redline | 229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe

General

Target

229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe
Size

1.1MB
MD5

c489250546c52acfcf779a85438268e3
SHA1

1b3aff474b0e99cbf601267c51bced2e75f2e7d6
SHA256

229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe
SHA512

f672e64a2e1e9ff3aec39490b990acd3861bb6da942f35701073b5e0e8d0a53712f1e535773a926cdf86a548a75ea4b020c48f426ea2c942a00a63dc2435d7f4
SSDEEP

24576:Sy0HYCYwC9xnbovU36tycZx5/8v78cdBR/Lvz3ooO5b1YReiTWIdI:504CBCj8vU3HcGzRRTjybA

Score

10^/10

redline miran discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

miran

C2

185.161.248.75:4132

Attributes

auth_value
f1084732cb99b2cbe314a2a565371e6c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2736219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2736219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2736219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2736219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2736219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a2736219.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cae-54.dat	family_redline
behavioral1/memory/1392-56-0x00000000009C0000-0x00000000009EA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4000	v8763368.exe
4808	v9509541.exe
1220	a2736219.exe
1392	b1521037.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2736219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2736219.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8763368.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9509541.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8763368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9509541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2736219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1521037.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1220	a2736219.exe
1220	a2736219.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	a2736219.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4000	2108	229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe	83
PID 2108 wrote to memory of 4000	2108	229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe	83
PID 2108 wrote to memory of 4000	2108	229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe	83
PID 4000 wrote to memory of 4808	4000	v8763368.exe	84
PID 4000 wrote to memory of 4808	4000	v8763368.exe	84
PID 4000 wrote to memory of 4808	4000	v8763368.exe	84
PID 4808 wrote to memory of 1220	4808	v9509541.exe	85
PID 4808 wrote to memory of 1220	4808	v9509541.exe	85
PID 4808 wrote to memory of 1220	4808	v9509541.exe	85
PID 4808 wrote to memory of 1392	4808	v9509541.exe	96
PID 4808 wrote to memory of 1392	4808	v9509541.exe	96
PID 4808 wrote to memory of 1392	4808	v9509541.exe	96

C:\Users\Admin\AppData\Local\Temp\229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe
"C:\Users\Admin\AppData\Local\Temp\229931e582ec3d64b8fa894473f20ebc26c2a4c3fe9e10b88474c27a940776fe.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8763368.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8763368.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9509541.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9509541.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2736219.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2736219.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1521037.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1521037.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8763368.exe

Filesize
749KB

MD5
f86ceda38eab81878d10f34fabd4c163

SHA1
eab24e773f9cd540ab7c02cfbb3ee63c9f85445b

SHA256
eca43756536212c1a7bdf647251d789ba2f226b78b295ed70b4a79be6865b26c

SHA512
379cda0304afa2a5fccfb051ff148d5dc3ce9af3c4ab3b21435d44ab33f30bcc9c245eb3c1a333a9b37dd42352170704eb84ccb568462e9561dac10bbd7a15e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9509541.exe

Filesize
305KB

MD5
23dc4aefc08fd2c7025d9d2258f07cce

SHA1
9b8d149653e3172fff361e32605588e4efc72a3e

SHA256
c836d4b1a618440bd4e74cfb35e92b9afff665e99d9250af21b14073c4cbf5b7

SHA512
bc1e54c81f6e7ddfd5c262caeed8902e604549139e83fb06ed1afd5578352902e63a554dfb7c9615200a259c676b0eebd0334127ae63e72d5a589c36cb1017a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2736219.exe

Filesize
183KB

MD5
e554091714347ee5dd0e0a184e79ad8e

SHA1
c01b24796f81b6abf993b2ec72693e9c36299bb1

SHA256
c4785c996c72ee27276f99c87a5b2aa930337c56f60e55f6443d5f0035bb8970

SHA512
21324f9744e7f3084efa2b446d317a8c8401eeae71c04663843134cd2449b81f645eb0a67c68b76d9d05d160217d2fae08027a4d0cb2b872cf240cf4b3755979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1521037.exe

Filesize
145KB

MD5
7aabbcbb85c0ecc44d68d9b9eecc8a80

SHA1
2c3af136ad46b455088e720b67f606451a2942eb

SHA256
7da85f4c5701db6ed8849f815143a9df416846ad1e6992e6fd030702aa14c492

SHA512
c5cf695011c7130aa9e62a1e921eefdf71763b143732a88202659ad575ab9ff96a4bf54ff2ddb1b9c5c7dab2c54660dcf35a4b1d537094458c0c2bee4819dc41

Download Submit
memory/1220-50-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-33-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-51-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-22-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/1220-48-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-45-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-43-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-41-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-39-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-37-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-35-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-23-0x0000000002580000-0x000000000259C000-memory.dmp

Filesize
112KB

Download
memory/1220-31-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-29-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-27-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-25-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-24-0x0000000002580000-0x0000000002596000-memory.dmp

Filesize
88KB

Download
memory/1220-21-0x00000000007C0000-0x00000000007DE000-memory.dmp

Filesize
120KB

Download
memory/1392-56-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/1392-57-0x00000000057E0000-0x0000000005DF8000-memory.dmp

Filesize
6.1MB

Download
memory/1392-58-0x0000000005350000-0x000000000545A000-memory.dmp

Filesize
1.0MB

Download
memory/1392-59-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/1392-60-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/1392-61-0x0000000005460000-0x00000000054AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads