redline | 5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38

Analysis

max time kernel
75s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
Size

1.5MB
MD5

3810e4d620629e89095d2024a5dd8f91
SHA1

b14697dadf5bf56dad70d8bc3bd5ef6c1e35a63d
SHA256

5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38
SHA512

2280c3fd9da69c1d24e75a7460bb4df9377d693e9c8e368e45f01b2fc40bb594c58b4f0fb54ec17a853e3c46bdded390b78dcc32e74ac96b1d077a7f9c392399
SSDEEP

49152:aEj3GmxrubgyTCBNRYr62Q5il/do5dGal:F9qbgmCKrnV/S5dxl

Score

10^/10

redline maxbi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2568-212-0x000000000A770000-0x000000000AD88000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a80614746.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1620	i04415049.exe
4888	i10286750.exe
4280	i08852433.exe
4824	i50244322.exe
884	a80614746.exe
2568	b85160893.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a80614746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a80614746.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i04415049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i10286750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i08852433.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i04415049.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10286750.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i08852433.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i50244322.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i50244322.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4392	884	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	a80614746.exe
884	a80614746.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	a80614746.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1620	5012	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe	80
PID 5012 wrote to memory of 1620	5012	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe	80
PID 5012 wrote to memory of 1620	5012	5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe	80
PID 1620 wrote to memory of 4888	1620	i04415049.exe	81
PID 1620 wrote to memory of 4888	1620	i04415049.exe	81
PID 1620 wrote to memory of 4888	1620	i04415049.exe	81
PID 4888 wrote to memory of 4280	4888	i10286750.exe	82
PID 4888 wrote to memory of 4280	4888	i10286750.exe	82
PID 4888 wrote to memory of 4280	4888	i10286750.exe	82
PID 4280 wrote to memory of 4824	4280	i08852433.exe	83
PID 4280 wrote to memory of 4824	4280	i08852433.exe	83
PID 4280 wrote to memory of 4824	4280	i08852433.exe	83
PID 4824 wrote to memory of 884	4824	i50244322.exe	84
PID 4824 wrote to memory of 884	4824	i50244322.exe	84
PID 4824 wrote to memory of 884	4824	i50244322.exe	84
PID 4824 wrote to memory of 2568	4824	i50244322.exe	93
PID 4824 wrote to memory of 2568	4824	i50244322.exe	93
PID 4824 wrote to memory of 2568	4824	i50244322.exe	93

C:\Users\Admin\AppData\Local\Temp\5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe
"C:\Users\Admin\AppData\Local\Temp\5f558071095f4f97f72828923886a14bab190c9ca85c42c5afc54893102d0d38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1004
        7⤵
        Program crash
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b85160893.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b85160893.exe
        6⤵
        Executes dropped EXE
        
        PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 884 -ip 884
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe

Filesize
1.3MB

MD5
da9291527dfdaab551693a783065cf1e

SHA1
deea25b69cb569a4e0b9e0d7cd80b94518a0ecfa

SHA256
8e9694e53a439d0dde140ecda293ab2e25ac7e00e2ffc7d0b1e7eaf9f81037b2

SHA512
e385d48fe141fe7db8c0da32e87ae89e3b8bf71a371b9ca673d0c1288970d0d6b7fd095d8757134036275d03fe3deabb63f65afc5cd8ed46def4e8d6889d56f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i04415049.exe

Filesize
1.3MB

MD5
da9291527dfdaab551693a783065cf1e

SHA1
deea25b69cb569a4e0b9e0d7cd80b94518a0ecfa

SHA256
8e9694e53a439d0dde140ecda293ab2e25ac7e00e2ffc7d0b1e7eaf9f81037b2

SHA512
e385d48fe141fe7db8c0da32e87ae89e3b8bf71a371b9ca673d0c1288970d0d6b7fd095d8757134036275d03fe3deabb63f65afc5cd8ed46def4e8d6889d56f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe

Filesize
1.1MB

MD5
c88369738627119921756e4d100b92be

SHA1
4c96636a972f6eece28af689e9392f0cae5e2e19

SHA256
228e9b9e1311fcbe70b127a25529e1b7b768ad2c772f2466e669e9c4b05eb71f

SHA512
f99f26f6afa5d03748ee30c924fb47dee07d5fd772cd2535c246f6133db30a9dabf4970249ab423b3e7df5b5e892130805d28b588d341159916682db599c6a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i10286750.exe

Filesize
1.1MB

MD5
c88369738627119921756e4d100b92be

SHA1
4c96636a972f6eece28af689e9392f0cae5e2e19

SHA256
228e9b9e1311fcbe70b127a25529e1b7b768ad2c772f2466e669e9c4b05eb71f

SHA512
f99f26f6afa5d03748ee30c924fb47dee07d5fd772cd2535c246f6133db30a9dabf4970249ab423b3e7df5b5e892130805d28b588d341159916682db599c6a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe

Filesize
685KB

MD5
8ec1015040d537731aaccd6927869814

SHA1
6e1e254a1150c2e5d42783724215cd44bb298f99

SHA256
3a7e871b88cec1256c643422f2fe4bff19a4bf98f82b3798428932fc7e9e1d5d

SHA512
bd4d8abf1d101b3a1fbe82bba15ca78bc91374d538f712c4703df4aa22d125ee2307b1ea90999d0e927affaf70c423aca120226999f87dde99d459ad742efd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i08852433.exe

Filesize
685KB

MD5
8ec1015040d537731aaccd6927869814

SHA1
6e1e254a1150c2e5d42783724215cd44bb298f99

SHA256
3a7e871b88cec1256c643422f2fe4bff19a4bf98f82b3798428932fc7e9e1d5d

SHA512
bd4d8abf1d101b3a1fbe82bba15ca78bc91374d538f712c4703df4aa22d125ee2307b1ea90999d0e927affaf70c423aca120226999f87dde99d459ad742efd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe

Filesize
405KB

MD5
fb68a545c47bef8d86fc7fae244cb745

SHA1
78c00e4aa63d42f0c9f88a16a766072bc01ef64f

SHA256
40dab0ca74c5946c8ab487a234fec1ef46555e93d1d01e9200458b8736601d79

SHA512
5d31fc637870809e2183a61c4f4897ad32ebdf68dc941852efc0c694d6034450bf59028e30fdee0452538ea428482b1718e8670db3b696e38df2319fcc7599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i50244322.exe

Filesize
405KB

MD5
fb68a545c47bef8d86fc7fae244cb745

SHA1
78c00e4aa63d42f0c9f88a16a766072bc01ef64f

SHA256
40dab0ca74c5946c8ab487a234fec1ef46555e93d1d01e9200458b8736601d79

SHA512
5d31fc637870809e2183a61c4f4897ad32ebdf68dc941852efc0c694d6034450bf59028e30fdee0452538ea428482b1718e8670db3b696e38df2319fcc7599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe

Filesize
345KB

MD5
4f51b141bd80fd27490866eacbbd1b9d

SHA1
7a8538e072de6a9135bee8e2385699e076c8cdfa

SHA256
74d5e0fd12beef64f224ac393fb04abe498742acabfdea572d33f532156ac05c

SHA512
e2f476a944b8108114c337cb77adbc92557975ac14a8c1ecc5745011d40d08c48a1b2b70027d51580d44429c4280b432ce70c73087e1a517b5f148a8e52415dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a80614746.exe

Filesize
345KB

MD5
4f51b141bd80fd27490866eacbbd1b9d

SHA1
7a8538e072de6a9135bee8e2385699e076c8cdfa

SHA256
74d5e0fd12beef64f224ac393fb04abe498742acabfdea572d33f532156ac05c

SHA512
e2f476a944b8108114c337cb77adbc92557975ac14a8c1ecc5745011d40d08c48a1b2b70027d51580d44429c4280b432ce70c73087e1a517b5f148a8e52415dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b85160893.exe

Filesize
168KB

MD5
64d125ef77d19411db5a256e23a99132

SHA1
b37fb0a2fa43a28f118064faebe20fea9d7ef3a1

SHA256
72005502b374e3ea03a663a20450c5278f69b7b8b98bd566073d98b2aed6b385

SHA512
c1483751d034dbd901e6f73140fa7ef29993cee07556af92b8381795b6c22c62d96c82c48e0e95c3328b07331d6a9b9e7e09ff503b4ba9bc340c54dc70225338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b85160893.exe

Filesize
168KB

MD5
64d125ef77d19411db5a256e23a99132

SHA1
b37fb0a2fa43a28f118064faebe20fea9d7ef3a1

SHA256
72005502b374e3ea03a663a20450c5278f69b7b8b98bd566073d98b2aed6b385

SHA512
c1483751d034dbd901e6f73140fa7ef29993cee07556af92b8381795b6c22c62d96c82c48e0e95c3328b07331d6a9b9e7e09ff503b4ba9bc340c54dc70225338

Download Submit
memory/884-187-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-197-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-173-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/884-174-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-175-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-179-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-177-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-185-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-183-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-181-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-171-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/884-189-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-191-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-193-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-195-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-172-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/884-199-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-201-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/884-202-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/884-203-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/884-204-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/884-205-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/884-207-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/884-170-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/884-169-0x0000000000BF0000-0x0000000000C1D000-memory.dmp

Filesize
180KB

Download
memory/2568-211-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/2568-212-0x000000000A770000-0x000000000AD88000-memory.dmp

Filesize
6.1MB

Download
memory/2568-213-0x000000000A260000-0x000000000A36A000-memory.dmp

Filesize
1.0MB

Download
memory/2568-214-0x000000000A170000-0x000000000A182000-memory.dmp

Filesize
72KB

Download
memory/2568-215-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/2568-216-0x000000000A1D0000-0x000000000A20C000-memory.dmp

Filesize
240KB

Download
memory/2568-217-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download