redline | 5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48

Resubmissions

05-06-2023 14:45

230605-r414jahb43 6

05-06-2023 14:42

230605-r26k8shb24 10

05-06-2023 14:41

230605-r2q6jshf8y 3

05-06-2023 14:35

230605-rxy1lahf7t 10

Analysis

max time kernel
63s
max time network
83s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05-06-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe
Size

720KB
MD5

89541d318cbcbd02be55b6cf1413e952
SHA1

993b6b723732f26e83475336824ad4a0df0651e0
SHA256

5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48
SHA512

ad9dfbaf1b001f62b2af626e63937421d914aab2a754c1535fc73f63522b2296973ec9cdd0a713a7289333a66dced8765f3bb43103b694d3a43c8b1e23245125
SSDEEP

12288:9MrLy90pnKSGK56I3MbmB4mLCEqh5jgzaGl097e3/HXbQ3QiEqFbMRi:yywnEgCZUcjgzX3Ps3bEIbSi

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a6418695.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6418695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6418695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6418695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6418695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6418695.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v0130411.exev6788102.exev1322017.exea6418695.exeb4705610.exec4058479.exe

pid process

3556 v0130411.exe
3632 v6788102.exe
4184 v1322017.exe
5036 a6418695.exe
4416 b4705610.exe
4140 c4058479.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a6418695.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6418695.exe

pid	process
3556	v0130411.exe
3632	v6788102.exe
4184	v1322017.exe
5036	a6418695.exe
4416	b4705610.exe
4140	c4058479.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6418695.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v0130411.exev6788102.exev1322017.exe5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0130411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0130411.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6788102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6788102.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1322017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1322017.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b4705610.exe

description pid process target process

PID 4416 set thread context of 3120 4416 b4705610.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3876 4140 WerFault.exe c4058479.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a6418695.exeAppLaunch.exe

pid process

5036 a6418695.exe
5036 a6418695.exe
3120 AppLaunch.exe
3120 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6418695.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 5036 a6418695.exe
Token: SeDebugPrivilege 3120 AppLaunch.exe

description	pid	process	target process
PID 4416 set thread context of 3120	4416	b4705610.exe	AppLaunch.exe

pid	pid_target	process	target process
3876	4140	WerFault.exe	c4058479.exe

pid	process
5036	a6418695.exe
5036	a6418695.exe
3120	AppLaunch.exe
3120	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5036	a6418695.exe
Token: SeDebugPrivilege	3120	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exev0130411.exev6788102.exev1322017.exeb4705610.exe

description	pid	process	target process
PID 3068 wrote to memory of 3556	3068	5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe	v0130411.exe
PID 3068 wrote to memory of 3556	3068	5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe	v0130411.exe
PID 3068 wrote to memory of 3556	3068	5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe	v0130411.exe
PID 3556 wrote to memory of 3632	3556	v0130411.exe	v6788102.exe
PID 3556 wrote to memory of 3632	3556	v0130411.exe	v6788102.exe
PID 3556 wrote to memory of 3632	3556	v0130411.exe	v6788102.exe
PID 3632 wrote to memory of 4184	3632	v6788102.exe	v1322017.exe
PID 3632 wrote to memory of 4184	3632	v6788102.exe	v1322017.exe
PID 3632 wrote to memory of 4184	3632	v6788102.exe	v1322017.exe
PID 4184 wrote to memory of 5036	4184	v1322017.exe	a6418695.exe
PID 4184 wrote to memory of 5036	4184	v1322017.exe	a6418695.exe
PID 4184 wrote to memory of 4416	4184	v1322017.exe	b4705610.exe
PID 4184 wrote to memory of 4416	4184	v1322017.exe	b4705610.exe
PID 4184 wrote to memory of 4416	4184	v1322017.exe	b4705610.exe
PID 4416 wrote to memory of 3120	4416	b4705610.exe	AppLaunch.exe
PID 4416 wrote to memory of 3120	4416	b4705610.exe	AppLaunch.exe
PID 4416 wrote to memory of 3120	4416	b4705610.exe	AppLaunch.exe
PID 4416 wrote to memory of 3120	4416	b4705610.exe	AppLaunch.exe
PID 4416 wrote to memory of 3120	4416	b4705610.exe	AppLaunch.exe
PID 3632 wrote to memory of 4140	3632	v6788102.exe	c4058479.exe
PID 3632 wrote to memory of 4140	3632	v6788102.exe	c4058479.exe
PID 3632 wrote to memory of 4140	3632	v6788102.exe	c4058479.exe

C:\Users\Admin\AppData\Local\Temp\5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe
"C:\Users\Admin\AppData\Local\Temp\5c0c8522adeb0b2b5c492e9458b97ef0a2205ce81b7b831010cfe54b2b46db48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0130411.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0130411.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6788102.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6788102.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1322017.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1322017.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6418695.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6418695.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4705610.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4705610.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4058479.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4058479.exe
4⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 948
5⤵
- Program crash
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0130411.exe
Filesize
527KB

MD5
9a5f81998531a1d7f8e4b8a548872d85

SHA1
dea0ee9bc7b27540d6d882f20fad65084026cc8a

SHA256
99421f1d06a7bfee15f185beec6233d4abc01830a1d053c5414fabc48bd6b8e4

SHA512
0fda024d7b382cf52af8916773dd5ac208a0b379a0e46e682fe73a888d6fcd05129331f8379ac92aea4693dbdb116d9f2b977b40201476b5945dae8898f458e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0130411.exe
Filesize
527KB

MD5
9a5f81998531a1d7f8e4b8a548872d85

SHA1
dea0ee9bc7b27540d6d882f20fad65084026cc8a

SHA256
99421f1d06a7bfee15f185beec6233d4abc01830a1d053c5414fabc48bd6b8e4

SHA512
0fda024d7b382cf52af8916773dd5ac208a0b379a0e46e682fe73a888d6fcd05129331f8379ac92aea4693dbdb116d9f2b977b40201476b5945dae8898f458e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6788102.exe
Filesize
354KB

MD5
fa3a895c99b11f3ef4ffd67ef9772515

SHA1
d56eb3dacccd4c446433cc64d05e7b18f3e2819d

SHA256
7ad3fb4705fcf31036cc44b2fa41481d51535d036489df9dacb853efc9b42103

SHA512
8739e98cc55061db99aeced2247f4fc4db9062ea250c40076caf3082b3b5ed98cef7f3fe5a53a378cf10cd74a6926486000397dbecf1f937aceeb5fcec81b7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6788102.exe
Filesize
354KB

MD5
fa3a895c99b11f3ef4ffd67ef9772515

SHA1
d56eb3dacccd4c446433cc64d05e7b18f3e2819d

SHA256
7ad3fb4705fcf31036cc44b2fa41481d51535d036489df9dacb853efc9b42103

SHA512
8739e98cc55061db99aeced2247f4fc4db9062ea250c40076caf3082b3b5ed98cef7f3fe5a53a378cf10cd74a6926486000397dbecf1f937aceeb5fcec81b7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4058479.exe
Filesize
172KB

MD5
cc5efa1616a38527ca0d524e35384b3f

SHA1
eb7c696046014c4eaa74a7fb53f826f0ba8a814c

SHA256
f1e754a8a15d74e9966bc323bd942e0597349e7d7a4c2da5d896735f27715182

SHA512
8082bdce1a45dcb4c1696a29d194bbd991ae99a29d6bd468182975033abc2ebef72c52584e0fecfa1da1c1e328c909a17c466d3bf1c42c68cd0125577184b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4058479.exe
Filesize
172KB

MD5
cc5efa1616a38527ca0d524e35384b3f

SHA1
eb7c696046014c4eaa74a7fb53f826f0ba8a814c

SHA256
f1e754a8a15d74e9966bc323bd942e0597349e7d7a4c2da5d896735f27715182

SHA512
8082bdce1a45dcb4c1696a29d194bbd991ae99a29d6bd468182975033abc2ebef72c52584e0fecfa1da1c1e328c909a17c466d3bf1c42c68cd0125577184b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1322017.exe
Filesize
199KB

MD5
449d2a3b925b8c7ac721351ff370a7d4

SHA1
7a6bbabe7a9ba8ddfe57be7557a72a1fe5d0b942

SHA256
ae529088c95bb8581a829a9d17d640b75610945c9a08f3373924e9f544119f9f

SHA512
10ec0fd1395040a20de00d3b68ad8d7e4004c1109a6b073c19a4fb154a3556f2c2dc3e656403755d0c139003aae5eaf1310c55575dcbbe1cb38987e16b28dffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1322017.exe
Filesize
199KB

MD5
449d2a3b925b8c7ac721351ff370a7d4

SHA1
7a6bbabe7a9ba8ddfe57be7557a72a1fe5d0b942

SHA256
ae529088c95bb8581a829a9d17d640b75610945c9a08f3373924e9f544119f9f

SHA512
10ec0fd1395040a20de00d3b68ad8d7e4004c1109a6b073c19a4fb154a3556f2c2dc3e656403755d0c139003aae5eaf1310c55575dcbbe1cb38987e16b28dffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6418695.exe
Filesize
12KB

MD5
687501c0d258bcf318f9b05c384abed3

SHA1
34d6f827dbe4b5240de5d9a1fcad103e4011f50e

SHA256
ca4572ebfa46fe65e3dc623d434f1adb6ea6ae4aff3ad5252e49fac7365f0fec

SHA512
b6656e495739944e886bb357c2ff3f246b37c67682541fbddc5d5c804d7ca728cb214b2d00069a16b027ed68e66bf10a26fc7875dc559d6606fa12a58f33de7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6418695.exe
Filesize
12KB

MD5
687501c0d258bcf318f9b05c384abed3

SHA1
34d6f827dbe4b5240de5d9a1fcad103e4011f50e

SHA256
ca4572ebfa46fe65e3dc623d434f1adb6ea6ae4aff3ad5252e49fac7365f0fec

SHA512
b6656e495739944e886bb357c2ff3f246b37c67682541fbddc5d5c804d7ca728cb214b2d00069a16b027ed68e66bf10a26fc7875dc559d6606fa12a58f33de7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4705610.exe
Filesize
105KB

MD5
e7fc1517cf9f8df8f724b247f3e52ff1

SHA1
2890a775f83c73fd06dfbc8478e9fcc1547dd021

SHA256
fed26bb7e8bc93b09723f624bb591e463c315888158811ce9b229f3331a78c06

SHA512
cbead6379ab4152832876e4e59c61335954abcff4dd0131e469c4d24f55c7abf1b8e1cc5f62feef5dfb0fc70e6da92ec08945d122e254adc2c9c4ec80332afa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4705610.exe
Filesize
105KB

MD5
e7fc1517cf9f8df8f724b247f3e52ff1

SHA1
2890a775f83c73fd06dfbc8478e9fcc1547dd021

SHA256
fed26bb7e8bc93b09723f624bb591e463c315888158811ce9b229f3331a78c06

SHA512
cbead6379ab4152832876e4e59c61335954abcff4dd0131e469c4d24f55c7abf1b8e1cc5f62feef5dfb0fc70e6da92ec08945d122e254adc2c9c4ec80332afa8

Download Submit
memory/3120-154-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4140-165-0x00000000007E0000-0x0000000000810000-memory.dmp

Filesize
192KB

Download
memory/5036-149-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download