redline | 670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe
Size

735KB
MD5

236c6160a6c82bba4a0e2d1ad23632d9
SHA1

deec3fa40fb1e92c4d30ce582cc2b9cd19e0abc0
SHA256

670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b
SHA512

6810de657a8e4cd42431b716e0cfc1b443b083937852c209d44be14d2f2faf868cb07089a41ee6c6415f3c99392846166197cb9ddaada08e525acd4a8d4019d4
SSDEEP

12288:zMrPy90DM3sdrLw14kMalKtMRS4Sl2VUpf+7uDLOsqt5UQkITOpM7IvP0JcaP1X:UyGM3s/9alK2RS41Z7IHl4OpM72i

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9445946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9445946.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9445946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9445946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9445946.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9445946.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1044	v2172496.exe
5008	v8770239.exe
4220	v9301795.exe
4240	a9445946.exe
3148	b2572306.exe
1460	c5074829.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9445946.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2172496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2172496.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8770239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8770239.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9301795.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9301795.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3148 set thread context of 212	3148	b2572306.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	3148	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4240	a9445946.exe
4240	a9445946.exe
212	AppLaunch.exe
212	AppLaunch.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe
1460	c5074829.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	a9445946.exe
Token: SeDebugPrivilege	212	AppLaunch.exe
Token: SeDebugPrivilege	1460	c5074829.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 1044	4632	670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe	82
PID 4632 wrote to memory of 1044	4632	670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe	82
PID 4632 wrote to memory of 1044	4632	670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe	82
PID 1044 wrote to memory of 5008	1044	v2172496.exe	83
PID 1044 wrote to memory of 5008	1044	v2172496.exe	83
PID 1044 wrote to memory of 5008	1044	v2172496.exe	83
PID 5008 wrote to memory of 4220	5008	v8770239.exe	84
PID 5008 wrote to memory of 4220	5008	v8770239.exe	84
PID 5008 wrote to memory of 4220	5008	v8770239.exe	84
PID 4220 wrote to memory of 4240	4220	v9301795.exe	85
PID 4220 wrote to memory of 4240	4220	v9301795.exe	85
PID 4220 wrote to memory of 3148	4220	v9301795.exe	88
PID 4220 wrote to memory of 3148	4220	v9301795.exe	88
PID 4220 wrote to memory of 3148	4220	v9301795.exe	88
PID 3148 wrote to memory of 212	3148	b2572306.exe	90
PID 3148 wrote to memory of 212	3148	b2572306.exe	90
PID 3148 wrote to memory of 212	3148	b2572306.exe	90
PID 3148 wrote to memory of 212	3148	b2572306.exe	90
PID 3148 wrote to memory of 212	3148	b2572306.exe	90
PID 5008 wrote to memory of 1460	5008	v8770239.exe	93
PID 5008 wrote to memory of 1460	5008	v8770239.exe	93
PID 5008 wrote to memory of 1460	5008	v8770239.exe	93

C:\Users\Admin\AppData\Local\Temp\670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe
"C:\Users\Admin\AppData\Local\Temp\670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 140
        6⤵
        Program crash
        
        PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3148 -ip 3148
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe

Filesize
529KB

MD5
ef91c9650f6485ae63444869660e4c6a

SHA1
a383d13f004ce547b7f3ca0ec8e9074379924fda

SHA256
fded6511026e3b14db4c0d1bba4795ff1b533751b966f46e80bee37f466d2647

SHA512
390463a8f5639900a9ed0fd41dcb3ee7a102b5d0f89948cc9be681c90de446f3ae603d2e2f1e3ad67bee0ea7e27c029c186c1b81d7836d6ee5dfd7591c0e2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe

Filesize
529KB

MD5
ef91c9650f6485ae63444869660e4c6a

SHA1
a383d13f004ce547b7f3ca0ec8e9074379924fda

SHA256
fded6511026e3b14db4c0d1bba4795ff1b533751b966f46e80bee37f466d2647

SHA512
390463a8f5639900a9ed0fd41dcb3ee7a102b5d0f89948cc9be681c90de446f3ae603d2e2f1e3ad67bee0ea7e27c029c186c1b81d7836d6ee5dfd7591c0e2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe

Filesize
357KB

MD5
ddb69a95e759fb7454dff4415e093793

SHA1
9e8c4230bb510baae4c869d13b4338ae3ff8940e

SHA256
37393af57ef669c737ddbc4219fd795c04fd41c27717dc22807557e941a44177

SHA512
e4f8f800ae3da4c53f163aeb1466d4f6a4646e26b84b1d578c3709ce910b6f04a55ad554509b59166a8dec2219a56bf086a0b589884bd733fe0b1acb82e18af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe

Filesize
357KB

MD5
ddb69a95e759fb7454dff4415e093793

SHA1
9e8c4230bb510baae4c869d13b4338ae3ff8940e

SHA256
37393af57ef669c737ddbc4219fd795c04fd41c27717dc22807557e941a44177

SHA512
e4f8f800ae3da4c53f163aeb1466d4f6a4646e26b84b1d578c3709ce910b6f04a55ad554509b59166a8dec2219a56bf086a0b589884bd733fe0b1acb82e18af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe

Filesize
172KB

MD5
99daf29102f3347036f5f31626529fdc

SHA1
c2e9ff56ee0366c035921dc5a4bcd79fb6f99d13

SHA256
800594365f4586f2b7269e9807a3411bfc7fa5fb28a081ca8e496c6d89eb7f7c

SHA512
b38bd22e3784b7eb7eeeb0d7cd17d1c3bc4f5a53415b7cefa6b3dba7589efd3bf616b27de1a2204ce5141cc9b091ff1ce7c03a92051813116f0c4a3c0a3559e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe

Filesize
172KB

MD5
99daf29102f3347036f5f31626529fdc

SHA1
c2e9ff56ee0366c035921dc5a4bcd79fb6f99d13

SHA256
800594365f4586f2b7269e9807a3411bfc7fa5fb28a081ca8e496c6d89eb7f7c

SHA512
b38bd22e3784b7eb7eeeb0d7cd17d1c3bc4f5a53415b7cefa6b3dba7589efd3bf616b27de1a2204ce5141cc9b091ff1ce7c03a92051813116f0c4a3c0a3559e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe

Filesize
202KB

MD5
3b370b3246bab0710bf9131813aa64fd

SHA1
ffce739845fc31185e67f55f79de64198d71e4a5

SHA256
f0106e319d6b2a8a304a2565efd5cf7485ccdbb97496f3006afb5929c6939113

SHA512
c902c85b4a613ef1622d7838a52e7cc90b3d67b4033a89efe946f4ff4a94666a9bc1ad67c1dd5062c14a2153439d9fd8b04f9457af05e9afa30ff35a29e83043

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe

Filesize
202KB

MD5
3b370b3246bab0710bf9131813aa64fd

SHA1
ffce739845fc31185e67f55f79de64198d71e4a5

SHA256
f0106e319d6b2a8a304a2565efd5cf7485ccdbb97496f3006afb5929c6939113

SHA512
c902c85b4a613ef1622d7838a52e7cc90b3d67b4033a89efe946f4ff4a94666a9bc1ad67c1dd5062c14a2153439d9fd8b04f9457af05e9afa30ff35a29e83043

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe

Filesize
12KB

MD5
8d96a3a25a93bf7c3cb64233e78d3e3e

SHA1
adbbbbfea625b264040bb80ec162911b78df538e

SHA256
3338547cde7a5c2eb5db9d7fc3f5af7e10af87f5f1a3622dcd6d85f5d311bba2

SHA512
1019d8ff51a87848c56c70e568187dd7ae0b8a3b0123d588ba3770de726e9a10a4b4c5914aa54f84a4a3ecdc1bf6c959df32b2b2a2fb79d7edd4c737f0ef1bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe

Filesize
12KB

MD5
8d96a3a25a93bf7c3cb64233e78d3e3e

SHA1
adbbbbfea625b264040bb80ec162911b78df538e

SHA256
3338547cde7a5c2eb5db9d7fc3f5af7e10af87f5f1a3622dcd6d85f5d311bba2

SHA512
1019d8ff51a87848c56c70e568187dd7ae0b8a3b0123d588ba3770de726e9a10a4b4c5914aa54f84a4a3ecdc1bf6c959df32b2b2a2fb79d7edd4c737f0ef1bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe

Filesize
117KB

MD5
490445a84ffa0fb1b0bf8491f7929d5d

SHA1
cac978801831331a4d353781d4a4fbbf705753e1

SHA256
38db49eca117e1a42beb4a87dd24d83d9c7b87efa3af6f4376ac8a386e2aa714

SHA512
e77ab53ec9b8995622a74a3ba3ce48acfd2ed9659478392f2a88f98f1c19f49e8eb77d92397319e2de5092dc97268784fc799e8fe0c17e3e526166f9f633d74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe

Filesize
117KB

MD5
490445a84ffa0fb1b0bf8491f7929d5d

SHA1
cac978801831331a4d353781d4a4fbbf705753e1

SHA256
38db49eca117e1a42beb4a87dd24d83d9c7b87efa3af6f4376ac8a386e2aa714

SHA512
e77ab53ec9b8995622a74a3ba3ce48acfd2ed9659478392f2a88f98f1c19f49e8eb77d92397319e2de5092dc97268784fc799e8fe0c17e3e526166f9f633d74f

Download Submit
memory/212-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1460-175-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/1460-181-0x000000000AEB0000-0x000000000AF26000-memory.dmp

Filesize
472KB

Download
memory/1460-176-0x000000000B0F0000-0x000000000B708000-memory.dmp

Filesize
6.1MB

Download
memory/1460-177-0x000000000AC00000-0x000000000AD0A000-memory.dmp

Filesize
1.0MB

Download
memory/1460-178-0x000000000AB40000-0x000000000AB52000-memory.dmp

Filesize
72KB

Download
memory/1460-179-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1460-180-0x000000000ABA0000-0x000000000ABDC000-memory.dmp

Filesize
240KB

Download
memory/1460-189-0x000000000CBE0000-0x000000000D10C000-memory.dmp

Filesize
5.2MB

Download
memory/1460-182-0x000000000B710000-0x000000000B7A2000-memory.dmp

Filesize
584KB

Download
memory/1460-183-0x000000000BD60000-0x000000000C304000-memory.dmp

Filesize
5.6MB

Download
memory/1460-184-0x000000000B7B0000-0x000000000B816000-memory.dmp

Filesize
408KB

Download
memory/1460-186-0x000000000BBF0000-0x000000000BC40000-memory.dmp

Filesize
320KB

Download
memory/1460-187-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1460-188-0x000000000C4E0000-0x000000000C6A2000-memory.dmp

Filesize
1.8MB

Download
memory/4240-161-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download