redline | a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
Size

1.5MB
MD5

c1ad9354ae7e8a733f9c12643554ed1c
SHA1

419dc90e728e5fea52f28e5c5541873cb83b136f
SHA256

a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566
SHA512

109e3090fb032c1ddd96ca705932b6fa73209a642fb5fada0b27ab9ede394f5b17bde4874da844f96456c8f53b590fa221b393692c671eb11c8c80734a64cb4d
SSDEEP

49152:wL7b0i7Re4pCcKBuQeTZNxAbkOSqfnuATv0:2b0V4p/26T6bjPu7

Score

10^/10

redline maxbi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/820-211-0x000000000A780000-0x000000000AD98000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a39708225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a39708225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a39708225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a39708225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a39708225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a39708225.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4140	i43563383.exe
4144	i92901856.exe
3744	i21401076.exe
3208	i79422272.exe
4788	a39708225.exe
820	b18039794.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a39708225.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a39708225.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i79422272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i79422272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i43563383.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i92901856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i92901856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i21401076.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i43563383.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i21401076.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3720	4788	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4788	a39708225.exe
4788	a39708225.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	a39708225.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4140	3032	a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe	84
PID 3032 wrote to memory of 4140	3032	a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe	84
PID 3032 wrote to memory of 4140	3032	a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe	84
PID 4140 wrote to memory of 4144	4140	i43563383.exe	85
PID 4140 wrote to memory of 4144	4140	i43563383.exe	85
PID 4140 wrote to memory of 4144	4140	i43563383.exe	85
PID 4144 wrote to memory of 3744	4144	i92901856.exe	86
PID 4144 wrote to memory of 3744	4144	i92901856.exe	86
PID 4144 wrote to memory of 3744	4144	i92901856.exe	86
PID 3744 wrote to memory of 3208	3744	i21401076.exe	87
PID 3744 wrote to memory of 3208	3744	i21401076.exe	87
PID 3744 wrote to memory of 3208	3744	i21401076.exe	87
PID 3208 wrote to memory of 4788	3208	i79422272.exe	88
PID 3208 wrote to memory of 4788	3208	i79422272.exe	88
PID 3208 wrote to memory of 4788	3208	i79422272.exe	88
PID 3208 wrote to memory of 820	3208	i79422272.exe	93
PID 3208 wrote to memory of 820	3208	i79422272.exe	93
PID 3208 wrote to memory of 820	3208	i79422272.exe	93

C:\Users\Admin\AppData\Local\Temp\a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe
"C:\Users\Admin\AppData\Local\Temp\a3fa82924044e101e9afaed43d9fd6dc242a12fabbb60296cd8f231846578566.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i43563383.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i43563383.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92901856.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92901856.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i21401076.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i21401076.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79422272.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79422272.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a39708225.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a39708225.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1080
        7⤵
        Program crash
        
        PID:3720
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18039794.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18039794.exe
        6⤵
        Executes dropped EXE
        
        PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4788 -ip 4788
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i43563383.exe

Filesize
1.3MB

MD5
1049b71526da4f679e60d53958472768

SHA1
6a92628cb148e682e96ee5a6824286a60e57e51b

SHA256
3bde7e66af20ab6d60e2314755ad36e899d77d9357d7968fcc5cb14aec2d229e

SHA512
b0b8e0d206a3ab5f501c02a04efe73fa37ed816e9266bbc33cf3a3aa7bf87fb751bdee5ffe09646a0d77fa92ef28a78666f55a728ce3af7514e7f3f171a7ce5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i43563383.exe

Filesize
1.3MB

MD5
1049b71526da4f679e60d53958472768

SHA1
6a92628cb148e682e96ee5a6824286a60e57e51b

SHA256
3bde7e66af20ab6d60e2314755ad36e899d77d9357d7968fcc5cb14aec2d229e

SHA512
b0b8e0d206a3ab5f501c02a04efe73fa37ed816e9266bbc33cf3a3aa7bf87fb751bdee5ffe09646a0d77fa92ef28a78666f55a728ce3af7514e7f3f171a7ce5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92901856.exe

Filesize
1.1MB

MD5
6b38f9ba29e5815bb99ba009be3cc19b

SHA1
6e0039d9c066d1a29768b3d83332c56e1bc864cd

SHA256
99dc05110c1f3ef72e261e8463b24e15087980113d9d802edfb65f6004e02d36

SHA512
c57ad22461e96ba5389cec2571c5fd2439e9a2c354fbb03133de04a3e98cc1c26449652597c21d7adbeb4b0468adccf9c9389db4834a2192bd581fbd4322fdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i92901856.exe

Filesize
1.1MB

MD5
6b38f9ba29e5815bb99ba009be3cc19b

SHA1
6e0039d9c066d1a29768b3d83332c56e1bc864cd

SHA256
99dc05110c1f3ef72e261e8463b24e15087980113d9d802edfb65f6004e02d36

SHA512
c57ad22461e96ba5389cec2571c5fd2439e9a2c354fbb03133de04a3e98cc1c26449652597c21d7adbeb4b0468adccf9c9389db4834a2192bd581fbd4322fdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i21401076.exe

Filesize
689KB

MD5
4e2299e4dd9fd58c43808722e29a2da6

SHA1
7dece19734acb8593549c3484a3860efed6e4221

SHA256
4c5fe6919a40d712f3a120dbed893e5d72f46f1c9d12c2f06ff73a4ba4161718

SHA512
3dbced9c44f9f5b8408cb108d90fdca59c5ad6e8850de8be8c6dea4ccd37f781559b26273c354ba871740b32a2ad699fa364cf3b8547585e8367d6598e7a068d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i21401076.exe

Filesize
689KB

MD5
4e2299e4dd9fd58c43808722e29a2da6

SHA1
7dece19734acb8593549c3484a3860efed6e4221

SHA256
4c5fe6919a40d712f3a120dbed893e5d72f46f1c9d12c2f06ff73a4ba4161718

SHA512
3dbced9c44f9f5b8408cb108d90fdca59c5ad6e8850de8be8c6dea4ccd37f781559b26273c354ba871740b32a2ad699fa364cf3b8547585e8367d6598e7a068d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79422272.exe

Filesize
409KB

MD5
bb636b14520a4e9e518281eedf024543

SHA1
85672560f8bab56472978f49ef99645b3324ea5b

SHA256
fef6618411f88cf0b60095eeb8ed23ab8b30f9c29becd204a840a5aa755cf2bb

SHA512
bae2c44f845d066072faf7dd394e4d46daf6d5718ca15cead47bdab1f457d5a36ba97fab3959a105664296310415dc7bc849c433adbc418d3faa2ddd18821e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i79422272.exe

Filesize
409KB

MD5
bb636b14520a4e9e518281eedf024543

SHA1
85672560f8bab56472978f49ef99645b3324ea5b

SHA256
fef6618411f88cf0b60095eeb8ed23ab8b30f9c29becd204a840a5aa755cf2bb

SHA512
bae2c44f845d066072faf7dd394e4d46daf6d5718ca15cead47bdab1f457d5a36ba97fab3959a105664296310415dc7bc849c433adbc418d3faa2ddd18821e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a39708225.exe

Filesize
347KB

MD5
664f7b6be3f83e162cf6b2b6743f8721

SHA1
5f43504d69b62c0abbc4f7ec5e7a9fd8d22a1d0b

SHA256
067c3658e4e6eec911e451c61885370a205ab20ad024a80ab987d6272cff81e8

SHA512
e9d347c07cb81a0f32d6e8039091bc21b43ec75ab62a23c58889bfb4b50f452b1377ba18fa404c1868014b4f3335c3e86bdf2cd26d3ad2ecc0dba3fb97f01c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a39708225.exe

Filesize
347KB

MD5
664f7b6be3f83e162cf6b2b6743f8721

SHA1
5f43504d69b62c0abbc4f7ec5e7a9fd8d22a1d0b

SHA256
067c3658e4e6eec911e451c61885370a205ab20ad024a80ab987d6272cff81e8

SHA512
e9d347c07cb81a0f32d6e8039091bc21b43ec75ab62a23c58889bfb4b50f452b1377ba18fa404c1868014b4f3335c3e86bdf2cd26d3ad2ecc0dba3fb97f01c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18039794.exe

Filesize
168KB

MD5
9e474affcd271db2f33d4f37931356c1

SHA1
116b666c3baa969edf72deb40aca5b13e075d8ee

SHA256
97c3c79a4170a86bc6d8acf2939f010297850d0c99b0b96ccf3868f06a99cfd1

SHA512
71f6aa482b48d7718b052ed4d0ecb68b84d4bc8da2fb6f1ce56dd067bcf638e2bf40cf6d23194e84853f74cc82bc64e5cf7d9e6b0341b49a6ca93d8c51dd02e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b18039794.exe

Filesize
168KB

MD5
9e474affcd271db2f33d4f37931356c1

SHA1
116b666c3baa969edf72deb40aca5b13e075d8ee

SHA256
97c3c79a4170a86bc6d8acf2939f010297850d0c99b0b96ccf3868f06a99cfd1

SHA512
71f6aa482b48d7718b052ed4d0ecb68b84d4bc8da2fb6f1ce56dd067bcf638e2bf40cf6d23194e84853f74cc82bc64e5cf7d9e6b0341b49a6ca93d8c51dd02e0

Download Submit
memory/820-216-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/820-215-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/820-214-0x000000000A180000-0x000000000A1BC000-memory.dmp

Filesize
240KB

Download
memory/820-213-0x000000000A160000-0x000000000A172000-memory.dmp

Filesize
72KB

Download
memory/820-212-0x000000000A270000-0x000000000A37A000-memory.dmp

Filesize
1.0MB

Download
memory/820-211-0x000000000A780000-0x000000000AD98000-memory.dmp

Filesize
6.1MB

Download
memory/820-210-0x00000000002A0000-0x00000000002D0000-memory.dmp

Filesize
192KB

Download
memory/4788-184-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-202-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4788-186-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-188-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-190-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-192-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-194-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-196-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-198-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-200-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-201-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4788-182-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-203-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4788-204-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4788-206-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4788-180-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-174-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-176-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-178-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-173-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/4788-172-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4788-171-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4788-170-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/4788-169-0x0000000004EB0000-0x0000000005454000-memory.dmp

Filesize
5.6MB

Download