redline | 9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe
Size

728KB
MD5

e62fef3a9c5d0c2dfad1bdb1e91dcb9e
SHA1

71d84ebb595d60690b501ddd13c919bf8f8f0d68
SHA256

9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379
SHA512

2455470cd945e9e2a61b83b9c1127e263fafe4cb2d0ab1b2281288cb3a65265989b795d613cb6e64566a3034ca3ff556a61f344d7873eae70ec6dd37b221bb76
SSDEEP

12288:DMrHy90OjaIyVN/0pHP5kizHKAUNdd/SztvaVVesPHaHLEJFRYLh/e2RyN:4yXaIy3M15tzHVAPHSEJF0deUyN

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5354283.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5354283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5354283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5354283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5354283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5354283.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5354283.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v8524570.exev0336868.exev6738877.exea5354283.exeb0767219.exec1130499.exe

pid process

3372 v8524570.exe
2972 v0336868.exe
2064 v6738877.exe
4420 a5354283.exe
4488 b0767219.exe
4884 c1130499.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5354283.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5354283.exe

pid	process
3372	v8524570.exe
2972	v0336868.exe
2064	v6738877.exe
4420	a5354283.exe
4488	b0767219.exe
4884	c1130499.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5354283.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v8524570.exev0336868.exev6738877.exe9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8524570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0336868.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0336868.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6738877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6738877.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8524570.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b0767219.exe

description pid process target process

PID 4488 set thread context of 4588 4488 b0767219.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a5354283.exeAppLaunch.exe

pid process

4420 a5354283.exe
4420 a5354283.exe
4588 AppLaunch.exe
4588 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5354283.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 4420 a5354283.exe
Token: SeDebugPrivilege 4588 AppLaunch.exe

description	pid	process	target process
PID 4488 set thread context of 4588	4488	b0767219.exe	AppLaunch.exe

pid	process
4420	a5354283.exe
4420	a5354283.exe
4588	AppLaunch.exe
4588	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4420	a5354283.exe
Token: SeDebugPrivilege	4588	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exev8524570.exev0336868.exev6738877.exeb0767219.exe

description	pid	process	target process
PID 3532 wrote to memory of 3372	3532	9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe	v8524570.exe
PID 3532 wrote to memory of 3372	3532	9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe	v8524570.exe
PID 3532 wrote to memory of 3372	3532	9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe	v8524570.exe
PID 3372 wrote to memory of 2972	3372	v8524570.exe	v0336868.exe
PID 3372 wrote to memory of 2972	3372	v8524570.exe	v0336868.exe
PID 3372 wrote to memory of 2972	3372	v8524570.exe	v0336868.exe
PID 2972 wrote to memory of 2064	2972	v0336868.exe	v6738877.exe
PID 2972 wrote to memory of 2064	2972	v0336868.exe	v6738877.exe
PID 2972 wrote to memory of 2064	2972	v0336868.exe	v6738877.exe
PID 2064 wrote to memory of 4420	2064	v6738877.exe	a5354283.exe
PID 2064 wrote to memory of 4420	2064	v6738877.exe	a5354283.exe
PID 2064 wrote to memory of 4488	2064	v6738877.exe	b0767219.exe
PID 2064 wrote to memory of 4488	2064	v6738877.exe	b0767219.exe
PID 2064 wrote to memory of 4488	2064	v6738877.exe	b0767219.exe
PID 4488 wrote to memory of 4588	4488	b0767219.exe	AppLaunch.exe
PID 4488 wrote to memory of 4588	4488	b0767219.exe	AppLaunch.exe
PID 4488 wrote to memory of 4588	4488	b0767219.exe	AppLaunch.exe
PID 4488 wrote to memory of 4588	4488	b0767219.exe	AppLaunch.exe
PID 4488 wrote to memory of 4588	4488	b0767219.exe	AppLaunch.exe
PID 2972 wrote to memory of 4884	2972	v0336868.exe	c1130499.exe
PID 2972 wrote to memory of 4884	2972	v0336868.exe	c1130499.exe
PID 2972 wrote to memory of 4884	2972	v0336868.exe	c1130499.exe

C:\Users\Admin\AppData\Local\Temp\9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe
"C:\Users\Admin\AppData\Local\Temp\9a472b0c97378c4b88ed92ce10e71b2bba9dca1763a229d582692a82a20ae379.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8524570.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8524570.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0336868.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0336868.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6738877.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6738877.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5354283.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5354283.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0767219.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0767219.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1130499.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1130499.exe
4⤵
- Executes dropped EXE
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8524570.exe

Filesize
526KB

MD5
6b682aa74ec8cd5e57bd21b8abb584bd

SHA1
d34af992a3efce21f6f2d931c97fb526c53462f4

SHA256
5c4c776577c94f5dce199e445be71201412a592ea63e574c8a1b1fc50396b012

SHA512
757564b476a4afd52d40a3b37dc93dd2dd714517797576b071a607c1487b89cc99b557b70d9bdfd0f829c1a947405fb39a00a2dc431be904c1ac8cbb71d211b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8524570.exe

Filesize
526KB

MD5
6b682aa74ec8cd5e57bd21b8abb584bd

SHA1
d34af992a3efce21f6f2d931c97fb526c53462f4

SHA256
5c4c776577c94f5dce199e445be71201412a592ea63e574c8a1b1fc50396b012

SHA512
757564b476a4afd52d40a3b37dc93dd2dd714517797576b071a607c1487b89cc99b557b70d9bdfd0f829c1a947405fb39a00a2dc431be904c1ac8cbb71d211b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0336868.exe

Filesize
354KB

MD5
2687e9aa861da1d57cf84b2f43b610d2

SHA1
35d4e2a428cfa32c3fa031cf265a14b5af1ee01f

SHA256
8bb1a2bf8c2ca702d99e7730063808d55d138ce2ca5b64005e7c3f2489c24e39

SHA512
70a2a597b2394a6a2adef9457940b7587b034039332a75fa66a0817fc9473976774ededf309874a20a32be6d22df0ad947511b619abfd041c4c4d5a0c5047645

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0336868.exe

Filesize
354KB

MD5
2687e9aa861da1d57cf84b2f43b610d2

SHA1
35d4e2a428cfa32c3fa031cf265a14b5af1ee01f

SHA256
8bb1a2bf8c2ca702d99e7730063808d55d138ce2ca5b64005e7c3f2489c24e39

SHA512
70a2a597b2394a6a2adef9457940b7587b034039332a75fa66a0817fc9473976774ededf309874a20a32be6d22df0ad947511b619abfd041c4c4d5a0c5047645

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1130499.exe

Filesize
172KB

MD5
b65882607ff155289a2a531ea32b2cc2

SHA1
f12508ff5b501bf562f36665bb658147af37607a

SHA256
e5f3ada9a58847170c18ff34635e7cae2363d2b54654ea4062292d3f0220abf9

SHA512
068b867e2e9d067d9d157788662eadac1178b68459ec0bf046875188ad86147828e471f227df944d6adad6fdb804349123c0bfda9f201a9d0a8ee5af4e786c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1130499.exe

Filesize
172KB

MD5
b65882607ff155289a2a531ea32b2cc2

SHA1
f12508ff5b501bf562f36665bb658147af37607a

SHA256
e5f3ada9a58847170c18ff34635e7cae2363d2b54654ea4062292d3f0220abf9

SHA512
068b867e2e9d067d9d157788662eadac1178b68459ec0bf046875188ad86147828e471f227df944d6adad6fdb804349123c0bfda9f201a9d0a8ee5af4e786c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6738877.exe

Filesize
199KB

MD5
6f96069962901115cd9385e5f8bc0c90

SHA1
1c56fd79021f406ba16bc1d55f8898c26eaf5e6a

SHA256
886a9fccd59e5fee4fbc6f9e6c48b45229bd36ff10338e7a0c4ade8ef28a7222

SHA512
4116dcf7949999d455beeacd0b45f2662d2f2fd7e3dddff27db2f7ac7c67e45e28f78f3f5ae5abac83816fe235a59349dfec4ee3f09e8c60eb5f49b31eacd85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6738877.exe

Filesize
199KB

MD5
6f96069962901115cd9385e5f8bc0c90

SHA1
1c56fd79021f406ba16bc1d55f8898c26eaf5e6a

SHA256
886a9fccd59e5fee4fbc6f9e6c48b45229bd36ff10338e7a0c4ade8ef28a7222

SHA512
4116dcf7949999d455beeacd0b45f2662d2f2fd7e3dddff27db2f7ac7c67e45e28f78f3f5ae5abac83816fe235a59349dfec4ee3f09e8c60eb5f49b31eacd85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5354283.exe

Filesize
12KB

MD5
f900b07411b5555ffc3775e25a423fcf

SHA1
d022123c255f527778efc9d92535e0630a87abd7

SHA256
8a38c2f849ad02064bf8e57e70a8e79331afad8d59f34f72466804491d0de4ef

SHA512
ead2fa3561e6bbac875a0f3ee70e4ab3046853e4787373fba7455c99ff00ca572e1c86bacea9b7c3b77ef902378ec453dbc4f38d4ba80df53a9ed0cc5710b6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5354283.exe

Filesize
12KB

MD5
f900b07411b5555ffc3775e25a423fcf

SHA1
d022123c255f527778efc9d92535e0630a87abd7

SHA256
8a38c2f849ad02064bf8e57e70a8e79331afad8d59f34f72466804491d0de4ef

SHA512
ead2fa3561e6bbac875a0f3ee70e4ab3046853e4787373fba7455c99ff00ca572e1c86bacea9b7c3b77ef902378ec453dbc4f38d4ba80df53a9ed0cc5710b6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0767219.exe

Filesize
105KB

MD5
78887be303c9e99ee91e63c196608269

SHA1
a1cbfcf74ead91294069a947832d2c5a94116195

SHA256
dc35ac1f6a472993a803375ec6f5d353dadbce25f641c44888e42595dfdc5c4f

SHA512
052b2f855a129a303e534e83b3ca53628c483ce755984f1ae3310f5f117a1670581e86751cd2f053c0cebc871733fc7e93a8270de931742b1095c852cd6b3877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0767219.exe

Filesize
105KB

MD5
78887be303c9e99ee91e63c196608269

SHA1
a1cbfcf74ead91294069a947832d2c5a94116195

SHA256
dc35ac1f6a472993a803375ec6f5d353dadbce25f641c44888e42595dfdc5c4f

SHA512
052b2f855a129a303e534e83b3ca53628c483ce755984f1ae3310f5f117a1670581e86751cd2f053c0cebc871733fc7e93a8270de931742b1095c852cd6b3877

Download Submit
memory/4420-161-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/4588-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4884-174-0x0000000000F30000-0x0000000000F60000-memory.dmp

Filesize
192KB

Download
memory/4884-175-0x0000000005F50000-0x0000000006568000-memory.dmp

Filesize
6.1MB

Download
memory/4884-176-0x0000000005A90000-0x0000000005B9A000-memory.dmp

Filesize
1.0MB

Download
memory/4884-177-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/4884-178-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/4884-179-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4884-181-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download