redline | 45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
Size

1.5MB
MD5

83f88944f53ffb95730512cc5807b178
SHA1

c06b03f02a8827688ab4c0d568a8fa15a24ad456
SHA256

45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d
SHA512

1c631d254cea6adb1f859df89e5334adc4563fc1ecdff84417884cc45bba5a6f9e13aacbae053ac6ca9c2a987d9cf948f1ec0ed73f14df4eae97a435fb79a6ba
SSDEEP

24576:EyU0fZjCxu/Jrug01HTJ7QYDtRK7DPkbjfV0xO3Ov+LP2evzWavPGCEzJIL/D6B:TU7Y/01HNBKUfV0xAOv+b5x6Ir

Score

10^/10

redline maxi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

217.196.96.56:4138

Attributes

auth_value
6e90da232d4c2e35c1a36c250f5f8904

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/2296-212-0x000000000A8B0000-0x000000000AEC8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1693777.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1693777.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1693777.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1693777.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1693777.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1693777.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
3068	v8198418.exe
4840	v9233574.exe
4352	v7560470.exe
1748	v9130807.exe
1424	a1693777.exe
2296	b6970603.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1693777.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1693777.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8198418.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8198418.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9233574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9233574.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7560470.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9130807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7560470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9130807.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1572	1424	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1424	a1693777.exe
1424	a1693777.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	a1693777.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 3068	4176	45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe	84
PID 4176 wrote to memory of 3068	4176	45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe	84
PID 4176 wrote to memory of 3068	4176	45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe	84
PID 3068 wrote to memory of 4840	3068	v8198418.exe	85
PID 3068 wrote to memory of 4840	3068	v8198418.exe	85
PID 3068 wrote to memory of 4840	3068	v8198418.exe	85
PID 4840 wrote to memory of 4352	4840	v9233574.exe	86
PID 4840 wrote to memory of 4352	4840	v9233574.exe	86
PID 4840 wrote to memory of 4352	4840	v9233574.exe	86
PID 4352 wrote to memory of 1748	4352	v7560470.exe	87
PID 4352 wrote to memory of 1748	4352	v7560470.exe	87
PID 4352 wrote to memory of 1748	4352	v7560470.exe	87
PID 1748 wrote to memory of 1424	1748	v9130807.exe	88
PID 1748 wrote to memory of 1424	1748	v9130807.exe	88
PID 1748 wrote to memory of 1424	1748	v9130807.exe	88
PID 1748 wrote to memory of 2296	1748	v9130807.exe	92
PID 1748 wrote to memory of 2296	1748	v9130807.exe	92
PID 1748 wrote to memory of 2296	1748	v9130807.exe	92

C:\Users\Admin\AppData\Local\Temp\45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe
"C:\Users\Admin\AppData\Local\Temp\45bbed85ebbc60dd139f50d98d9f70be979069c5cc57ae060a599e23284b1f2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1092
        7⤵
        Program crash
        
        PID:1572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe
        6⤵
        Executes dropped EXE
        
        PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1424 -ip 1424
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe

Filesize
1.3MB

MD5
cf2a9aec502b51eb0ec7b67af93edd02

SHA1
8625ef4c4bed8d41ddb7b9a9d7da9c9e403783be

SHA256
b9590f62fca81715e6a15718d218231f1744a9bb3fb5362488491c89d4cedf59

SHA512
c60fbafb3b0ef76679ebcccc85d57d1a4aac6dc511277340e3ff19222393bb9adcb34161c1bc610b297e28f9a6801c924985d3f27eeeec42fa17a68ce7a766b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8198418.exe

Filesize
1.3MB

MD5
cf2a9aec502b51eb0ec7b67af93edd02

SHA1
8625ef4c4bed8d41ddb7b9a9d7da9c9e403783be

SHA256
b9590f62fca81715e6a15718d218231f1744a9bb3fb5362488491c89d4cedf59

SHA512
c60fbafb3b0ef76679ebcccc85d57d1a4aac6dc511277340e3ff19222393bb9adcb34161c1bc610b297e28f9a6801c924985d3f27eeeec42fa17a68ce7a766b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe

Filesize
846KB

MD5
8a291cbebbbce5b33fd6780d08e1d0e3

SHA1
3dd00b1eba8f64b52a9c95a19c946b1c09cb752c

SHA256
68728a5f0060f9576ce2f0c0eb736aa70738b27f26b889b7f8882ae8a2d35eb8

SHA512
d5e2b73c44f57523761ae2fd5f63242d04d7bcc19c5da3b109afe5c2608fafd172f1b22dfb1048cf2fa91eca390f7a635ebc229b01f776f05e8afc6d830ce34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9233574.exe

Filesize
846KB

MD5
8a291cbebbbce5b33fd6780d08e1d0e3

SHA1
3dd00b1eba8f64b52a9c95a19c946b1c09cb752c

SHA256
68728a5f0060f9576ce2f0c0eb736aa70738b27f26b889b7f8882ae8a2d35eb8

SHA512
d5e2b73c44f57523761ae2fd5f63242d04d7bcc19c5da3b109afe5c2608fafd172f1b22dfb1048cf2fa91eca390f7a635ebc229b01f776f05e8afc6d830ce34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe

Filesize
642KB

MD5
0a2e60d3355b86bb63d3d145f92db5f1

SHA1
f403e0ccd869c075c8a90dfa815b3b2e34aae9e4

SHA256
c55143207f57392395ae1baab1a70ecea5d513bf997aa0e535ac3b3cc3a98495

SHA512
3246b61f7fda07ea27eb75192eee518bfbceb765a1e1a4149df7a9bfbda92f7c47ef38c13c6a7149f81c5f79cd812d94e0b5183daf03830bfd6ed6f1922e72bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7560470.exe

Filesize
642KB

MD5
0a2e60d3355b86bb63d3d145f92db5f1

SHA1
f403e0ccd869c075c8a90dfa815b3b2e34aae9e4

SHA256
c55143207f57392395ae1baab1a70ecea5d513bf997aa0e535ac3b3cc3a98495

SHA512
3246b61f7fda07ea27eb75192eee518bfbceb765a1e1a4149df7a9bfbda92f7c47ef38c13c6a7149f81c5f79cd812d94e0b5183daf03830bfd6ed6f1922e72bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe

Filesize
384KB

MD5
4054193c90f257e51b7828d3ab9b3d07

SHA1
e8293bcda8110a48213ff76449e4ac2532aca984

SHA256
e2f6d69846767435cc96c26256c03f66d252ee981c3929cbbfab524ff011c958

SHA512
20ccb9a3dbe2940c1659804728115f86e983d70c36bac44f850b2008a0b8cc7ea926a4c6cd95797399283d6562e6c2ab98078ddff94c3e3b863bc4906c97612d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9130807.exe

Filesize
384KB

MD5
4054193c90f257e51b7828d3ab9b3d07

SHA1
e8293bcda8110a48213ff76449e4ac2532aca984

SHA256
e2f6d69846767435cc96c26256c03f66d252ee981c3929cbbfab524ff011c958

SHA512
20ccb9a3dbe2940c1659804728115f86e983d70c36bac44f850b2008a0b8cc7ea926a4c6cd95797399283d6562e6c2ab98078ddff94c3e3b863bc4906c97612d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe

Filesize
286KB

MD5
7fad45faee013485b07dbe2df48b77e5

SHA1
0f4748c48d0820dbccd6bcd121bde9e22a7e789f

SHA256
ae544dae0f33caf5b3cfc192accf273d26c3feb63dedd8a950ca15c4865b40ae

SHA512
446e657fbc5843769556b675502ac709b16a0ad9e63329165886bacb30654c134f8fcb7cbf7e64062c229cfee54a24f196c4fb3b340de3117eb0564e3d15b241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1693777.exe

Filesize
286KB

MD5
7fad45faee013485b07dbe2df48b77e5

SHA1
0f4748c48d0820dbccd6bcd121bde9e22a7e789f

SHA256
ae544dae0f33caf5b3cfc192accf273d26c3feb63dedd8a950ca15c4865b40ae

SHA512
446e657fbc5843769556b675502ac709b16a0ad9e63329165886bacb30654c134f8fcb7cbf7e64062c229cfee54a24f196c4fb3b340de3117eb0564e3d15b241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe

Filesize
169KB

MD5
d33dca7ad0594bebe4b3461b4e0ba79c

SHA1
ad1700a0b1ed0f3d99771ee3edd24916afccb652

SHA256
f584e87f5032bcf37178f220c94d5dac86959afabf39a4c5d2fcf1a97bd2252b

SHA512
54cbdfcd5be451bc9fb2baf505a8ea5e26abc7c928bd5a778f6ac5340e4dea537414191ef546b303bb2e2e0cfdcb288d64377b2c573e44d7c74fb5a4506016dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6970603.exe

Filesize
169KB

MD5
d33dca7ad0594bebe4b3461b4e0ba79c

SHA1
ad1700a0b1ed0f3d99771ee3edd24916afccb652

SHA256
f584e87f5032bcf37178f220c94d5dac86959afabf39a4c5d2fcf1a97bd2252b

SHA512
54cbdfcd5be451bc9fb2baf505a8ea5e26abc7c928bd5a778f6ac5340e4dea537414191ef546b303bb2e2e0cfdcb288d64377b2c573e44d7c74fb5a4506016dc

Download Submit
memory/1424-185-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-197-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-173-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1424-174-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-175-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-177-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-179-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-181-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-183-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-187-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-170-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/1424-189-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-191-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-193-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-195-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-171-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1424-199-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-201-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1424-202-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1424-203-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1424-204-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1424-205-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1424-207-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1424-172-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/1424-169-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/2296-211-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/2296-212-0x000000000A8B0000-0x000000000AEC8000-memory.dmp

Filesize
6.1MB

Download
memory/2296-213-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/2296-214-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/2296-215-0x000000000A3B0000-0x000000000A3EC000-memory.dmp

Filesize
240KB

Download
memory/2296-216-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2296-217-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download