redline | c5c0d8259b0179d3893845ee37f6cf226e7b5f5e0f86d89c25f67f25c5111f5d

Analysis

max time kernel
127s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-06-2023 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02823199.exe
Size

580KB
MD5

b8a552548110bda4128f4898a2d91880
SHA1

f3157dcedfc0225ee4fd27d89aceb38f5755c17e
SHA256

c5c0d8259b0179d3893845ee37f6cf226e7b5f5e0f86d89c25f67f25c5111f5d
SHA512

cb0d140a0c916364106055cb4a7b8f458d14373d08c510abd6dab889aa821cde139486ae6663c994c016b212fb8bf80cb8318615bb69a4e44e80bc374cebfed2
SSDEEP

12288:fMr3y90FMHuYwinCm9AWt7GJLNE789d1CvM:4yHfjCmGU7YLNTCM

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5670341.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5670341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5670341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5670341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5670341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5670341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5670341.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v7801997.exev5528468.exea5670341.exeb5107172.exe

pid process

1144 v7801997.exe
1728 v5528468.exe
1908 a5670341.exe
2008 b5107172.exe
Loads dropped DLL 7 IoCs

Processes:

02823199.exev7801997.exev5528468.exeb5107172.exe

pid process

884 02823199.exe
1144 v7801997.exe
1144 v7801997.exe
1728 v5528468.exe
1728 v5528468.exe
1728 v5528468.exe
2008 b5107172.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1144	v7801997.exe
1728	v5528468.exe
1908	a5670341.exe
2008	b5107172.exe

pid	process
884	02823199.exe
1144	v7801997.exe
1144	v7801997.exe
1728	v5528468.exe
1728	v5528468.exe
1728	v5528468.exe
2008	b5107172.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a5670341.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	a5670341.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5670341.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7801997.exev5528468.exe02823199.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7801997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7801997.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5528468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5528468.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	02823199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02823199.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

a5670341.exeb5107172.exe

pid	process
1908	a5670341.exe
1908	a5670341.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe
2008	b5107172.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5670341.exeb5107172.exe

description pid process

Token: SeDebugPrivilege 1908 a5670341.exe
Token: SeDebugPrivilege 2008 b5107172.exe

description	pid	process
Token: SeDebugPrivilege	1908	a5670341.exe
Token: SeDebugPrivilege	2008	b5107172.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

02823199.exev7801997.exev5528468.exe

description	pid	process	target process
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 884 wrote to memory of 1144	884	02823199.exe	v7801997.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1144 wrote to memory of 1728	1144	v7801997.exe	v5528468.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 1908	1728	v5528468.exe	a5670341.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe
PID 1728 wrote to memory of 2008	1728	v5528468.exe	b5107172.exe

C:\Users\Admin\AppData\Local\Temp\02823199.exe
"C:\Users\Admin\AppData\Local\Temp\02823199.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe
Filesize
377KB

MD5
be4d981dd2929502bb640d0de9ad2a2a

SHA1
0b5cbaa734dd8b20927f116dc0ae25ef475a9ba2

SHA256
40af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a

SHA512
b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe
Filesize
377KB

MD5
be4d981dd2929502bb640d0de9ad2a2a

SHA1
0b5cbaa734dd8b20927f116dc0ae25ef475a9ba2

SHA256
40af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a

SHA512
b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe
Filesize
206KB

MD5
881be49873e76e896dcd922f756fb4e6

SHA1
e1e11d256ddb75932eafcf2f313085d360d20547

SHA256
58fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9

SHA512
c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe
Filesize
206KB

MD5
881be49873e76e896dcd922f756fb4e6

SHA1
e1e11d256ddb75932eafcf2f313085d360d20547

SHA256
58fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9

SHA512
c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exe
Filesize
11KB

MD5
fd9683ec29c78745ed8fd3373c804bd2

SHA1
01294920799cb1e7ed2595f618b2b6e16b5fd551

SHA256
e6e75520e77cb413bb91253a69aed590b4e43606b1a51c28da1d120f3bd8af35

SHA512
9ee71ae591b5bd2a7e2e2c767b2b361772ff8d162f0077faa1821258e6c4bf44a6934b54cd5e7de26241ec512fbfebb800b4a3df092c866a0f6bbbc5fc346b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exe
Filesize
11KB

MD5
fd9683ec29c78745ed8fd3373c804bd2

SHA1
01294920799cb1e7ed2595f618b2b6e16b5fd551

SHA256
e6e75520e77cb413bb91253a69aed590b4e43606b1a51c28da1d120f3bd8af35

SHA512
9ee71ae591b5bd2a7e2e2c767b2b361772ff8d162f0077faa1821258e6c4bf44a6934b54cd5e7de26241ec512fbfebb800b4a3df092c866a0f6bbbc5fc346b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe
Filesize
172KB

MD5
45da8a914cedfeab596ef8651b33599b

SHA1
be96c30cc9952c337f15ba9db86810595917ce13

SHA256
fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e

SHA512
0ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe
Filesize
172KB

MD5
45da8a914cedfeab596ef8651b33599b

SHA1
be96c30cc9952c337f15ba9db86810595917ce13

SHA256
fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e

SHA512
0ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe
Filesize
377KB

MD5
be4d981dd2929502bb640d0de9ad2a2a

SHA1
0b5cbaa734dd8b20927f116dc0ae25ef475a9ba2

SHA256
40af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a

SHA512
b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7801997.exe
Filesize
377KB

MD5
be4d981dd2929502bb640d0de9ad2a2a

SHA1
0b5cbaa734dd8b20927f116dc0ae25ef475a9ba2

SHA256
40af033d1371abced7086f5d26cba872cd35f51acf913ebc016e8806eb997c8a

SHA512
b1a3ae76a63e1f79d747a53e2e003c1321ef1dd14ec206a44600c49456852943db3aeee5b5dd26b9aa74ce758977fc1dda2a314e3ca9ce91b48fc354225f61e8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe
Filesize
206KB

MD5
881be49873e76e896dcd922f756fb4e6

SHA1
e1e11d256ddb75932eafcf2f313085d360d20547

SHA256
58fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9

SHA512
c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5528468.exe
Filesize
206KB

MD5
881be49873e76e896dcd922f756fb4e6

SHA1
e1e11d256ddb75932eafcf2f313085d360d20547

SHA256
58fe7ffe2e6f947bc63703f23b89f8bada8f6907399935792ec6fd0d955619c9

SHA512
c6871e2223669107d69b0f71a1ed68316869016f3d39e77463ef13fb8c4305101418cb6cee79260ee14c9bfeddd588d6f8cbd00e5c1d1b98cb6542926b37b802

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5670341.exe
Filesize
11KB

MD5
fd9683ec29c78745ed8fd3373c804bd2

SHA1
01294920799cb1e7ed2595f618b2b6e16b5fd551

SHA256
e6e75520e77cb413bb91253a69aed590b4e43606b1a51c28da1d120f3bd8af35

SHA512
9ee71ae591b5bd2a7e2e2c767b2b361772ff8d162f0077faa1821258e6c4bf44a6934b54cd5e7de26241ec512fbfebb800b4a3df092c866a0f6bbbc5fc346b52

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe
Filesize
172KB

MD5
45da8a914cedfeab596ef8651b33599b

SHA1
be96c30cc9952c337f15ba9db86810595917ce13

SHA256
fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e

SHA512
0ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5107172.exe
Filesize
172KB

MD5
45da8a914cedfeab596ef8651b33599b

SHA1
be96c30cc9952c337f15ba9db86810595917ce13

SHA256
fbdaf66fa8507628efaa88ba789c14ffb3c3fc83d03e7184a73e7f8fa0b6734e

SHA512
0ade6977b1c95effcabce1e7bb1be1f5ca7e4dab1feacfd3ebffa2e827fd2fb5f5b4164a52559f2813b0eabc8f12461d1e79956a80df4d87bf2db92ded8cf1b5

Download Submit
memory/1908-82-0x0000000001260000-0x000000000126A000-memory.dmp

Filesize
40KB

Download
memory/2008-89-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/2008-90-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2008-91-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/2008-92-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download