redline | a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff

General

Target

a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe
Size

1.1MB
MD5

1c59cf23f82fd63c5524bf0a934a1fc0
SHA1

37b302adf3080d125b2d63079498a32ae192106e
SHA256

a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff
SHA512

06bbf10aa15d2378d1ae2356fa8458675996089d83fbf9c012b9dc5a4b1f21faee73045e6b6a24955beaae775b9c32d07b56f21c47890b52925725499b41f92a
SSDEEP

24576:ly75506JpHgXFkVPQBOgxaAQdtS2S6CPcDl1RXIxzN:A75qK2XFk6Ogx7QnS2S6rbRo

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k3664034.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3664034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3664034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3664034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3664034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3664034.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k3664034.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023ca8-54.dat	family_redline
behavioral1/memory/4512-56-0x0000000000C60000-0x0000000000C8A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

Processes:

y8541708.exey0408705.exek3664034.exel0385313.exe

pid	Process
724	y8541708.exe
4356	y0408705.exe
3892	k3664034.exe
4512	l0385313.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

k3664034.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k3664034.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3664034.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exey8541708.exey0408705.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8541708.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0408705.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exey8541708.exey0408705.exek3664034.exel0385313.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y8541708.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0408705.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k3664034.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l0385313.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k3664034.exe

pid	Process
3892	k3664034.exe
3892	k3664034.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k3664034.exe

description	pid	Process
Token: SeDebugPrivilege	3892	k3664034.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exey8541708.exey0408705.exe

description	pid	Process	procid_target
PID 3668 wrote to memory of 724	3668	a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe	83
PID 3668 wrote to memory of 724	3668	a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe	83
PID 3668 wrote to memory of 724	3668	a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe	83
PID 724 wrote to memory of 4356	724	y8541708.exe	84
PID 724 wrote to memory of 4356	724	y8541708.exe	84
PID 724 wrote to memory of 4356	724	y8541708.exe	84
PID 4356 wrote to memory of 3892	4356	y0408705.exe	86
PID 4356 wrote to memory of 3892	4356	y0408705.exe	86
PID 4356 wrote to memory of 3892	4356	y0408705.exe	86
PID 4356 wrote to memory of 4512	4356	y0408705.exe	96
PID 4356 wrote to memory of 4512	4356	y0408705.exe	96
PID 4356 wrote to memory of 4512	4356	y0408705.exe	96

C:\Users\Admin\AppData\Local\Temp\a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe
"C:\Users\Admin\AppData\Local\Temp\a7063d061b68b71986238c24f510d809c46c4f205bc7bb6253aaae8a686bffff.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8541708.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8541708.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0408705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0408705.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3664034.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3664034.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0385313.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0385313.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8541708.exe

Filesize
749KB

MD5
26b6637edfcb2982f15c5aa2e38851c3

SHA1
20e10ba004e943a216f99670683497ae185e048b

SHA256
e959d88067a28478ca2aff47ba3e53d33be82fa75c217c80bdc322ed721136c1

SHA512
f8bdfd95459dc3433b0b303629c34af352e3133e0a2bc02abf6a6b7c7b1820a050149960eaafff5a9ee21bfe274af2aa3630670329bbc6f3e20a49e1182400cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0408705.exe

Filesize
304KB

MD5
fe67195bd20235d017bd24a2a8e1f05c

SHA1
80733eed0478f4f1c1c1fcaba50190789b456325

SHA256
ebb057495d3754a71a0988f282db1c1494c0fce4b3a4c13f5fd316ac98b46113

SHA512
77379e4d835d10bd9ede9903d8fad9c090a7c717d4755d57f0b2592e95f314e69d6c880b5b1e6623586636a4bacd30b357a87e9ac6d3a2b487008046a9a7c03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3664034.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0385313.exe

Filesize
145KB

MD5
77a5ca8fad18b74c6388a5aa6a0cc0c4

SHA1
10f1d1e7d72b94646591a4beb87b5e653b1cd054

SHA256
a481fcbf371c70e75afe175623832b1a2c5bbb1f6cd473937101b17e0ba44650

SHA512
1e20a83cce903588a4cc7e7c51bdc9900d22616efecbda68769ae9deadeb1eb1a7b43a3b037029e6bca0f5035486212cab8f261ca4d020ee40019b2b6b132575

Download Submit
memory/3892-51-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-33-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-39-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-22-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/3892-49-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-47-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-45-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-43-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-41-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-37-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-35-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

Filesize
112KB

Download
memory/3892-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-29-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-27-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-25-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-24-0x00000000049A0000-0x00000000049B6000-memory.dmp

Filesize
88KB

Download
memory/3892-21-0x00000000021B0000-0x00000000021CE000-memory.dmp

Filesize
120KB

Download
memory/4512-56-0x0000000000C60000-0x0000000000C8A000-memory.dmp

Filesize
168KB

Download
memory/4512-57-0x0000000005AA0000-0x00000000060B8000-memory.dmp

Filesize
6.1MB

Download
memory/4512-58-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/4512-59-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/4512-60-0x0000000005590000-0x00000000055CC000-memory.dmp

Filesize
240KB

Download
memory/4512-61-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads