redline | 1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d

General

Target

1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe
Size

1.1MB
MD5

5eaaa24dceadaa18668e1fb6ff6a84df
SHA1

44a1a8ba0d8554dd4da8052fefda51982c39c80d
SHA256

1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d
SHA512

a6083359b11e8f28d9fbdc46ca34af016cee8c289564c47fac552f2eb298b63a57f1230b34daeebd8213c2560ec4fc48eb4923bb07faa660884bfb2a75f011d6
SSDEEP

24576:iyZfA8Wxe43bE0g9M0UoImR/2ms5lXhT8VKZ91jMd/B:JS5s0E0g9M0UMpO58VK/1gd

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k9092469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k9092469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k9092469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k9092469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k9092469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k9092469.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca8-54.dat	family_redline
behavioral1/memory/2400-56-0x0000000000B10000-0x0000000000B3A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3980	y9491122.exe
872	y4704657.exe
736	k9092469.exe
2400	l2074779.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k9092469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k9092469.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9491122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4704657.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9491122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y4704657.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k9092469.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l2074779.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
736	k9092469.exe
736	k9092469.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	k9092469.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3980	3060	1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe	84
PID 3060 wrote to memory of 3980	3060	1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe	84
PID 3060 wrote to memory of 3980	3060	1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe	84
PID 3980 wrote to memory of 872	3980	y9491122.exe	85
PID 3980 wrote to memory of 872	3980	y9491122.exe	85
PID 3980 wrote to memory of 872	3980	y9491122.exe	85
PID 872 wrote to memory of 736	872	y4704657.exe	87
PID 872 wrote to memory of 736	872	y4704657.exe	87
PID 872 wrote to memory of 736	872	y4704657.exe	87
PID 872 wrote to memory of 2400	872	y4704657.exe	93
PID 872 wrote to memory of 2400	872	y4704657.exe	93
PID 872 wrote to memory of 2400	872	y4704657.exe	93

C:\Users\Admin\AppData\Local\Temp\1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe
"C:\Users\Admin\AppData\Local\Temp\1967152872436f4ed9b38275d2dac98199c2ff1f473e1eac47a281c060926e0d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9491122.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9491122.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4704657.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4704657.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9092469.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9092469.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2074779.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2074779.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9491122.exe

Filesize
748KB

MD5
24ea58ec6ddf5c8c7d3dc754cd42dc2b

SHA1
503dd09035505712f982776f899fe41630885e2d

SHA256
5e2ab36d249a5e5307a89315b6aaad20c6e1cd53929c774df92633cc6d2f778d

SHA512
f56e062fecf18acdabbed18a02c3b9afb69ff7910b223f7b1c7ec934ec78645007b520201370caac8375bea3177f17cfff12e3b1369d9659e5e35b6d62091dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4704657.exe

Filesize
305KB

MD5
3e87dd6d18f7dc5742a6e487f0258544

SHA1
390a16257d24f8cb776f8ea092cf51600e61c697

SHA256
d14400499e38e470710618847baae48d5d890e1b0878d1d911a6b4f553166e02

SHA512
b37f96d27115b7cdba0ccf1432e9a8b9be7127d5f2fc0b590abd20c748f863a41bf88eb0ae7b023bd0656c0ea0885358365bada1342bc3f0c36705f12349b1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9092469.exe

Filesize
183KB

MD5
d18dd7e957d8eab39abe21eefd498331

SHA1
2d7b11252dbb1ed8cefff8d63d447b0f697a0060

SHA256
57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

SHA512
c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2074779.exe

Filesize
145KB

MD5
ea19f3278691260e5c816a12dd198641

SHA1
a1ff73356e6891a921fc6907855a7492e6d8ddcd

SHA256
4fa7652f1804de185a2fe76c8eb58258ca6a3dbfaa56d1f274920998eb6a5bc9

SHA512
7224292dfe055a79f1fdee1db8a706befda7a984725415a8237cce323dade9d37a64d2d5d631a1ab397672bf845fe9365668b56855845b5f3fbf9df4b91063cf

Download Submit
memory/736-41-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-36-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-29-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-22-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/736-51-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-49-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-47-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-45-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-43-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-40-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-37-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-23-0x00000000023A0000-0x00000000023BC000-memory.dmp

Filesize
112KB

Download
memory/736-33-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-31-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-27-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-25-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-24-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/736-21-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/2400-56-0x0000000000B10000-0x0000000000B3A000-memory.dmp

Filesize
168KB

Download
memory/2400-57-0x0000000005920000-0x0000000005F38000-memory.dmp

Filesize
6.1MB

Download
memory/2400-58-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/2400-59-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/2400-60-0x0000000005430000-0x000000000546C000-memory.dmp

Filesize
240KB

Download
memory/2400-61-0x00000000055B0000-0x00000000055FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads