID 4376 wrote to memory of 348	4376	69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe	85
PID 348 wrote to memory of 2648	348	y4780143.exe	86
PID 348 wrote to memory of 2648	348	y4780143.exe	86
PID 348 wrote to memory of 2648	348	y4780143.exe	86
PID 2648 wrote to memory of 1896	2648	y5623661.exe	88
PID 2648 wrote to memory of 1896	2648	y5623661.exe	88
PID 2648 wrote to memory of 1896	2648	y5623661.exe	88
PID 2648 wrote to memory of 5012	2648	y5623661.exe	95
PID 2648 wrote to memory of 5012	2648	y5623661.exe	95
PID 2648 wrote to memory of 5012	2648	y5623661.exe	95

C:\Users\Admin\AppData\Local\Temp\69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe
"C:\Users\Admin\AppData\Local\Temp\69d5046bc0b69b064eeffb4208ef30cd5d527d660c91bccab3f79610f201e3f7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4780143.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4780143.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5623661.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5623661.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7496064.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7496064.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4237089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4237089.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4780143.exe

Filesize
749KB

MD5
9001a4e4cd7918dcf7663d28ab174af0

SHA1
838a800d63322ce8cd9f3084853db6136a06ca46

SHA256
dcc42802d6c822d427f050b124015719a070acb59a6a209690721e0f6c4d4a78

SHA512
4f355ec0d2d11790a428e406e6a82bd03ecf0bfee006bdbd6b4944b0a158dee8f8b734da3f74ced63c07bfb3b7846b521cd2edd8523a86ec1797591bd746c7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5623661.exe

Filesize
304KB

MD5
637dc9d02d158423cd0fd75477f074f9

SHA1
e1ddbf1e8d8dc138ed84bac26b142640db9ac463

SHA256
520adaa9734d1839fa1c9b0678631c01af48ca8db54a47bb4ab9f2f516f59e86

SHA512
0acff872e863879e20d065a2d30971776da9d81f32b1cb9f367f6d978fdd785a96164265917c03c6c3524c892c5498d690bab1fcd05af7d1b5ada2528791d329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k7496064.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4237089.exe

Filesize
145KB

MD5
4bb531ff128077e4f310a44f0a95faab

SHA1
9fc4195a2fd6d5dd193bed95413d81671ec02b08

SHA256
c8ac41f13ac658a82f5bc70c85911e4132a02ee0c8a3c9785a49e11d985ba737

SHA512
6e3d7927cab71e2e9ab21af160b49e0bf2b81259fbf105e2b85e07a06568d175f1837de1caf3fde461df65fd71e2d1b57f2e1a6863093e03de79b216ca60db7c

Download Submit
memory/1896-49-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-34-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-22-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/1896-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/1896-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1896-21-0x0000000002180000-0x000000000219E000-memory.dmp

Filesize
120KB

Download
memory/5012-56-0x0000000000380000-0x00000000003AA000-memory.dmp

Filesize
168KB

Download
memory/5012-57-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/5012-58-0x0000000004D10000-0x0000000004E1A000-memory.dmp

Filesize
1.0MB

Download
memory/5012-59-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/5012-60-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

Filesize
240KB

Download
memory/5012-61-0x0000000004E20000-0x0000000004E6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads