redline | d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a

General

Target

d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe
Size

1.1MB
MD5

b06f42c50b1a731741c4804e02d0796d
SHA1

1e0e90db4d232a432f99ffe7830662f3970044aa
SHA256

d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a
SHA512

0f3fa4a9345ea741a0aecd73d9decfab4f71910035c416740a6c1288c54e3248be030c981b2f687d7879b26610889eea00b9591568c4e924842e5ee3e82b6b9b
SSDEEP

24576:GyjXXYMsxZZFkszKVH1+hG8fpSmTeVzlx+M1QnTF:VjXXMZFks6+Q0Qlx+L

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k8609419.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k8609419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k8609419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k8609419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k8609419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k8609419.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023bf8-54.dat	family_redline
behavioral1/memory/4536-56-0x0000000000F90000-0x0000000000FBA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3464	y1916598.exe
4384	y8509937.exe
212	k8609419.exe
4536	l5804859.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k8609419.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k8609419.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1916598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8509937.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1916598.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8509937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k8609419.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l5804859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
212	k8609419.exe
212	k8609419.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	k8609419.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3464	4896	d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe	83
PID 4896 wrote to memory of 3464	4896	d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe	83
PID 4896 wrote to memory of 3464	4896	d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe	83
PID 3464 wrote to memory of 4384	3464	y1916598.exe	84
PID 3464 wrote to memory of 4384	3464	y1916598.exe	84
PID 3464 wrote to memory of 4384	3464	y1916598.exe	84
PID 4384 wrote to memory of 212	4384	y8509937.exe	86
PID 4384 wrote to memory of 212	4384	y8509937.exe	86
PID 4384 wrote to memory of 212	4384	y8509937.exe	86
PID 4384 wrote to memory of 4536	4384	y8509937.exe	97
PID 4384 wrote to memory of 4536	4384	y8509937.exe	97
PID 4384 wrote to memory of 4536	4384	y8509937.exe	97

C:\Users\Admin\AppData\Local\Temp\d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe
"C:\Users\Admin\AppData\Local\Temp\d1963c0f85eed798b72d9646a93f3b3f1ca69ff14e054b317eb41b6fda5dbb8a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1916598.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1916598.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8509937.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8509937.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8609419.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8609419.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5804859.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5804859.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1916598.exe

Filesize
749KB

MD5
614c2237a2b3269b6e244f3174b56980

SHA1
625fb8ef4537b8d399dc72eacc507ef774111cb9

SHA256
144b35b00d6181510091e2ae25f2e26ef586b7fe0f3a2c050477640c63e520da

SHA512
511dd2b0f07959807377c10f94136028f8cdac1ed0e2e097ca9e2aa8f41c344bd77f2b09da6a3038e89aefe4c6e1449d522f35ba3a561124a3fe7cfc9684752f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8509937.exe

Filesize
304KB

MD5
c04a959a519f17c33a3e1c5c84d0debd

SHA1
32f4c7c3dd5154646a4e1250cefcae1c5f283faf

SHA256
7d466bb98375ffc657ca8566734d0275b32736f73b8b3952953f281de09ac7a1

SHA512
0ad606b0d76bed152bfb21022e1d66af81223620837d495b47c2032c245d6471eeac9ab8eb522d8fe5b1eacf2bae8ccd5f50f98facbdbc61b9ee245c24f96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8609419.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5804859.exe

Filesize
145KB

MD5
b9061cf3cabb8a1f3f42d7bcd4818b75

SHA1
dbc877656056b66b2f63ef7d32376fb2fe5f1b88

SHA256
e9dc4a31b6f949a64ef050d8da74f8e9c0cac5af592f636b8c61d1ef6e883af3

SHA512
1de29d8863ee2618f02432c389574202d0fef1ea099c53a7136ba4d9e995f16720d2feadd814207fc295e121b402c2c6dee7523a94d273ab4a450ea1cf0f20e0

Download Submit
memory/212-51-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-35-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-33-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-22-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/212-50-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-47-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-45-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-43-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-41-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-39-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-37-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/212-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-29-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-24-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-28-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-25-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/212-21-0x00000000021C0000-0x00000000021DE000-memory.dmp

Filesize
120KB

Download
memory/4536-56-0x0000000000F90000-0x0000000000FBA000-memory.dmp

Filesize
168KB

Download
memory/4536-57-0x0000000005DA0000-0x00000000063B8000-memory.dmp

Filesize
6.1MB

Download
memory/4536-58-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4536-59-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/4536-60-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/4536-61-0x0000000005A30000-0x0000000005A7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads