redline | 22551fff44698c2f7a48d2f4b8a7bcb58dd44a70e0b01db48d850bb1efcbbd56

Analysis

max time kernel
130s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-06-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05920899.exe
Size

580KB
MD5

4fecb1d7deb6932dfa5317593b17f8a5
SHA1

2005ff6e0b79af16512c6db32e65d2c1ae021c9d
SHA256

22551fff44698c2f7a48d2f4b8a7bcb58dd44a70e0b01db48d850bb1efcbbd56
SHA512

c502a4ff304911120b5033a7aac99d36a1d5acd5950c5ac37a70f7d236d00a8d60796e9d38602e0fc0887f8a99db606569ac363f99ba730557b94542d47fb566
SSDEEP

12288:RMrZy90+D8295Pkghk6ehZJDPhW82zqzNdiBjt5351qk:8yzdk93zr2zqHejt53v3

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2168367.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2168367.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2168367.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2168367.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2168367.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2168367.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2168367.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v3459164.exev7103805.exea2168367.exeb5784695.exe

pid process

1796 v3459164.exe
1512 v7103805.exe
772 a2168367.exe
1544 b5784695.exe
Loads dropped DLL 7 IoCs

Processes:

05920899.exev3459164.exev7103805.exeb5784695.exe

pid process

1392 05920899.exe
1796 v3459164.exe
1796 v3459164.exe
1512 v7103805.exe
1512 v7103805.exe
1512 v7103805.exe
1544 b5784695.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1796	v3459164.exe
1512	v7103805.exe
772	a2168367.exe
1544	b5784695.exe

pid	process
1392	05920899.exe
1796	v3459164.exe
1796	v3459164.exe
1512	v7103805.exe
1512	v7103805.exe
1512	v7103805.exe
1544	b5784695.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a2168367.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	a2168367.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2168367.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

05920899.exev3459164.exev7103805.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05920899.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3459164.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3459164.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7103805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7103805.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	05920899.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a2168367.exeb5784695.exe

pid process

772 a2168367.exe
772 a2168367.exe
1544 b5784695.exe
1544 b5784695.exe
1544 b5784695.exe
1544 b5784695.exe
1544 b5784695.exe
1544 b5784695.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2168367.exeb5784695.exe

description pid process

Token: SeDebugPrivilege 772 a2168367.exe
Token: SeDebugPrivilege 1544 b5784695.exe

pid	process
772	a2168367.exe
772	a2168367.exe
1544	b5784695.exe
1544	b5784695.exe
1544	b5784695.exe
1544	b5784695.exe
1544	b5784695.exe
1544	b5784695.exe

description	pid	process
Token: SeDebugPrivilege	772	a2168367.exe
Token: SeDebugPrivilege	1544	b5784695.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

05920899.exev3459164.exev7103805.exe

description	pid	process	target process
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1392 wrote to memory of 1796	1392	05920899.exe	v3459164.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1796 wrote to memory of 1512	1796	v3459164.exe	v7103805.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 772	1512	v7103805.exe	a2168367.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe
PID 1512 wrote to memory of 1544	1512	v7103805.exe	b5784695.exe

C:\Users\Admin\AppData\Local\Temp\05920899.exe
"C:\Users\Admin\AppData\Local\Temp\05920899.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3459164.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3459164.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7103805.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7103805.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2168367.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2168367.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784695.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784695.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3459164.exe

Filesize
377KB

MD5
a53262d6885b5a7051b03bf06b34715d

SHA1
1fcb207ff13c535e95ba7465ad58c82ea13ae8f5

SHA256
29e856aa1aceb80501363a97c03895179ba8b00973ca4b96bd09035d27a1eb38

SHA512
0f0898a00f386e1e02626c01d8c2c951f1a21c3fd5a3352b2a8675c48d7103f6f42e22b971cb13dfce9db73d2c52906ae2c5de21dc60daa0bed93a2abf3e0545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3459164.exe

Filesize
377KB

MD5
a53262d6885b5a7051b03bf06b34715d

SHA1
1fcb207ff13c535e95ba7465ad58c82ea13ae8f5

SHA256
29e856aa1aceb80501363a97c03895179ba8b00973ca4b96bd09035d27a1eb38

SHA512
0f0898a00f386e1e02626c01d8c2c951f1a21c3fd5a3352b2a8675c48d7103f6f42e22b971cb13dfce9db73d2c52906ae2c5de21dc60daa0bed93a2abf3e0545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7103805.exe

Filesize
206KB

MD5
f239f4eae5c8428d47da14d2223d9485

SHA1
e7f765ae2c80e515edbf8df4a7203027700c624c

SHA256
e640a90e5d742a961ef73a66c3f50c66aa4b84ba55f5c7adb5b416d5314a14d4

SHA512
225a12d459144673bf8d1a89d81494f3c94d4e06aaebb77a9b98c0e123fa050370d379e6bd94d08d7e26fe2788cc6c7ffc717078baefdb414d35fc65927980c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7103805.exe

Filesize
206KB

MD5
f239f4eae5c8428d47da14d2223d9485

SHA1
e7f765ae2c80e515edbf8df4a7203027700c624c

SHA256
e640a90e5d742a961ef73a66c3f50c66aa4b84ba55f5c7adb5b416d5314a14d4

SHA512
225a12d459144673bf8d1a89d81494f3c94d4e06aaebb77a9b98c0e123fa050370d379e6bd94d08d7e26fe2788cc6c7ffc717078baefdb414d35fc65927980c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2168367.exe

Filesize
11KB

MD5
74f89a0b9ff9389fd8657992b726e45e

SHA1
1aea38cc5f5a340a0c281a870f03a10ce48ed3f0

SHA256
12c6ccdb64789a5a12a760868a646ba024a8c60a631ac32b2d166fb244761dc2

SHA512
82437db3eafca5a6742764b43fbc7fec4aba8a1015019d16502e49b7f31e462831033be11847524fccb6ace4f90e7fcdff1fd48ca015dcc089ea2774f9647699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2168367.exe

Filesize
11KB

MD5
74f89a0b9ff9389fd8657992b726e45e

SHA1
1aea38cc5f5a340a0c281a870f03a10ce48ed3f0

SHA256
12c6ccdb64789a5a12a760868a646ba024a8c60a631ac32b2d166fb244761dc2

SHA512
82437db3eafca5a6742764b43fbc7fec4aba8a1015019d16502e49b7f31e462831033be11847524fccb6ace4f90e7fcdff1fd48ca015dcc089ea2774f9647699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784695.exe

Filesize
172KB

MD5
7868eecca8f99b6fedf25218a3469fff

SHA1
13f5e87b84a78271cc348b2c1766386139289b2c

SHA256
4bd5bf15677e090be06a9e9713444e0ce1b1d7e3aa431639fc3dfdc74324fbf8

SHA512
ec2f5cfb3a8d7b765ce94f19581f8f732d4fec87dd9ac7129c6f1ad1f79783b9b688ceb7ae6709c7306feff88fe4ff7d1dc441ac09dacbe97faf565bd2ace2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784695.exe

Filesize
172KB

MD5
7868eecca8f99b6fedf25218a3469fff

SHA1
13f5e87b84a78271cc348b2c1766386139289b2c

SHA256
4bd5bf15677e090be06a9e9713444e0ce1b1d7e3aa431639fc3dfdc74324fbf8

SHA512
ec2f5cfb3a8d7b765ce94f19581f8f732d4fec87dd9ac7129c6f1ad1f79783b9b688ceb7ae6709c7306feff88fe4ff7d1dc441ac09dacbe97faf565bd2ace2ce

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3459164.exe

Filesize
377KB

MD5
a53262d6885b5a7051b03bf06b34715d

SHA1
1fcb207ff13c535e95ba7465ad58c82ea13ae8f5

SHA256
29e856aa1aceb80501363a97c03895179ba8b00973ca4b96bd09035d27a1eb38

SHA512
0f0898a00f386e1e02626c01d8c2c951f1a21c3fd5a3352b2a8675c48d7103f6f42e22b971cb13dfce9db73d2c52906ae2c5de21dc60daa0bed93a2abf3e0545

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3459164.exe

Filesize
377KB

MD5
a53262d6885b5a7051b03bf06b34715d

SHA1
1fcb207ff13c535e95ba7465ad58c82ea13ae8f5

SHA256
29e856aa1aceb80501363a97c03895179ba8b00973ca4b96bd09035d27a1eb38

SHA512
0f0898a00f386e1e02626c01d8c2c951f1a21c3fd5a3352b2a8675c48d7103f6f42e22b971cb13dfce9db73d2c52906ae2c5de21dc60daa0bed93a2abf3e0545

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7103805.exe

Filesize
206KB

MD5
f239f4eae5c8428d47da14d2223d9485

SHA1
e7f765ae2c80e515edbf8df4a7203027700c624c

SHA256
e640a90e5d742a961ef73a66c3f50c66aa4b84ba55f5c7adb5b416d5314a14d4

SHA512
225a12d459144673bf8d1a89d81494f3c94d4e06aaebb77a9b98c0e123fa050370d379e6bd94d08d7e26fe2788cc6c7ffc717078baefdb414d35fc65927980c2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7103805.exe

Filesize
206KB

MD5
f239f4eae5c8428d47da14d2223d9485

SHA1
e7f765ae2c80e515edbf8df4a7203027700c624c

SHA256
e640a90e5d742a961ef73a66c3f50c66aa4b84ba55f5c7adb5b416d5314a14d4

SHA512
225a12d459144673bf8d1a89d81494f3c94d4e06aaebb77a9b98c0e123fa050370d379e6bd94d08d7e26fe2788cc6c7ffc717078baefdb414d35fc65927980c2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2168367.exe

Filesize
11KB

MD5
74f89a0b9ff9389fd8657992b726e45e

SHA1
1aea38cc5f5a340a0c281a870f03a10ce48ed3f0

SHA256
12c6ccdb64789a5a12a760868a646ba024a8c60a631ac32b2d166fb244761dc2

SHA512
82437db3eafca5a6742764b43fbc7fec4aba8a1015019d16502e49b7f31e462831033be11847524fccb6ace4f90e7fcdff1fd48ca015dcc089ea2774f9647699

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784695.exe

Filesize
172KB

MD5
7868eecca8f99b6fedf25218a3469fff

SHA1
13f5e87b84a78271cc348b2c1766386139289b2c

SHA256
4bd5bf15677e090be06a9e9713444e0ce1b1d7e3aa431639fc3dfdc74324fbf8

SHA512
ec2f5cfb3a8d7b765ce94f19581f8f732d4fec87dd9ac7129c6f1ad1f79783b9b688ceb7ae6709c7306feff88fe4ff7d1dc441ac09dacbe97faf565bd2ace2ce

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784695.exe

Filesize
172KB

MD5
7868eecca8f99b6fedf25218a3469fff

SHA1
13f5e87b84a78271cc348b2c1766386139289b2c

SHA256
4bd5bf15677e090be06a9e9713444e0ce1b1d7e3aa431639fc3dfdc74324fbf8

SHA512
ec2f5cfb3a8d7b765ce94f19581f8f732d4fec87dd9ac7129c6f1ad1f79783b9b688ceb7ae6709c7306feff88fe4ff7d1dc441ac09dacbe97faf565bd2ace2ce

Download Submit
memory/772-82-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1544-89-0x0000000000820000-0x0000000000850000-memory.dmp

Filesize
192KB

Download
memory/1544-90-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1544-91-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/1544-92-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download