redline | 430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2

General

Target

430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe
Size

1.1MB
MD5

049e24379b92f63ee3b12ab3e4a97237
SHA1

60118ab476ad60139f5c4d282609e041a7528121
SHA256

430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2
SHA512

aae41e4d3bc957e543d4013b35cb1ca66a11191c52a3985482450819a561989f7956fc8cea8648b77d827c0ddadeaccd62eb75f67e01ea71360925257929d778
SSDEEP

24576:3ykAw+oiEcgHcpFkH/jva74B1x7Q53Ltom9Fs+d:C6t1HcpFkH7q4B1xQ9L79O+

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k2821078.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2821078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2821078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2821078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2821078.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k2821078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2821078.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6747059.exe	family_redline
behavioral1/memory/4336-56-0x0000000000320000-0x000000000034A000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

y8352875.exey1503191.exek2821078.exel6747059.exe

pid process

880 y8352875.exe
1348 y1503191.exe
2040 k2821078.exe
4336 l6747059.exe

pid	process
880	y8352875.exe
1348	y1503191.exe
2040	k2821078.exe
4336	l6747059.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k2821078.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k2821078.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2821078.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exey8352875.exey1503191.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8352875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1503191.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exey8352875.exey1503191.exek2821078.exel6747059.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8352875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1503191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k2821078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l6747059.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k2821078.exe

pid process

2040 k2821078.exe
2040 k2821078.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k2821078.exe

description pid process

Token: SeDebugPrivilege 2040 k2821078.exe

pid	process
2040	k2821078.exe
2040	k2821078.exe

description	pid	process
Token: SeDebugPrivilege	2040	k2821078.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exey8352875.exey1503191.exe

description	pid	process	target process
PID 3088 wrote to memory of 880	3088	430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe	y8352875.exe
PID 3088 wrote to memory of 880	3088	430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe	y8352875.exe
PID 3088 wrote to memory of 880	3088	430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe	y8352875.exe
PID 880 wrote to memory of 1348	880	y8352875.exe	y1503191.exe
PID 880 wrote to memory of 1348	880	y8352875.exe	y1503191.exe
PID 880 wrote to memory of 1348	880	y8352875.exe	y1503191.exe
PID 1348 wrote to memory of 2040	1348	y1503191.exe	k2821078.exe
PID 1348 wrote to memory of 2040	1348	y1503191.exe	k2821078.exe
PID 1348 wrote to memory of 2040	1348	y1503191.exe	k2821078.exe
PID 1348 wrote to memory of 4336	1348	y1503191.exe	l6747059.exe
PID 1348 wrote to memory of 4336	1348	y1503191.exe	l6747059.exe
PID 1348 wrote to memory of 4336	1348	y1503191.exe	l6747059.exe

C:\Users\Admin\AppData\Local\Temp\430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe
"C:\Users\Admin\AppData\Local\Temp\430098ac4c3d5041a8a2f7ff151a148db61f07eccac7f2f640386574ac4f57c2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8352875.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8352875.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1503191.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1503191.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2821078.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2821078.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6747059.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6747059.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8352875.exe

Filesize
748KB

MD5
ea7945837d7d8991aec67fa3ff664f44

SHA1
2dde669aa20f921563e3adb947a037df4ee6597e

SHA256
7dfb66c1388744894f02d081ea019e5613aae2f179f1bcc3571cc34deaba0e78

SHA512
1584dddc9535c1ff02d80f1509b84b542ebf0ad9290405236e2df09a1dca6ea09adc91c552d7457ddf64c581a7c040b4e2b7956182e664a2b778aa508d4fa19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1503191.exe

Filesize
304KB

MD5
5c361ee4ac05bc3f86b5fb569fb21042

SHA1
fb8ef157662930236678c8e72046890669d749f6

SHA256
fc537a1d51dea2020dd5e616d69ff9aab0be335db439edfb994c50c2cecbbc09

SHA512
a08c6286933a90aaf56b80cc7887014e8adebebc17827cc6c8767b684d518e3d1b551546ee9c73b54d83497be90c7f511d30996092a653d5ae1e9ce1eccfd2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2821078.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6747059.exe

Filesize
145KB

MD5
338380923918a2222b4063e6e1864304

SHA1
9ec8e1bf45c59274776b74f84a08a592174df2cc

SHA256
73b4b22767f34fcdff0658c907d22c7bbeac70e81d21b88ddbd11fe34014368b

SHA512
93ce24b9a9d17ec863948f2055579bc78226808578bc7646608bdff019cc6219c27daddfec447e0e029dcd86b11fffc9119ff609adbcf73a3638b7b15adbc658

Download Submit
memory/2040-49-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-33-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-39-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-22-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/2040-48-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-45-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-44-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-41-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-37-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-51-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-35-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-23-0x0000000002460000-0x000000000247C000-memory.dmp

Filesize
112KB

Download
memory/2040-31-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-29-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-27-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-26-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-24-0x0000000002460000-0x0000000002476000-memory.dmp

Filesize
88KB

Download
memory/2040-21-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download
memory/4336-56-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/4336-57-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/4336-58-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/4336-59-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/4336-60-0x0000000004D90000-0x0000000004DCC000-memory.dmp

Filesize
240KB

Download
memory/4336-61-0x0000000004F00000-0x0000000004F4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads