redline | faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba

General

Target

faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe
Size

769KB
MD5

24385bf816bd9e6ca61ba6cd8a4fc993
SHA1

1e4fece9b89d609e1dcd80dc9ed720c290820fbd
SHA256

faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba
SHA512

b3cd6ebb5790bbcb7d3c97246d2b52ea5cf2a99677be3ac425be659c8fa706281eeed9480edf9bec074d5a6d74f1db99bb8af5a582b8b53718ceccb8191e2c54
SSDEEP

24576:Cy5fP8XsfSM1QSYtpkM2+pzNC7dcHTKnR3d:pVPMsfS+PkzacHTm3

Score

10^/10

redline debro discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

debro

C2

185.161.248.75:4132

Attributes

auth_value
18c2c191aebfde5d1787ec8d805a01a8

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1402504.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1402504.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1402504.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1402504.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1402504.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1402504.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b80-54.dat	family_redline
behavioral1/memory/4960-56-0x0000000000DD0000-0x0000000000DFE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1540	y7200011.exe
3652	y9947472.exe
2608	k1402504.exe
4960	l6003578.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1402504.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1402504.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7200011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9947472.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1402504.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l6003578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7200011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9947472.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	k1402504.exe
2608	k1402504.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	k1402504.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1540	2700	faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe	83
PID 2700 wrote to memory of 1540	2700	faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe	83
PID 2700 wrote to memory of 1540	2700	faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe	83
PID 1540 wrote to memory of 3652	1540	y7200011.exe	85
PID 1540 wrote to memory of 3652	1540	y7200011.exe	85
PID 1540 wrote to memory of 3652	1540	y7200011.exe	85
PID 3652 wrote to memory of 2608	3652	y9947472.exe	86
PID 3652 wrote to memory of 2608	3652	y9947472.exe	86
PID 3652 wrote to memory of 2608	3652	y9947472.exe	86
PID 3652 wrote to memory of 4960	3652	y9947472.exe	94
PID 3652 wrote to memory of 4960	3652	y9947472.exe	94
PID 3652 wrote to memory of 4960	3652	y9947472.exe	94

C:\Users\Admin\AppData\Local\Temp\faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe
"C:\Users\Admin\AppData\Local\Temp\faa660f445be1f8f28ffaa3b9ce31029b711bf9b5023a7dc2d557bfd739bccba.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7200011.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7200011.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9947472.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9947472.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1402504.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1402504.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6003578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6003578.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7200011.exe

Filesize
488KB

MD5
11b60010828597547dfb3a9d667daebc

SHA1
3eb6b743ac6583278604a281d26d8d23892fc6e1

SHA256
aec1754d3bc7f0ec89781c494d1a0525c8b12f23f5cb4fe2587a517166337c8e

SHA512
8e5cf7c962a55e9a130e4d7d48797b8ba68deb80621beead2455f283ad872b1fcb914778910414fc5a85307886d8113c4ee6dfc0808887759348b1a80b404c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9947472.exe

Filesize
316KB

MD5
13bde58452527868ea4414f04d4aca35

SHA1
901680b247acc9ac35b84d5cc750692ed509b0dd

SHA256
44c48f772d692d1e20cf042fb7b9e829e650e37878b578ced6ef5adcfc3ab6b1

SHA512
f1a1b3693fa842c914a503527990a20fdc99064f7757393862bca6e66b583ab2b44b3947e223b407da17d8c0d1ca68907e5a354c333a0ca1b05c4759db495a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1402504.exe

Filesize
185KB

MD5
58272e60e21e4d152cc5c507cab47f90

SHA1
5c46e28493efe6fb871537f58b946283c468c9ef

SHA256
b405d49ef90237e74b55dcf348328df4cedec157cc8dfd68b01d7909ca9b512a

SHA512
b9fded016aff1292613351c85cfbdcbd71c93b6f5c2be373ecb8219738128c0b42300f4448491bb459be86eff4b056a06c09aec1454224658df405a8f80de993

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6003578.exe

Filesize
168KB

MD5
5feee4fbdabb09b2d231d960b0763d6d

SHA1
59246ea4e0846acb9baa6294ad28bbe4497950ad

SHA256
ce64eb1998d790e60bea6bee631a9676289cb689be2aded0d8ed218f3407968b

SHA512
6ad1474aa3536c32cc865a2ecb64964a1db9b12697685a21c88f8067b5a8e7eaa36fc96e636cad0e16206e78f9fb9d202c4dba2b3fcd4ae04b5c0af3b8425ab2

Download Submit
memory/2608-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-22-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download
memory/2608-50-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-42-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/2608-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-28-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2608-21-0x0000000002460000-0x000000000247E000-memory.dmp

Filesize
120KB

Download
memory/4960-56-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

Filesize
184KB

Download
memory/4960-57-0x00000000056E0000-0x00000000056E6000-memory.dmp

Filesize
24KB

Download
memory/4960-58-0x000000000B230000-0x000000000B848000-memory.dmp

Filesize
6.1MB

Download
memory/4960-59-0x000000000AD70000-0x000000000AE7A000-memory.dmp

Filesize
1.0MB

Download
memory/4960-60-0x000000000ACA0000-0x000000000ACB2000-memory.dmp

Filesize
72KB

Download
memory/4960-61-0x000000000AD00000-0x000000000AD3C000-memory.dmp

Filesize
240KB

Download
memory/4960-62-0x00000000050A0000-0x00000000050EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads