redline | f01a0840d654fcbc17eb7aa7fa385cc8492141f312126971b4130a328157179b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a04f7eb7908d7853adbbd9ce387293.exe
Size

736KB
MD5

96a04f7eb7908d7853adbbd9ce387293
SHA1

1ff505e738deaf12a92a8567ed4fcc9b4b268b6a
SHA256

f01a0840d654fcbc17eb7aa7fa385cc8492141f312126971b4130a328157179b
SHA512

ca0a4f75d33b899cc858e5d95d6e400bb26cfc1f8042865d62f6f7caeb4224f5f914da21f15b97afeee1d2f9538638ada18ad06810f254271966da3be0041938
SSDEEP

12288:qMray90ZwcHXKOQJrN+praN6b4SkXezlnTLYy+WqsozVwGs:0yAHXKOW5+praUd+SxQBsMGV

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6631012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6631012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6631012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6631012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6631012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6631012.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4964	v8457157.exe
1008	v7299808.exe
3380	v4488150.exe
2616	a6631012.exe
4404	b9769501.exe
1916	c9069049.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6631012.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4488150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4488150.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	96a04f7eb7908d7853adbbd9ce387293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	96a04f7eb7908d7853adbbd9ce387293.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8457157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8457157.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7299808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7299808.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4404 set thread context of 3468	4404	b9769501.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4180	4404	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2616	a6631012.exe
2616	a6631012.exe
3468	AppLaunch.exe
3468	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	a6631012.exe
Token: SeDebugPrivilege	3468	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4964	1220	96a04f7eb7908d7853adbbd9ce387293.exe	83
PID 1220 wrote to memory of 4964	1220	96a04f7eb7908d7853adbbd9ce387293.exe	83
PID 1220 wrote to memory of 4964	1220	96a04f7eb7908d7853adbbd9ce387293.exe	83
PID 4964 wrote to memory of 1008	4964	v8457157.exe	84
PID 4964 wrote to memory of 1008	4964	v8457157.exe	84
PID 4964 wrote to memory of 1008	4964	v8457157.exe	84
PID 1008 wrote to memory of 3380	1008	v7299808.exe	85
PID 1008 wrote to memory of 3380	1008	v7299808.exe	85
PID 1008 wrote to memory of 3380	1008	v7299808.exe	85
PID 3380 wrote to memory of 2616	3380	v4488150.exe	86
PID 3380 wrote to memory of 2616	3380	v4488150.exe	86
PID 3380 wrote to memory of 4404	3380	v4488150.exe	87
PID 3380 wrote to memory of 4404	3380	v4488150.exe	87
PID 3380 wrote to memory of 4404	3380	v4488150.exe	87
PID 4404 wrote to memory of 3468	4404	b9769501.exe	89
PID 4404 wrote to memory of 3468	4404	b9769501.exe	89
PID 4404 wrote to memory of 3468	4404	b9769501.exe	89
PID 4404 wrote to memory of 3468	4404	b9769501.exe	89
PID 4404 wrote to memory of 3468	4404	b9769501.exe	89
PID 1008 wrote to memory of 1916	1008	v7299808.exe	92
PID 1008 wrote to memory of 1916	1008	v7299808.exe	92
PID 1008 wrote to memory of 1916	1008	v7299808.exe	92

C:\Users\Admin\AppData\Local\Temp\96a04f7eb7908d7853adbbd9ce387293.exe
"C:\Users\Admin\AppData\Local\Temp\96a04f7eb7908d7853adbbd9ce387293.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8457157.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8457157.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7299808.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7299808.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4488150.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4488150.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6631012.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6631012.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9769501.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9769501.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 140
        6⤵
        Program crash
        
        PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9069049.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9069049.exe
      4⤵
      Executes dropped EXE
      PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4404 -ip 4404
1⤵
PID:312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8457157.exe

Filesize
530KB

MD5
6e7ced733248e7900647eaefc2418639

SHA1
4c4bd76be2b8b08e91d806c4daf59553aca96c35

SHA256
16b60b1240eca9094ceff704e9be39547db27fccc181d8772197ddb9f652053b

SHA512
34507691a83609b04909f98455cfa50c865be689d807be95db6e4cef0fd97d59730c8f196ea6d601da8e3c761ad33655631484c8f1c4f6efe19e2366e0ef018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8457157.exe

Filesize
530KB

MD5
6e7ced733248e7900647eaefc2418639

SHA1
4c4bd76be2b8b08e91d806c4daf59553aca96c35

SHA256
16b60b1240eca9094ceff704e9be39547db27fccc181d8772197ddb9f652053b

SHA512
34507691a83609b04909f98455cfa50c865be689d807be95db6e4cef0fd97d59730c8f196ea6d601da8e3c761ad33655631484c8f1c4f6efe19e2366e0ef018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7299808.exe

Filesize
357KB

MD5
9af69d883471f5eccecd8d2aa09a2a17

SHA1
255669fa2bcbe5a61b970197b8ed845218ad6576

SHA256
d7d258cc7eca66fb8f46495fd6261b95c2aa3ce77aab1c0858b07fa8e6bf97fd

SHA512
50d56b8cdd7d7ca63fd6037878c061410a30527e7c2e4d2c6a7288870f0a73d4d47a94a0c8fc82c389ca6934bbd91fbb1eec9c0de0b60894d8013f65211851a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7299808.exe

Filesize
357KB

MD5
9af69d883471f5eccecd8d2aa09a2a17

SHA1
255669fa2bcbe5a61b970197b8ed845218ad6576

SHA256
d7d258cc7eca66fb8f46495fd6261b95c2aa3ce77aab1c0858b07fa8e6bf97fd

SHA512
50d56b8cdd7d7ca63fd6037878c061410a30527e7c2e4d2c6a7288870f0a73d4d47a94a0c8fc82c389ca6934bbd91fbb1eec9c0de0b60894d8013f65211851a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9069049.exe

Filesize
172KB

MD5
0b802f87ff14fb8070b5a5dfe72ac445

SHA1
05e806a188fe773b664045221f1f0e0f8caaa11e

SHA256
d231767bc28f93d476f45fe5f2072c6313555b4007e205609567ad42672c267e

SHA512
1a49cf30357d15bb7e4b71b9efdae94f5f328816985e53ada3af807709025d33c329bdeb38ee60932951a3beaccfc1e2a51593fbf40c8e528dcf579378141162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9069049.exe

Filesize
172KB

MD5
0b802f87ff14fb8070b5a5dfe72ac445

SHA1
05e806a188fe773b664045221f1f0e0f8caaa11e

SHA256
d231767bc28f93d476f45fe5f2072c6313555b4007e205609567ad42672c267e

SHA512
1a49cf30357d15bb7e4b71b9efdae94f5f328816985e53ada3af807709025d33c329bdeb38ee60932951a3beaccfc1e2a51593fbf40c8e528dcf579378141162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4488150.exe

Filesize
202KB

MD5
35c3d1657a328e7cfa00ddb634040464

SHA1
8eaa8176298d7886956c45b52ec8a7e83b17c18e

SHA256
9ec974629be5489dc06f1671158b7b2bcf2121351c3bbe2b3f2e7562f0118788

SHA512
e5c9db44557a87f24036863a892957bec728ad01ce0a95cae24884526f5aaa6418a2ab33ee2d4749a804dad5d170f146c7b018af788adaccbf196cb1950964f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4488150.exe

Filesize
202KB

MD5
35c3d1657a328e7cfa00ddb634040464

SHA1
8eaa8176298d7886956c45b52ec8a7e83b17c18e

SHA256
9ec974629be5489dc06f1671158b7b2bcf2121351c3bbe2b3f2e7562f0118788

SHA512
e5c9db44557a87f24036863a892957bec728ad01ce0a95cae24884526f5aaa6418a2ab33ee2d4749a804dad5d170f146c7b018af788adaccbf196cb1950964f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6631012.exe

Filesize
12KB

MD5
b8b29a3f69d5b08b873bb59f2bf4453c

SHA1
6bebea790f503c4401a731e2faff883ba272d841

SHA256
f6cbf40999b12dbbb3f4eb617a47f28454c8b13f74fdcd9dcb6f20df347cb39d

SHA512
e440eee2ec9fb0422e8bd8d240db76f6faa16789b19ff3544df5bfd8823132423893cd4593e8e2730b9bb9fbbf7bf357382a9a07492b44b64367deb186362e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6631012.exe

Filesize
12KB

MD5
b8b29a3f69d5b08b873bb59f2bf4453c

SHA1
6bebea790f503c4401a731e2faff883ba272d841

SHA256
f6cbf40999b12dbbb3f4eb617a47f28454c8b13f74fdcd9dcb6f20df347cb39d

SHA512
e440eee2ec9fb0422e8bd8d240db76f6faa16789b19ff3544df5bfd8823132423893cd4593e8e2730b9bb9fbbf7bf357382a9a07492b44b64367deb186362e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9769501.exe

Filesize
117KB

MD5
9548a41dfc9f25a7583ee9a410f3a62e

SHA1
b0f8c344237a22f973ef0015c69df9a89b3a29d2

SHA256
bac4ac7ae581fa441442d8c20bd09254c8d06ed72a3c85eb1e0e706c9005b2ca

SHA512
374729425f841f2797e5819ca85148d16b782f42e977749003409357277f076ee73322d3106f1776282299fee394c5e131f9e8334560c28efb8a7cb0014a10b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9769501.exe

Filesize
117KB

MD5
9548a41dfc9f25a7583ee9a410f3a62e

SHA1
b0f8c344237a22f973ef0015c69df9a89b3a29d2

SHA256
bac4ac7ae581fa441442d8c20bd09254c8d06ed72a3c85eb1e0e706c9005b2ca

SHA512
374729425f841f2797e5819ca85148d16b782f42e977749003409357277f076ee73322d3106f1776282299fee394c5e131f9e8334560c28efb8a7cb0014a10b3

Download Submit
memory/1916-175-0x00000000000A0000-0x00000000000D0000-memory.dmp

Filesize
192KB

Download
memory/1916-176-0x000000000A440000-0x000000000AA58000-memory.dmp

Filesize
6.1MB

Download
memory/1916-177-0x0000000009F30000-0x000000000A03A000-memory.dmp

Filesize
1.0MB

Download
memory/1916-178-0x0000000009E20000-0x0000000009E32000-memory.dmp

Filesize
72KB

Download
memory/1916-179-0x0000000009E80000-0x0000000009EBC000-memory.dmp

Filesize
240KB

Download
memory/1916-180-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1916-183-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2616-161-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/3468-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download