redline | 43f0bae96ca7e25e4810ef59e650d57267bb91b486b817cb64012f636f13b49b

Analysis

max time kernel
129s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

engine734.exe
Size

1.0MB
MD5

ce69662000eca813ff07d53dc065706c
SHA1

60e6a815aa184f91d808af536108deaf6571f6cb
SHA256

43f0bae96ca7e25e4810ef59e650d57267bb91b486b817cb64012f636f13b49b
SHA512

ad509c8559a02da1d948c8286c0e5cd219fa4b1f4e6e4169a47d8a327d817ef934396dee65e47174b1b63f5ab5461b50467424c8bf31662bc9329104df0d74b7
SSDEEP

24576:yyMMMxGn7q2ZLqf4Az+B9C2j8LZalxQmmeFEfILJ:Z3Mx47RpqP24MlxQm/FEfY

Score

10^/10

redline mixa evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mixa

185.161.248.37:4138

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5929019.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5929019.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
928	v4831388.exe
1476	v6907871.exe
1120	a5929019.exe
396	b4932092.exe

Loads dropped DLL 8 IoCs

pid	Process
608	engine734.exe
928	v4831388.exe
928	v4831388.exe
1476	v6907871.exe
1476	v6907871.exe
1120	a5929019.exe
1476	v6907871.exe
396	b4932092.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a5929019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5929019.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6907871.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	engine734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	engine734.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4831388.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4831388.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6907871.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1120	a5929019.exe
1120	a5929019.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	a5929019.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 608 wrote to memory of 928	608	engine734.exe	28
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 928 wrote to memory of 1476	928	v4831388.exe	29
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 1120	1476	v6907871.exe	30
PID 1476 wrote to memory of 396	1476	v6907871.exe	31
PID 1476 wrote to memory of 396	1476	v6907871.exe	31
PID 1476 wrote to memory of 396	1476	v6907871.exe	31
PID 1476 wrote to memory of 396	1476	v6907871.exe	31
PID 1476 wrote to memory of 396	1476	v6907871.exe	31
PID 1476 wrote to memory of 396	1476	v6907871.exe	31
PID 1476 wrote to memory of 396	1476	v6907871.exe	31

C:\Users\Admin\AppData\Local\Temp\engine734.exe
"C:\Users\Admin\AppData\Local\Temp\engine734.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe

Filesize
750KB

MD5
765f9c01b90262fe994657fa9d584be3

SHA1
aa33ea0c3f72962957fb89ca918a2f8e8c24d679

SHA256
03844dfd79ac76c297c7adb81a51fb5bcce9dee859f46187c3c9c56fd38e1198

SHA512
47057e1e786c7838f69b9faab0f53ced82eb4796588754e426a09accb042ff8981af97f2e33174180e3dac73b908ac36915f8940542adc8ccef6d3feda493af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe

Filesize
750KB

MD5
765f9c01b90262fe994657fa9d584be3

SHA1
aa33ea0c3f72962957fb89ca918a2f8e8c24d679

SHA256
03844dfd79ac76c297c7adb81a51fb5bcce9dee859f46187c3c9c56fd38e1198

SHA512
47057e1e786c7838f69b9faab0f53ced82eb4796588754e426a09accb042ff8981af97f2e33174180e3dac73b908ac36915f8940542adc8ccef6d3feda493af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe

Filesize
306KB

MD5
e655cf68e11fb3420bd42ce66a06043f

SHA1
521763434af4e29c6e602bc732aaa444dc3b147a

SHA256
c2878542b60977205a19b7907da40877ebb604a643da35cd30c589f6081520de

SHA512
89bb0736c61cc51782a29e5b785fd83e11f904576195d0e8a275af21c4338f6b8cd58353cfcdaf465c4736ae6fa876b5918ed4b6893e007b00b36e23451f8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe

Filesize
306KB

MD5
e655cf68e11fb3420bd42ce66a06043f

SHA1
521763434af4e29c6e602bc732aaa444dc3b147a

SHA256
c2878542b60977205a19b7907da40877ebb604a643da35cd30c589f6081520de

SHA512
89bb0736c61cc51782a29e5b785fd83e11f904576195d0e8a275af21c4338f6b8cd58353cfcdaf465c4736ae6fa876b5918ed4b6893e007b00b36e23451f8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe

Filesize
186KB

MD5
8a58bb7867c918961fde0fc6ed363813

SHA1
8f431c3659f83aeb4a097a09447fa9976e06f30c

SHA256
893b0a2523d279f96da6168a1a5a579fd0e2d1aa4239f277118031668e81fa11

SHA512
7dfcd1e10e7fe679df1c23862c2d8fe983d4c047318dfa2bff11b7cb45b519d7c8cfe5fe99411268125c544d37f5860b1a43c67ddadfd40ef6c03ebe0186ff55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe

Filesize
186KB

MD5
8a58bb7867c918961fde0fc6ed363813

SHA1
8f431c3659f83aeb4a097a09447fa9976e06f30c

SHA256
893b0a2523d279f96da6168a1a5a579fd0e2d1aa4239f277118031668e81fa11

SHA512
7dfcd1e10e7fe679df1c23862c2d8fe983d4c047318dfa2bff11b7cb45b519d7c8cfe5fe99411268125c544d37f5860b1a43c67ddadfd40ef6c03ebe0186ff55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe

Filesize
145KB

MD5
3de0cc4186baca52961a2f58bcfb45de

SHA1
95b3bb39b1869fd6c53078821724f41ac745ae9e

SHA256
cc31a1183d9887bce8a7280f599f123dd773feb4702410716915c5f21c7057d8

SHA512
4623a7497734203c4a866264a58da8d9f754fff332d9bc535aecfb60626252a73cef688167328d6bef303ff0899749b9a87a98e28caa0e8a0aea316a3eb14c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe

Filesize
145KB

MD5
3de0cc4186baca52961a2f58bcfb45de

SHA1
95b3bb39b1869fd6c53078821724f41ac745ae9e

SHA256
cc31a1183d9887bce8a7280f599f123dd773feb4702410716915c5f21c7057d8

SHA512
4623a7497734203c4a866264a58da8d9f754fff332d9bc535aecfb60626252a73cef688167328d6bef303ff0899749b9a87a98e28caa0e8a0aea316a3eb14c69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe

Filesize
750KB

MD5
765f9c01b90262fe994657fa9d584be3

SHA1
aa33ea0c3f72962957fb89ca918a2f8e8c24d679

SHA256
03844dfd79ac76c297c7adb81a51fb5bcce9dee859f46187c3c9c56fd38e1198

SHA512
47057e1e786c7838f69b9faab0f53ced82eb4796588754e426a09accb042ff8981af97f2e33174180e3dac73b908ac36915f8940542adc8ccef6d3feda493af0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4831388.exe

Filesize
750KB

MD5
765f9c01b90262fe994657fa9d584be3

SHA1
aa33ea0c3f72962957fb89ca918a2f8e8c24d679

SHA256
03844dfd79ac76c297c7adb81a51fb5bcce9dee859f46187c3c9c56fd38e1198

SHA512
47057e1e786c7838f69b9faab0f53ced82eb4796588754e426a09accb042ff8981af97f2e33174180e3dac73b908ac36915f8940542adc8ccef6d3feda493af0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe

Filesize
306KB

MD5
e655cf68e11fb3420bd42ce66a06043f

SHA1
521763434af4e29c6e602bc732aaa444dc3b147a

SHA256
c2878542b60977205a19b7907da40877ebb604a643da35cd30c589f6081520de

SHA512
89bb0736c61cc51782a29e5b785fd83e11f904576195d0e8a275af21c4338f6b8cd58353cfcdaf465c4736ae6fa876b5918ed4b6893e007b00b36e23451f8b0e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6907871.exe

Filesize
306KB

MD5
e655cf68e11fb3420bd42ce66a06043f

SHA1
521763434af4e29c6e602bc732aaa444dc3b147a

SHA256
c2878542b60977205a19b7907da40877ebb604a643da35cd30c589f6081520de

SHA512
89bb0736c61cc51782a29e5b785fd83e11f904576195d0e8a275af21c4338f6b8cd58353cfcdaf465c4736ae6fa876b5918ed4b6893e007b00b36e23451f8b0e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe

Filesize
186KB

MD5
8a58bb7867c918961fde0fc6ed363813

SHA1
8f431c3659f83aeb4a097a09447fa9976e06f30c

SHA256
893b0a2523d279f96da6168a1a5a579fd0e2d1aa4239f277118031668e81fa11

SHA512
7dfcd1e10e7fe679df1c23862c2d8fe983d4c047318dfa2bff11b7cb45b519d7c8cfe5fe99411268125c544d37f5860b1a43c67ddadfd40ef6c03ebe0186ff55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5929019.exe

Filesize
186KB

MD5
8a58bb7867c918961fde0fc6ed363813

SHA1
8f431c3659f83aeb4a097a09447fa9976e06f30c

SHA256
893b0a2523d279f96da6168a1a5a579fd0e2d1aa4239f277118031668e81fa11

SHA512
7dfcd1e10e7fe679df1c23862c2d8fe983d4c047318dfa2bff11b7cb45b519d7c8cfe5fe99411268125c544d37f5860b1a43c67ddadfd40ef6c03ebe0186ff55

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe

Filesize
145KB

MD5
3de0cc4186baca52961a2f58bcfb45de

SHA1
95b3bb39b1869fd6c53078821724f41ac745ae9e

SHA256
cc31a1183d9887bce8a7280f599f123dd773feb4702410716915c5f21c7057d8

SHA512
4623a7497734203c4a866264a58da8d9f754fff332d9bc535aecfb60626252a73cef688167328d6bef303ff0899749b9a87a98e28caa0e8a0aea316a3eb14c69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4932092.exe

Filesize
145KB

MD5
3de0cc4186baca52961a2f58bcfb45de

SHA1
95b3bb39b1869fd6c53078821724f41ac745ae9e

SHA256
cc31a1183d9887bce8a7280f599f123dd773feb4702410716915c5f21c7057d8

SHA512
4623a7497734203c4a866264a58da8d9f754fff332d9bc535aecfb60626252a73cef688167328d6bef303ff0899749b9a87a98e28caa0e8a0aea316a3eb14c69

Download Submit
memory/396-122-0x0000000002350000-0x0000000002390000-memory.dmp

Filesize
256KB

Download
memory/396-121-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/396-123-0x0000000002350000-0x0000000002390000-memory.dmp

Filesize
256KB

Download
memory/1120-92-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-96-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-98-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-100-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-102-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-104-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-106-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-108-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-110-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-112-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-114-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-94-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-90-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-88-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-87-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1120-86-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/1120-85-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/1120-84-0x0000000000300000-0x000000000031E000-memory.dmp

Filesize
120KB

Download