redline | 555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287

Analysis

max time kernel
185s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe
Size

1.4MB
MD5

4609e193fe7722c7a872d8dff7f4e6f8
SHA1

3bd638423b49dd8ab9b7b25114a2effd1f0b6f3c
SHA256

555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287
SHA512

1e263e46d3061cfae976d0937aa5b3e60e032de854811d4a4e3d74fa172007cdd6183df3d89554132d5e2049ffb8554fc5cf9d9e0a68fc7146021e459c26d115
SSDEEP

24576:YyRDxazhpId6jnQuZTL0EgcVkPHfMghtXYbBkOEPVO3u4blpDX5ZLbkKF0c:fUpISnbJoEgcVCHdtXY955blpjwKF

Score

10^/10

redline maxbi evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/4180-217-0x00000000057C0000-0x0000000005DD8000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a65692848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a65692848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a65692848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a65692848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a65692848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a65692848.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2664	i67646873.exe
5040	i04371890.exe
340	i03537283.exe
2372	i43794111.exe
2736	a65692848.exe
4180	b65758189.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a65692848.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a65692848.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i67646873.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i04371890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i04371890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i03537283.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i43794111.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i43794111.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i67646873.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i03537283.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	2736	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2736	a65692848.exe
2736	a65692848.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	a65692848.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2664	1520	555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe	77
PID 1520 wrote to memory of 2664	1520	555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe	77
PID 1520 wrote to memory of 2664	1520	555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe	77
PID 2664 wrote to memory of 5040	2664	i67646873.exe	78
PID 2664 wrote to memory of 5040	2664	i67646873.exe	78
PID 2664 wrote to memory of 5040	2664	i67646873.exe	78
PID 5040 wrote to memory of 340	5040	i04371890.exe	79
PID 5040 wrote to memory of 340	5040	i04371890.exe	79
PID 5040 wrote to memory of 340	5040	i04371890.exe	79
PID 340 wrote to memory of 2372	340	i03537283.exe	80
PID 340 wrote to memory of 2372	340	i03537283.exe	80
PID 340 wrote to memory of 2372	340	i03537283.exe	80
PID 2372 wrote to memory of 2736	2372	i43794111.exe	81
PID 2372 wrote to memory of 2736	2372	i43794111.exe	81
PID 2372 wrote to memory of 2736	2372	i43794111.exe	81
PID 2372 wrote to memory of 4180	2372	i43794111.exe	88
PID 2372 wrote to memory of 4180	2372	i43794111.exe	88
PID 2372 wrote to memory of 4180	2372	i43794111.exe	88

C:\Users\Admin\AppData\Local\Temp\555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe
"C:\Users\Admin\AppData\Local\Temp\555f09b84080a59fdc30cc4445aad71519ee74d535852295ed270a25f6274287.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i67646873.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i67646873.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04371890.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04371890.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03537283.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03537283.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i43794111.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i43794111.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65692848.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65692848.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1092
        7⤵
        Program crash
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b65758189.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b65758189.exe
        6⤵
        Executes dropped EXE
        
        PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2736 -ip 2736
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i67646873.exe

Filesize
1.2MB

MD5
d7d45881310b25abbc62aaf2efd2d708

SHA1
5c15f914094c4fa606364a17277042a438062093

SHA256
ef6337fe0f19bb31beb4c9cd391a3aca184bddc0d08851fb4192a1014f1d9f24

SHA512
29126e7bfaf4452db4611d8a9b54afceed7b8fa6f81c84bc2810f5ae5871d5a1e5e9de196cb7978a4f9b75413a6311b86b32c874275cbfb8c8d27cefc2662c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i67646873.exe

Filesize
1.2MB

MD5
d7d45881310b25abbc62aaf2efd2d708

SHA1
5c15f914094c4fa606364a17277042a438062093

SHA256
ef6337fe0f19bb31beb4c9cd391a3aca184bddc0d08851fb4192a1014f1d9f24

SHA512
29126e7bfaf4452db4611d8a9b54afceed7b8fa6f81c84bc2810f5ae5871d5a1e5e9de196cb7978a4f9b75413a6311b86b32c874275cbfb8c8d27cefc2662c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04371890.exe

Filesize
1.1MB

MD5
b9384672fe1b4f3a7e9adb352d154691

SHA1
c1db9a2d41abd2554bd45a3ecdb067e38e99e28a

SHA256
ad13c600998862c936c886f2b07c30e67bf71bb2d1fdfad52858e2eef6d1adb5

SHA512
d912b8a814d27ebd3c919de633ca05f18fcb0fbca9e248f39a34d992afae3a2116e1850521c2d31a950453f78569542ea2dff480b38f7746f63f54f4da5eadbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i04371890.exe

Filesize
1.1MB

MD5
b9384672fe1b4f3a7e9adb352d154691

SHA1
c1db9a2d41abd2554bd45a3ecdb067e38e99e28a

SHA256
ad13c600998862c936c886f2b07c30e67bf71bb2d1fdfad52858e2eef6d1adb5

SHA512
d912b8a814d27ebd3c919de633ca05f18fcb0fbca9e248f39a34d992afae3a2116e1850521c2d31a950453f78569542ea2dff480b38f7746f63f54f4da5eadbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03537283.exe

Filesize
644KB

MD5
06bce206b21570cf56228ed2467b501c

SHA1
13ab697827ee3f26a75bd0368526cfa933acfbcb

SHA256
b2ad465b00e5bb7c6a369868c164de95c14270cb20982581629719a439be86bb

SHA512
d1eea6b231d6e799f223f41476585d4437ee5fc2ab762ea2db4cb132231d2fb6f3bf12e1a0790a8d6c285827850a5c7f90923f3de9b1e0a1f2e8f761bba544cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i03537283.exe

Filesize
644KB

MD5
06bce206b21570cf56228ed2467b501c

SHA1
13ab697827ee3f26a75bd0368526cfa933acfbcb

SHA256
b2ad465b00e5bb7c6a369868c164de95c14270cb20982581629719a439be86bb

SHA512
d1eea6b231d6e799f223f41476585d4437ee5fc2ab762ea2db4cb132231d2fb6f3bf12e1a0790a8d6c285827850a5c7f90923f3de9b1e0a1f2e8f761bba544cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i43794111.exe

Filesize
385KB

MD5
e0291881a875fe7e1ba97ddbcddb7c91

SHA1
ca5eeabe1d0bff47a26edb21c7aa01ee3af293a4

SHA256
fd548d9807169259f7ca512beeb1a38ac3da9a4d5de6df882780a459a3dc8c0e

SHA512
863460c70ea397f06af273cdae5e159138946fba6d5593c89f2bd8ec942b9a7d6f3f239d7b8bbd0f8b7fc362370cce4a97798f9cb4d173f369a880ec1a77c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i43794111.exe

Filesize
385KB

MD5
e0291881a875fe7e1ba97ddbcddb7c91

SHA1
ca5eeabe1d0bff47a26edb21c7aa01ee3af293a4

SHA256
fd548d9807169259f7ca512beeb1a38ac3da9a4d5de6df882780a459a3dc8c0e

SHA512
863460c70ea397f06af273cdae5e159138946fba6d5593c89f2bd8ec942b9a7d6f3f239d7b8bbd0f8b7fc362370cce4a97798f9cb4d173f369a880ec1a77c9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65692848.exe

Filesize
294KB

MD5
e05470c84484b430c60ce33e9bb26219

SHA1
b88da6f58327aae3b544d20f8ec04dcf18c7cbd6

SHA256
aa061f1096ff17738e46eb6d21e784719238e839f0d170f05ea959799b2eeaa5

SHA512
c078d832f291cd1066c4f5476ec4e7d769e84d5f7a81605f1262b07423e23d78930aaebaf163ff29fab2019c61d620a55850be606964a7006b91b0f39ae80c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a65692848.exe

Filesize
294KB

MD5
e05470c84484b430c60ce33e9bb26219

SHA1
b88da6f58327aae3b544d20f8ec04dcf18c7cbd6

SHA256
aa061f1096ff17738e46eb6d21e784719238e839f0d170f05ea959799b2eeaa5

SHA512
c078d832f291cd1066c4f5476ec4e7d769e84d5f7a81605f1262b07423e23d78930aaebaf163ff29fab2019c61d620a55850be606964a7006b91b0f39ae80c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b65758189.exe

Filesize
168KB

MD5
174b94edefccf9e918a5fd08ead4bc54

SHA1
f48e9ef0a72cf96349d0b6f6001f9ddc9217da60

SHA256
48651666b0610ae63461c12713b380fb1404da3824abdaf26c142b1af31216db

SHA512
85b5299b5af01129e2d509da25868a4ea320a396d4c7f6c682f880bbb3fa76b7da81846de2bb942d4ab876a6766f247a62d1031768e68d149928960e239b8994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b65758189.exe

Filesize
168KB

MD5
174b94edefccf9e918a5fd08ead4bc54

SHA1
f48e9ef0a72cf96349d0b6f6001f9ddc9217da60

SHA256
48651666b0610ae63461c12713b380fb1404da3824abdaf26c142b1af31216db

SHA512
85b5299b5af01129e2d509da25868a4ea320a396d4c7f6c682f880bbb3fa76b7da81846de2bb942d4ab876a6766f247a62d1031768e68d149928960e239b8994

Download Submit
memory/2736-191-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-200-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2736-175-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-177-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-181-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-183-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-185-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-187-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-179-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-189-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-171-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-193-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-195-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-197-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-198-0x00000000007A0000-0x00000000007CD000-memory.dmp

Filesize
180KB

Download
memory/2736-173-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-199-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2736-201-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2736-202-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/2736-204-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2736-205-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2736-206-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2736-208-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/2736-170-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2736-169-0x0000000004E90000-0x0000000005434000-memory.dmp

Filesize
5.6MB

Download
memory/4180-216-0x0000000000620000-0x0000000000650000-memory.dmp

Filesize
192KB

Download
memory/4180-217-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/4180-218-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4180-219-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/4180-220-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4180-221-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/4180-222-0x00000000053C0000-0x00000000053FC000-memory.dmp

Filesize
240KB

Download