redline | 4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe
Size

1.4MB
MD5

342dfbdbb3a5512cf4b1a7250271810a
SHA1

acd153d503d09e1dca9ea40b901c721beb42f6b6
SHA256

4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3
SHA512

3ec03af1011afdd495ac7a52e1e48fc3241cb0044bdef569da609c95cb71dd987d79e98b025d92e4b6ea0d1a256a46558d9d8827c62c8441a3eb0e592cad7107
SSDEEP

24576:lyeBdjlWVvJMFtaeFExziN0BwNQXBgUugalPHOIBB8960Lis9:A8RUo5MziNXUg3RD8

Score

10^/10

redline maxbi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/3892-211-0x000000000B340000-0x000000000B958000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a60340977.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a60340977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a60340977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a60340977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a60340977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a60340977.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
796	i27237472.exe
2384	i37353573.exe
3540	i24572701.exe
1496	i42291303.exe
2448	a60340977.exe
3892	b15519275.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a60340977.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a60340977.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i27237472.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i27237472.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i42291303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i37353573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i37353573.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i24572701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i24572701.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i42291303.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	2448	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	a60340977.exe
2448	a60340977.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	a60340977.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 796	1516	4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe	83
PID 1516 wrote to memory of 796	1516	4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe	83
PID 1516 wrote to memory of 796	1516	4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe	83
PID 796 wrote to memory of 2384	796	i27237472.exe	84
PID 796 wrote to memory of 2384	796	i27237472.exe	84
PID 796 wrote to memory of 2384	796	i27237472.exe	84
PID 2384 wrote to memory of 3540	2384	i37353573.exe	85
PID 2384 wrote to memory of 3540	2384	i37353573.exe	85
PID 2384 wrote to memory of 3540	2384	i37353573.exe	85
PID 3540 wrote to memory of 1496	3540	i24572701.exe	86
PID 3540 wrote to memory of 1496	3540	i24572701.exe	86
PID 3540 wrote to memory of 1496	3540	i24572701.exe	86
PID 1496 wrote to memory of 2448	1496	i42291303.exe	87
PID 1496 wrote to memory of 2448	1496	i42291303.exe	87
PID 1496 wrote to memory of 2448	1496	i42291303.exe	87
PID 1496 wrote to memory of 3892	1496	i42291303.exe	91
PID 1496 wrote to memory of 3892	1496	i42291303.exe	91
PID 1496 wrote to memory of 3892	1496	i42291303.exe	91

C:\Users\Admin\AppData\Local\Temp\4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe
"C:\Users\Admin\AppData\Local\Temp\4d49c66d411f15d402a0055e3e51fe6964628d0a1961735c3a4346f5a8ba83d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27237472.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27237472.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37353573.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37353573.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i24572701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i24572701.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42291303.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42291303.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60340977.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60340977.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1064
        7⤵
        Program crash
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15519275.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15519275.exe
        6⤵
        Executes dropped EXE
        
        PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 2448
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27237472.exe

Filesize
1.3MB

MD5
01e654313bf0473281e09083cd2b8288

SHA1
ef0ac2dd7658b3f4940012a0109cfb5eb6d466e0

SHA256
b037a0fb7b501bf85e3b6ff5ba7bb1f1298e3130a76d2a9be2fe339ef88633f8

SHA512
0f91e73794a72e8564f08584cb788adce8bb2ef949118a56cd7ea637cb4a89955e86b2eab1fae63a35d2d43515f5b60db6a2602483d135a59e0d700ca9f4791b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i27237472.exe

Filesize
1.3MB

MD5
01e654313bf0473281e09083cd2b8288

SHA1
ef0ac2dd7658b3f4940012a0109cfb5eb6d466e0

SHA256
b037a0fb7b501bf85e3b6ff5ba7bb1f1298e3130a76d2a9be2fe339ef88633f8

SHA512
0f91e73794a72e8564f08584cb788adce8bb2ef949118a56cd7ea637cb4a89955e86b2eab1fae63a35d2d43515f5b60db6a2602483d135a59e0d700ca9f4791b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37353573.exe

Filesize
1.1MB

MD5
a38e58901555adbe4a8c2e9ab851986e

SHA1
930946c973e0f319c4de14fb05021e3c1fb36ff2

SHA256
221b59dc079bd55edae774bf7cb9e228efc483b694e95e823b0856069df1f59f

SHA512
46e919b5e4fec1d298dd32d0fa6cc94f37631b7d8d3cd0fc09bd639f32af0e39d61c6c1dfaf565df038077106f6185688bb0620b42b812e0e4014dd56dfa3c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i37353573.exe

Filesize
1.1MB

MD5
a38e58901555adbe4a8c2e9ab851986e

SHA1
930946c973e0f319c4de14fb05021e3c1fb36ff2

SHA256
221b59dc079bd55edae774bf7cb9e228efc483b694e95e823b0856069df1f59f

SHA512
46e919b5e4fec1d298dd32d0fa6cc94f37631b7d8d3cd0fc09bd639f32af0e39d61c6c1dfaf565df038077106f6185688bb0620b42b812e0e4014dd56dfa3c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i24572701.exe

Filesize
645KB

MD5
6357b8f4dced1e8c9de301b05eca46ff

SHA1
5c764bca4ba7db355fec689f2a3d1c915e1a9b61

SHA256
5799f9a3105a01f7a19fa063f6b58ba28b0eb95708de1d0e5bd05b80aa718b22

SHA512
346ab2d7beb9b4607035275883323b344b8ba30880ba5381d00541a1c7ca9884a8bf9f3b6502239250ec4209f38b53e4d395ffdc27d802e41864342d76642221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i24572701.exe

Filesize
645KB

MD5
6357b8f4dced1e8c9de301b05eca46ff

SHA1
5c764bca4ba7db355fec689f2a3d1c915e1a9b61

SHA256
5799f9a3105a01f7a19fa063f6b58ba28b0eb95708de1d0e5bd05b80aa718b22

SHA512
346ab2d7beb9b4607035275883323b344b8ba30880ba5381d00541a1c7ca9884a8bf9f3b6502239250ec4209f38b53e4d395ffdc27d802e41864342d76642221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42291303.exe

Filesize
385KB

MD5
dcfd931b7639ae086b197277a691421c

SHA1
a5106401712251fece02d1b312c0f7fa2f565eef

SHA256
7750a94d0d5f3aa88ce88159dbdb2b5c3c8fcaade151e6fbd9960108fbdcaded

SHA512
c2956ad716ebb521aea761de71c67ab97f03ddded6a7d36a0108b0419700a1f8e57ac08b4c3d390d634ec536aa3cf4e647a2070e49ceba3ded64385a6688db6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i42291303.exe

Filesize
385KB

MD5
dcfd931b7639ae086b197277a691421c

SHA1
a5106401712251fece02d1b312c0f7fa2f565eef

SHA256
7750a94d0d5f3aa88ce88159dbdb2b5c3c8fcaade151e6fbd9960108fbdcaded

SHA512
c2956ad716ebb521aea761de71c67ab97f03ddded6a7d36a0108b0419700a1f8e57ac08b4c3d390d634ec536aa3cf4e647a2070e49ceba3ded64385a6688db6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60340977.exe

Filesize
294KB

MD5
359e54a30521c478d4ae86e7b0e1f843

SHA1
a04bcc9bd761226b64d15f4c371b5a7a627550c6

SHA256
3bc6a547b9b0ed12d87f122fe9fce4cb5b5ba69cee13da7ee2937b2cd036a80b

SHA512
ab1fdb9fa7ee6fd41b523ca0dd028242bb467fcf87f07c01b107243900cfa1e4f43bbc3307b04db74ab22a4ef255af07e45245efbfc43e5a2eb5d774bf4dd6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a60340977.exe

Filesize
294KB

MD5
359e54a30521c478d4ae86e7b0e1f843

SHA1
a04bcc9bd761226b64d15f4c371b5a7a627550c6

SHA256
3bc6a547b9b0ed12d87f122fe9fce4cb5b5ba69cee13da7ee2937b2cd036a80b

SHA512
ab1fdb9fa7ee6fd41b523ca0dd028242bb467fcf87f07c01b107243900cfa1e4f43bbc3307b04db74ab22a4ef255af07e45245efbfc43e5a2eb5d774bf4dd6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15519275.exe

Filesize
168KB

MD5
8be8c4ebc7777b72f50ce68c715e1159

SHA1
42244d44dd92c3a7eff51f1d849fbbca3fe003fc

SHA256
61074b791c9a63b2512389f23bb2baf8fede150fc06e4d6c87e45b5f372545a2

SHA512
3a3d2eeb7e94d3461dc55a19b158944f10a05eea7b66e36f6b500be60081eae4f790b60374d5a3cf3925e528720b4651c560c9f2af862255d4c0e84787e75278

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15519275.exe

Filesize
168KB

MD5
8be8c4ebc7777b72f50ce68c715e1159

SHA1
42244d44dd92c3a7eff51f1d849fbbca3fe003fc

SHA256
61074b791c9a63b2512389f23bb2baf8fede150fc06e4d6c87e45b5f372545a2

SHA512
3a3d2eeb7e94d3461dc55a19b158944f10a05eea7b66e36f6b500be60081eae4f790b60374d5a3cf3925e528720b4651c560c9f2af862255d4c0e84787e75278

Download Submit
memory/2448-184-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-198-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-173-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-174-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-176-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-178-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-180-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-182-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-172-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2448-186-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-188-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-190-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-192-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-194-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-196-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-170-0x0000000004E00000-0x00000000053A4000-memory.dmp

Filesize
5.6MB

Download
memory/2448-200-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2448-201-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/2448-202-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2448-203-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2448-204-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2448-206-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/2448-171-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2448-169-0x00000000007A0000-0x00000000007CD000-memory.dmp

Filesize
180KB

Download
memory/3892-210-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

Filesize
192KB

Download
memory/3892-211-0x000000000B340000-0x000000000B958000-memory.dmp

Filesize
6.1MB

Download
memory/3892-212-0x000000000AE30000-0x000000000AF3A000-memory.dmp

Filesize
1.0MB

Download
memory/3892-213-0x000000000AD50000-0x000000000AD62000-memory.dmp

Filesize
72KB

Download
memory/3892-214-0x000000000ADB0000-0x000000000ADEC000-memory.dmp

Filesize
240KB

Download
memory/3892-215-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/3892-216-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download