redline | e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3

General

Target

e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe
Size

770KB
MD5

8d16780e3ba1b5622c1abfe0e2b2fda0
SHA1

014783a76806c61e83481e6158ce5207ec6bbed1
SHA256

e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3
SHA512

b4f09da98abbf45953a1a796bd7932f19264d31649fcc75aa5215f3bafeff07be4c19fdcc32388983ff4fa07c4c35f323ea7508610c119d42bc9b7d7dc100737
SSDEEP

24576:2ySrK08SNLXZRMlDVM0cWzor+s0muZ3V:FP0fNLpiV5XzoKsduZ3

Score

10^/10

redline mixa discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

C2

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a2148909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2148909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2148909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2148909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2148909.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2148909.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca3-54.dat	family_redline
behavioral1/memory/4092-56-0x00000000004D0000-0x00000000004FE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
2556	v3560595.exe
5004	v4122372.exe
4136	a2148909.exe
4092	b3728096.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2148909.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2148909.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3560595.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4122372.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3728096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3560595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4122372.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2148909.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4136	a2148909.exe
4136	a2148909.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	a2148909.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 2556	3672	e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe	82
PID 3672 wrote to memory of 2556	3672	e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe	82
PID 3672 wrote to memory of 2556	3672	e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe	82
PID 2556 wrote to memory of 5004	2556	v3560595.exe	83
PID 2556 wrote to memory of 5004	2556	v3560595.exe	83
PID 2556 wrote to memory of 5004	2556	v3560595.exe	83
PID 5004 wrote to memory of 4136	5004	v4122372.exe	84
PID 5004 wrote to memory of 4136	5004	v4122372.exe	84
PID 5004 wrote to memory of 4136	5004	v4122372.exe	84
PID 5004 wrote to memory of 4092	5004	v4122372.exe	85
PID 5004 wrote to memory of 4092	5004	v4122372.exe	85
PID 5004 wrote to memory of 4092	5004	v4122372.exe	85

C:\Users\Admin\AppData\Local\Temp\e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe
"C:\Users\Admin\AppData\Local\Temp\e868a505df3c3deb8dd31d5a50dfab5282d2b6d74e7ada88101c2bdd4fcf2af3N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3560595.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3560595.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4122372.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4122372.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2148909.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2148909.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3728096.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3728096.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3560595.exe

Filesize
488KB

MD5
6c83dccf7068c5e4823e2f3b6f909023

SHA1
964b1d259fb408f4876fc6850117af14b7564ed5

SHA256
ff1be372fd874893378538a2cb5bd3dd6d43bd1ee291ea8cc491091cf9010666

SHA512
f1b09bcf5153e211a442333d1c040d835616ee022225a32ec5e1678df8edd67bf047f81893168d13caaffdd01d9bfce00b23f61effd8518b801b59ceec0a90de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4122372.exe

Filesize
316KB

MD5
b4bdc012fea5596aae2172c4e8f489bb

SHA1
e5d7f7d5604321872aa2a93e7424482ee97bd905

SHA256
de2b9236995c77b16ab4012a918178b75292e38536f266e67d011563cdf26ccb

SHA512
cc49baeb0890e7e7e5eac58215cfa2c0d3e8436687ba6f176a40bb2af1d4ec28a4fc4201579f8d8d30e8fe11def52865f47f63335868544f88c3e9a409a1f15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2148909.exe

Filesize
185KB

MD5
f0163b510cf2717a206039be22861d2c

SHA1
76a69295ea8aca57c550fd38c45a9d7d0c058618

SHA256
2709065630f3ca2b27ed588d1dc5c6a045284ce16917f123ca1db257a6d1cb6c

SHA512
6c8f3f56bd751f1e842bd5c45f60d0f6acbeeab6e5331d401f9bc9ce8ab3b6565c10f1eafc5cc0cc3ccdb24ee97aaa2a093d3d5df15ce00c62350745729df1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3728096.exe

Filesize
168KB

MD5
897f9dc9a025756215d04ff3437df610

SHA1
3ff245a31c220d02c179d9d8dd0945094d5ea512

SHA256
d6d5f4bba03d23d90f211f9f442541f08a84b80d5b99ce67e0e971bda66ec084

SHA512
39fe57d28711667b320c0a9c2393759d898e39813de581ad673900f3b36eff229cad963f73a84864c699b0322b67f96127c2eb726103137eb3402b3c3d491bbe

Download Submit
memory/4092-62-0x0000000005050000-0x000000000509C000-memory.dmp

Filesize
304KB

Download
memory/4092-61-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/4092-60-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/4092-59-0x0000000004F40000-0x000000000504A000-memory.dmp

Filesize
1.0MB

Download
memory/4092-58-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/4092-57-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/4092-56-0x00000000004D0000-0x00000000004FE000-memory.dmp

Filesize
184KB

Download
memory/4136-51-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-27-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-39-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-37-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-35-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-33-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-31-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-25-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-24-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-41-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-43-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-45-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-47-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-49-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-29-0x00000000050A0000-0x00000000050B6000-memory.dmp

Filesize
88KB

Download
memory/4136-23-0x00000000050A0000-0x00000000050BC000-memory.dmp

Filesize
112KB

Download
memory/4136-22-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/4136-21-0x0000000002400000-0x000000000241E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads