redline | 544d8874ed1e19469aa9809860116fe715355dbdeb88693566efc992868a1f37

General

Target

b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe
Size

786KB
MD5

7008a6317fd9009852f4bf6267131b4d
SHA1

51d6f93d427c93e57648d156f73eedb07d971de2
SHA256

b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7
SHA512

35a39d0fffb1b3ed957c6bc1b2095c2c4c9c340baa6565c952f78c2600654316dadf3094cf24fbdeb5269828fb72c160353bb94abb3f2fd2bd840f3410b7e900
SSDEEP

24576:PyJ82wFqgfDwsjiN8w2tnXIlwv/WHFjS:aCZ7Z/Ylw2H1

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v8995080.exev7463971.exea8535070.exeb7653130.exe

pid process

3280 v8995080.exe
1696 v7463971.exe
876 a8535070.exe
3164 b7653130.exe

pid	process
3280	v8995080.exe
1696	v7463971.exe
876	a8535070.exe
3164	b7653130.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8995080.exev7463971.exeb2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8995080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8995080.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7463971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7463971.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a8535070.exe

description pid process target process

PID 876 set thread context of 2516 876 a8535070.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2516 AppLaunch.exe
2516 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2516 AppLaunch.exe

description	pid	process	target process
PID 876 set thread context of 2516	876	a8535070.exe	AppLaunch.exe

pid	process
2516	AppLaunch.exe
2516	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2516	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exev8995080.exev7463971.exea8535070.exe

description	pid	process	target process
PID 3704 wrote to memory of 3280	3704	b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe	v8995080.exe
PID 3704 wrote to memory of 3280	3704	b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe	v8995080.exe
PID 3704 wrote to memory of 3280	3704	b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe	v8995080.exe
PID 3280 wrote to memory of 1696	3280	v8995080.exe	v7463971.exe
PID 3280 wrote to memory of 1696	3280	v8995080.exe	v7463971.exe
PID 3280 wrote to memory of 1696	3280	v8995080.exe	v7463971.exe
PID 1696 wrote to memory of 876	1696	v7463971.exe	a8535070.exe
PID 1696 wrote to memory of 876	1696	v7463971.exe	a8535070.exe
PID 1696 wrote to memory of 876	1696	v7463971.exe	a8535070.exe
PID 876 wrote to memory of 2516	876	a8535070.exe	AppLaunch.exe
PID 876 wrote to memory of 2516	876	a8535070.exe	AppLaunch.exe
PID 876 wrote to memory of 2516	876	a8535070.exe	AppLaunch.exe
PID 876 wrote to memory of 2516	876	a8535070.exe	AppLaunch.exe
PID 876 wrote to memory of 2516	876	a8535070.exe	AppLaunch.exe
PID 1696 wrote to memory of 3164	1696	v7463971.exe	b7653130.exe
PID 1696 wrote to memory of 3164	1696	v7463971.exe	b7653130.exe
PID 1696 wrote to memory of 3164	1696	v7463971.exe	b7653130.exe

C:\Users\Admin\AppData\Local\Temp\b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe
"C:\Users\Admin\AppData\Local\Temp\b2ef6152c28d194375f2a5398ff7f2f9141b854a4e71f5e27ed7793bccb705a7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8995080.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8995080.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7463971.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7463971.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8535070.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8535070.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7653130.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7653130.exe
4⤵
- Executes dropped EXE
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8995080.exe
Filesize
452KB

MD5
557a60be95133a91e0bdc02ad33cd15c

SHA1
169f466aed9078abe92c2e8820d5ae8f9089f640

SHA256
d025eb3afd2eb6a7355ad9648f66813db51b408f827291e5faa2ac7746396729

SHA512
9ad1fa39d205d7660674254d0ebf1b71ecb7c9522ac6ab69af5e981a186b7672595f180e519ba81684e08fdd864f24b590f7f96ba7701e49f8e695d5d0eec4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8995080.exe
Filesize
452KB

MD5
557a60be95133a91e0bdc02ad33cd15c

SHA1
169f466aed9078abe92c2e8820d5ae8f9089f640

SHA256
d025eb3afd2eb6a7355ad9648f66813db51b408f827291e5faa2ac7746396729

SHA512
9ad1fa39d205d7660674254d0ebf1b71ecb7c9522ac6ab69af5e981a186b7672595f180e519ba81684e08fdd864f24b590f7f96ba7701e49f8e695d5d0eec4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7463971.exe
Filesize
280KB

MD5
616253e82cabd73a9253b155485163dc

SHA1
47146c9a9ef55101d119686bf2cd4ca7f7b04476

SHA256
98d950f56029fc38a2b9d4c45cda9667e59b7b0573931b434251065b875a67c4

SHA512
f837d064ad2d696a0715f25234d3ef751b71974f1fc579674142e7b44d0eb5caec64d620313707a5b01182edd72562ff4913eddbd8455e224f596302ec0a211e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7463971.exe
Filesize
280KB

MD5
616253e82cabd73a9253b155485163dc

SHA1
47146c9a9ef55101d119686bf2cd4ca7f7b04476

SHA256
98d950f56029fc38a2b9d4c45cda9667e59b7b0573931b434251065b875a67c4

SHA512
f837d064ad2d696a0715f25234d3ef751b71974f1fc579674142e7b44d0eb5caec64d620313707a5b01182edd72562ff4913eddbd8455e224f596302ec0a211e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8535070.exe
Filesize
157KB

MD5
873ad19fe63250adfa598de0243101c8

SHA1
3ae506442628c120e447304a23c5a9441acd0396

SHA256
c7ce5bb7a131507ea5b5ec49b20cf24b6b6c581739eca6ac2df419cac6a4ec85

SHA512
0b88da3140687280785742cd1c43fce803fe2e01f76cb94be8c99240e1a3718f8fd5c176c464509ed0a115c2c70d800785a057c350c9c441dbf05c5e34366b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8535070.exe
Filesize
157KB

MD5
873ad19fe63250adfa598de0243101c8

SHA1
3ae506442628c120e447304a23c5a9441acd0396

SHA256
c7ce5bb7a131507ea5b5ec49b20cf24b6b6c581739eca6ac2df419cac6a4ec85

SHA512
0b88da3140687280785742cd1c43fce803fe2e01f76cb94be8c99240e1a3718f8fd5c176c464509ed0a115c2c70d800785a057c350c9c441dbf05c5e34366b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7653130.exe
Filesize
168KB

MD5
c68831e38ce6abe3e479cf8ac4f3ee78

SHA1
4d09ff623bdd29672a2e1d3c8cf60e86d242e6d2

SHA256
a2e46d63973cc8aedb3277df7c1e991a460c0ac83f3f5d9e47529f7ed177fb4c

SHA512
ca7c93cb143397c9e392a9d8a7e304b490b064e8a1aeafda70e79169f4bfd8cbbd2b214ed19ad97947d3801ebb34c9990f3639a4d37b140b8f8cfc012288d5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7653130.exe
Filesize
168KB

MD5
c68831e38ce6abe3e479cf8ac4f3ee78

SHA1
4d09ff623bdd29672a2e1d3c8cf60e86d242e6d2

SHA256
a2e46d63973cc8aedb3277df7c1e991a460c0ac83f3f5d9e47529f7ed177fb4c

SHA512
ca7c93cb143397c9e392a9d8a7e304b490b064e8a1aeafda70e79169f4bfd8cbbd2b214ed19ad97947d3801ebb34c9990f3639a4d37b140b8f8cfc012288d5db

Download Submit
memory/2516-154-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/3164-162-0x0000000000E10000-0x0000000000E3E000-memory.dmp

Filesize
184KB

Download
memory/3164-163-0x0000000005DA0000-0x00000000063B8000-memory.dmp

Filesize
6.1MB

Download
memory/3164-164-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/3164-165-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/3164-166-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3164-167-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/3164-169-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads