redline | 53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-06-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08885799.exe
Size

581KB
MD5

ff5d1e04d3ab7b200989a063c75e2461
SHA1

6088ab645636e8e954cbfead71308a6f56052d97
SHA256

53e8c50e13111ea74fe9a0a315dc9311233c7bdde45702e80c40f168668a538e
SHA512

bc04cd141c9a9489234aafc4bd35aaa13a6b43679a8d96079a9e56136506bf3f652117b5e544028c53ae61d7af939f989eab7ffa1ed13146044858ecc3df7b71
SSDEEP

12288:8Mrky90O9+7mtSIoKH0XxaIVwomNUXpFs+5B4ZvO+uEs0CIPmsP:Qy1k7WEKMyUXpd5B4ZG+uX0COmsP

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a4012019.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4012019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4012019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4012019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4012019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4012019.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4012019.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8927430.exev6392619.exea4012019.exeb5184495.exe

pid process

1304 v8927430.exe
764 v6392619.exe
680 a4012019.exe
1920 b5184495.exe
Loads dropped DLL 7 IoCs

Processes:

08885799.exev8927430.exev6392619.exeb5184495.exe

pid process

944 08885799.exe
1304 v8927430.exe
1304 v8927430.exe
764 v6392619.exe
764 v6392619.exe
764 v6392619.exe
1920 b5184495.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1304	v8927430.exe
764	v6392619.exe
680	a4012019.exe
1920	b5184495.exe

pid	process
944	08885799.exe
1304	v8927430.exe
1304	v8927430.exe
764	v6392619.exe
764	v6392619.exe
764	v6392619.exe
1920	b5184495.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a4012019.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4012019.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	a4012019.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

08885799.exev8927430.exev6392619.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08885799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08885799.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8927430.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8927430.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6392619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6392619.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

a4012019.exeb5184495.exe

pid	process
680	a4012019.exe
680	a4012019.exe
1920	b5184495.exe
1920	b5184495.exe
1920	b5184495.exe
1920	b5184495.exe
1920	b5184495.exe
1920	b5184495.exe
1920	b5184495.exe
1920	b5184495.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4012019.exeb5184495.exe

description pid process

Token: SeDebugPrivilege 680 a4012019.exe
Token: SeDebugPrivilege 1920 b5184495.exe

description	pid	process
Token: SeDebugPrivilege	680	a4012019.exe
Token: SeDebugPrivilege	1920	b5184495.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

08885799.exev8927430.exev6392619.exe

description	pid	process	target process
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 944 wrote to memory of 1304	944	08885799.exe	v8927430.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 1304 wrote to memory of 764	1304	v8927430.exe	v6392619.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 680	764	v6392619.exe	a4012019.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe
PID 764 wrote to memory of 1920	764	v6392619.exe	b5184495.exe

C:\Users\Admin\AppData\Local\Temp\08885799.exe
"C:\Users\Admin\AppData\Local\Temp\08885799.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe

Filesize
377KB

MD5
9e10117012d19841ff3641aa051363ee

SHA1
b5add5712375f58966fb01646d0c96e4031dd763

SHA256
343a93249c65cbfa0a30518bd5bd3b75353bce94c57aca97a1998d189d909980

SHA512
a132f6fc7723f88820de645efb9592a75beeccf84283d1a3668d716ee9754fa320ae66af7197650e186f8dded9b8833716ce7e689c5c7a719dd651a5f3fc7181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe

Filesize
377KB

MD5
9e10117012d19841ff3641aa051363ee

SHA1
b5add5712375f58966fb01646d0c96e4031dd763

SHA256
343a93249c65cbfa0a30518bd5bd3b75353bce94c57aca97a1998d189d909980

SHA512
a132f6fc7723f88820de645efb9592a75beeccf84283d1a3668d716ee9754fa320ae66af7197650e186f8dded9b8833716ce7e689c5c7a719dd651a5f3fc7181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe

Filesize
206KB

MD5
45eb4999184fbea0565929468db8b323

SHA1
a823c6bd2886a66dc534fdee80ed432b8f87555e

SHA256
6138f5763b9fd0a0203bbda64b42e5cae185a40fbd7f28520e16d40cf623c728

SHA512
3c77d31eaa5695bb63cd157a7f2a8d6c56b3c09e0ce50d93d9e29c98c1210444660955da0dd5606016c7ee4508ec5e32254f3db1d46b167287020227bf695b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe

Filesize
206KB

MD5
45eb4999184fbea0565929468db8b323

SHA1
a823c6bd2886a66dc534fdee80ed432b8f87555e

SHA256
6138f5763b9fd0a0203bbda64b42e5cae185a40fbd7f28520e16d40cf623c728

SHA512
3c77d31eaa5695bb63cd157a7f2a8d6c56b3c09e0ce50d93d9e29c98c1210444660955da0dd5606016c7ee4508ec5e32254f3db1d46b167287020227bf695b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe

Filesize
11KB

MD5
dc60801fd9e0ca4edcaf57ae68675c31

SHA1
5ad54ba5d8d424a27da7579f3853f5d60a7fcbe3

SHA256
7a3e60dbec28e18927d13cbee7784b016d9bdc162a7f25f6f27d19ac466ff05e

SHA512
46d8016f01195a6c63ecca7eb92c0d3ed9c06fb57f2411686b7b56def9ae3624789cb9881b47017160439370a86d4c16841ca57744f8fd3e6202e78c258e67f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe

Filesize
11KB

MD5
dc60801fd9e0ca4edcaf57ae68675c31

SHA1
5ad54ba5d8d424a27da7579f3853f5d60a7fcbe3

SHA256
7a3e60dbec28e18927d13cbee7784b016d9bdc162a7f25f6f27d19ac466ff05e

SHA512
46d8016f01195a6c63ecca7eb92c0d3ed9c06fb57f2411686b7b56def9ae3624789cb9881b47017160439370a86d4c16841ca57744f8fd3e6202e78c258e67f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe

Filesize
172KB

MD5
f4f7f0244f7044232c558f1f0b90bb62

SHA1
ebbe23753f3c661a924c05c6dcab37e486803f93

SHA256
73a648d8c6c2af163c8f2f6aa4286959be20b1abd94ab17ca82d78c0970b5f2a

SHA512
2029d8a700e41d7771d675033b1ce151ab1a44f69de54b815d00306d55a1ef8513746f179915e7ddd6c780c4076d4b22dfd6bad34a3f784b56fccbe5d11ce284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe

Filesize
172KB

MD5
f4f7f0244f7044232c558f1f0b90bb62

SHA1
ebbe23753f3c661a924c05c6dcab37e486803f93

SHA256
73a648d8c6c2af163c8f2f6aa4286959be20b1abd94ab17ca82d78c0970b5f2a

SHA512
2029d8a700e41d7771d675033b1ce151ab1a44f69de54b815d00306d55a1ef8513746f179915e7ddd6c780c4076d4b22dfd6bad34a3f784b56fccbe5d11ce284

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe

Filesize
377KB

MD5
9e10117012d19841ff3641aa051363ee

SHA1
b5add5712375f58966fb01646d0c96e4031dd763

SHA256
343a93249c65cbfa0a30518bd5bd3b75353bce94c57aca97a1998d189d909980

SHA512
a132f6fc7723f88820de645efb9592a75beeccf84283d1a3668d716ee9754fa320ae66af7197650e186f8dded9b8833716ce7e689c5c7a719dd651a5f3fc7181

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8927430.exe

Filesize
377KB

MD5
9e10117012d19841ff3641aa051363ee

SHA1
b5add5712375f58966fb01646d0c96e4031dd763

SHA256
343a93249c65cbfa0a30518bd5bd3b75353bce94c57aca97a1998d189d909980

SHA512
a132f6fc7723f88820de645efb9592a75beeccf84283d1a3668d716ee9754fa320ae66af7197650e186f8dded9b8833716ce7e689c5c7a719dd651a5f3fc7181

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe

Filesize
206KB

MD5
45eb4999184fbea0565929468db8b323

SHA1
a823c6bd2886a66dc534fdee80ed432b8f87555e

SHA256
6138f5763b9fd0a0203bbda64b42e5cae185a40fbd7f28520e16d40cf623c728

SHA512
3c77d31eaa5695bb63cd157a7f2a8d6c56b3c09e0ce50d93d9e29c98c1210444660955da0dd5606016c7ee4508ec5e32254f3db1d46b167287020227bf695b15

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6392619.exe

Filesize
206KB

MD5
45eb4999184fbea0565929468db8b323

SHA1
a823c6bd2886a66dc534fdee80ed432b8f87555e

SHA256
6138f5763b9fd0a0203bbda64b42e5cae185a40fbd7f28520e16d40cf623c728

SHA512
3c77d31eaa5695bb63cd157a7f2a8d6c56b3c09e0ce50d93d9e29c98c1210444660955da0dd5606016c7ee4508ec5e32254f3db1d46b167287020227bf695b15

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4012019.exe

Filesize
11KB

MD5
dc60801fd9e0ca4edcaf57ae68675c31

SHA1
5ad54ba5d8d424a27da7579f3853f5d60a7fcbe3

SHA256
7a3e60dbec28e18927d13cbee7784b016d9bdc162a7f25f6f27d19ac466ff05e

SHA512
46d8016f01195a6c63ecca7eb92c0d3ed9c06fb57f2411686b7b56def9ae3624789cb9881b47017160439370a86d4c16841ca57744f8fd3e6202e78c258e67f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe

Filesize
172KB

MD5
f4f7f0244f7044232c558f1f0b90bb62

SHA1
ebbe23753f3c661a924c05c6dcab37e486803f93

SHA256
73a648d8c6c2af163c8f2f6aa4286959be20b1abd94ab17ca82d78c0970b5f2a

SHA512
2029d8a700e41d7771d675033b1ce151ab1a44f69de54b815d00306d55a1ef8513746f179915e7ddd6c780c4076d4b22dfd6bad34a3f784b56fccbe5d11ce284

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5184495.exe

Filesize
172KB

MD5
f4f7f0244f7044232c558f1f0b90bb62

SHA1
ebbe23753f3c661a924c05c6dcab37e486803f93

SHA256
73a648d8c6c2af163c8f2f6aa4286959be20b1abd94ab17ca82d78c0970b5f2a

SHA512
2029d8a700e41d7771d675033b1ce151ab1a44f69de54b815d00306d55a1ef8513746f179915e7ddd6c780c4076d4b22dfd6bad34a3f784b56fccbe5d11ce284

Download Submit
memory/680-82-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/1920-89-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1920-90-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1920-91-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/1920-92-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download