redline | 4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe
Size

735KB
MD5

9b6cf7d31209584d8156bdab9864f4a5
SHA1

d3d7e6525ca965bb3a0bc9453512d0e38a1a94bd
SHA256

4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9
SHA512

5e8c392b25bc616541795e7365a09c4618c6feca6d5dd1b9d634cd930fb9b705e1447fc9bcd43968e8588bb49ed876ee57bf30b995282d7600a56436071a0097
SSDEEP

12288:VMrCy90GnRejmDeYvzA09IyIfBQozZN+vtSqe2LpthW:vyQjO/vqyB0N+voq5V3W

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6322769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6322769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6322769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6322769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6322769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6322769.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4796	v0051612.exe
5084	v5813734.exe
2272	v7539679.exe
4992	a6322769.exe
1620	b5062989.exe
4480	c5192922.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6322769.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0051612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5813734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5813734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7539679.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7539679.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0051612.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 3932	1620	b5062989.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4012	1620	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4992	a6322769.exe
4992	a6322769.exe
3932	AppLaunch.exe
3932	AppLaunch.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe
4480	c5192922.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	a6322769.exe
Token: SeDebugPrivilege	3932	AppLaunch.exe
Token: SeDebugPrivilege	4480	c5192922.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4796	3052	4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe	83
PID 3052 wrote to memory of 4796	3052	4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe	83
PID 3052 wrote to memory of 4796	3052	4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe	83
PID 4796 wrote to memory of 5084	4796	v0051612.exe	84
PID 4796 wrote to memory of 5084	4796	v0051612.exe	84
PID 4796 wrote to memory of 5084	4796	v0051612.exe	84
PID 5084 wrote to memory of 2272	5084	v5813734.exe	85
PID 5084 wrote to memory of 2272	5084	v5813734.exe	85
PID 5084 wrote to memory of 2272	5084	v5813734.exe	85
PID 2272 wrote to memory of 4992	2272	v7539679.exe	86
PID 2272 wrote to memory of 4992	2272	v7539679.exe	86
PID 2272 wrote to memory of 1620	2272	v7539679.exe	87
PID 2272 wrote to memory of 1620	2272	v7539679.exe	87
PID 2272 wrote to memory of 1620	2272	v7539679.exe	87
PID 1620 wrote to memory of 3932	1620	b5062989.exe	89
PID 1620 wrote to memory of 3932	1620	b5062989.exe	89
PID 1620 wrote to memory of 3932	1620	b5062989.exe	89
PID 1620 wrote to memory of 3932	1620	b5062989.exe	89
PID 1620 wrote to memory of 3932	1620	b5062989.exe	89
PID 5084 wrote to memory of 4480	5084	v5813734.exe	93
PID 5084 wrote to memory of 4480	5084	v5813734.exe	93
PID 5084 wrote to memory of 4480	5084	v5813734.exe	93

C:\Users\Admin\AppData\Local\Temp\4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe
"C:\Users\Admin\AppData\Local\Temp\4ec286e74acba9ce0a7a415ceadee38a00a60cf30598b030bddc4df2239443a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0051612.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0051612.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5813734.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5813734.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7539679.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7539679.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6322769.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6322769.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5062989.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5062989.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 572
        6⤵
        Program crash
        
        PID:4012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5192922.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5192922.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1620 -ip 1620
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0051612.exe

Filesize
529KB

MD5
f39783ff5b0a38cd11a837e2c1f72bbf

SHA1
fd62670ef6b0aec4fa8170485aa599e603cad2ca

SHA256
fdd265da35e6c2062e387c4b63c1148cd75414fab4a6df23d0832bab1afc06ef

SHA512
7a5941f08ec7404d6a00e231316a413b36eb54f14181f9f9d91a71b0eb5862c4662339bf7821e33b567a6e95030cd9255e3cf043435959dad1399f5ab5f85550

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0051612.exe

Filesize
529KB

MD5
f39783ff5b0a38cd11a837e2c1f72bbf

SHA1
fd62670ef6b0aec4fa8170485aa599e603cad2ca

SHA256
fdd265da35e6c2062e387c4b63c1148cd75414fab4a6df23d0832bab1afc06ef

SHA512
7a5941f08ec7404d6a00e231316a413b36eb54f14181f9f9d91a71b0eb5862c4662339bf7821e33b567a6e95030cd9255e3cf043435959dad1399f5ab5f85550

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5813734.exe

Filesize
357KB

MD5
775a5c0649b18cbac2e7a76adf7f448a

SHA1
595ebe790d2801698c5e6647989a4cae482a553e

SHA256
769856a3ef9d76ad22086f94660455c448f6bf7b1fe8a84799b2239e6a4b9d6d

SHA512
30287c4e62aab798441ffb7c693ad3c52845c13a65677da7a758d4894a8c0eaac2294fd267bc5e65bc85e8d094d235bb90a8807a56128bd082a0e02af196ed72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5813734.exe

Filesize
357KB

MD5
775a5c0649b18cbac2e7a76adf7f448a

SHA1
595ebe790d2801698c5e6647989a4cae482a553e

SHA256
769856a3ef9d76ad22086f94660455c448f6bf7b1fe8a84799b2239e6a4b9d6d

SHA512
30287c4e62aab798441ffb7c693ad3c52845c13a65677da7a758d4894a8c0eaac2294fd267bc5e65bc85e8d094d235bb90a8807a56128bd082a0e02af196ed72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5192922.exe

Filesize
172KB

MD5
0bfb9767ce3c364ec5e2c630a17a57be

SHA1
6588cf3f004d3785e9652ce4ca71bf0d8d57c0c1

SHA256
47e2d1de61f00652d88e77cba20d5931e7158241fd797f19bab8e504363f278f

SHA512
fd0c69abb90ac7bc98f155136aa44dd7fa69c4888d22bcf733ab8416283ade6a37d36991e46f87e36c9137cff7d0711a23016388615110f88191de7d80e15b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5192922.exe

Filesize
172KB

MD5
0bfb9767ce3c364ec5e2c630a17a57be

SHA1
6588cf3f004d3785e9652ce4ca71bf0d8d57c0c1

SHA256
47e2d1de61f00652d88e77cba20d5931e7158241fd797f19bab8e504363f278f

SHA512
fd0c69abb90ac7bc98f155136aa44dd7fa69c4888d22bcf733ab8416283ade6a37d36991e46f87e36c9137cff7d0711a23016388615110f88191de7d80e15b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7539679.exe

Filesize
202KB

MD5
7bb4e939d2b2773083ec36e6e59128ac

SHA1
3b7196e04980d1146173f259d00b52f42d710556

SHA256
c60ee39528d0b6566389b0a975ed2606af65719af32486e4d3799bd88eaef794

SHA512
490816de12e8d73807b3fce659c8eaea9aac9c83f87cda61682dca9096d6d30e22694e6cfd57a8d827145697e39060e1c40a1bf6dcadfb39ca3a53f88653a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7539679.exe

Filesize
202KB

MD5
7bb4e939d2b2773083ec36e6e59128ac

SHA1
3b7196e04980d1146173f259d00b52f42d710556

SHA256
c60ee39528d0b6566389b0a975ed2606af65719af32486e4d3799bd88eaef794

SHA512
490816de12e8d73807b3fce659c8eaea9aac9c83f87cda61682dca9096d6d30e22694e6cfd57a8d827145697e39060e1c40a1bf6dcadfb39ca3a53f88653a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6322769.exe

Filesize
12KB

MD5
1be42356ce5cf66de9b55c0bb661ba6a

SHA1
91454f4c9d8e93923b3ea12ee13ea69b9e7591ae

SHA256
9babc9dc5ba988dab254f1fde63f0e704c58b9e72fd20d88900845291bf87f8d

SHA512
88c122246573c9ec8826cc488c6899104530572d09545cef959bf0d463b372aab3e5fdd2e0534a633e5fdacf23068b070ac4897674eb4cd00ffbba1dd20340c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6322769.exe

Filesize
12KB

MD5
1be42356ce5cf66de9b55c0bb661ba6a

SHA1
91454f4c9d8e93923b3ea12ee13ea69b9e7591ae

SHA256
9babc9dc5ba988dab254f1fde63f0e704c58b9e72fd20d88900845291bf87f8d

SHA512
88c122246573c9ec8826cc488c6899104530572d09545cef959bf0d463b372aab3e5fdd2e0534a633e5fdacf23068b070ac4897674eb4cd00ffbba1dd20340c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5062989.exe

Filesize
117KB

MD5
717b3e755736172c7a3e6b8b8ebdb5c7

SHA1
f6938b53ae457288f34fa097a3a1dd44f4445ce6

SHA256
f53ac6f7e8d40def0afce055d6e02395ba11b75fdc64fa527d9a5385a2be3006

SHA512
8a0762e7af5ff1a5e0ce228f4f65d459423ed0f01881021a95c2114fea405625990389842b552522d88e1aea69a0bfe028b3b0d0451b4d536186aa029a0c2d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5062989.exe

Filesize
117KB

MD5
717b3e755736172c7a3e6b8b8ebdb5c7

SHA1
f6938b53ae457288f34fa097a3a1dd44f4445ce6

SHA256
f53ac6f7e8d40def0afce055d6e02395ba11b75fdc64fa527d9a5385a2be3006

SHA512
8a0762e7af5ff1a5e0ce228f4f65d459423ed0f01881021a95c2114fea405625990389842b552522d88e1aea69a0bfe028b3b0d0451b4d536186aa029a0c2d59

Download Submit
memory/3932-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4480-175-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/4480-181-0x000000000A2B0000-0x000000000A326000-memory.dmp

Filesize
472KB

Download
memory/4480-176-0x000000000A480000-0x000000000AA98000-memory.dmp

Filesize
6.1MB

Download
memory/4480-177-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/4480-179-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4480-178-0x0000000009F40000-0x0000000009F52000-memory.dmp

Filesize
72KB

Download
memory/4480-180-0x0000000009FA0000-0x0000000009FDC000-memory.dmp

Filesize
240KB

Download
memory/4480-189-0x000000000B7A0000-0x000000000B7F0000-memory.dmp

Filesize
320KB

Download
memory/4480-182-0x000000000A3D0000-0x000000000A462000-memory.dmp

Filesize
584KB

Download
memory/4480-183-0x000000000B050000-0x000000000B5F4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-184-0x000000000ABA0000-0x000000000AC06000-memory.dmp

Filesize
408KB

Download
memory/4480-186-0x00000000049D0000-0x00000000049E0000-memory.dmp

Filesize
64KB

Download
memory/4480-187-0x000000000B8D0000-0x000000000BA92000-memory.dmp

Filesize
1.8MB

Download
memory/4480-188-0x000000000BFD0000-0x000000000C4FC000-memory.dmp

Filesize
5.2MB

Download
memory/4992-161-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download