redline | d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297e

General

Target

d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe
Size

488KB
MD5

d0dc86ac5f753c9420f47ae68a157140
SHA1

34278187e6a86598e95afee09d791d44de05b34e
SHA256

d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297e
SHA512

7b88310526700772ebd838b4ca9c917a6835ac4720c0018ab867ca4344038133f4959567956e698aa4511f46fc303670ee0de27b1bc956300b100c6fa2b7689e
SSDEEP

6144:KIy+bnr+Rp0yN90QEfP15epEzSHBjkZ8fEg06yZV+Bi89Xl5ARAX32jb/OdQzLVO:4Mrxy90L0H1nEgxyZI/1l5qDH3HVcG4

Score

10^/10

redline misik discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

misik

C2

217.196.96.102:4132

Attributes

auth_value
9133827666bc8f4b05339316460b08aa

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8817785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8817785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8817785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8817785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8817785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8817785.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b85-54.dat	family_redline
behavioral1/memory/4952-56-0x0000000000690000-0x00000000006BE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4944	v2497781.exe
4828	a8817785.exe
4952	b6493975.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8817785.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8817785.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2497781.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2497781.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8817785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6493975.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4828	a8817785.exe
4828	a8817785.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	a8817785.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 4944	2548	d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe	82
PID 2548 wrote to memory of 4944	2548	d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe	82
PID 2548 wrote to memory of 4944	2548	d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe	82
PID 4944 wrote to memory of 4828	4944	v2497781.exe	83
PID 4944 wrote to memory of 4828	4944	v2497781.exe	83
PID 4944 wrote to memory of 4828	4944	v2497781.exe	83
PID 4944 wrote to memory of 4952	4944	v2497781.exe	84
PID 4944 wrote to memory of 4952	4944	v2497781.exe	84
PID 4944 wrote to memory of 4952	4944	v2497781.exe	84

C:\Users\Admin\AppData\Local\Temp\d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe
"C:\Users\Admin\AppData\Local\Temp\d2cfd151e051e4cb827cb1e92c009ca1cb00fb20db1abe333dd2b0461e2e297eN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2497781.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2497781.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8817785.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8817785.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6493975.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6493975.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2497781.exe

Filesize
316KB

MD5
3fbf1a6862204c6fd93e5fb552d8037e

SHA1
c404136c388dddeb867cc52e5d606ee2354ad445

SHA256
a3c16e73a82efa869d0da29a9b380a52f386f67d709d286fbbbc6deb469bb1b6

SHA512
74084ba807e85e7a12ecf236ae5a5c443cf0ae1bf5fab2a1aac9ca4833732c0e03a7964453505221151317b98b23b52e813276379b997b5713b429d10661915b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8817785.exe

Filesize
184KB

MD5
23a67e83c9cbf2c2453915247a370189

SHA1
667ef8cf45e96dbeb011ec8dca265637931ba726

SHA256
47f48973c503138803be0a60f3f682d680d3802431bf30ec29698de7a4ba2a28

SHA512
34bb29aa3843d9bc678f81753eabdbcc0521c9154e776c9d1ad99046b1d8b5e076fef021df46a8a2cd697a6a71f1b96f65ac5b9c3d6dc9e258904bef7ccad94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6493975.exe

Filesize
168KB

MD5
6838c4120b5389e9050cd2a5dd779da3

SHA1
81bf8f1046507584a5c21d028da0b48d4ca6a925

SHA256
c2c2f6f084cdcfbbf611ad900d3e1d9ffcd92425ea07e4054117ef4857b28ebe

SHA512
bc8daae61c8183448b3d2d6668b846520c285a08627196ed32957fea3889b0d8a59b51156ce437037c7b7de795f5f4c88eeecb99839bc5a3ad4e2b9ecde152e6

Download Submit
memory/4828-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-50-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-17-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/4828-18-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-19-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/4828-21-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-48-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-15-0x00000000023D0000-0x00000000023EE000-memory.dmp

Filesize
120KB

Download
memory/4828-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-23-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-20-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/4828-49-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/4828-16-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-52-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-14-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/4952-56-0x0000000000690000-0x00000000006BE000-memory.dmp

Filesize
184KB

Download
memory/4952-57-0x00000000010D0000-0x00000000010D6000-memory.dmp

Filesize
24KB

Download
memory/4952-58-0x000000000A9B0000-0x000000000AFC8000-memory.dmp

Filesize
6.1MB

Download
memory/4952-59-0x000000000A500000-0x000000000A60A000-memory.dmp

Filesize
1.0MB

Download
memory/4952-60-0x000000000A430000-0x000000000A442000-memory.dmp

Filesize
72KB

Download
memory/4952-61-0x000000000A490000-0x000000000A4CC000-memory.dmp

Filesize
240KB

Download
memory/4952-62-0x0000000004950000-0x000000000499C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads