redline | 7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe
Size

1.5MB
MD5

ff284da9454b1b2202daac0826e279e6
SHA1

9baa769e12fef2d18553a7f8ab38f955d78aba88
SHA256

7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3
SHA512

c5ae52c56f4693f82efb14500c71f35d66c528cb326962c020b38f76111a8b60bc2d9bd814a3d302223b2635134eb4016e2458995042a8d8ed25a781c8aee597
SSDEEP

24576:jywRErvx0bDhOQz8wbYv0ipLm1kZPxEj05VZBs5bcRRtnp1N4eiKo2s6xr2wS:2wRaJHQFbYhLm1kZZEj0Ao3vwKo2s6

Score

10^/10

redline maxbi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/552-216-0x000000000AD20000-0x000000000B338000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a14609536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a14609536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a14609536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a14609536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a14609536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a14609536.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
488	i45987781.exe
1792	i69763979.exe
4168	i28107940.exe
4512	i64204160.exe
1704	a14609536.exe
552	b33249662.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a14609536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a14609536.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i45987781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i45987781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i69763979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i28107940.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i69763979.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i28107940.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i64204160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i64204160.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1376	1704	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	a14609536.exe
1704	a14609536.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	a14609536.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 488	768	7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe	82
PID 768 wrote to memory of 488	768	7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe	82
PID 768 wrote to memory of 488	768	7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe	82
PID 488 wrote to memory of 1792	488	i45987781.exe	83
PID 488 wrote to memory of 1792	488	i45987781.exe	83
PID 488 wrote to memory of 1792	488	i45987781.exe	83
PID 1792 wrote to memory of 4168	1792	i69763979.exe	84
PID 1792 wrote to memory of 4168	1792	i69763979.exe	84
PID 1792 wrote to memory of 4168	1792	i69763979.exe	84
PID 4168 wrote to memory of 4512	4168	i28107940.exe	85
PID 4168 wrote to memory of 4512	4168	i28107940.exe	85
PID 4168 wrote to memory of 4512	4168	i28107940.exe	85
PID 4512 wrote to memory of 1704	4512	i64204160.exe	86
PID 4512 wrote to memory of 1704	4512	i64204160.exe	86
PID 4512 wrote to memory of 1704	4512	i64204160.exe	86
PID 4512 wrote to memory of 552	4512	i64204160.exe	90
PID 4512 wrote to memory of 552	4512	i64204160.exe	90
PID 4512 wrote to memory of 552	4512	i64204160.exe	90

C:\Users\Admin\AppData\Local\Temp\7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe
"C:\Users\Admin\AppData\Local\Temp\7e381dc6ed27aad28240e19ca8ce69f20aeba2eff253a246eb722b86f6a337c3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45987781.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45987781.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69763979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69763979.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28107940.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28107940.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64204160.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64204160.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14609536.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14609536.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1084
        7⤵
        Program crash
        
        PID:1376
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b33249662.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b33249662.exe
        6⤵
        Executes dropped EXE
        
        PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1704 -ip 1704
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45987781.exe

Filesize
1.3MB

MD5
e4324f15707e225c1bc183fef8c57ecc

SHA1
58e7e6cac92fb23a3f32584eaa4ed5da0c027241

SHA256
4ef8dfa216dc88079ac5d75ac4b19dc35b4b079eddc7dea8157e6b1a1e5a8c93

SHA512
5d1a3d905a867a198fa70949fb321f780459a4f8ff37b65bc0cc702956bfb15d0c72ed692175e60feffadcd22f15e8829e2e3d7ba4d35e416a83f85070813b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i45987781.exe

Filesize
1.3MB

MD5
e4324f15707e225c1bc183fef8c57ecc

SHA1
58e7e6cac92fb23a3f32584eaa4ed5da0c027241

SHA256
4ef8dfa216dc88079ac5d75ac4b19dc35b4b079eddc7dea8157e6b1a1e5a8c93

SHA512
5d1a3d905a867a198fa70949fb321f780459a4f8ff37b65bc0cc702956bfb15d0c72ed692175e60feffadcd22f15e8829e2e3d7ba4d35e416a83f85070813b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69763979.exe

Filesize
1.1MB

MD5
f62b8c3ff9cc407fbb4f33522c12a7b8

SHA1
b141101171fa09eaad00835389b6af493b7fd2d2

SHA256
8272fe0601366df231e36b9a8f5152b5a37cce3a8a0862197bf758a8912ade17

SHA512
27456f590acd48bd9f4814f6ffa74fa1902e16a1c600c5add0cf8e8a223ef836ec964cd42cbd699110b1f9f902667bde8ecdb43dbce8da3f2ac4cab9d5af9a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i69763979.exe

Filesize
1.1MB

MD5
f62b8c3ff9cc407fbb4f33522c12a7b8

SHA1
b141101171fa09eaad00835389b6af493b7fd2d2

SHA256
8272fe0601366df231e36b9a8f5152b5a37cce3a8a0862197bf758a8912ade17

SHA512
27456f590acd48bd9f4814f6ffa74fa1902e16a1c600c5add0cf8e8a223ef836ec964cd42cbd699110b1f9f902667bde8ecdb43dbce8da3f2ac4cab9d5af9a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28107940.exe

Filesize
686KB

MD5
3e69647532ded1d71128177e00479a5a

SHA1
dcff48417e51c6f65703a41cdcc6440cb32f5da2

SHA256
2b0336cde0821701552e92242214dbc453e938abb66917d927d6468d4c9d6175

SHA512
bff1387fe7a80cf9bef96129d827b5832176b391411a4950b115764e15120f9f51c8109ee929e3acdfd296e3cb8a6b0bc84b3a5ab2607aa98ff3a11f7780f084

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i28107940.exe

Filesize
686KB

MD5
3e69647532ded1d71128177e00479a5a

SHA1
dcff48417e51c6f65703a41cdcc6440cb32f5da2

SHA256
2b0336cde0821701552e92242214dbc453e938abb66917d927d6468d4c9d6175

SHA512
bff1387fe7a80cf9bef96129d827b5832176b391411a4950b115764e15120f9f51c8109ee929e3acdfd296e3cb8a6b0bc84b3a5ab2607aa98ff3a11f7780f084

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64204160.exe

Filesize
405KB

MD5
77817c26289d95fe71b846bd0ce2be3e

SHA1
02dccbf0228a75db188dc71721fbb2ee08073a75

SHA256
e28e8a6c58403d10ddad277c83453897af0dcd36a448369f707f2a9d1ddc4050

SHA512
70a0bcb8f8b788a0eaeb8bbed80a7b40581d758daa23bf449ccd68bfb3e670ebf73c460bbb6fba393376148125fe8eab56df9f23af972ed53250419033172168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i64204160.exe

Filesize
405KB

MD5
77817c26289d95fe71b846bd0ce2be3e

SHA1
02dccbf0228a75db188dc71721fbb2ee08073a75

SHA256
e28e8a6c58403d10ddad277c83453897af0dcd36a448369f707f2a9d1ddc4050

SHA512
70a0bcb8f8b788a0eaeb8bbed80a7b40581d758daa23bf449ccd68bfb3e670ebf73c460bbb6fba393376148125fe8eab56df9f23af972ed53250419033172168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14609536.exe

Filesize
345KB

MD5
bf24dab0dacf543d81abe62951069a20

SHA1
29346525e00f0c34442db07ab9fa062ea0d05189

SHA256
8404cce8edc1cbce2b4df8b29a13abaffa80add9bcfebdd1aede46d0f8231c19

SHA512
e3b54b77129fae1977c4a930787a72326339237af3800b5d1438b9643c3bbf5fec9e57b66eab70838a46ec12f6d6e829c6800452994d0d1c14f1708913803224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a14609536.exe

Filesize
345KB

MD5
bf24dab0dacf543d81abe62951069a20

SHA1
29346525e00f0c34442db07ab9fa062ea0d05189

SHA256
8404cce8edc1cbce2b4df8b29a13abaffa80add9bcfebdd1aede46d0f8231c19

SHA512
e3b54b77129fae1977c4a930787a72326339237af3800b5d1438b9643c3bbf5fec9e57b66eab70838a46ec12f6d6e829c6800452994d0d1c14f1708913803224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b33249662.exe

Filesize
168KB

MD5
8c2d003d7cd9c535347752d141027498

SHA1
b3fd918cba2f1b0539d3c3c4421b8e602dd8601e

SHA256
4ad49407ec74d97fcf746262839b21fe2c5c14ffe4e2697ede87aca7a73c501c

SHA512
66d9650fc6079d1a1b93a2961834bc9fc41984e3bdfeb37fbc47f9392a88174f664ceabb9644ed6c32c590f2d627964c29cd170b5daaedd8c4b2bfcc49946ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b33249662.exe

Filesize
168KB

MD5
8c2d003d7cd9c535347752d141027498

SHA1
b3fd918cba2f1b0539d3c3c4421b8e602dd8601e

SHA256
4ad49407ec74d97fcf746262839b21fe2c5c14ffe4e2697ede87aca7a73c501c

SHA512
66d9650fc6079d1a1b93a2961834bc9fc41984e3bdfeb37fbc47f9392a88174f664ceabb9644ed6c32c590f2d627964c29cd170b5daaedd8c4b2bfcc49946ac9

Download Submit
memory/552-221-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/552-220-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/552-219-0x000000000A830000-0x000000000A86C000-memory.dmp

Filesize
240KB

Download
memory/552-218-0x000000000A7D0000-0x000000000A7E2000-memory.dmp

Filesize
72KB

Download
memory/552-217-0x000000000A8A0000-0x000000000A9AA000-memory.dmp

Filesize
1.0MB

Download
memory/552-216-0x000000000AD20000-0x000000000B338000-memory.dmp

Filesize
6.1MB

Download
memory/552-215-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/1704-187-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-204-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1704-185-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-181-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-189-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-191-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-193-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-195-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-197-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-199-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-201-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-202-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1704-203-0x0000000000CC0000-0x0000000000CED000-memory.dmp

Filesize
180KB

Download
memory/1704-183-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-205-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1704-206-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1704-208-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1704-179-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-177-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-175-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-174-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1704-172-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1704-173-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1704-171-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1704-170-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/1704-169-0x0000000000CC0000-0x0000000000CED000-memory.dmp

Filesize
180KB

Download