redline | 434015a42546ee6b0e5f117631d9b594cd922889dd7223dab5fdce04f5efbb93

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df202d8bfd8d4fc017b3dd43ae93c32d.exe
Size

735KB
MD5

df202d8bfd8d4fc017b3dd43ae93c32d
SHA1

8ca333235a256a5263f2364e26ef8a9db7e2b758
SHA256

434015a42546ee6b0e5f117631d9b594cd922889dd7223dab5fdce04f5efbb93
SHA512

527361523be2159c400cb9de0c3ebb29089bc791a89d09d71dfd4f02b48e0858b8028e6d2276b6a93ecba489cde7181d5f28492bab68f861751a978f213d86b8
SSDEEP

12288:5MrAy90H24AtlaAOO7t5WzhaaFSMjvfu936KZqTe86JKeW7BvA3:Zyi24At0e/WzJSH3LwTiWK

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a6932560.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6932560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6932560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6932560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6932560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6932560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6932560.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v4286507.exev6794406.exev2411481.exea6932560.exeb7470008.exec6391326.exe

pid process

1996 v4286507.exe
4848 v6794406.exe
764 v2411481.exe
4220 a6932560.exe
924 b7470008.exe
4552 c6391326.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a6932560.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6932560.exe

pid	process
1996	v4286507.exe
4848	v6794406.exe
764	v2411481.exe
4220	a6932560.exe
924	b7470008.exe
4552	c6391326.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6932560.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2411481.exedf202d8bfd8d4fc017b3dd43ae93c32d.exev4286507.exev6794406.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2411481.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	df202d8bfd8d4fc017b3dd43ae93c32d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df202d8bfd8d4fc017b3dd43ae93c32d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4286507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4286507.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6794406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6794406.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2411481.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

b7470008.exe

description pid process target process

PID 924 set thread context of 3756 924 b7470008.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2228 924 WerFault.exe b7470008.exe

description	pid	process	target process
PID 924 set thread context of 3756	924	b7470008.exe	AppLaunch.exe

pid	pid_target	process	target process
2228	924	WerFault.exe	b7470008.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

a6932560.exeAppLaunch.exec6391326.exe

pid	process
4220	a6932560.exe
4220	a6932560.exe
3756	AppLaunch.exe
3756	AppLaunch.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe
4552	c6391326.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a6932560.exeAppLaunch.exec6391326.exe

description pid process

Token: SeDebugPrivilege 4220 a6932560.exe
Token: SeDebugPrivilege 3756 AppLaunch.exe
Token: SeDebugPrivilege 4552 c6391326.exe

description	pid	process
Token: SeDebugPrivilege	4220	a6932560.exe
Token: SeDebugPrivilege	3756	AppLaunch.exe
Token: SeDebugPrivilege	4552	c6391326.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

df202d8bfd8d4fc017b3dd43ae93c32d.exev4286507.exev6794406.exev2411481.exeb7470008.exe

description	pid	process	target process
PID 3044 wrote to memory of 1996	3044	df202d8bfd8d4fc017b3dd43ae93c32d.exe	v4286507.exe
PID 3044 wrote to memory of 1996	3044	df202d8bfd8d4fc017b3dd43ae93c32d.exe	v4286507.exe
PID 3044 wrote to memory of 1996	3044	df202d8bfd8d4fc017b3dd43ae93c32d.exe	v4286507.exe
PID 1996 wrote to memory of 4848	1996	v4286507.exe	v6794406.exe
PID 1996 wrote to memory of 4848	1996	v4286507.exe	v6794406.exe
PID 1996 wrote to memory of 4848	1996	v4286507.exe	v6794406.exe
PID 4848 wrote to memory of 764	4848	v6794406.exe	v2411481.exe
PID 4848 wrote to memory of 764	4848	v6794406.exe	v2411481.exe
PID 4848 wrote to memory of 764	4848	v6794406.exe	v2411481.exe
PID 764 wrote to memory of 4220	764	v2411481.exe	a6932560.exe
PID 764 wrote to memory of 4220	764	v2411481.exe	a6932560.exe
PID 764 wrote to memory of 924	764	v2411481.exe	b7470008.exe
PID 764 wrote to memory of 924	764	v2411481.exe	b7470008.exe
PID 764 wrote to memory of 924	764	v2411481.exe	b7470008.exe
PID 924 wrote to memory of 3756	924	b7470008.exe	AppLaunch.exe
PID 924 wrote to memory of 3756	924	b7470008.exe	AppLaunch.exe
PID 924 wrote to memory of 3756	924	b7470008.exe	AppLaunch.exe
PID 924 wrote to memory of 3756	924	b7470008.exe	AppLaunch.exe
PID 924 wrote to memory of 3756	924	b7470008.exe	AppLaunch.exe
PID 4848 wrote to memory of 4552	4848	v6794406.exe	c6391326.exe
PID 4848 wrote to memory of 4552	4848	v6794406.exe	c6391326.exe
PID 4848 wrote to memory of 4552	4848	v6794406.exe	c6391326.exe

C:\Users\Admin\AppData\Local\Temp\df202d8bfd8d4fc017b3dd43ae93c32d.exe
"C:\Users\Admin\AppData\Local\Temp\df202d8bfd8d4fc017b3dd43ae93c32d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4286507.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4286507.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794406.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794406.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2411481.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2411481.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6932560.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6932560.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7470008.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7470008.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 572
6⤵
- Program crash
PID:2228

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6391326.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6391326.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 924 -ip 924
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4286507.exe
Filesize
529KB

MD5
5af504fc49b75f43ca841a6a63466c58

SHA1
1654d202d0906afa77d37cdad8c89fc985c7e44d

SHA256
a02136b660bc782ba700bf65e695c309a9853fc814c22d61954a6c543575bfb5

SHA512
96ef1797b451122b23c2d3727152a5c1f68e52e635f187c8419c557f3fae6f2e0e9dd1b0e76c0550862176fe3f6de5808ee411a853d9bad532f2b36fb2daac3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4286507.exe
Filesize
529KB

MD5
5af504fc49b75f43ca841a6a63466c58

SHA1
1654d202d0906afa77d37cdad8c89fc985c7e44d

SHA256
a02136b660bc782ba700bf65e695c309a9853fc814c22d61954a6c543575bfb5

SHA512
96ef1797b451122b23c2d3727152a5c1f68e52e635f187c8419c557f3fae6f2e0e9dd1b0e76c0550862176fe3f6de5808ee411a853d9bad532f2b36fb2daac3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794406.exe
Filesize
357KB

MD5
d32bd8979a23ce3472ce030f5e1f358a

SHA1
b3af5837107db20eb439e63927cba3959219eda5

SHA256
a6ed12e5ed0ed0686eb67303b02dcca7496ffd5557bf94344ab9286379726647

SHA512
bdde9f8a6d5ee07834bf399b9fa162fcafb704d1cc2f8a0a57b58229473404bc883c7154aa463b0b10327c23f06076fc705af89052b9b56aa455e7ab252eb24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6794406.exe
Filesize
357KB

MD5
d32bd8979a23ce3472ce030f5e1f358a

SHA1
b3af5837107db20eb439e63927cba3959219eda5

SHA256
a6ed12e5ed0ed0686eb67303b02dcca7496ffd5557bf94344ab9286379726647

SHA512
bdde9f8a6d5ee07834bf399b9fa162fcafb704d1cc2f8a0a57b58229473404bc883c7154aa463b0b10327c23f06076fc705af89052b9b56aa455e7ab252eb24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6391326.exe
Filesize
172KB

MD5
6b0e059ed710c1420721ffa360c13dc4

SHA1
e059af86dcc609c88de6af72e64da37f32921a58

SHA256
944686657b0935f62cb1bc445744e85bf1277232ba4286920c83b53f23172a19

SHA512
b0ad9fc5542cfa260cb6fbbe795bbcccc5e9e69dcdb9b6d3610dc2b7bda58ccddcd107f8da28b24c002668405748de29824cfed2f5cdbd1cdc12b30501f17f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6391326.exe
Filesize
172KB

MD5
6b0e059ed710c1420721ffa360c13dc4

SHA1
e059af86dcc609c88de6af72e64da37f32921a58

SHA256
944686657b0935f62cb1bc445744e85bf1277232ba4286920c83b53f23172a19

SHA512
b0ad9fc5542cfa260cb6fbbe795bbcccc5e9e69dcdb9b6d3610dc2b7bda58ccddcd107f8da28b24c002668405748de29824cfed2f5cdbd1cdc12b30501f17f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2411481.exe
Filesize
202KB

MD5
2a4a4f05cd71644236777b004c79dd18

SHA1
46ba11cead0b096ac4e9bd03ec46ce117167854f

SHA256
5614552846464e3bc1113008fc4c66f3067e6fc610092274237b562714443f9d

SHA512
74b803a07d4294127aae702859d850eae81db14de423c535a4c836633112a826d9a37ca2807911ef13066fa1d2dfb1226c0d028d0bf4628842715837f6766358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2411481.exe
Filesize
202KB

MD5
2a4a4f05cd71644236777b004c79dd18

SHA1
46ba11cead0b096ac4e9bd03ec46ce117167854f

SHA256
5614552846464e3bc1113008fc4c66f3067e6fc610092274237b562714443f9d

SHA512
74b803a07d4294127aae702859d850eae81db14de423c535a4c836633112a826d9a37ca2807911ef13066fa1d2dfb1226c0d028d0bf4628842715837f6766358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6932560.exe
Filesize
13KB

MD5
6a266dfa4a206f819a896ce11534d0e7

SHA1
4761380821b67e5be8f976493595f0c2946eec45

SHA256
cc40b0f8a2f0461dbedbc34c4e1be7cc8e5bddd3c039191c06f29c8b03f46c80

SHA512
392779dc08830a125703647abcb9ca3fd4231e8290dd9c9bd749d4a924ee47e1a7e27f9a59d384f41a327cc00461e8499c9ef74692e503ad1a371e5990efe573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6932560.exe
Filesize
13KB

MD5
6a266dfa4a206f819a896ce11534d0e7

SHA1
4761380821b67e5be8f976493595f0c2946eec45

SHA256
cc40b0f8a2f0461dbedbc34c4e1be7cc8e5bddd3c039191c06f29c8b03f46c80

SHA512
392779dc08830a125703647abcb9ca3fd4231e8290dd9c9bd749d4a924ee47e1a7e27f9a59d384f41a327cc00461e8499c9ef74692e503ad1a371e5990efe573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7470008.exe
Filesize
117KB

MD5
eadc930f39db6b27f1d1e4f930f5dbb4

SHA1
423f0b10f64432c4e006865bf4826d9ee929a1e9

SHA256
b17de9f0466bcbfa81f24773b7fe93aea914ae509d9a95caf6c0aa6330d45306

SHA512
431528897c7172c7fe189767a70e13fe2dae573a321992f072ce74b287edc9b35eba64fa450fd9c6b730d0381a93eb3c8261f6b583a24d3b9c310ee2a654a855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7470008.exe
Filesize
117KB

MD5
eadc930f39db6b27f1d1e4f930f5dbb4

SHA1
423f0b10f64432c4e006865bf4826d9ee929a1e9

SHA256
b17de9f0466bcbfa81f24773b7fe93aea914ae509d9a95caf6c0aa6330d45306

SHA512
431528897c7172c7fe189767a70e13fe2dae573a321992f072ce74b287edc9b35eba64fa450fd9c6b730d0381a93eb3c8261f6b583a24d3b9c310ee2a654a855

Download Submit
memory/3756-167-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/4220-161-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/4552-175-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/4552-176-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/4552-177-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/4552-178-0x00000000057C0000-0x00000000057D2000-memory.dmp

Filesize
72KB

Download
memory/4552-179-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/4552-180-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4552-182-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4552-183-0x0000000005C60000-0x0000000005CD6000-memory.dmp

Filesize
472KB

Download
memory/4552-184-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/4552-185-0x0000000006D80000-0x0000000007324000-memory.dmp

Filesize
5.6MB

Download
memory/4552-186-0x00000000067D0000-0x0000000006836000-memory.dmp

Filesize
408KB

Download
memory/4552-187-0x0000000006B10000-0x0000000006CD2000-memory.dmp

Filesize
1.8MB

Download
memory/4552-188-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/4552-189-0x0000000006D30000-0x0000000006D80000-memory.dmp

Filesize
320KB

Download