redline | ebebb7a0e4f0a8514b0b1e142d7e17fe0b6c336970066567601aa7ec17b4d13a

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-06-2023 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

627KB
MD5

d2def0084106d6e71ec3f01bf112d82e
SHA1

2480ff75eb470c56db4762545b3d70a1a79696b3
SHA256

ebebb7a0e4f0a8514b0b1e142d7e17fe0b6c336970066567601aa7ec17b4d13a
SHA512

32c910ddd3a22fe236e0ec2df8ee0e70106063559064ead304770f6d066dcaa6464e812d9222c4f5bf1061a9a2e93ae9980ed7cb38486cccc9176494b14abb0c
SSDEEP

12288:cMrMy90qYyW041SoNPrKVbFIWffdpo2nyKZxcLcgM/RFC/Z8auqD:Iy7odSoVrqd3fy9Lcg0RFCR8av

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v5387363.exev6541230.exea7621364.exeb3511224.exe

pid process

1604 v5387363.exe
680 v6541230.exe
1116 a7621364.exe
1680 b3511224.exe
Loads dropped DLL 8 IoCs

Processes:

tmp.exev5387363.exev6541230.exea7621364.exeb3511224.exe

pid process

1468 tmp.exe
1604 v5387363.exe
1604 v5387363.exe
680 v6541230.exe
680 v6541230.exe
1116 a7621364.exe
680 v6541230.exe
1680 b3511224.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1604	v5387363.exe
680	v6541230.exe
1116	a7621364.exe
1680	b3511224.exe

pid	process
1468	tmp.exe
1604	v5387363.exe
1604	v5387363.exe
680	v6541230.exe
680	v6541230.exe
1116	a7621364.exe
680	v6541230.exe
1680	b3511224.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v5387363.exev6541230.exetmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5387363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5387363.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6541230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6541230.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

a7621364.exe

description pid process target process

PID 1116 set thread context of 1104 1116 a7621364.exe AppLaunch.exe

description	pid	process	target process
PID 1116 set thread context of 1104	1116	a7621364.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

AppLaunch.exeb3511224.exe

pid	process
1104	AppLaunch.exe
1104	AppLaunch.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe
1680	b3511224.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exeb3511224.exe

description pid process

Token: SeDebugPrivilege 1104 AppLaunch.exe
Token: SeDebugPrivilege 1680 b3511224.exe

description	pid	process
Token: SeDebugPrivilege	1104	AppLaunch.exe
Token: SeDebugPrivilege	1680	b3511224.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

tmp.exev5387363.exev6541230.exea7621364.exe

description	pid	process	target process
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1468 wrote to memory of 1604	1468	tmp.exe	v5387363.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 1604 wrote to memory of 680	1604	v5387363.exe	v6541230.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 680 wrote to memory of 1116	680	v6541230.exe	a7621364.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 1116 wrote to memory of 1104	1116	a7621364.exe	AppLaunch.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe
PID 680 wrote to memory of 1680	680	v6541230.exe	b3511224.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
Filesize
425KB

MD5
d67bbeee039b8d650bcd1065abc87961

SHA1
f9301c877e491f0750d38f66d2e7448f1b551743

SHA256
aab805e421a7eb381e46f363c5ee5dbfd997f847560c24e449a017c360645072

SHA512
44da3ec7e40bbc9e136f70841530bdd91f5dd1715cb8860bac65ea296608e339dae429fcec7a005908654f724c4dc9850da05ccc1e8f7e59373e8a0d78d37acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
Filesize
425KB

MD5
d67bbeee039b8d650bcd1065abc87961

SHA1
f9301c877e491f0750d38f66d2e7448f1b551743

SHA256
aab805e421a7eb381e46f363c5ee5dbfd997f847560c24e449a017c360645072

SHA512
44da3ec7e40bbc9e136f70841530bdd91f5dd1715cb8860bac65ea296608e339dae429fcec7a005908654f724c4dc9850da05ccc1e8f7e59373e8a0d78d37acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
Filesize
254KB

MD5
7f991f72157b903cac0c69532f65c422

SHA1
06209f2c7341ef82195e0c480753caed0dd4eed4

SHA256
ef4c5bf7b4cc7fb3fe1c6cbb4893f90807d9916b9630333cf623338071d7c1a6

SHA512
f2434e058d98a37bbb856bddc6a59ab7fe96b40e8325e9662fc2c92490a7cd27b3848251c1b60d958029e63e84cdb70f576352e818b73924db2cf68491a7d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
Filesize
254KB

MD5
7f991f72157b903cac0c69532f65c422

SHA1
06209f2c7341ef82195e0c480753caed0dd4eed4

SHA256
ef4c5bf7b4cc7fb3fe1c6cbb4893f90807d9916b9630333cf623338071d7c1a6

SHA512
f2434e058d98a37bbb856bddc6a59ab7fe96b40e8325e9662fc2c92490a7cd27b3848251c1b60d958029e63e84cdb70f576352e818b73924db2cf68491a7d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
Filesize
108KB

MD5
edd967e9176e91837da5d1ddcee897c0

SHA1
a68799909279d6b3040300701808b71c5e1995c4

SHA256
fe4842288e041020243b724386e9167707db41abf362a9f2aa784b5979c3f805

SHA512
56a5f6e5bbef59ac1e8cd05d7d0967c320d02d9e6480aac860503193e6efbaba549fa7e49f8a2d43ff6b42ea7092efe57e5fcd94a0be343c8c329a44e12a53f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
Filesize
108KB

MD5
edd967e9176e91837da5d1ddcee897c0

SHA1
a68799909279d6b3040300701808b71c5e1995c4

SHA256
fe4842288e041020243b724386e9167707db41abf362a9f2aa784b5979c3f805

SHA512
56a5f6e5bbef59ac1e8cd05d7d0967c320d02d9e6480aac860503193e6efbaba549fa7e49f8a2d43ff6b42ea7092efe57e5fcd94a0be343c8c329a44e12a53f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
Filesize
172KB

MD5
d1925563c6a3da713c97baead6741903

SHA1
d9f680d3e0af2ef7fdc5d6e490a65c10abe47840

SHA256
147591c3ea3dd79c626062a17dc718441cd98728a5adf7a82bf207a263e7355f

SHA512
26fa7b5cd63f7aa36f65eec66ddb5690e4d93cc45bc124bb04b4890297dfcdfee59bc3c42272da11b56ddff895193cbe9a8cbf95c2a75253e7c4b0b684cded60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
Filesize
172KB

MD5
d1925563c6a3da713c97baead6741903

SHA1
d9f680d3e0af2ef7fdc5d6e490a65c10abe47840

SHA256
147591c3ea3dd79c626062a17dc718441cd98728a5adf7a82bf207a263e7355f

SHA512
26fa7b5cd63f7aa36f65eec66ddb5690e4d93cc45bc124bb04b4890297dfcdfee59bc3c42272da11b56ddff895193cbe9a8cbf95c2a75253e7c4b0b684cded60

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
Filesize
425KB

MD5
d67bbeee039b8d650bcd1065abc87961

SHA1
f9301c877e491f0750d38f66d2e7448f1b551743

SHA256
aab805e421a7eb381e46f363c5ee5dbfd997f847560c24e449a017c360645072

SHA512
44da3ec7e40bbc9e136f70841530bdd91f5dd1715cb8860bac65ea296608e339dae429fcec7a005908654f724c4dc9850da05ccc1e8f7e59373e8a0d78d37acc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5387363.exe
Filesize
425KB

MD5
d67bbeee039b8d650bcd1065abc87961

SHA1
f9301c877e491f0750d38f66d2e7448f1b551743

SHA256
aab805e421a7eb381e46f363c5ee5dbfd997f847560c24e449a017c360645072

SHA512
44da3ec7e40bbc9e136f70841530bdd91f5dd1715cb8860bac65ea296608e339dae429fcec7a005908654f724c4dc9850da05ccc1e8f7e59373e8a0d78d37acc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
Filesize
254KB

MD5
7f991f72157b903cac0c69532f65c422

SHA1
06209f2c7341ef82195e0c480753caed0dd4eed4

SHA256
ef4c5bf7b4cc7fb3fe1c6cbb4893f90807d9916b9630333cf623338071d7c1a6

SHA512
f2434e058d98a37bbb856bddc6a59ab7fe96b40e8325e9662fc2c92490a7cd27b3848251c1b60d958029e63e84cdb70f576352e818b73924db2cf68491a7d7de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6541230.exe
Filesize
254KB

MD5
7f991f72157b903cac0c69532f65c422

SHA1
06209f2c7341ef82195e0c480753caed0dd4eed4

SHA256
ef4c5bf7b4cc7fb3fe1c6cbb4893f90807d9916b9630333cf623338071d7c1a6

SHA512
f2434e058d98a37bbb856bddc6a59ab7fe96b40e8325e9662fc2c92490a7cd27b3848251c1b60d958029e63e84cdb70f576352e818b73924db2cf68491a7d7de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
Filesize
108KB

MD5
edd967e9176e91837da5d1ddcee897c0

SHA1
a68799909279d6b3040300701808b71c5e1995c4

SHA256
fe4842288e041020243b724386e9167707db41abf362a9f2aa784b5979c3f805

SHA512
56a5f6e5bbef59ac1e8cd05d7d0967c320d02d9e6480aac860503193e6efbaba549fa7e49f8a2d43ff6b42ea7092efe57e5fcd94a0be343c8c329a44e12a53f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7621364.exe
Filesize
108KB

MD5
edd967e9176e91837da5d1ddcee897c0

SHA1
a68799909279d6b3040300701808b71c5e1995c4

SHA256
fe4842288e041020243b724386e9167707db41abf362a9f2aa784b5979c3f805

SHA512
56a5f6e5bbef59ac1e8cd05d7d0967c320d02d9e6480aac860503193e6efbaba549fa7e49f8a2d43ff6b42ea7092efe57e5fcd94a0be343c8c329a44e12a53f3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
Filesize
172KB

MD5
d1925563c6a3da713c97baead6741903

SHA1
d9f680d3e0af2ef7fdc5d6e490a65c10abe47840

SHA256
147591c3ea3dd79c626062a17dc718441cd98728a5adf7a82bf207a263e7355f

SHA512
26fa7b5cd63f7aa36f65eec66ddb5690e4d93cc45bc124bb04b4890297dfcdfee59bc3c42272da11b56ddff895193cbe9a8cbf95c2a75253e7c4b0b684cded60

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3511224.exe
Filesize
172KB

MD5
d1925563c6a3da713c97baead6741903

SHA1
d9f680d3e0af2ef7fdc5d6e490a65c10abe47840

SHA256
147591c3ea3dd79c626062a17dc718441cd98728a5adf7a82bf207a263e7355f

SHA512
26fa7b5cd63f7aa36f65eec66ddb5690e4d93cc45bc124bb04b4890297dfcdfee59bc3c42272da11b56ddff895193cbe9a8cbf95c2a75253e7c4b0b684cded60

Download Submit
memory/1104-91-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1104-92-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1104-84-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1104-89-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1104-85-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1680-99-0x0000000000ED0000-0x0000000000F00000-memory.dmp

Filesize
192KB

Download
memory/1680-100-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1680-101-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/1680-102-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download