redline | 41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141

General

Target

41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe
Size

1.1MB
MD5

a392627dc118160e51286076a7f64999
SHA1

e145f5cc5b1818be16907dce532b6a1f92fd19dc
SHA256

41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141
SHA512

04bdc0bbfdfcb7a267be16090b074c41fa6445a8ac96d5ad897ecd95f20b8b9ca84f3ddf848bf78f8b64254f68e29c5248b695dcdcdc26f83e8712bc44d79d0a
SSDEEP

24576:Ky9fJ8nAWXBVnnp+JnMsdpYZH8l2IWdUvRu519CmTMDkusc:R9fJ7WXnp+JnMQq25A9xMDQ

Score

10^/10

redline dogma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dogma

C2

185.161.248.75:4132

Attributes

auth_value
d6c5d36e9aa03c956dc76aa0fcbe3639

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1902040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1902040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1902040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1902040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1902040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1902040.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b80-54.dat	family_redline
behavioral1/memory/2008-56-0x0000000000030000-0x000000000005A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4748	y6688947.exe
2440	y9074506.exe
3728	k1902040.exe
2008	l4460516.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1902040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1902040.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6688947.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9074506.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2816	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1902040.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4460516.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6688947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9074506.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3728	k1902040.exe
3728	k1902040.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	k1902040.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4748	3316	41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe	85
PID 3316 wrote to memory of 4748	3316	41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe	85
PID 3316 wrote to memory of 4748	3316	41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe	85
PID 4748 wrote to memory of 2440	4748	y6688947.exe	86
PID 4748 wrote to memory of 2440	4748	y6688947.exe	86
PID 4748 wrote to memory of 2440	4748	y6688947.exe	86
PID 2440 wrote to memory of 3728	2440	y9074506.exe	88
PID 2440 wrote to memory of 3728	2440	y9074506.exe	88
PID 2440 wrote to memory of 3728	2440	y9074506.exe	88
PID 2440 wrote to memory of 2008	2440	y9074506.exe	98
PID 2440 wrote to memory of 2008	2440	y9074506.exe	98
PID 2440 wrote to memory of 2008	2440	y9074506.exe	98

C:\Users\Admin\AppData\Local\Temp\41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe
"C:\Users\Admin\AppData\Local\Temp\41e0eac2cb5e52222d91a27c0c26b7283321bc9e329126fbba1fa30b70ef9141.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6688947.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6688947.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9074506.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9074506.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1902040.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1902040.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4460516.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4460516.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2008

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6688947.exe

Filesize
751KB

MD5
1ade5507d4c7e4642a2f551a53e53f55

SHA1
92f7bd2f9b5adf7856309b26a2eabafde489b2c0

SHA256
07bc08027fcd2366316f9cecfcf6f56d32b5212463aec7a9d3b15d30ef049fce

SHA512
d4b9fa83ac898c37710b3a09bddbb947d8429b4ba1a804aad11457f6ffcae1f1b5d447b87b3ac066d50e518697875a6c7cbb4e745972747930d047b6a7e78f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9074506.exe

Filesize
306KB

MD5
4b43f89a4648c7ab36379d457f823ca0

SHA1
96cc289dfa3219100ccbce2474dbc8e13ef947ee

SHA256
9e2cbd5e90497be953e1cca0aea5fe269bb74b4f74f1008e78c830b4f608bff5

SHA512
f420cf7e40d21036863eaca1631e9727ac1af44e2be3acf3b9beb64badbc832fcfae14d6b9c1e2689a22cba11e98a9fc1e8c0a881bd4ad5c09296ece49d94210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1902040.exe

Filesize
185KB

MD5
0b0ca6215535e08756ced876c69aeea7

SHA1
ad734e855c7e5de7061bd959a08633c5bac291f3

SHA256
9a150506673ab4813fb211f6a4a173532c9de934ba2c12537497e10a1faf9043

SHA512
ea035dd0b46bcb430f71af6cb568c77f6dc861e4528539558b83cfaf37c64784231eaff20e38cd7a421bd77b86945a68f5956ac92206117de857440274affd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4460516.exe

Filesize
145KB

MD5
503537f291c6f661e4842d977b4346f1

SHA1
0d00652a5f7ef88e2a2d44e22f0d6b80347485a1

SHA256
70b8838f61adcff246619e0e5fd48baaa6fda0ae68b10fce3ce3f19f96ba2f4c

SHA512
3a33fdb012ad7f7ea6c833abd7a8cd0d436f7d3cf9e4292d58b81c4046c469fd803419ce23d7d758edfd4a94f9d44a1524ab00fbafd695063c58ed8da07ca16e

Download Submit
memory/2008-61-0x0000000004910000-0x000000000495C000-memory.dmp

Filesize
304KB

Download
memory/2008-60-0x0000000004AD0000-0x0000000004B0C000-memory.dmp

Filesize
240KB

Download
memory/2008-59-0x00000000048F0000-0x0000000004902000-memory.dmp

Filesize
72KB

Download
memory/2008-58-0x00000000049C0000-0x0000000004ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2008-57-0x0000000004E40000-0x0000000005458000-memory.dmp

Filesize
6.1MB

Download
memory/2008-56-0x0000000000030000-0x000000000005A000-memory.dmp

Filesize
168KB

Download
memory/3728-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-40-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-38-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-28-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-49-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3728-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/3728-22-0x00000000049C0000-0x0000000004F64000-memory.dmp

Filesize
5.6MB

Download
memory/3728-21-0x00000000008D0000-0x00000000008EE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads