redline | 2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe
Size

730KB
MD5

75515bf34e0199bc0e105762182c554b
SHA1

50d6c2caf69d60325891f86ddd5b15b410bc771e
SHA256

2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6
SHA512

61e6945e0a7d5a446a9e68e89e60e0971c1249659ef5697b3e2da6490cb898e8d42396597affb59e8bf2c30a8befdb354d950d771971a53147ba592d8bf0e1f2
SSDEEP

12288:5Mrgy90Jrz2zj/KAm+Kh8LtqxpypyWUKdDoY+TgBpZMt+P2W:tyOP2zj/DFLAxp8yfUugBh2W

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea7640138.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7640138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7640138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7640138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7640138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7640138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7640138.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v7076905.exev7382453.exev2006535.exea7640138.exeb9084967.exec0767348.exe

pid process

4496 v7076905.exe
4524 v7382453.exe
1028 v2006535.exe
4276 a7640138.exe
4404 b9084967.exe
3316 c0767348.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7640138.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7640138.exe

pid	process
4496	v7076905.exe
4524	v7382453.exe
1028	v2006535.exe
4276	a7640138.exe
4404	b9084967.exe
3316	c0767348.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7640138.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2006535.exe2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exev7076905.exev7382453.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2006535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2006535.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7076905.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7076905.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7382453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7382453.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b9084967.exe

description pid process target process

PID 4404 set thread context of 3444 4404 b9084967.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2496 4404 WerFault.exe b9084967.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a7640138.exeAppLaunch.exe

pid process

4276 a7640138.exe
4276 a7640138.exe
3444 AppLaunch.exe
3444 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a7640138.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 4276 a7640138.exe
Token: SeDebugPrivilege 3444 AppLaunch.exe

description	pid	process	target process
PID 4404 set thread context of 3444	4404	b9084967.exe	AppLaunch.exe

pid	pid_target	process	target process
2496	4404	WerFault.exe	b9084967.exe

pid	process
4276	a7640138.exe
4276	a7640138.exe
3444	AppLaunch.exe
3444	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4276	a7640138.exe
Token: SeDebugPrivilege	3444	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exev7076905.exev7382453.exev2006535.exeb9084967.exe

description	pid	process	target process
PID 4112 wrote to memory of 4496	4112	2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe	v7076905.exe
PID 4112 wrote to memory of 4496	4112	2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe	v7076905.exe
PID 4112 wrote to memory of 4496	4112	2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe	v7076905.exe
PID 4496 wrote to memory of 4524	4496	v7076905.exe	v7382453.exe
PID 4496 wrote to memory of 4524	4496	v7076905.exe	v7382453.exe
PID 4496 wrote to memory of 4524	4496	v7076905.exe	v7382453.exe
PID 4524 wrote to memory of 1028	4524	v7382453.exe	v2006535.exe
PID 4524 wrote to memory of 1028	4524	v7382453.exe	v2006535.exe
PID 4524 wrote to memory of 1028	4524	v7382453.exe	v2006535.exe
PID 1028 wrote to memory of 4276	1028	v2006535.exe	a7640138.exe
PID 1028 wrote to memory of 4276	1028	v2006535.exe	a7640138.exe
PID 1028 wrote to memory of 4404	1028	v2006535.exe	b9084967.exe
PID 1028 wrote to memory of 4404	1028	v2006535.exe	b9084967.exe
PID 1028 wrote to memory of 4404	1028	v2006535.exe	b9084967.exe
PID 4404 wrote to memory of 3444	4404	b9084967.exe	AppLaunch.exe
PID 4404 wrote to memory of 3444	4404	b9084967.exe	AppLaunch.exe
PID 4404 wrote to memory of 3444	4404	b9084967.exe	AppLaunch.exe
PID 4404 wrote to memory of 3444	4404	b9084967.exe	AppLaunch.exe
PID 4404 wrote to memory of 3444	4404	b9084967.exe	AppLaunch.exe
PID 4524 wrote to memory of 3316	4524	v7382453.exe	c0767348.exe
PID 4524 wrote to memory of 3316	4524	v7382453.exe	c0767348.exe
PID 4524 wrote to memory of 3316	4524	v7382453.exe	c0767348.exe

C:\Users\Admin\AppData\Local\Temp\2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe
"C:\Users\Admin\AppData\Local\Temp\2e6f8546a5d18f6199355eae0997aab4a47a3ae0ec4177c171a31cfcb49b69f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7076905.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7076905.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7382453.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7382453.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2006535.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2006535.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7640138.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7640138.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9084967.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9084967.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 140
6⤵
- Program crash
PID:2496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0767348.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0767348.exe
4⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4404 -ip 4404
1⤵
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7076905.exe
Filesize
530KB

MD5
9e0c618751087ee29823183a4ac217dd

SHA1
54bdf70fd3a735edef143c383bc48e55b02ba3b5

SHA256
5c3e8e711f64a373b53829d92f864eca2846fa7ba0a808c9c62e6d6d73968b1f

SHA512
b7fdd4381e9ed189e4be2807b63bc02fdd7982b2d038f983845c46a29c4db333f3d6154b6a3c19851d81b6ab639f905a2cf5a8d6c41eb830c29310e5d5bf46c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7076905.exe
Filesize
530KB

MD5
9e0c618751087ee29823183a4ac217dd

SHA1
54bdf70fd3a735edef143c383bc48e55b02ba3b5

SHA256
5c3e8e711f64a373b53829d92f864eca2846fa7ba0a808c9c62e6d6d73968b1f

SHA512
b7fdd4381e9ed189e4be2807b63bc02fdd7982b2d038f983845c46a29c4db333f3d6154b6a3c19851d81b6ab639f905a2cf5a8d6c41eb830c29310e5d5bf46c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7382453.exe
Filesize
358KB

MD5
fdeaa7b1ddfe0a84ee108668ebfdc882

SHA1
b4d1405818d9fcc2cae6c7b33432edf5eb989908

SHA256
f672be9bfd0c215d4d18d558670c3001279ec6574c1a261185f81170f6b2e2ab

SHA512
fc2f84498876a312a78f0eebac1f0eeceefe35613942ae7d54972bff9ca6381d619cd15e8902dac0b9da8d9ce895d2a2494ae78f2b475d461a1f53c88c968dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7382453.exe
Filesize
358KB

MD5
fdeaa7b1ddfe0a84ee108668ebfdc882

SHA1
b4d1405818d9fcc2cae6c7b33432edf5eb989908

SHA256
f672be9bfd0c215d4d18d558670c3001279ec6574c1a261185f81170f6b2e2ab

SHA512
fc2f84498876a312a78f0eebac1f0eeceefe35613942ae7d54972bff9ca6381d619cd15e8902dac0b9da8d9ce895d2a2494ae78f2b475d461a1f53c88c968dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0767348.exe
Filesize
172KB

MD5
df0b5144ba9d0f6c8eb1ec88e43faf4b

SHA1
bb21ae591b1f9be6243ad53931dc8455436c7ee6

SHA256
26e7bb7d83c08a43b79843ebd6ccd7d991b205458a6f7b01e6dd796684bf1f61

SHA512
7a3546d1c0dbc8987bb70c34f108c19e23916194a29d4738295815a0eaf576a414a88725d9c3bc74af0a58fa18631d222b852d1c00a19b624b03c36fca59ff41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0767348.exe
Filesize
172KB

MD5
df0b5144ba9d0f6c8eb1ec88e43faf4b

SHA1
bb21ae591b1f9be6243ad53931dc8455436c7ee6

SHA256
26e7bb7d83c08a43b79843ebd6ccd7d991b205458a6f7b01e6dd796684bf1f61

SHA512
7a3546d1c0dbc8987bb70c34f108c19e23916194a29d4738295815a0eaf576a414a88725d9c3bc74af0a58fa18631d222b852d1c00a19b624b03c36fca59ff41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2006535.exe
Filesize
203KB

MD5
a05cb921b96d4f164eaed4fe1abd90a6

SHA1
2b9d7afec56b8c3f7e47870a673f512136567ab9

SHA256
fb6beb872691fec7f7dd00f040bd621d1dc446debe030ba557ef2cd28dea970b

SHA512
94e998eef45d1d924e33da212b25cb61c4877d8e780a7408d4705d09f6f9ea40abbed0b61e96791f5e16b8b9ee8d19388afd9c0e7dec153cb387d15c0f99d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2006535.exe
Filesize
203KB

MD5
a05cb921b96d4f164eaed4fe1abd90a6

SHA1
2b9d7afec56b8c3f7e47870a673f512136567ab9

SHA256
fb6beb872691fec7f7dd00f040bd621d1dc446debe030ba557ef2cd28dea970b

SHA512
94e998eef45d1d924e33da212b25cb61c4877d8e780a7408d4705d09f6f9ea40abbed0b61e96791f5e16b8b9ee8d19388afd9c0e7dec153cb387d15c0f99d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7640138.exe
Filesize
13KB

MD5
3470fb456825c284f5a1a9713463b4d3

SHA1
87fe5d42c6678cdac3c43191f84edffd04cf0da0

SHA256
dc3997d7aeaf6f8cc4924d024464339ad301161b78eea171c18630892df9d72e

SHA512
27d6e7c39fe81e6dc821fb7d5a9d1fbea4d575ff40a2c491ca488891e7faaa6dc543dbfe8d66f48d223a515712341e5c78ddff838e8a992e9a6af133822381b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7640138.exe
Filesize
13KB

MD5
3470fb456825c284f5a1a9713463b4d3

SHA1
87fe5d42c6678cdac3c43191f84edffd04cf0da0

SHA256
dc3997d7aeaf6f8cc4924d024464339ad301161b78eea171c18630892df9d72e

SHA512
27d6e7c39fe81e6dc821fb7d5a9d1fbea4d575ff40a2c491ca488891e7faaa6dc543dbfe8d66f48d223a515712341e5c78ddff838e8a992e9a6af133822381b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9084967.exe
Filesize
117KB

MD5
2e28dab1531c7a3055df0b22624b3618

SHA1
c04e03cc821e1d46d67fedf1d2440597f4ad8f92

SHA256
e708da87bdd9267f4d67a4941f421c82dde2975c133ac0436a66d162d97fe83c

SHA512
e7cad054e4ea5078e327bca068ee397b39a3fc8fd2020b3a7c99c3d6b2f635cc728bde2a966aafc0038526c0b9abadaeb792f44d63b08cbcd00b6348f0579acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9084967.exe
Filesize
117KB

MD5
2e28dab1531c7a3055df0b22624b3618

SHA1
c04e03cc821e1d46d67fedf1d2440597f4ad8f92

SHA256
e708da87bdd9267f4d67a4941f421c82dde2975c133ac0436a66d162d97fe83c

SHA512
e7cad054e4ea5078e327bca068ee397b39a3fc8fd2020b3a7c99c3d6b2f635cc728bde2a966aafc0038526c0b9abadaeb792f44d63b08cbcd00b6348f0579acd

Download Submit
memory/3316-175-0x0000000000860000-0x0000000000890000-memory.dmp

Filesize
192KB

Download
memory/3316-176-0x000000000AC60000-0x000000000B278000-memory.dmp

Filesize
6.1MB

Download
memory/3316-177-0x000000000A7E0000-0x000000000A8EA000-memory.dmp

Filesize
1.0MB

Download
memory/3316-178-0x000000000A720000-0x000000000A732000-memory.dmp

Filesize
72KB

Download
memory/3316-179-0x000000000A780000-0x000000000A7BC000-memory.dmp

Filesize
240KB

Download
memory/3316-180-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3316-182-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3444-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4276-161-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download