redline | 737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe
Size

740KB
MD5

490cc340e3f63ca132962f67ec44bdbe
SHA1

3e49a6337dc0f30110624f25d58f7d77f698cfd5
SHA256

737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62
SHA512

77fa05af47bbdba47ec540cfbc4e6bdb9601167cbb610169d5f97e82f4dd636fde8bae08bf79077a52d61f6f76edebe0277a3a27192257a9597aef57a916a27e
SSDEEP

12288:RMrAy908Ad/YispZBn1FnjETlH2iRxCpdBzHbVxvdbFsGut+r3wTzW:hy41YiSfnj4HCpPz7FFsGw+ca

Score

10^/10

redline maxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3778139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3778139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3778139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3778139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3778139.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3778139.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
656	v2193449.exe
824	v2211734.exe
440	v8853267.exe
3736	a3778139.exe
4388	b0577656.exe
3480	c6342572.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3778139.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2193449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2193449.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2211734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2211734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8853267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8853267.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 3528	4388	b0577656.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	4388	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3736	a3778139.exe
3736	a3778139.exe
3528	AppLaunch.exe
3528	AppLaunch.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe
3480	c6342572.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	a3778139.exe
Token: SeDebugPrivilege	3528	AppLaunch.exe
Token: SeDebugPrivilege	3480	c6342572.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 656	4528	737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe	82
PID 4528 wrote to memory of 656	4528	737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe	82
PID 4528 wrote to memory of 656	4528	737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe	82
PID 656 wrote to memory of 824	656	v2193449.exe	83
PID 656 wrote to memory of 824	656	v2193449.exe	83
PID 656 wrote to memory of 824	656	v2193449.exe	83
PID 824 wrote to memory of 440	824	v2211734.exe	84
PID 824 wrote to memory of 440	824	v2211734.exe	84
PID 824 wrote to memory of 440	824	v2211734.exe	84
PID 440 wrote to memory of 3736	440	v8853267.exe	85
PID 440 wrote to memory of 3736	440	v8853267.exe	85
PID 440 wrote to memory of 4388	440	v8853267.exe	90
PID 440 wrote to memory of 4388	440	v8853267.exe	90
PID 440 wrote to memory of 4388	440	v8853267.exe	90
PID 4388 wrote to memory of 3528	4388	b0577656.exe	92
PID 4388 wrote to memory of 3528	4388	b0577656.exe	92
PID 4388 wrote to memory of 3528	4388	b0577656.exe	92
PID 4388 wrote to memory of 3528	4388	b0577656.exe	92
PID 4388 wrote to memory of 3528	4388	b0577656.exe	92
PID 824 wrote to memory of 3480	824	v2211734.exe	97
PID 824 wrote to memory of 3480	824	v2211734.exe	97
PID 824 wrote to memory of 3480	824	v2211734.exe	97

C:\Users\Admin\AppData\Local\Temp\737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe
"C:\Users\Admin\AppData\Local\Temp\737a2ad71df51cec4e94610c2891bf664ce6b81a79d08bb8e91da05fbf164e62.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2193449.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2193449.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2211734.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2211734.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8853267.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8853267.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3778139.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3778139.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0577656.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0577656.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 148
        6⤵
        Program crash
        
        PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6342572.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6342572.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4388 -ip 4388
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2193449.exe

Filesize
532KB

MD5
192e0318dd9ed41e066b782fcc1c7507

SHA1
3b481cb425be94091386b5e3fdb1b73fcd6b030a

SHA256
3925a15000a5d71e97ed42255d895c5d1bf32d1c07bb3fdc056f3664defcec32

SHA512
bbc77cc96d9d6ecb325b64961763c8c8f194e60333a63646bfbb0c6333da37394c499233ad3699d0338f3c0e898d688973f086f2f605c4ceaae7a9b8e6561d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2193449.exe

Filesize
532KB

MD5
192e0318dd9ed41e066b782fcc1c7507

SHA1
3b481cb425be94091386b5e3fdb1b73fcd6b030a

SHA256
3925a15000a5d71e97ed42255d895c5d1bf32d1c07bb3fdc056f3664defcec32

SHA512
bbc77cc96d9d6ecb325b64961763c8c8f194e60333a63646bfbb0c6333da37394c499233ad3699d0338f3c0e898d688973f086f2f605c4ceaae7a9b8e6561d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2211734.exe

Filesize
360KB

MD5
18ce4f6a02dd4a49227c2f3d96b16f6e

SHA1
8020cbe90c1f47ba4675e38f7cfb47498f3c9892

SHA256
338e0a6171d8a2071a540226ac7759657c86a836a26771d6e4115df1bd151956

SHA512
8410fdb442a5bec765935972b57cb3d090aab0b017be4a47def6652212c5c5da57972583c6a4b4dd5ce3a85ed7fc24bf31b5581c00dd7ff5d1b2eb97d54106df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2211734.exe

Filesize
360KB

MD5
18ce4f6a02dd4a49227c2f3d96b16f6e

SHA1
8020cbe90c1f47ba4675e38f7cfb47498f3c9892

SHA256
338e0a6171d8a2071a540226ac7759657c86a836a26771d6e4115df1bd151956

SHA512
8410fdb442a5bec765935972b57cb3d090aab0b017be4a47def6652212c5c5da57972583c6a4b4dd5ce3a85ed7fc24bf31b5581c00dd7ff5d1b2eb97d54106df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6342572.exe

Filesize
172KB

MD5
8de8834f2c544cf5592cce3ee4da8d2e

SHA1
b723d33f07d8906ce84c697f88336cb510cdda8a

SHA256
82372438daaf161f0a7e4b4f0c270fa3d4d798df152f3520ad03d9e8a75d68ec

SHA512
49a394ce4a0ce178d4073ac1e5bbfb9085dcebdf63f7f7aca47f4dbbfcbe25e3207e33141f1208fb1ab8c1cb02b726cfc564958763988995f90b62b7e69f2ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6342572.exe

Filesize
172KB

MD5
8de8834f2c544cf5592cce3ee4da8d2e

SHA1
b723d33f07d8906ce84c697f88336cb510cdda8a

SHA256
82372438daaf161f0a7e4b4f0c270fa3d4d798df152f3520ad03d9e8a75d68ec

SHA512
49a394ce4a0ce178d4073ac1e5bbfb9085dcebdf63f7f7aca47f4dbbfcbe25e3207e33141f1208fb1ab8c1cb02b726cfc564958763988995f90b62b7e69f2ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8853267.exe

Filesize
204KB

MD5
d1299c74b430066a3b9b2ea7b0f0caab

SHA1
ca55805953e211c21eeffd7dcd438dcd44878914

SHA256
93f246d45aa9e770d78239eda760991db58bb068444f9787de4d34a91a037145

SHA512
6bd4617557b1e5870bd50683c677a1eccf23e0426b0ff37bbee2fef96b98f57820998fc13b189bee5d6b10d35614bc48978d0c544b74fcfbc9fdb0e11b47b3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8853267.exe

Filesize
204KB

MD5
d1299c74b430066a3b9b2ea7b0f0caab

SHA1
ca55805953e211c21eeffd7dcd438dcd44878914

SHA256
93f246d45aa9e770d78239eda760991db58bb068444f9787de4d34a91a037145

SHA512
6bd4617557b1e5870bd50683c677a1eccf23e0426b0ff37bbee2fef96b98f57820998fc13b189bee5d6b10d35614bc48978d0c544b74fcfbc9fdb0e11b47b3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3778139.exe

Filesize
13KB

MD5
c07e7dd09767fc403da8db079ee85538

SHA1
1eaa2f6f4217f2927d9be1a8d1fb52e1d4e1b028

SHA256
d967abdd02a35ed38f41f70d66ded44595a7343fcfdcdf2c4ca7abbd691421be

SHA512
b189fdb21ad8d81840eeae2e1e14f3d972b9844af7589cbc193b6de9061f79b54b3726ba5c2551b68a86c82dbe1c17d76ef9e465960f5578a949837d5c2c7848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3778139.exe

Filesize
13KB

MD5
c07e7dd09767fc403da8db079ee85538

SHA1
1eaa2f6f4217f2927d9be1a8d1fb52e1d4e1b028

SHA256
d967abdd02a35ed38f41f70d66ded44595a7343fcfdcdf2c4ca7abbd691421be

SHA512
b189fdb21ad8d81840eeae2e1e14f3d972b9844af7589cbc193b6de9061f79b54b3726ba5c2551b68a86c82dbe1c17d76ef9e465960f5578a949837d5c2c7848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0577656.exe

Filesize
120KB

MD5
0bd54a7f0f26bbcc69c33458a44b461d

SHA1
cee99479e0126c8ad3b35caccc2dd4329a252d85

SHA256
d4bcfe0cf499d7f19a854b497a086be572983ba19f51a531c588fb7c874acece

SHA512
ebb4862da10de16ea6036cb39c45f8baaa11236b524f6044b46d6ce57428ba2a07d80065512d935f03150d141801ef2d094b76229e7273c030700ec27a3636e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0577656.exe

Filesize
120KB

MD5
0bd54a7f0f26bbcc69c33458a44b461d

SHA1
cee99479e0126c8ad3b35caccc2dd4329a252d85

SHA256
d4bcfe0cf499d7f19a854b497a086be572983ba19f51a531c588fb7c874acece

SHA512
ebb4862da10de16ea6036cb39c45f8baaa11236b524f6044b46d6ce57428ba2a07d80065512d935f03150d141801ef2d094b76229e7273c030700ec27a3636e7

Download Submit
memory/3480-175-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/3480-180-0x000000000AAB0000-0x000000000AAEC000-memory.dmp

Filesize
240KB

Download
memory/3480-189-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3480-176-0x000000000AF90000-0x000000000B5A8000-memory.dmp

Filesize
6.1MB

Download
memory/3480-177-0x000000000AB10000-0x000000000AC1A000-memory.dmp

Filesize
1.0MB

Download
memory/3480-178-0x000000000AA50000-0x000000000AA62000-memory.dmp

Filesize
72KB

Download
memory/3480-179-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3480-188-0x000000000C190000-0x000000000C1E0000-memory.dmp

Filesize
320KB

Download
memory/3480-182-0x000000000ADC0000-0x000000000AE36000-memory.dmp

Filesize
472KB

Download
memory/3480-183-0x000000000AEE0000-0x000000000AF72000-memory.dmp

Filesize
584KB

Download
memory/3480-184-0x000000000BB60000-0x000000000C104000-memory.dmp

Filesize
5.6MB

Download
memory/3480-185-0x000000000B6B0000-0x000000000B716000-memory.dmp

Filesize
408KB

Download
memory/3480-186-0x000000000C2E0000-0x000000000C4A2000-memory.dmp

Filesize
1.8MB

Download
memory/3480-187-0x000000000C9E0000-0x000000000CF0C000-memory.dmp

Filesize
5.2MB

Download
memory/3528-167-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/3736-161-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download