redline | 138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86

General

Target

138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe
Size

1.1MB
MD5

dd42ea4b50fe981b21dfad3ef57d00ac
SHA1

3d669fabb05229f6f548580a1068196fd39d5a89
SHA256

138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86
SHA512

f9a8643e844b7be561a3d0dd516d57d2702e57cfd784289a3943e642b470e6406fed0b5e4bbd3d804e27befdd2144fba8887e0703b70c3e0a6419e2bf9fe069f
SSDEEP

24576:oyrQ8SDb5zg4FkaASxyZY+e9ceTSIm7mDlj41LaT9ftxb4U8:vrQ8SDb5U4FkaDxyZY+PuSP7mDl0wpfJ

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8306852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8306852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8306852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8306852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8306852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8306852.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b7a-54.dat	family_redline
behavioral1/memory/2908-56-0x0000000000A70000-0x0000000000A9A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4312	y6098314.exe
4512	y1157094.exe
4880	k8306852.exe
2908	l4925449.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8306852.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8306852.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6098314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1157094.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l4925449.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6098314.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1157094.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8306852.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4880	k8306852.exe
4880	k8306852.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	k8306852.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4312	3532	138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe	83
PID 3532 wrote to memory of 4312	3532	138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe	83
PID 3532 wrote to memory of 4312	3532	138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe	83
PID 4312 wrote to memory of 4512	4312	y6098314.exe	84
PID 4312 wrote to memory of 4512	4312	y6098314.exe	84
PID 4312 wrote to memory of 4512	4312	y6098314.exe	84
PID 4512 wrote to memory of 4880	4512	y1157094.exe	85
PID 4512 wrote to memory of 4880	4512	y1157094.exe	85
PID 4512 wrote to memory of 4880	4512	y1157094.exe	85
PID 4512 wrote to memory of 2908	4512	y1157094.exe	93
PID 4512 wrote to memory of 2908	4512	y1157094.exe	93
PID 4512 wrote to memory of 2908	4512	y1157094.exe	93

C:\Users\Admin\AppData\Local\Temp\138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe
"C:\Users\Admin\AppData\Local\Temp\138b12a61b355225f3f58e24129be621df2f25bd956282d0863d688102924c86.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6098314.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6098314.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1157094.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1157094.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8306852.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8306852.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4925449.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4925449.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6098314.exe

Filesize
749KB

MD5
70eb9153a5d38459b4c5816c8e0b23b3

SHA1
0df101269916741a72fd98832cf76a8621d7bc03

SHA256
a0f6ac77d0afc89d7ba66099614431e9ced2ed7fd61c3fffb80ee382181e5e8a

SHA512
3f5d51de9136bf455692207565ed56f3aa3775f0e47d58cd9e71e1578e50c30ac0310c6cf68eefb690af69b6ac858611c58955f1df8d3e25cca44c455461a0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1157094.exe

Filesize
304KB

MD5
b5873a2cec74f3305613f59fcdccfc75

SHA1
94636b27dd856ea0ba3c343b3b6df5b4498b6127

SHA256
df3e81675683f9772e2ad2cada51abc92d4c48246f66f0747b41055da2fff465

SHA512
490948c3b56df0b8690409e5ddd165d6ab545b3c2b74d1ba0571d1790dbfc9fa0d0861f56f60ee239ec91f60ba510937c2ab94d399a1188a3deaea0267ba68b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8306852.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4925449.exe

Filesize
145KB

MD5
c1ddac58513605bf07b7da124108f5f8

SHA1
1baf8bf62d0487144a090bc53f39d220472e7ecf

SHA256
9922f0c0f5fa861e776451247fb8020f3f89156310fb2018b5166818cda68934

SHA512
715ee77b5bc160d977cad75450b22ed1b9bdda6d6cd7071bfdaf1e316b6dd2fc15fceece0a1a0b5630f727b2e669cd6ad8547bdbbeccdfa4c6000d1832171d92

Download Submit
memory/2908-61-0x0000000005510000-0x000000000555C000-memory.dmp

Filesize
304KB

Download
memory/2908-60-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/2908-59-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/2908-58-0x0000000005400000-0x000000000550A000-memory.dmp

Filesize
1.0MB

Download
memory/2908-57-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/2908-56-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/4880-31-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-28-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-43-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-41-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-39-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-37-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-36-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-33-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-29-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-45-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-25-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-47-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-49-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-51-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-24-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4880-23-0x0000000002450000-0x000000000246C000-memory.dmp

Filesize
112KB

Download
memory/4880-22-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/4880-21-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads