redline | 8d51c0c45b65c209659c51316e70248666bf222edde342c05de339b08a321dde

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-06-2023 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

581KB
MD5

7fd8e27f84cae9e9a0ad97cac4c82f9b
SHA1

065d24760ddc93a5388c2c292927d0028df2afd8
SHA256

8d51c0c45b65c209659c51316e70248666bf222edde342c05de339b08a321dde
SHA512

7e574b28bf709c251617a6805c6fb74caee5eb068897de216b4fa3dcf400f5155350de4f38fc86f02f12d1f44c42a8a1dc13dfdccd72bb6b1bd608353763e304
SSDEEP

12288:/MrDy90Xn9rDlvopmX3uyVEbshemzZu3ICmH:wyy93juyVEbyFzZSjq

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a1201585.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1201585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1201585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1201585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1201585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1201585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1201585.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v6519836.exev7423031.exea1201585.exeb3208241.exe

pid process

1984 v6519836.exe
1484 v7423031.exe
472 a1201585.exe
984 b3208241.exe
Loads dropped DLL 7 IoCs

Processes:

file.exev6519836.exev7423031.exeb3208241.exe

pid process

2012 file.exe
1984 v6519836.exe
1984 v6519836.exe
1484 v7423031.exe
1484 v7423031.exe
1484 v7423031.exe
984 b3208241.exe

pid	process
1984	v6519836.exe
1484	v7423031.exe
472	a1201585.exe
984	b3208241.exe

pid	process
2012	file.exe
1984	v6519836.exe
1984	v6519836.exe
1484	v7423031.exe
1484	v7423031.exe
1484	v7423031.exe
984	b3208241.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a1201585.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	a1201585.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1201585.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v7423031.exefile.exev6519836.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7423031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7423031.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6519836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6519836.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1201585.exe

pid process

472 a1201585.exe
472 a1201585.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1201585.exe

description pid process

Token: SeDebugPrivilege 472 a1201585.exe

pid	process
472	a1201585.exe
472	a1201585.exe

description	pid	process
Token: SeDebugPrivilege	472	a1201585.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.exev6519836.exev7423031.exe

description	pid	process	target process
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 2012 wrote to memory of 1984	2012	file.exe	v6519836.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1984 wrote to memory of 1484	1984	v6519836.exe	v7423031.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 472	1484	v7423031.exe	a1201585.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe
PID 1484 wrote to memory of 984	1484	v7423031.exe	b3208241.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6519836.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6519836.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7423031.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7423031.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1201585.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1201585.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3208241.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3208241.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6519836.exe
Filesize
377KB

MD5
4509eddf249eb57731e96b3e29bc6a99

SHA1
d23cb05e8195033e6375b6cb91df2b365d376c66

SHA256
01c0fd839efd74529aaf1dbfa6a74eca70a7bd5bb126d42a1702d1c1fe283927

SHA512
8d3e6b430bca61618eac426e1fb54512599afd66d3483dc1df2326fff4adfa7a95bd501ae2c66a0e6998f206e6b72c935ce46e475a69a7633793ce867ea09bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6519836.exe
Filesize
377KB

MD5
4509eddf249eb57731e96b3e29bc6a99

SHA1
d23cb05e8195033e6375b6cb91df2b365d376c66

SHA256
01c0fd839efd74529aaf1dbfa6a74eca70a7bd5bb126d42a1702d1c1fe283927

SHA512
8d3e6b430bca61618eac426e1fb54512599afd66d3483dc1df2326fff4adfa7a95bd501ae2c66a0e6998f206e6b72c935ce46e475a69a7633793ce867ea09bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7423031.exe
Filesize
206KB

MD5
248cbbcf017e01aae9949c761ad99b80

SHA1
025325eefeca66c37e9a7b1e621f6f69f04ac74d

SHA256
8f91b7fc691fd45fdec97e9d6d63af6d0f15c47a64f43abd5aca2425ad516383

SHA512
d209f5656c46e1c368010e1a0f165857fe2e8069841ba9458772258a4e4852aba57ec4eac256bca55a7e17cb430c127346089906fe4f5404b5d1b508020fa3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7423031.exe
Filesize
206KB

MD5
248cbbcf017e01aae9949c761ad99b80

SHA1
025325eefeca66c37e9a7b1e621f6f69f04ac74d

SHA256
8f91b7fc691fd45fdec97e9d6d63af6d0f15c47a64f43abd5aca2425ad516383

SHA512
d209f5656c46e1c368010e1a0f165857fe2e8069841ba9458772258a4e4852aba57ec4eac256bca55a7e17cb430c127346089906fe4f5404b5d1b508020fa3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1201585.exe
Filesize
11KB

MD5
a01a1db37eba3e42874ca4a2fffb6aab

SHA1
574787ab4af5753f818970f65921d48ae7ddb60d

SHA256
a14ff4922710895133855e9884ee4cbdb1762fa0c242cd51dbb6b0fda6dacbf5

SHA512
25006dc2adc9ef3fb301d448cafa869159ab6ad56cbeb6d056bbefd8b579a83e3ee912fc2260d7d5b1bc40969ae95fe33714cd213c61ae9b832211ed74318a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1201585.exe
Filesize
11KB

MD5
a01a1db37eba3e42874ca4a2fffb6aab

SHA1
574787ab4af5753f818970f65921d48ae7ddb60d

SHA256
a14ff4922710895133855e9884ee4cbdb1762fa0c242cd51dbb6b0fda6dacbf5

SHA512
25006dc2adc9ef3fb301d448cafa869159ab6ad56cbeb6d056bbefd8b579a83e3ee912fc2260d7d5b1bc40969ae95fe33714cd213c61ae9b832211ed74318a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3208241.exe
Filesize
172KB

MD5
4e3c09ee59646ea262cde62adfcec61e

SHA1
d98a9a9a508b0c48917b7d5e67e8666e1e5b448d

SHA256
7a37250601ecfbf0ba498eab4e4865698a8130265d19ab7a2f04117353850db0

SHA512
814a5fe78076fa9b142afc16d3f5cae958fff76605b0d766ca95098ec6c156fb812d5c45881b034af0ba2186f2faf63b450173ca1ccb425907b307231d399cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3208241.exe
Filesize
172KB

MD5
4e3c09ee59646ea262cde62adfcec61e

SHA1
d98a9a9a508b0c48917b7d5e67e8666e1e5b448d

SHA256
7a37250601ecfbf0ba498eab4e4865698a8130265d19ab7a2f04117353850db0

SHA512
814a5fe78076fa9b142afc16d3f5cae958fff76605b0d766ca95098ec6c156fb812d5c45881b034af0ba2186f2faf63b450173ca1ccb425907b307231d399cf5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6519836.exe
Filesize
377KB

MD5
4509eddf249eb57731e96b3e29bc6a99

SHA1
d23cb05e8195033e6375b6cb91df2b365d376c66

SHA256
01c0fd839efd74529aaf1dbfa6a74eca70a7bd5bb126d42a1702d1c1fe283927

SHA512
8d3e6b430bca61618eac426e1fb54512599afd66d3483dc1df2326fff4adfa7a95bd501ae2c66a0e6998f206e6b72c935ce46e475a69a7633793ce867ea09bdc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6519836.exe
Filesize
377KB

MD5
4509eddf249eb57731e96b3e29bc6a99

SHA1
d23cb05e8195033e6375b6cb91df2b365d376c66

SHA256
01c0fd839efd74529aaf1dbfa6a74eca70a7bd5bb126d42a1702d1c1fe283927

SHA512
8d3e6b430bca61618eac426e1fb54512599afd66d3483dc1df2326fff4adfa7a95bd501ae2c66a0e6998f206e6b72c935ce46e475a69a7633793ce867ea09bdc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7423031.exe
Filesize
206KB

MD5
248cbbcf017e01aae9949c761ad99b80

SHA1
025325eefeca66c37e9a7b1e621f6f69f04ac74d

SHA256
8f91b7fc691fd45fdec97e9d6d63af6d0f15c47a64f43abd5aca2425ad516383

SHA512
d209f5656c46e1c368010e1a0f165857fe2e8069841ba9458772258a4e4852aba57ec4eac256bca55a7e17cb430c127346089906fe4f5404b5d1b508020fa3c4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7423031.exe
Filesize
206KB

MD5
248cbbcf017e01aae9949c761ad99b80

SHA1
025325eefeca66c37e9a7b1e621f6f69f04ac74d

SHA256
8f91b7fc691fd45fdec97e9d6d63af6d0f15c47a64f43abd5aca2425ad516383

SHA512
d209f5656c46e1c368010e1a0f165857fe2e8069841ba9458772258a4e4852aba57ec4eac256bca55a7e17cb430c127346089906fe4f5404b5d1b508020fa3c4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1201585.exe
Filesize
11KB

MD5
a01a1db37eba3e42874ca4a2fffb6aab

SHA1
574787ab4af5753f818970f65921d48ae7ddb60d

SHA256
a14ff4922710895133855e9884ee4cbdb1762fa0c242cd51dbb6b0fda6dacbf5

SHA512
25006dc2adc9ef3fb301d448cafa869159ab6ad56cbeb6d056bbefd8b579a83e3ee912fc2260d7d5b1bc40969ae95fe33714cd213c61ae9b832211ed74318a08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3208241.exe
Filesize
172KB

MD5
4e3c09ee59646ea262cde62adfcec61e

SHA1
d98a9a9a508b0c48917b7d5e67e8666e1e5b448d

SHA256
7a37250601ecfbf0ba498eab4e4865698a8130265d19ab7a2f04117353850db0

SHA512
814a5fe78076fa9b142afc16d3f5cae958fff76605b0d766ca95098ec6c156fb812d5c45881b034af0ba2186f2faf63b450173ca1ccb425907b307231d399cf5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3208241.exe
Filesize
172KB

MD5
4e3c09ee59646ea262cde62adfcec61e

SHA1
d98a9a9a508b0c48917b7d5e67e8666e1e5b448d

SHA256
7a37250601ecfbf0ba498eab4e4865698a8130265d19ab7a2f04117353850db0

SHA512
814a5fe78076fa9b142afc16d3f5cae958fff76605b0d766ca95098ec6c156fb812d5c45881b034af0ba2186f2faf63b450173ca1ccb425907b307231d399cf5

Download Submit
memory/472-82-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/984-89-0x00000000012F0000-0x0000000001320000-memory.dmp

Filesize
192KB

Download
memory/984-90-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/984-91-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download
memory/984-92-0x0000000002850000-0x0000000002890000-memory.dmp

Filesize
256KB

Download