redline | fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 22:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe
Size

736KB
MD5

dacf7df0c7c9d08f2682108f2ae1f1e9
SHA1

386971b2ac7a2fd08f409762bb283b57b69acd1f
SHA256

fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3
SHA512

734e2bd55c96caab115520f19b1055b81b241b9a611b97f27fad05d6a3dea26cf462974bb3418673c48d0f300c415ea760aa551a009dc1fe0278b155165213aa
SSDEEP

12288:zMriy90urYMku7FY4TcJKKmQz4DCvfwTdPSaF2kdpd1pqtqmyXi7M0:9yHYei4oJ5mNDeYB2G7tih

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5817277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5817277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5817277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5817277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5817277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5817277.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4272	v6370010.exe
1936	v2157132.exe
3380	v3505864.exe
2616	a5817277.exe
3948	b6294305.exe
3132	c8411635.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5817277.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6370010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6370010.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2157132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2157132.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3505864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3505864.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 2896	3948	b6294305.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	3948	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2616	a5817277.exe
2616	a5817277.exe
2896	AppLaunch.exe
2896	AppLaunch.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe
3132	c8411635.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	a5817277.exe
Token: SeDebugPrivilege	2896	AppLaunch.exe
Token: SeDebugPrivilege	3132	c8411635.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 4272	3288	fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe	84
PID 3288 wrote to memory of 4272	3288	fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe	84
PID 3288 wrote to memory of 4272	3288	fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe	84
PID 4272 wrote to memory of 1936	4272	v6370010.exe	85
PID 4272 wrote to memory of 1936	4272	v6370010.exe	85
PID 4272 wrote to memory of 1936	4272	v6370010.exe	85
PID 1936 wrote to memory of 3380	1936	v2157132.exe	86
PID 1936 wrote to memory of 3380	1936	v2157132.exe	86
PID 1936 wrote to memory of 3380	1936	v2157132.exe	86
PID 3380 wrote to memory of 2616	3380	v3505864.exe	87
PID 3380 wrote to memory of 2616	3380	v3505864.exe	87
PID 3380 wrote to memory of 3948	3380	v3505864.exe	88
PID 3380 wrote to memory of 3948	3380	v3505864.exe	88
PID 3380 wrote to memory of 3948	3380	v3505864.exe	88
PID 3948 wrote to memory of 2896	3948	b6294305.exe	90
PID 3948 wrote to memory of 2896	3948	b6294305.exe	90
PID 3948 wrote to memory of 2896	3948	b6294305.exe	90
PID 3948 wrote to memory of 2896	3948	b6294305.exe	90
PID 3948 wrote to memory of 2896	3948	b6294305.exe	90
PID 1936 wrote to memory of 3132	1936	v2157132.exe	93
PID 1936 wrote to memory of 3132	1936	v2157132.exe	93
PID 1936 wrote to memory of 3132	1936	v2157132.exe	93

C:\Users\Admin\AppData\Local\Temp\fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe
"C:\Users\Admin\AppData\Local\Temp\fe78b4b8c859b03bee590cfce5f880a1b6c73d3ea8b7a665e33ff0d1857be9a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6370010.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6370010.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2157132.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2157132.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3505864.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3505864.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5817277.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5817277.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6294305.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6294305.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 140
        6⤵
        Program crash
        
        PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8411635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8411635.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3948 -ip 3948
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6370010.exe

Filesize
529KB

MD5
47ea3d3e8f6837993fb197aa1a4703ba

SHA1
7f2171a474b291b87a38a466035f89f9111a371a

SHA256
bb5e77cb5722a3fb3678966a8492393c7d2a5f0480f3e21528df8949a1d4ea76

SHA512
7c3541d59bd0ed13e8584a04841e052646023c924294bd5a1a88b1e350c3a6c98b1532a98a69ea8061afde06137c2e0c856ad8e408a55fb459b819659e902820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6370010.exe

Filesize
529KB

MD5
47ea3d3e8f6837993fb197aa1a4703ba

SHA1
7f2171a474b291b87a38a466035f89f9111a371a

SHA256
bb5e77cb5722a3fb3678966a8492393c7d2a5f0480f3e21528df8949a1d4ea76

SHA512
7c3541d59bd0ed13e8584a04841e052646023c924294bd5a1a88b1e350c3a6c98b1532a98a69ea8061afde06137c2e0c856ad8e408a55fb459b819659e902820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2157132.exe

Filesize
357KB

MD5
e27743e93ca4722ec2697ac01170af1d

SHA1
86aa5ec2466eb3e107eb23ae39fb2bb4cc65645c

SHA256
ba6741815670abfd2fabf77a097c8c687e230cc0299094f070abc09d983a62ca

SHA512
d7bcd255c6d263e9aa18d40786551fd0a0596c77d49c00fcdd938229a6274d5de26cd7242d16aa433132cb50d90f6299aa76aef13a3b27cb073a9beb3ad16e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2157132.exe

Filesize
357KB

MD5
e27743e93ca4722ec2697ac01170af1d

SHA1
86aa5ec2466eb3e107eb23ae39fb2bb4cc65645c

SHA256
ba6741815670abfd2fabf77a097c8c687e230cc0299094f070abc09d983a62ca

SHA512
d7bcd255c6d263e9aa18d40786551fd0a0596c77d49c00fcdd938229a6274d5de26cd7242d16aa433132cb50d90f6299aa76aef13a3b27cb073a9beb3ad16e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8411635.exe

Filesize
172KB

MD5
b85e79e4ac11ed365b7893f48054b1dd

SHA1
dd74d83098429f2e23f0472b1e614b52d8ce0d1c

SHA256
040bc3077ec27a4fc206b24626674ee66581064a44511b4bf5ace080465dfac2

SHA512
96653df37db66a99eee0ec6e00c45972d614564ca6c758cfc994cd078958bf6da3c497fd20808e2dd48a5f5f9e5def5fe1dc4e40427ed5bde9583d3da92e2e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8411635.exe

Filesize
172KB

MD5
b85e79e4ac11ed365b7893f48054b1dd

SHA1
dd74d83098429f2e23f0472b1e614b52d8ce0d1c

SHA256
040bc3077ec27a4fc206b24626674ee66581064a44511b4bf5ace080465dfac2

SHA512
96653df37db66a99eee0ec6e00c45972d614564ca6c758cfc994cd078958bf6da3c497fd20808e2dd48a5f5f9e5def5fe1dc4e40427ed5bde9583d3da92e2e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3505864.exe

Filesize
202KB

MD5
c6181ad2470194e3689a7a48eeb63335

SHA1
eb3095649790b36a1af7e1043eb1d959ff09bd38

SHA256
3ee905db801ee103b05d07a3a3e82987e06dacb55b5e86eec137b71f46f446b9

SHA512
d6b4526e56e3b9c803b548047d1b2f848a468fa4ccbbe1d9099afdb645b78500ee4057322a7f725896cb0bc7cf009552690b303863989a9226e16efa909de7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3505864.exe

Filesize
202KB

MD5
c6181ad2470194e3689a7a48eeb63335

SHA1
eb3095649790b36a1af7e1043eb1d959ff09bd38

SHA256
3ee905db801ee103b05d07a3a3e82987e06dacb55b5e86eec137b71f46f446b9

SHA512
d6b4526e56e3b9c803b548047d1b2f848a468fa4ccbbe1d9099afdb645b78500ee4057322a7f725896cb0bc7cf009552690b303863989a9226e16efa909de7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5817277.exe

Filesize
12KB

MD5
9d217eac08cadddd92348182648b9bef

SHA1
2d31eb6250704f58a86a1fa19925335d5f92f342

SHA256
1e8c10837147d4c73f1b8c87d4b88db98551c4489b094403e568eb316d775931

SHA512
2d8401a8604578a86c4d722d69816fa2a2be1e6ee1c0f3d5c399b3a35d72bca4c61fbbab3deb8308a9ad4fbf146ee167da63d5c4e14a155bddd6c1d8909d5f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5817277.exe

Filesize
12KB

MD5
9d217eac08cadddd92348182648b9bef

SHA1
2d31eb6250704f58a86a1fa19925335d5f92f342

SHA256
1e8c10837147d4c73f1b8c87d4b88db98551c4489b094403e568eb316d775931

SHA512
2d8401a8604578a86c4d722d69816fa2a2be1e6ee1c0f3d5c399b3a35d72bca4c61fbbab3deb8308a9ad4fbf146ee167da63d5c4e14a155bddd6c1d8909d5f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6294305.exe

Filesize
117KB

MD5
136252c5661dec75902aa20a7d7f83a7

SHA1
b2b92e8ae6035af842ddd2196a0ae73962dd19b9

SHA256
a25224b758bf5541814aea99ecb3b4fd80ee6047eff4372ccf3fa86a049c8e4c

SHA512
d49c81828312bbb614c6dada0169745645d71570ea5e10cbe21ba0c0316970c727db31cd9189ed387ed0bce6f15aeaffa09f7c9b3b2dab6228407c8b1d436f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6294305.exe

Filesize
117KB

MD5
136252c5661dec75902aa20a7d7f83a7

SHA1
b2b92e8ae6035af842ddd2196a0ae73962dd19b9

SHA256
a25224b758bf5541814aea99ecb3b4fd80ee6047eff4372ccf3fa86a049c8e4c

SHA512
d49c81828312bbb614c6dada0169745645d71570ea5e10cbe21ba0c0316970c727db31cd9189ed387ed0bce6f15aeaffa09f7c9b3b2dab6228407c8b1d436f9f

Download Submit
memory/2616-161-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2896-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3132-175-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/3132-176-0x000000000AA90000-0x000000000B0A8000-memory.dmp

Filesize
6.1MB

Download
memory/3132-177-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-178-0x000000000A550000-0x000000000A562000-memory.dmp

Filesize
72KB

Download
memory/3132-179-0x000000000A5B0000-0x000000000A5EC000-memory.dmp

Filesize
240KB

Download
memory/3132-180-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3132-181-0x000000000A9C0000-0x000000000AA36000-memory.dmp

Filesize
472KB

Download
memory/3132-182-0x000000000B150000-0x000000000B1E2000-memory.dmp

Filesize
584KB

Download
memory/3132-183-0x000000000B0B0000-0x000000000B116000-memory.dmp

Filesize
408KB

Download
memory/3132-184-0x000000000BAA0000-0x000000000C044000-memory.dmp

Filesize
5.6MB

Download
memory/3132-185-0x000000000B5D0000-0x000000000B620000-memory.dmp

Filesize
320KB

Download
memory/3132-187-0x000000000C050000-0x000000000C212000-memory.dmp

Filesize
1.8MB

Download
memory/3132-188-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/3132-189-0x000000000C750000-0x000000000CC7C000-memory.dmp

Filesize
5.2MB

Download