redline | 3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe
Size

1.4MB
MD5

afd448d2adbd259e497e57a1178fbccd
SHA1

7e98d3512e36c195db6078c6f1012cbfe4ae2c59
SHA256

3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec
SHA512

3723d1c0fcf265636c5039e9d865e72ee39854b32bc2e3fd21cbc0e595583121ab24c50492c1d2173a828f40820f1e89b39d61a5f6810381850894a4f0cb7c05
SSDEEP

24576:Ey9rvA4PBSse5pE8xw/lxVlcT2nWulbelIyeSB77TfnSonuSdL5j1ScWH:Thvex2lxA0lW7/VuQj1S5

Score

10^/10

redline maxbi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1680-212-0x000000000AA60000-0x000000000B078000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a92405775.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a92405775.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a92405775.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a92405775.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a92405775.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a92405775.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4276	i79842986.exe
2044	i07872435.exe
2244	i87130228.exe
2104	i10002623.exe
4020	a92405775.exe
1680	b18432150.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a92405775.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a92405775.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i79842986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i79842986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i87130228.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i07872435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i07872435.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i87130228.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i10002623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i10002623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4020	a92405775.exe
4020	a92405775.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	a92405775.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4276	1964	3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe	84
PID 1964 wrote to memory of 4276	1964	3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe	84
PID 1964 wrote to memory of 4276	1964	3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe	84
PID 4276 wrote to memory of 2044	4276	i79842986.exe	85
PID 4276 wrote to memory of 2044	4276	i79842986.exe	85
PID 4276 wrote to memory of 2044	4276	i79842986.exe	85
PID 2044 wrote to memory of 2244	2044	i07872435.exe	86
PID 2044 wrote to memory of 2244	2044	i07872435.exe	86
PID 2044 wrote to memory of 2244	2044	i07872435.exe	86
PID 2244 wrote to memory of 2104	2244	i87130228.exe	87
PID 2244 wrote to memory of 2104	2244	i87130228.exe	87
PID 2244 wrote to memory of 2104	2244	i87130228.exe	87
PID 2104 wrote to memory of 4020	2104	i10002623.exe	88
PID 2104 wrote to memory of 4020	2104	i10002623.exe	88
PID 2104 wrote to memory of 4020	2104	i10002623.exe	88
PID 2104 wrote to memory of 1680	2104	i10002623.exe	96
PID 2104 wrote to memory of 1680	2104	i10002623.exe	96
PID 2104 wrote to memory of 1680	2104	i10002623.exe	96

C:\Users\Admin\AppData\Local\Temp\3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe
"C:\Users\Admin\AppData\Local\Temp\3bbd402d2d675fab413e9310c8719377ede054dfa8a21f3a394098a28ec874ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i79842986.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i79842986.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07872435.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07872435.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87130228.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87130228.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10002623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10002623.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92405775.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92405775.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18432150.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18432150.exe
        6⤵
        Executes dropped EXE
        
        PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i79842986.exe

Filesize
1.3MB

MD5
2358394257a6977f9f162d108faaffab

SHA1
c1b1adaf5fbb8bfe0baad1205ff737a438c3d25d

SHA256
8bc7e3f6beac9ac2136aef9fc29d1a59419d25fa4623375cc9f3762d817de7a0

SHA512
1650e531c1e4628f9a34817049ec7fc8f5e8a5d1cd3bee98bce80621ea51c937508e086bc741a8b132a3f7c88224679b361bcbc4a5cdb0f31a6fa4334ad5d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i79842986.exe

Filesize
1.3MB

MD5
2358394257a6977f9f162d108faaffab

SHA1
c1b1adaf5fbb8bfe0baad1205ff737a438c3d25d

SHA256
8bc7e3f6beac9ac2136aef9fc29d1a59419d25fa4623375cc9f3762d817de7a0

SHA512
1650e531c1e4628f9a34817049ec7fc8f5e8a5d1cd3bee98bce80621ea51c937508e086bc741a8b132a3f7c88224679b361bcbc4a5cdb0f31a6fa4334ad5d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07872435.exe

Filesize
1.1MB

MD5
32e49ee897d4e41469f3269e4e20f8e5

SHA1
6990b3d6a9712a6cdcc0c9ce2d06ade8df129bcd

SHA256
41ff106c9495c134b8cfa99a9fe3c0df9dd6c069e2979d734bbe7856cd62bb5f

SHA512
cd8484326cc4fd45684e6119183af20705ae82ca13bc0574261402a18f4f74d08cbf78e0c2bc2a0472a20607defb8537a2951f5333da03b6acdb3f6509cbaeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i07872435.exe

Filesize
1.1MB

MD5
32e49ee897d4e41469f3269e4e20f8e5

SHA1
6990b3d6a9712a6cdcc0c9ce2d06ade8df129bcd

SHA256
41ff106c9495c134b8cfa99a9fe3c0df9dd6c069e2979d734bbe7856cd62bb5f

SHA512
cd8484326cc4fd45684e6119183af20705ae82ca13bc0574261402a18f4f74d08cbf78e0c2bc2a0472a20607defb8537a2951f5333da03b6acdb3f6509cbaeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87130228.exe

Filesize
644KB

MD5
5ec16d6bb952d0ffbd7c0c42fb633fd8

SHA1
63fb781bcbe5dc91d8cb63a066f2b8ad8fcab1a3

SHA256
7e85ccc19f83171de021b916590932e421a0c33a5b830166ffc24120af99d848

SHA512
42456d21cf214fcaf81fb97e7f1e96ea2c54dacc462a7fe5baf3aeb64f4e627c7249496ba7c63ff7c53cdb72011243437f6880bfe345ec0e8aebd9fbc4760738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87130228.exe

Filesize
644KB

MD5
5ec16d6bb952d0ffbd7c0c42fb633fd8

SHA1
63fb781bcbe5dc91d8cb63a066f2b8ad8fcab1a3

SHA256
7e85ccc19f83171de021b916590932e421a0c33a5b830166ffc24120af99d848

SHA512
42456d21cf214fcaf81fb97e7f1e96ea2c54dacc462a7fe5baf3aeb64f4e627c7249496ba7c63ff7c53cdb72011243437f6880bfe345ec0e8aebd9fbc4760738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10002623.exe

Filesize
385KB

MD5
84b9335fba6769263b80c8eb90c95c00

SHA1
4cf4ea7d200e53ee731bf0757ae7efc3b253046e

SHA256
541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1

SHA512
341d752cad51a3203bda876e6b9dda231c023ce8e2f6c9fa650f57122c812fa1351df58c2a2c118ac14dce2a9788625c1cfb60a7071f19c033f06b1e1a1eec94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i10002623.exe

Filesize
385KB

MD5
84b9335fba6769263b80c8eb90c95c00

SHA1
4cf4ea7d200e53ee731bf0757ae7efc3b253046e

SHA256
541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1

SHA512
341d752cad51a3203bda876e6b9dda231c023ce8e2f6c9fa650f57122c812fa1351df58c2a2c118ac14dce2a9788625c1cfb60a7071f19c033f06b1e1a1eec94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92405775.exe

Filesize
291KB

MD5
ce27553a2a3454e82a427b2a8a7847b8

SHA1
572ce8d9daf60ba37132dfef202a22bf1db391e0

SHA256
97734c5b3a6cc99d4baaafd1ca3e844e27b35b5c2072b2dd2fc258b3504a5373

SHA512
036a00e8a137b9d746573598d4b4d51fe9c5f835abe72af0992261fc96e7a6d575209f4daafdeb6910fffcf7ef85fc10a42957c3d5c25d76b55c5fb31b1fda37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a92405775.exe

Filesize
291KB

MD5
ce27553a2a3454e82a427b2a8a7847b8

SHA1
572ce8d9daf60ba37132dfef202a22bf1db391e0

SHA256
97734c5b3a6cc99d4baaafd1ca3e844e27b35b5c2072b2dd2fc258b3504a5373

SHA512
036a00e8a137b9d746573598d4b4d51fe9c5f835abe72af0992261fc96e7a6d575209f4daafdeb6910fffcf7ef85fc10a42957c3d5c25d76b55c5fb31b1fda37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18432150.exe

Filesize
168KB

MD5
df9334955bb2461c384e61f8f8d7a628

SHA1
8a277eeb18bf974fdd58c5e5825c6779fde6ae51

SHA256
827f9a77b86cb4745363cfeb07be2d2ab04149536a4085324289b9de1011bb5e

SHA512
0055f0fe6417ff86d1d1ccb4cf8af88e1c481b325366922d1829281d1d3b957a54efaafa12f6fd8249ed96e1985d50f44d9aca8600e9fc2bcb5deec40a28019c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18432150.exe

Filesize
168KB

MD5
df9334955bb2461c384e61f8f8d7a628

SHA1
8a277eeb18bf974fdd58c5e5825c6779fde6ae51

SHA256
827f9a77b86cb4745363cfeb07be2d2ab04149536a4085324289b9de1011bb5e

SHA512
0055f0fe6417ff86d1d1ccb4cf8af88e1c481b325366922d1829281d1d3b957a54efaafa12f6fd8249ed96e1985d50f44d9aca8600e9fc2bcb5deec40a28019c

Download Submit
memory/1680-217-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1680-216-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1680-215-0x000000000A570000-0x000000000A5AC000-memory.dmp

Filesize
240KB

Download
memory/1680-214-0x000000000A510000-0x000000000A522000-memory.dmp

Filesize
72KB

Download
memory/1680-213-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/1680-212-0x000000000AA60000-0x000000000B078000-memory.dmp

Filesize
6.1MB

Download
memory/1680-211-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/4020-190-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-204-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-188-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-184-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-192-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-194-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-196-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-198-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-199-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-201-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-200-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-202-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/4020-203-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-186-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-205-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-207-0x0000000000400000-0x00000000006C9000-memory.dmp

Filesize
2.8MB

Download
memory/4020-182-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-180-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-178-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-176-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-174-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-172-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-171-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4020-170-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-169-0x00000000007B0000-0x00000000007DD000-memory.dmp

Filesize
180KB

Download