redline | 4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce

General

Target

4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe
Size

1.1MB
MD5

9c001ed62a2b63cb1f3d32867c26962c
SHA1

bf65d16e9c64adc0e888093d941401ae4e203625
SHA256

4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce
SHA512

b5780eb22352c0cb5f0cca33c4df4c06e4f33a8fd7f26fc0400f5d1b5b2a509dd6ea11b1ed18ffde51c6c5148794229800670ad470dbcc84d7e6bb2993dbacdb
SSDEEP

24576:wyTsNHziTfFkX31FiBAXnLULiNqxQD13N0fZhQhTy4oACdIwoD:3g50fFkX3KBAXLUxQD1Ev8ePO

Score

10^/10

redline masta discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masta

C2

185.161.248.75:4132

Attributes

auth_value
57f23b6b74d0f680c5a0c8ac9f52bd75

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6396647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6396647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6396647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6396647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6396647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6396647.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000023adf-54.dat	family_redline
behavioral1/memory/5008-56-0x0000000000860000-0x000000000088A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3484	v5679298.exe
3232	v6840782.exe
1668	a6396647.exe
5008	b8839076.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6396647.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6396647.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5679298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6840782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5679298.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6840782.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6396647.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8839076.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	a6396647.exe
1668	a6396647.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	a6396647.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 3484	3848	4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe	84
PID 3848 wrote to memory of 3484	3848	4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe	84
PID 3848 wrote to memory of 3484	3848	4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe	84
PID 3484 wrote to memory of 3232	3484	v5679298.exe	85
PID 3484 wrote to memory of 3232	3484	v5679298.exe	85
PID 3484 wrote to memory of 3232	3484	v5679298.exe	85
PID 3232 wrote to memory of 1668	3232	v6840782.exe	87
PID 3232 wrote to memory of 1668	3232	v6840782.exe	87
PID 3232 wrote to memory of 1668	3232	v6840782.exe	87
PID 3232 wrote to memory of 5008	3232	v6840782.exe	96
PID 3232 wrote to memory of 5008	3232	v6840782.exe	96
PID 3232 wrote to memory of 5008	3232	v6840782.exe	96

C:\Users\Admin\AppData\Local\Temp\4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe
"C:\Users\Admin\AppData\Local\Temp\4a9e1c7d8047242a7e39a0468aa60b362bc9b0b219229902d1f855254e9fe6ce.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5679298.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5679298.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6840782.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6840782.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6396647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6396647.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8839076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8839076.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5679298.exe

Filesize
749KB

MD5
8d035d67a03718eae9cd788b6ca249c3

SHA1
7331e66bde3d3c67d8fe0cb8ece78ab47f324835

SHA256
0179fddfa7fc43a18852d9d000b4e1ea40974667ceec5e70c258d18049a5178c

SHA512
ea59a42e40ae95d11222de1919cce116134c5294fe7ac94d57f3d4fbc6fe7cf8e4fa7c91467aa539d08291b3b7949d7cbd7ad2b41a1a33fa6dafbcc7b9817cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6840782.exe

Filesize
304KB

MD5
a5695e536aed62a7fc9df47a4fa7773d

SHA1
a2bf1ef97fc64b049c0408a7aeb3edefcd22c9ce

SHA256
ec7af1d73852d697634ed900e4ff3c321eff0b671c41bac329e88114e1d246c9

SHA512
7e50370d701d831a1f64c41bb4a23079184b949c158eb6d6bab36dea32461bdfec17ef11edf7bcc97720ccfa3c0c96163f7afda94044c86de67700c62a9d5dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6396647.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8839076.exe

Filesize
145KB

MD5
55b53b233afa1061b409ec921fa429f3

SHA1
4bf0e73b4fafce9448bbb429174290b9568561ba

SHA256
3f2c8375ef47579e5295717e4d9deaa7572dcdc2174617dc4f5d7b72305c02b8

SHA512
33ed98707b1ddd3568218f50c17fd1a740689a359b6b5501a18c7cc078121e219b3b02cde88bfe453100a3458ff8b9ace8e486a295b4652b8d51821ff455994c

Download Submit
memory/1668-33-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-35-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-29-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-22-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/1668-51-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-47-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-45-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-43-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-41-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-39-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-37-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-23-0x0000000002210000-0x000000000222C000-memory.dmp

Filesize
112KB

Download
memory/1668-31-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-25-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-49-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-24-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-27-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1668-21-0x0000000002160000-0x000000000217E000-memory.dmp

Filesize
120KB

Download
memory/5008-56-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/5008-57-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/5008-58-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/5008-59-0x0000000005130000-0x0000000005142000-memory.dmp

Filesize
72KB

Download
memory/5008-60-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/5008-61-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads