redline | 53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21f

General

Target

53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe
Size

316KB
MD5

e9a8169fb6c6a67bba67c5b992f58a30
SHA1

f536e6e1a6461a61e9f533863baf0fde51c6b5e2
SHA256

53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21f
SHA512

f0c0d04202e2079f9681c5303ce1b70d1e5fd9b3ff41fff9f251bd1db73341498c5868a8210484bf581645ec150480129bdd2e29ff39cf06f7ec0b86301b698a
SSDEEP

6144:Kdy+bnr+Op0yN90QE76vZrMgXGm9O5VaHJnQKJC0H6UznVCXvs+:PMriy90xmNGHapQKJC0aUcfH

Score

10^/10

redline dubur discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubur

C2

217.196.96.102:4132

Attributes

auth_value
32d04179aa1e8d655d2d80c21f99de41

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5634991.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c9d-47.dat	family_redline
behavioral1/memory/1812-50-0x0000000000AE0000-0x0000000000B0E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
1968	k5634991.exe
1812	l9624419.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k5634991.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5634991.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k5634991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l9624419.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	k5634991.exe
1968	k5634991.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	k5634991.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1968	3764	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe	83
PID 3764 wrote to memory of 1968	3764	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe	83
PID 3764 wrote to memory of 1968	3764	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe	83
PID 3764 wrote to memory of 1812	3764	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe	85
PID 3764 wrote to memory of 1812	3764	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe	85
PID 3764 wrote to memory of 1812	3764	53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe	85

C:\Users\Admin\AppData\Local\Temp\53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe
"C:\Users\Admin\AppData\Local\Temp\53b61bf5fbf118038cb96e8d46bbe2e9561d9142a533603dce8a7c559fd1b21fN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5634991.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5634991.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9624419.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9624419.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k5634991.exe

Filesize
184KB

MD5
967926f1ea3ff90b95e22d2e8205cc1b

SHA1
4a6ea766a07ead4abbdc9cc65d89626b77ccf2ca

SHA256
c2d6c2467ed17d71ef9bd4bc83fa9bd99bf96de27fabe179239dcf854af2657d

SHA512
00400f92c303727a0b302957e27c4f1dce79d91ec1de87beb261919fb372b821222ce0f8e2fa9aff05a80f2023735abdba0c79296e4c9516defd6a4cb2933e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l9624419.exe

Filesize
168KB

MD5
394f51d2de463f414a71101ea641624e

SHA1
5eccd88a33e9178eea05322e92e34b20d761ffc4

SHA256
8f8688ddc84a4968c266037df05ffddfdcd3415cc323b3ed7bcac89407330b3f

SHA512
09fdbb24af1202991714f5f992c94a9258d43a90c60a84cb690412d42e6afb3dedaeaf3f6221f3104ca09078baaa09cbe3829dfb8bf69845267566bd85a71f05

Download Submit
memory/1812-57-0x0000000004E50000-0x0000000004E9C000-memory.dmp

Filesize
304KB

Download
memory/1812-56-0x000000000AA20000-0x000000000AA5C000-memory.dmp

Filesize
240KB

Download
memory/1812-55-0x000000000A9C0000-0x000000000A9D2000-memory.dmp

Filesize
72KB

Download
memory/1812-54-0x0000000074A80000-0x0000000074B2B000-memory.dmp

Filesize
684KB

Download
memory/1812-53-0x000000000AAA0000-0x000000000ABAA000-memory.dmp

Filesize
1.0MB

Download
memory/1812-52-0x000000000AFB0000-0x000000000B5C8000-memory.dmp

Filesize
6.1MB

Download
memory/1812-51-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

Filesize
24KB

Download
memory/1812-50-0x0000000000AE0000-0x0000000000B0E000-memory.dmp

Filesize
184KB

Download
memory/1812-49-0x0000000074A80000-0x0000000074B2B000-memory.dmp

Filesize
684KB

Download
memory/1968-41-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-43-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1968-31-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-29-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-27-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-25-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-23-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-21-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-19-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-17-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-15-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-14-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-42-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/1968-35-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-45-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1968-37-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-39-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-33-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/1968-13-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1968-12-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1968-11-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/1968-10-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1968-9-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1968-8-0x0000000002390000-0x00000000023AE000-memory.dmp

Filesize
120KB

Download
memory/1968-7-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads