redline | 6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89

General

Target

6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
Size

1.1MB
MD5

005e7f9debdf573a6fddad49c1311cf6
SHA1

6779582ea1deca54999b84b9d0ad698598649f09
SHA256

6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89
SHA512

d79da55cdd944c63477f469a444d8598688012236fc798750dc7f19a9667660ddcfc45eb334f377c437d39edbbb9a245c63ac78b4e360061a0c9bb6ef58d91f6
SSDEEP

24576:yyGLjMu1b+0TFkYkDtEzCESAUPQLQ12u2d9T+r/6TbD:ZgjlTFkYkKCES14LK2rd06T

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k4028986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4028986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4028986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4028986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4028986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4028986.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023caf-54.dat	family_redline
behavioral1/memory/4808-56-0x00000000002A0000-0x00000000002CA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3528	y3389223.exe
2176	y7962986.exe
1664	k4028986.exe
4808	l3177548.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k4028986.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4028986.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3389223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7962986.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3389223.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7962986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k4028986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3177548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	k4028986.exe
1664	k4028986.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	k4028986.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 3528	3188	6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe	83
PID 3188 wrote to memory of 3528	3188	6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe	83
PID 3188 wrote to memory of 3528	3188	6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe	83
PID 3528 wrote to memory of 2176	3528	y3389223.exe	84
PID 3528 wrote to memory of 2176	3528	y3389223.exe	84
PID 3528 wrote to memory of 2176	3528	y3389223.exe	84
PID 2176 wrote to memory of 1664	2176	y7962986.exe	86
PID 2176 wrote to memory of 1664	2176	y7962986.exe	86
PID 2176 wrote to memory of 1664	2176	y7962986.exe	86
PID 2176 wrote to memory of 4808	2176	y7962986.exe	94
PID 2176 wrote to memory of 4808	2176	y7962986.exe	94
PID 2176 wrote to memory of 4808	2176	y7962986.exe	94

C:\Users\Admin\AppData\Local\Temp\6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe
"C:\Users\Admin\AppData\Local\Temp\6a20e6a31bab0895881bc2ceef7d5883399e2f4aa6b3fd1aa56927e39acf6b89.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3389223.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3389223.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7962986.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7962986.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4028986.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4028986.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3177548.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3177548.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3389223.exe

Filesize
748KB

MD5
fc97d61eeeddb56f41b8de123737f501

SHA1
d1bc89e883aafe9b77676c30625886fc70838d85

SHA256
28cd0114cfa1522e984db394edf1b1f0914543d5f0ff871893d8878274238e28

SHA512
fbfb393ef3d4555f2e89052ecc4a0a2d17c58c126606ac42210836f16500898be83b511590ed420795d3bd4c5dae8074d03b3aab35ad42ad429d40da2d0ba732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7962986.exe

Filesize
304KB

MD5
afdecd7d32467df31c9353496918f411

SHA1
ed3124ac449a66d7c27aed410353accf00510d28

SHA256
a5ffe10d687eac9f2771bb59b5337594baec47d92b8e3ebc4c01d3d916e05478

SHA512
0f55c37c5e56064c92b9b069779e2879ad6409ff546b44f971bece0f74ae6ce99e18fd44177e17eaded6f8e2a790f7ae7d84511dabec4906a3c25700988556dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4028986.exe

Filesize
183KB

MD5
75df6a4aaf5c63bc4f42ac5ec8ecc76a

SHA1
8d9da11aa11364c1b580b12faa446403f527ff83

SHA256
d1d13ff4eabb541a9cfc225beeb1c27d9cd85c8f9849e8d0fece0a4503c63f05

SHA512
72d34a4770cf9885993630f04e83831f4ded666af58cb705c7b1ca4cd7ca95911dec7247e4987c64afc13fee10bcf94fc913bd9a7790edb65c75b01a89bbe8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3177548.exe

Filesize
145KB

MD5
cf63b13eb092a69f74be861904e7d695

SHA1
31cfcf910573da78bd89cf507de0ba4fe5227daf

SHA256
7b946a95ba449082ae7d118dfb8ce7a1e92c2f859878c4be5ec842af63a2b81e

SHA512
a4255f0902197a577d2b94ca48f8e137b065ec927c569f1413c746976526abed26555c954c9cdbc27dab13b786184cd846c19ddf548f233b864e0a84cc0fa43d

Download Submit
memory/1664-49-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-33-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-51-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-22-0x00000000049B0000-0x0000000004F54000-memory.dmp

Filesize
5.6MB

Download
memory/1664-48-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-45-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-43-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-42-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-39-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-37-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-35-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-23-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/1664-31-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-29-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-27-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-25-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-24-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/1664-21-0x0000000002480000-0x000000000249E000-memory.dmp

Filesize
120KB

Download
memory/4808-56-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/4808-57-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/4808-58-0x0000000004D70000-0x0000000004E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4808-59-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/4808-60-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/4808-61-0x0000000004E80000-0x0000000004ECC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads