redline | b01643a74f2e4bcd6eb34cd8d8fd677554fa45651ef8c799b3636c796cea066c

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-06-2023 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe
Size

786KB
MD5

ffd7656707c92c1f0500fcd0661e9628
SHA1

05cf2514396955e91545ba8939a46290b108202a
SHA256

c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad
SHA512

41503d126a2f7cc02a8dd33c6579ed8617afd1c3e1d299211451e80d1e5a4fab736250870645d391ef0187d40bfc1632a74ab1022a3fe258f15c112ae453995d
SSDEEP

24576:kyb3HOzuT8hc5gVWarFqlan32T/1wvbW+:zbcu4WFoJnmT/1wC

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19046

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v3884490.exev3583531.exea9712800.exeb4250856.exe

pid process

2028 v3884490.exe
1076 v3583531.exe
1148 a9712800.exe
1896 b4250856.exe

pid	process
2028	v3884490.exe
1076	v3583531.exe
1148	a9712800.exe
1896	b4250856.exe

Loads dropped DLL 8 IoCs

Processes:

c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exev3884490.exev3583531.exea9712800.exeb4250856.exe

pid	process
2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe
2028	v3884490.exe
2028	v3884490.exe
1076	v3583531.exe
1076	v3583531.exe
1148	a9712800.exe
1076	v3583531.exe
1896	b4250856.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v3583531.exec260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exev3884490.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3583531.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3884490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3884490.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3583531.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a9712800.exe

description pid process target process

PID 1148 set thread context of 1760 1148 a9712800.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1760 AppLaunch.exe
1760 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1760 AppLaunch.exe

description	pid	process	target process
PID 1148 set thread context of 1760	1148	a9712800.exe	AppLaunch.exe

pid	process
1760	AppLaunch.exe
1760	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1760	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exev3884490.exev3583531.exea9712800.exe

description	pid	process	target process
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2032 wrote to memory of 2028	2032	c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe	v3884490.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 2028 wrote to memory of 1076	2028	v3884490.exe	v3583531.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1076 wrote to memory of 1148	1076	v3583531.exe	a9712800.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1148 wrote to memory of 1760	1148	a9712800.exe	AppLaunch.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe
PID 1076 wrote to memory of 1896	1076	v3583531.exe	b4250856.exe

C:\Users\Admin\AppData\Local\Temp\c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe
"C:\Users\Admin\AppData\Local\Temp\c260c59382ec917b9c319749cb900eafbdff592b14e473f181b82fd29b5db9ad.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3884490.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3884490.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3583531.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3583531.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9712800.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9712800.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4250856.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4250856.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3884490.exe
Filesize
452KB

MD5
4454ea0083a79cfd3ddd198a1f02bb5a

SHA1
62b9441b0e8ff62870e7b0c6de192f828b6fa96c

SHA256
68168e875d59db8e1b215ccd9a86e2ffd71614e0dc4765f294c445ca187c3a34

SHA512
f8eb271db9d1140ba22ef0358a9b701a8102aa100bd5f739acb73183620c57da82447eb19bdf6606329b9f4a0fb3c867ad864ea1c71d8c2e161b112b6529328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3884490.exe
Filesize
452KB

MD5
4454ea0083a79cfd3ddd198a1f02bb5a

SHA1
62b9441b0e8ff62870e7b0c6de192f828b6fa96c

SHA256
68168e875d59db8e1b215ccd9a86e2ffd71614e0dc4765f294c445ca187c3a34

SHA512
f8eb271db9d1140ba22ef0358a9b701a8102aa100bd5f739acb73183620c57da82447eb19bdf6606329b9f4a0fb3c867ad864ea1c71d8c2e161b112b6529328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3583531.exe
Filesize
280KB

MD5
0f8942a68f5de55889220e1f7f751151

SHA1
6bc9d0e5547483958e8ed7b6d486924c2d276a4c

SHA256
e8c5d1a33108f461eded5e2b0277932b1cba1a2c706e09946a6fb8125596a438

SHA512
5a452e2c04c5bc03c370a242f16c5955d2ba2c622bcc0f07dea94f573bd742bbb75052b7b88933dc66813466c7ef57ef3862745c6748f5767ac67fa759ccb5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3583531.exe
Filesize
280KB

MD5
0f8942a68f5de55889220e1f7f751151

SHA1
6bc9d0e5547483958e8ed7b6d486924c2d276a4c

SHA256
e8c5d1a33108f461eded5e2b0277932b1cba1a2c706e09946a6fb8125596a438

SHA512
5a452e2c04c5bc03c370a242f16c5955d2ba2c622bcc0f07dea94f573bd742bbb75052b7b88933dc66813466c7ef57ef3862745c6748f5767ac67fa759ccb5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9712800.exe
Filesize
157KB

MD5
c1071a0a3f987a5de3522605a20213b5

SHA1
641287d1db5998d1db116414a1bb97d550224246

SHA256
9566bf7e2fa08042afa0e29f03a24f99713639bf9939180d38e1632fe63170eb

SHA512
a31c7fcc4b364366d54e0bca18edde25eb82a387e0936731ae8d45312a95cc6752e80c1d21a0346e229039ba06cecd7efe690afacffe09960c557b21af9057f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9712800.exe
Filesize
157KB

MD5
c1071a0a3f987a5de3522605a20213b5

SHA1
641287d1db5998d1db116414a1bb97d550224246

SHA256
9566bf7e2fa08042afa0e29f03a24f99713639bf9939180d38e1632fe63170eb

SHA512
a31c7fcc4b364366d54e0bca18edde25eb82a387e0936731ae8d45312a95cc6752e80c1d21a0346e229039ba06cecd7efe690afacffe09960c557b21af9057f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4250856.exe
Filesize
168KB

MD5
28574ddfdfd90307cba658cc45a3df27

SHA1
0d287b5cb8ee5404dbc93544eee56b5b2aa2f9a2

SHA256
65deb77712ab9818f704f60c24aadaa7db9a76773307eb64882140e81fdaae98

SHA512
35d0b9cbb9aa99ac5a7bd7cbef0fff7708f974a4e6db0c6afc7fbdd195dee126a63134e13f4d5b94af0d88f16c8f84bbe5c0a05c4bd31317a71ef9c07f98883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4250856.exe
Filesize
168KB

MD5
28574ddfdfd90307cba658cc45a3df27

SHA1
0d287b5cb8ee5404dbc93544eee56b5b2aa2f9a2

SHA256
65deb77712ab9818f704f60c24aadaa7db9a76773307eb64882140e81fdaae98

SHA512
35d0b9cbb9aa99ac5a7bd7cbef0fff7708f974a4e6db0c6afc7fbdd195dee126a63134e13f4d5b94af0d88f16c8f84bbe5c0a05c4bd31317a71ef9c07f98883d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3884490.exe
Filesize
452KB

MD5
4454ea0083a79cfd3ddd198a1f02bb5a

SHA1
62b9441b0e8ff62870e7b0c6de192f828b6fa96c

SHA256
68168e875d59db8e1b215ccd9a86e2ffd71614e0dc4765f294c445ca187c3a34

SHA512
f8eb271db9d1140ba22ef0358a9b701a8102aa100bd5f739acb73183620c57da82447eb19bdf6606329b9f4a0fb3c867ad864ea1c71d8c2e161b112b6529328d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3884490.exe
Filesize
452KB

MD5
4454ea0083a79cfd3ddd198a1f02bb5a

SHA1
62b9441b0e8ff62870e7b0c6de192f828b6fa96c

SHA256
68168e875d59db8e1b215ccd9a86e2ffd71614e0dc4765f294c445ca187c3a34

SHA512
f8eb271db9d1140ba22ef0358a9b701a8102aa100bd5f739acb73183620c57da82447eb19bdf6606329b9f4a0fb3c867ad864ea1c71d8c2e161b112b6529328d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3583531.exe
Filesize
280KB

MD5
0f8942a68f5de55889220e1f7f751151

SHA1
6bc9d0e5547483958e8ed7b6d486924c2d276a4c

SHA256
e8c5d1a33108f461eded5e2b0277932b1cba1a2c706e09946a6fb8125596a438

SHA512
5a452e2c04c5bc03c370a242f16c5955d2ba2c622bcc0f07dea94f573bd742bbb75052b7b88933dc66813466c7ef57ef3862745c6748f5767ac67fa759ccb5cc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3583531.exe
Filesize
280KB

MD5
0f8942a68f5de55889220e1f7f751151

SHA1
6bc9d0e5547483958e8ed7b6d486924c2d276a4c

SHA256
e8c5d1a33108f461eded5e2b0277932b1cba1a2c706e09946a6fb8125596a438

SHA512
5a452e2c04c5bc03c370a242f16c5955d2ba2c622bcc0f07dea94f573bd742bbb75052b7b88933dc66813466c7ef57ef3862745c6748f5767ac67fa759ccb5cc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9712800.exe
Filesize
157KB

MD5
c1071a0a3f987a5de3522605a20213b5

SHA1
641287d1db5998d1db116414a1bb97d550224246

SHA256
9566bf7e2fa08042afa0e29f03a24f99713639bf9939180d38e1632fe63170eb

SHA512
a31c7fcc4b364366d54e0bca18edde25eb82a387e0936731ae8d45312a95cc6752e80c1d21a0346e229039ba06cecd7efe690afacffe09960c557b21af9057f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9712800.exe
Filesize
157KB

MD5
c1071a0a3f987a5de3522605a20213b5

SHA1
641287d1db5998d1db116414a1bb97d550224246

SHA256
9566bf7e2fa08042afa0e29f03a24f99713639bf9939180d38e1632fe63170eb

SHA512
a31c7fcc4b364366d54e0bca18edde25eb82a387e0936731ae8d45312a95cc6752e80c1d21a0346e229039ba06cecd7efe690afacffe09960c557b21af9057f8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4250856.exe
Filesize
168KB

MD5
28574ddfdfd90307cba658cc45a3df27

SHA1
0d287b5cb8ee5404dbc93544eee56b5b2aa2f9a2

SHA256
65deb77712ab9818f704f60c24aadaa7db9a76773307eb64882140e81fdaae98

SHA512
35d0b9cbb9aa99ac5a7bd7cbef0fff7708f974a4e6db0c6afc7fbdd195dee126a63134e13f4d5b94af0d88f16c8f84bbe5c0a05c4bd31317a71ef9c07f98883d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4250856.exe
Filesize
168KB

MD5
28574ddfdfd90307cba658cc45a3df27

SHA1
0d287b5cb8ee5404dbc93544eee56b5b2aa2f9a2

SHA256
65deb77712ab9818f704f60c24aadaa7db9a76773307eb64882140e81fdaae98

SHA512
35d0b9cbb9aa99ac5a7bd7cbef0fff7708f974a4e6db0c6afc7fbdd195dee126a63134e13f4d5b94af0d88f16c8f84bbe5c0a05c4bd31317a71ef9c07f98883d

Download Submit
memory/1760-91-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1760-92-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1760-84-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1760-89-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1760-85-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1896-99-0x0000000001210000-0x000000000123E000-memory.dmp

Filesize
184KB

Download
memory/1896-100-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/1896-101-0x0000000000BF0000-0x0000000000C30000-memory.dmp

Filesize
256KB

Download
memory/1896-102-0x0000000000BF0000-0x0000000000C30000-memory.dmp

Filesize
256KB

Download