redline | 6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e

General

Target

6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe
Size

772KB
MD5

723c46731434889ebf4131fc644b3a60
SHA1

47388a744e6c70213e53eab5a62cac414924f48f
SHA256

6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e
SHA512

1a3859b3e57dc41bdcda37a9a04fb6601e287b0e92c8d733ecd5aeda7bb24ef0b69572f920a657d0ab44d93a65003f21baf54fca98094a29e014ce716c79fc17
SSDEEP

24576:2yd7+PVlmm3JEvfqI7CerqbdTjNOPpiJOYb:FdiPSM6bqdTpOPpiv

Score

10^/10

redline misik discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

misik

C2

217.196.96.102:4132

Attributes

auth_value
9133827666bc8f4b05339316460b08aa

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3428185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3428185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3428185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3428185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3428185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3428185.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca8-54.dat	family_redline
behavioral1/memory/1648-56-0x0000000000D00000-0x0000000000D2E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
5104	v3674740.exe
2952	v7634471.exe
3508	a3428185.exe
1648	b6458812.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3428185.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3428185.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3674740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7634471.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3428185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6458812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3674740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7634471.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	a3428185.exe
3508	a3428185.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	a3428185.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 5104	2268	6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe	83
PID 2268 wrote to memory of 5104	2268	6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe	83
PID 2268 wrote to memory of 5104	2268	6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe	83
PID 5104 wrote to memory of 2952	5104	v3674740.exe	84
PID 5104 wrote to memory of 2952	5104	v3674740.exe	84
PID 5104 wrote to memory of 2952	5104	v3674740.exe	84
PID 2952 wrote to memory of 3508	2952	v7634471.exe	86
PID 2952 wrote to memory of 3508	2952	v7634471.exe	86
PID 2952 wrote to memory of 3508	2952	v7634471.exe	86
PID 2952 wrote to memory of 1648	2952	v7634471.exe	95
PID 2952 wrote to memory of 1648	2952	v7634471.exe	95
PID 2952 wrote to memory of 1648	2952	v7634471.exe	95

C:\Users\Admin\AppData\Local\Temp\6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe
"C:\Users\Admin\AppData\Local\Temp\6a3a0c7ebdf8b2c659cf22da296c4a8121e64123abc4f8383f2e6cccfe5c942e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3674740.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3674740.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7634471.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7634471.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3428185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3428185.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6458812.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6458812.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3674740.exe

Filesize
488KB

MD5
d41a9e3d58078100d89f555423b17195

SHA1
3d2ea90eac44fbf413d051848bd7ede08e99322f

SHA256
105c58ce985978fb5b665a7332477ab99ce81e2f0f85b03e820a5dcec062c32f

SHA512
2409243479f7e08f941657212989cc658d513b799007d7b52e3932eac2a96df86eca3ee310c6940d256e3276310dc825e0e0cc42c42b162cfe128881aa83bba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7634471.exe

Filesize
316KB

MD5
e30e685b5607f4845027aa17b6954273

SHA1
63e6823eb94431b80cf033d386edc5ac9a9755e8

SHA256
1694e22f8c680c245b25fb624766a7b3850d3397bf9b19e5af2ce69d2ee2dcd3

SHA512
765c22bca0ca6e72c05439eaf343edf74b2424970811059735210281a30a22457559beedc6d881dd5bdd1d8ce6527ee85a85454e79d0c716f1e20d3b27ce0cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3428185.exe

Filesize
184KB

MD5
849244ac726419050bf081eaf6ebca6b

SHA1
8baaeab5cf9ef3b78a498031f7973b7c521e8622

SHA256
e1229b8110a795ff45acfaa373bafbfc089efb808aed4c29d047453e0e0cadf3

SHA512
da63d7ee4efa93c9666347880bbc9311b4d794e0f975168641d12323e9976e23396b6e487e86abf45c6f59012a0d803fbbee44cc9ead804087ed5c1889723b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6458812.exe

Filesize
168KB

MD5
f36e9cf6ae5de4bc91b754453e2f8bc5

SHA1
5c906fdb8beaa66084842863b56d89801f0a8a34

SHA256
6211ac3c53952ec5c0ea48f96aaf02bbafc51920e157e35d06591f06a80e7b21

SHA512
0e83c5fab97b80bf29f2f77752d05842e53303e80eda2ff45db7e1ce0229c0a23bb6aab1d3da16b5d44a2c394735720e4bc613f08f7ee01d3d7c4f2c4b852219

Download Submit
memory/1648-62-0x0000000005030000-0x000000000507C000-memory.dmp

Filesize
304KB

Download
memory/1648-61-0x000000000AC40000-0x000000000AC7C000-memory.dmp

Filesize
240KB

Download
memory/1648-60-0x000000000ABE0000-0x000000000ABF2000-memory.dmp

Filesize
72KB

Download
memory/1648-59-0x000000000ACB0000-0x000000000ADBA000-memory.dmp

Filesize
1.0MB

Download
memory/1648-58-0x000000000B140000-0x000000000B758000-memory.dmp

Filesize
6.1MB

Download
memory/1648-57-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

Filesize
24KB

Download
memory/1648-56-0x0000000000D00000-0x0000000000D2E000-memory.dmp

Filesize
184KB

Download
memory/3508-49-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/3508-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/3508-22-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download
memory/3508-21-0x00000000022D0000-0x00000000022EE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads