redline | 2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1

General

Target

2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe
Size

488KB
MD5

7690760f675a39293bde075cd8738e88
SHA1

d36859a3b712246af9eac2ef14257afc6624b9e0
SHA256

2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1
SHA512

7083c43ce6e1bf4764b1e0fc1c580760ab440cbbf5f44151127f80fd826c6c7d9fabbe9b4399996c17759d713104463aa0390f3b6c41834c98174e25d11ac0e2
SSDEEP

12288:3Mrvy90+Q6xXneoW7JSo5Ksjze3UI+DeQRA:MyxeoWMo5hzoJ+DfA

Score

10^/10

redline mauga discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mauga

C2

217.196.96.102:4132

Attributes

auth_value
36f5411cf117f54076fbbb9ea0631fee

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1813235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1813235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1813235.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1813235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1813235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1813235.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8a-54.dat	family_redline
behavioral1/memory/4416-55-0x00000000005A0000-0x00000000005CE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3952	v7777742.exe
452	a1813235.exe
4416	b6882169.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1813235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1813235.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7777742.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2944	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1813235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6882169.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7777742.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
452	a1813235.exe
452	a1813235.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	a1813235.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3952	1908	2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe	84
PID 1908 wrote to memory of 3952	1908	2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe	84
PID 1908 wrote to memory of 3952	1908	2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe	84
PID 3952 wrote to memory of 452	3952	v7777742.exe	85
PID 3952 wrote to memory of 452	3952	v7777742.exe	85
PID 3952 wrote to memory of 452	3952	v7777742.exe	85
PID 3952 wrote to memory of 4416	3952	v7777742.exe	92
PID 3952 wrote to memory of 4416	3952	v7777742.exe	92
PID 3952 wrote to memory of 4416	3952	v7777742.exe	92

C:\Users\Admin\AppData\Local\Temp\2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe
"C:\Users\Admin\AppData\Local\Temp\2030d8cc51c7bff0d4873ce7734c61651354ccc30776caaf0dee704fb9e4caf1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7777742.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7777742.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1813235.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1813235.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6882169.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6882169.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7777742.exe

Filesize
316KB

MD5
7500efff8eb557fdebb6cfa532eb5a43

SHA1
26a05e36b4bf2d5e80601c55a4c6ce6ab93ccfda

SHA256
63f38cecde6257549adc1c9b4f40c38f3cf29c4da5f61b645c436ba386adcc41

SHA512
217c4f6d9407274bd3eb26f6d962db2caad082e106cd9499c98b544e43613aa61f8d57657bab29ac4e9c06f451f406fe2e39ec9e8c72edf02e0a4717fb7abf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a1813235.exe

Filesize
184KB

MD5
a4d82b44894c1659048238446bf83dd3

SHA1
e52cfddd63d8ce121f33e61601e5f4d4a9c18b7f

SHA256
d52e429938831e422716c4ae8ca2bef4923be76777ad2640e1ec0b0293e50af0

SHA512
23416b09977da10f532eaa7a8db44051f1e8fff8612af47c442fbd1d28bee358b4580b22f8f0e29054bde680c640737e34617d5a7367a93acc787f0bc1264fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6882169.exe

Filesize
168KB

MD5
a6faaa03e65634c81b318703e8bb402d

SHA1
e4d58290b523e428b3462e95393c568b92fc4660

SHA256
965deacca3407dc644e48212c1f9e7d7e6a9941257c62eb78365cc45788b0eea

SHA512
7679f6ace9570fad45636ea53fe77374663b9bb4709482d5cdab703eb5e7be9c14c027c5a5511177626f7c46f61fd3df8ee931490eb4302c7314c14fb9a9b2ec

Download Submit
memory/452-31-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-51-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/452-29-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-19-0x0000000004AC0000-0x0000000004ADC000-memory.dmp

Filesize
112KB

Download
memory/452-17-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/452-27-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-47-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-45-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-43-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-41-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-37-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-35-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-33-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-15-0x0000000002300000-0x000000000231E000-memory.dmp

Filesize
120KB

Download
memory/452-18-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/452-25-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-16-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/452-20-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-39-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-23-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-48-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/452-49-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/452-21-0x0000000004AC0000-0x0000000004AD6000-memory.dmp

Filesize
88KB

Download
memory/452-14-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/4416-55-0x00000000005A0000-0x00000000005CE000-memory.dmp

Filesize
184KB

Download
memory/4416-56-0x0000000002780000-0x0000000002786000-memory.dmp

Filesize
24KB

Download
memory/4416-57-0x0000000005620000-0x0000000005C38000-memory.dmp

Filesize
6.1MB

Download
memory/4416-58-0x0000000005120000-0x000000000522A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-59-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4416-60-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/4416-61-0x0000000005230000-0x000000000527C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads