redline | 91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507

General

Target

91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe
Size

1.1MB
MD5

bb2e858cc3c31dc52ca942a5778593c0
SHA1

174bd3ce411197b4d3929720e0ba93278dbd4d45
SHA256

91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507
SHA512

56534db4204dfc2d01ff6f0127f7e834b6c49125c4cc7e0e1fbdabaa04a1c6dde0d85ea973b273f73faf9aa56d3d46a09e12bdac2d3c56357d38270052cc9d75
SSDEEP

24576:myW6dec+pbE9g9jLCIc0vsEXtoTmC/u77NvaK8T9Zd:1Hde3VE9g9gI99eGsZ

Score

10^/10

redline doma discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

doma

C2

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1650749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1650749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1650749.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1650749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1650749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1650749.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c41-54.dat	family_redline
behavioral1/memory/2328-56-0x00000000004F0000-0x000000000051A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1576	y6711569.exe
2096	y6023742.exe
4192	k1650749.exe
2328	l6027280.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1650749.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1650749.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6711569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6023742.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l6027280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6711569.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y6023742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1650749.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	k1650749.exe
4192	k1650749.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	k1650749.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 1576	4708	91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe	83
PID 4708 wrote to memory of 1576	4708	91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe	83
PID 4708 wrote to memory of 1576	4708	91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe	83
PID 1576 wrote to memory of 2096	1576	y6711569.exe	85
PID 1576 wrote to memory of 2096	1576	y6711569.exe	85
PID 1576 wrote to memory of 2096	1576	y6711569.exe	85
PID 2096 wrote to memory of 4192	2096	y6023742.exe	86
PID 2096 wrote to memory of 4192	2096	y6023742.exe	86
PID 2096 wrote to memory of 4192	2096	y6023742.exe	86
PID 2096 wrote to memory of 2328	2096	y6023742.exe	97
PID 2096 wrote to memory of 2328	2096	y6023742.exe	97
PID 2096 wrote to memory of 2328	2096	y6023742.exe	97

C:\Users\Admin\AppData\Local\Temp\91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe
"C:\Users\Admin\AppData\Local\Temp\91bc1b2fb04e2f8f7f8936c929ceebd6f716812fa1f9f555f309ef05aae1f507.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6711569.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6711569.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6023742.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6023742.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1650749.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1650749.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6027280.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6027280.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6711569.exe

Filesize
749KB

MD5
274e1c3cae90a75374bf9d090cde3491

SHA1
50165032b1910d7bcf0e1748ee34d20f1d8a7e1d

SHA256
a92913276f65adbc7dbfdd4df8c590feedfc11e04192da899a9a08826c4c5e59

SHA512
da454f650a99365448cd30be8480b7f67c698fd77aa231207752721c593310801a9c12e034623e137f2854aecee47688f364de1e8c628b0adad9a3b0e2bd7ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6023742.exe

Filesize
305KB

MD5
cbac5f271f2da84010a86d5080868da7

SHA1
c67d0c324228a76592e47cb0573ddd8a8a4eadb9

SHA256
1a5a7ed8e7c9adc64544d76ef24eee21bae3f5a36d9429b0c8175e6c4230d77a

SHA512
77947c7c220f9f9cd76ae80580da04f0c8261e9b53617bee4cc03a92becaed328be8a6355fe28f9d391990eb3d22a55d523d455a34a1492cfcb0aca8570fc67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k1650749.exe

Filesize
183KB

MD5
d18dd7e957d8eab39abe21eefd498331

SHA1
2d7b11252dbb1ed8cefff8d63d447b0f697a0060

SHA256
57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

SHA512
c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6027280.exe

Filesize
145KB

MD5
dbae277df1250882d6a4af21e3be2199

SHA1
b1647fbb9d486a208bce344355ad0291526cd2be

SHA256
dedbd8c68ebaa7414e32a3ee5462b4c24ebbff2bf9571020bf7eecfe83d1f702

SHA512
befee6046d0444339913166c79bd20debde58abd2c9dc5cd8034c5fde243150e2e53f299cfe396af134ca32479229ad77cd5d3c13a679bf22bc3db2a99352f9f

Download Submit
memory/2328-61-0x00000000050D0000-0x000000000511C000-memory.dmp

Filesize
304KB

Download
memory/2328-60-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2328-59-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/2328-58-0x0000000004FC0000-0x00000000050CA000-memory.dmp

Filesize
1.0MB

Download
memory/2328-57-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/2328-56-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download
memory/4192-51-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-25-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-41-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-39-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-37-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-36-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-33-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-32-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-27-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-43-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-24-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-45-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-47-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-49-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-29-0x0000000002280000-0x0000000002296000-memory.dmp

Filesize
88KB

Download
memory/4192-23-0x0000000002280000-0x000000000229C000-memory.dmp

Filesize
112KB

Download
memory/4192-22-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download
memory/4192-21-0x00000000021A0000-0x00000000021BE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads