redline | 3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393

General

Target

3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe
Size

1.1MB
MD5

af9a6a1b60fabdb413d72279c8508cb1
SHA1

372ae4a3aed493de31f2524e456eacbc9501b213
SHA256

3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393
SHA512

01aaa9242fcce304e1005f88b6908136dfed0f782e67964b2d3ffa4353bddde5b992cdc7fa281c203a052669a0fb086afa54441721cebdf1dd9da4958f57eba4
SSDEEP

24576:iyHrwsUBFkBqTPRqlK8LiTISvk1NcZljNMhgVDzI:JL1UBFkBqrRgjLiTISvYWNmcz

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4297828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4297828.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4297828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4297828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4297828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4297828.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb7-54.dat	family_redline
behavioral1/memory/3192-56-0x00000000000A0000-0x00000000000CA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
2328	y9652005.exe
612	y7700046.exe
3444	k4297828.exe
3192	l8603190.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4297828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4297828.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9652005.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7700046.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3184	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9652005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7700046.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4297828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l8603190.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3444	k4297828.exe
3444	k4297828.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	k4297828.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 2328	100	3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe	83
PID 100 wrote to memory of 2328	100	3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe	83
PID 100 wrote to memory of 2328	100	3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe	83
PID 2328 wrote to memory of 612	2328	y9652005.exe	85
PID 2328 wrote to memory of 612	2328	y9652005.exe	85
PID 2328 wrote to memory of 612	2328	y9652005.exe	85
PID 612 wrote to memory of 3444	612	y7700046.exe	86
PID 612 wrote to memory of 3444	612	y7700046.exe	86
PID 612 wrote to memory of 3444	612	y7700046.exe	86
PID 612 wrote to memory of 3192	612	y7700046.exe	93
PID 612 wrote to memory of 3192	612	y7700046.exe	93
PID 612 wrote to memory of 3192	612	y7700046.exe	93

C:\Users\Admin\AppData\Local\Temp\3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe
"C:\Users\Admin\AppData\Local\Temp\3f0e3605dace186bc1d64852888fadad95a0748fd6cccd82e19c0e2fed57e393.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9652005.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9652005.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7700046.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7700046.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4297828.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4297828.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8603190.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8603190.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3192

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9652005.exe

Filesize
749KB

MD5
87196c29bc8f64827ec575a277fcfe26

SHA1
7b5b909a4d4d94910621a3c25bf5a95aac2219cf

SHA256
9f8dc95bb95272a2f5002ad09a004bdfc869e6daf52a63157ecbf0c170490c8d

SHA512
476f12110c5b3cb04c4916bde8be75278b055f06d58383eb1d22dff63ab883fef21a6214cef8fc44e89a1eb89036405a1727a4cd0f8f12c8efd06e3909042789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7700046.exe

Filesize
304KB

MD5
938608a08fadb3b25a1c2946a6b37e72

SHA1
f5c14daddaf541228cfc200dd67f452ddb194675

SHA256
b8319127a2b4c082c59ff7b5d8039766ae350fab478e6cf26bf9d592e4a4e140

SHA512
53fd6c30f1c3901b29bf4c3740e48d65345887dd6f71b3fb715f60895c5b4abc78f2b8718b1add2da86192745871b442d262f512a2b07a5aabdacc3360b4aa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4297828.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8603190.exe

Filesize
145KB

MD5
cff8bde964f901d9f8c4d9697c2a5800

SHA1
6a3769ab098a979a4b338bd3652312a3f7308de1

SHA256
9014187b073668018e115bec5f11709d0e7df3cccb520c3097d0b9cb420f9d9e

SHA512
cc9652137b0caff6b70001149e937172f865e28c643506748ad24d7520dc2386476f35f45453ceafbb82daf9174d85e70d4af1849e5defdf9e0c48dcb8214af4

Download Submit
memory/3192-61-0x0000000004C70000-0x0000000004CBC000-memory.dmp

Filesize
304KB

Download
memory/3192-60-0x0000000004AF0000-0x0000000004B2C000-memory.dmp

Filesize
240KB

Download
memory/3192-59-0x0000000004A90000-0x0000000004AA2000-memory.dmp

Filesize
72KB

Download
memory/3192-58-0x0000000004B60000-0x0000000004C6A000-memory.dmp

Filesize
1.0MB

Download
memory/3192-57-0x0000000004FE0000-0x00000000055F8000-memory.dmp

Filesize
6.1MB

Download
memory/3192-56-0x00000000000A0000-0x00000000000CA000-memory.dmp

Filesize
168KB

Download
memory/3444-51-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-27-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-37-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-35-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-33-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-31-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-29-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-25-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-45-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-47-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-24-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/3444-23-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/3444-22-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download
memory/3444-21-0x00000000048B0000-0x00000000048CE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads