redline | 3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f

General

Target

3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe
Size

316KB
MD5

8339677ffcc693f59e993f7889f24179
SHA1

5d8c68db7e82bf7908af9f13a4fe9660cdb377f1
SHA256

3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f
SHA512

09c2e7176c5e8137e6a2bb3b075353bc9d215eba02872eef5a28c90d8c94aa786c10e914e4a6b4c6ca4bed63f439121c4cb47ab378d5b8d1e4f4480730af4286
SSDEEP

6144:Kdy+bnr+Op0yN90QE76vZrMgXGm9O5VaHJnQKJC0H6UznVCXvs+A:PMriy90xmNGHapQKJC0aUcfHA

Score

10^/10

redline dubur discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubur

C2

217.196.96.102:4132

Attributes

auth_value
32d04179aa1e8d655d2d80c21f99de41

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5634991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5634991.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b64-47.dat	family_redline
behavioral1/memory/2484-49-0x0000000000120000-0x000000000014E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1080	k5634991.exe
2484	l9624419.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5634991.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k5634991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l9624419.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1080	k5634991.exe
1080	k5634991.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	k5634991.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1080	2204	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe	83
PID 2204 wrote to memory of 1080	2204	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe	83
PID 2204 wrote to memory of 1080	2204	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe	83
PID 2204 wrote to memory of 2484	2204	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe	94
PID 2204 wrote to memory of 2484	2204	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe	94
PID 2204 wrote to memory of 2484	2204	3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe	94

C:\Users\Admin\AppData\Local\Temp\3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe
"C:\Users\Admin\AppData\Local\Temp\3370f5b80d6cf1a00eb1967e9952f4ceae4892fd1349ebc55fd00df81a79108f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5634991.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5634991.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9624419.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9624419.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5634991.exe

Filesize
184KB

MD5
967926f1ea3ff90b95e22d2e8205cc1b

SHA1
4a6ea766a07ead4abbdc9cc65d89626b77ccf2ca

SHA256
c2d6c2467ed17d71ef9bd4bc83fa9bd99bf96de27fabe179239dcf854af2657d

SHA512
00400f92c303727a0b302957e27c4f1dce79d91ec1de87beb261919fb372b821222ce0f8e2fa9aff05a80f2023735abdba0c79296e4c9516defd6a4cb2933e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9624419.exe

Filesize
168KB

MD5
394f51d2de463f414a71101ea641624e

SHA1
5eccd88a33e9178eea05322e92e34b20d761ffc4

SHA256
8f8688ddc84a4968c266037df05ffddfdcd3415cc323b3ed7bcac89407330b3f

SHA512
09fdbb24af1202991714f5f992c94a9258d43a90c60a84cb690412d42e6afb3dedaeaf3f6221f3104ca09078baaa09cbe3829dfb8bf69845267566bd85a71f05

Download Submit
memory/1080-19-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-10-0x0000000004A10000-0x0000000004FB4000-memory.dmp

Filesize
5.6MB

Download
memory/1080-11-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/1080-8-0x00000000048E0000-0x00000000048FE000-memory.dmp

Filesize
120KB

Download
memory/1080-23-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-40-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-18-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-15-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-32-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-21-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-13-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-9-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-12-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/1080-41-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-42-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

Filesize
4KB

Download
memory/1080-43-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-45-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/1080-7-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

Filesize
4KB

Download
memory/2484-49-0x0000000000120000-0x000000000014E000-memory.dmp

Filesize
184KB

Download
memory/2484-50-0x0000000073BF0000-0x0000000073C9B000-memory.dmp

Filesize
684KB

Download
memory/2484-51-0x0000000004940000-0x0000000004946000-memory.dmp

Filesize
24KB

Download
memory/2484-52-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/2484-53-0x0000000004BC0000-0x0000000004CCA000-memory.dmp

Filesize
1.0MB

Download
memory/2484-55-0x0000000073BF0000-0x0000000073C9B000-memory.dmp

Filesize
684KB

Download
memory/2484-54-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/2484-56-0x0000000004AD0000-0x0000000004B0C000-memory.dmp

Filesize
240KB

Download
memory/2484-57-0x0000000004B50000-0x0000000004B9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads