redline | faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe
Size

739KB
MD5

9c88e1983ea13c8cf8526110be4e2a10
SHA1

c2f5a542afc2240beb23fd6e91205bef2e8c6c06
SHA256

faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd
SHA512

50abeece90620944fc6fc6ec9b7efd505576e5008e121968ee142a94213fc9b9fdc04d92bb44e85d31d12bb2e884bf643547849566a2e3b012c4b7fd1c8050de
SSDEEP

12288:qMrmy90SmIUmOBs+6p9JuDGoFx00TN9gMgID/+Ch/l5B5u0mN6tYfxKJe3A1M:Qy9HABs+6p9JuDRFy0TN9Brz/l5BcNbH

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea6976499.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6976499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6976499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6976499.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6976499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6976499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6976499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v8046386.exev2573934.exev2544615.exea6976499.exeb4539253.exec3997618.exe

pid process

4868 v8046386.exe
4460 v2573934.exe
2016 v2544615.exe
5020 a6976499.exe
1080 b4539253.exe
2208 c3997618.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a6976499.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a6976499.exe

pid	process
4868	v8046386.exe
4460	v2573934.exe
2016	v2544615.exe
5020	a6976499.exe
1080	b4539253.exe
2208	c3997618.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6976499.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v2544615.exefaed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exev8046386.exev2573934.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2544615.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8046386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8046386.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2573934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2573934.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2544615.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b4539253.exe

description pid process target process

PID 1080 set thread context of 3592 1080 b4539253.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4808 1080 WerFault.exe b4539253.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a6976499.exeAppLaunch.exe

pid process

5020 a6976499.exe
5020 a6976499.exe
3592 AppLaunch.exe
3592 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6976499.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 5020 a6976499.exe
Token: SeDebugPrivilege 3592 AppLaunch.exe

description	pid	process	target process
PID 1080 set thread context of 3592	1080	b4539253.exe	AppLaunch.exe

pid	pid_target	process	target process
4808	1080	WerFault.exe	b4539253.exe

pid	process
5020	a6976499.exe
5020	a6976499.exe
3592	AppLaunch.exe
3592	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5020	a6976499.exe
Token: SeDebugPrivilege	3592	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exev8046386.exev2573934.exev2544615.exeb4539253.exe

description	pid	process	target process
PID 744 wrote to memory of 4868	744	faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe	v8046386.exe
PID 744 wrote to memory of 4868	744	faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe	v8046386.exe
PID 744 wrote to memory of 4868	744	faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe	v8046386.exe
PID 4868 wrote to memory of 4460	4868	v8046386.exe	v2573934.exe
PID 4868 wrote to memory of 4460	4868	v8046386.exe	v2573934.exe
PID 4868 wrote to memory of 4460	4868	v8046386.exe	v2573934.exe
PID 4460 wrote to memory of 2016	4460	v2573934.exe	v2544615.exe
PID 4460 wrote to memory of 2016	4460	v2573934.exe	v2544615.exe
PID 4460 wrote to memory of 2016	4460	v2573934.exe	v2544615.exe
PID 2016 wrote to memory of 5020	2016	v2544615.exe	a6976499.exe
PID 2016 wrote to memory of 5020	2016	v2544615.exe	a6976499.exe
PID 2016 wrote to memory of 1080	2016	v2544615.exe	b4539253.exe
PID 2016 wrote to memory of 1080	2016	v2544615.exe	b4539253.exe
PID 2016 wrote to memory of 1080	2016	v2544615.exe	b4539253.exe
PID 1080 wrote to memory of 3592	1080	b4539253.exe	AppLaunch.exe
PID 1080 wrote to memory of 3592	1080	b4539253.exe	AppLaunch.exe
PID 1080 wrote to memory of 3592	1080	b4539253.exe	AppLaunch.exe
PID 1080 wrote to memory of 3592	1080	b4539253.exe	AppLaunch.exe
PID 1080 wrote to memory of 3592	1080	b4539253.exe	AppLaunch.exe
PID 4460 wrote to memory of 2208	4460	v2573934.exe	c3997618.exe
PID 4460 wrote to memory of 2208	4460	v2573934.exe	c3997618.exe
PID 4460 wrote to memory of 2208	4460	v2573934.exe	c3997618.exe

C:\Users\Admin\AppData\Local\Temp\faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe
"C:\Users\Admin\AppData\Local\Temp\faed7521d3677c22a2fbba041fdb29d4ac6121c819f1fe7ff4ee953d656c31cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8046386.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8046386.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2573934.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2573934.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2544615.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2544615.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6976499.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6976499.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4539253.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4539253.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 140
6⤵
- Program crash
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3997618.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3997618.exe
4⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1080 -ip 1080
1⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8046386.exe
Filesize
532KB

MD5
42696616df540a0d387cf1650386ffcb

SHA1
1379ec3335bf241feb9d320e11ddf7f07c383d1a

SHA256
b71a1607de3eb88cce1204fe1ffef8a887c4984a74ddabfce8551cb62fd74b2c

SHA512
e597e6f08851623db6274f7a5ad4ce704ed7b22ce2b80b9ad80bb639ccaf201ab986858cac9296f4c4d8fae97dd6623784dc9281ac2e3160fbad2c150ab9dfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8046386.exe
Filesize
532KB

MD5
42696616df540a0d387cf1650386ffcb

SHA1
1379ec3335bf241feb9d320e11ddf7f07c383d1a

SHA256
b71a1607de3eb88cce1204fe1ffef8a887c4984a74ddabfce8551cb62fd74b2c

SHA512
e597e6f08851623db6274f7a5ad4ce704ed7b22ce2b80b9ad80bb639ccaf201ab986858cac9296f4c4d8fae97dd6623784dc9281ac2e3160fbad2c150ab9dfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2573934.exe
Filesize
359KB

MD5
323aa7ff631c97741720ec4fd7164902

SHA1
e1325f2224bd13c2981899ab000c668b5f5d9d1b

SHA256
e9b1de9ee8b2c6dfa1cbdbb4d9cb099984adec0fb08a098e8c84e7b51b93252d

SHA512
ca02e914e58c1ecb6327918581af25859c1318edb5436ed97ec85783f3973870a2937a1828ec7612514c89026e9b28df3c0799e4bc8003d2bc3194cf8061142e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2573934.exe
Filesize
359KB

MD5
323aa7ff631c97741720ec4fd7164902

SHA1
e1325f2224bd13c2981899ab000c668b5f5d9d1b

SHA256
e9b1de9ee8b2c6dfa1cbdbb4d9cb099984adec0fb08a098e8c84e7b51b93252d

SHA512
ca02e914e58c1ecb6327918581af25859c1318edb5436ed97ec85783f3973870a2937a1828ec7612514c89026e9b28df3c0799e4bc8003d2bc3194cf8061142e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3997618.exe
Filesize
172KB

MD5
7e3b8675576ced9ad08b189a90a3e393

SHA1
f2ce2470ad9babe52b9b27b5b3b422eda3bf6c5d

SHA256
872e9e5197385d0770be868b7ba4113dbb58d0ea5554e1a576ebddf0ef65e86e

SHA512
a74ebb78ab6b86d54d9ff9693c369ecadd0f822e17900616810174fcf4a7f72ab413cf223e8e59e882f38e223402eab09621139c5f63d373fa5abde45e14978b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3997618.exe
Filesize
172KB

MD5
7e3b8675576ced9ad08b189a90a3e393

SHA1
f2ce2470ad9babe52b9b27b5b3b422eda3bf6c5d

SHA256
872e9e5197385d0770be868b7ba4113dbb58d0ea5554e1a576ebddf0ef65e86e

SHA512
a74ebb78ab6b86d54d9ff9693c369ecadd0f822e17900616810174fcf4a7f72ab413cf223e8e59e882f38e223402eab09621139c5f63d373fa5abde45e14978b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2544615.exe
Filesize
204KB

MD5
a0f473b43ffab81330813f523eaa013b

SHA1
7c3c0497806f7aaa030bf95dfb2c6784a1910c58

SHA256
618251848ae3245600d75e4aa067d51ccdb05fd2045d1f3b68c2e03610b1d20f

SHA512
30d1a14aacb6b4f4d77284d700478c17e1944ea19a789e422a3d6b424563f73da23e1045c21e0eef5a615fed1f5d6924d2e2744bffce81a540def70c4ebb6e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2544615.exe
Filesize
204KB

MD5
a0f473b43ffab81330813f523eaa013b

SHA1
7c3c0497806f7aaa030bf95dfb2c6784a1910c58

SHA256
618251848ae3245600d75e4aa067d51ccdb05fd2045d1f3b68c2e03610b1d20f

SHA512
30d1a14aacb6b4f4d77284d700478c17e1944ea19a789e422a3d6b424563f73da23e1045c21e0eef5a615fed1f5d6924d2e2744bffce81a540def70c4ebb6e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6976499.exe
Filesize
14KB

MD5
6a1091c61966c8b841dc7727dcd2c36a

SHA1
03307130f9e9f17dbaf8431e7064057e2c530aae

SHA256
ab2dc56da05a79b80d0e2ad1e75e99c7dfc188702cc5d3ca8d7c52eb87dd30c0

SHA512
6b202a3cf7ddffdc9ac38696bd38d9d45014eabae229c95aeb883bc832099d99758ebdf88eebf6931addf8bf6922352875b1c2df4d877d2c2d14f87ea9dd914d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6976499.exe
Filesize
14KB

MD5
6a1091c61966c8b841dc7727dcd2c36a

SHA1
03307130f9e9f17dbaf8431e7064057e2c530aae

SHA256
ab2dc56da05a79b80d0e2ad1e75e99c7dfc188702cc5d3ca8d7c52eb87dd30c0

SHA512
6b202a3cf7ddffdc9ac38696bd38d9d45014eabae229c95aeb883bc832099d99758ebdf88eebf6931addf8bf6922352875b1c2df4d877d2c2d14f87ea9dd914d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4539253.exe
Filesize
120KB

MD5
5d2c3004e7516689cf39b23cf5c87621

SHA1
b8750bd1347b16a2e1dabbd38fabb92c1cc94f7c

SHA256
1733ea9ede0a9e969722e614008813a9eb29d798a660d9432d5d99cadaee2357

SHA512
cdc38367c95af0518e1458798eda0d2b1513915533c59a0d3305cea91bf47bfaf66b6383713d93750951c5dc80c448f5c3b4ad1ff65caac620ab6ff8b65f39ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4539253.exe
Filesize
120KB

MD5
5d2c3004e7516689cf39b23cf5c87621

SHA1
b8750bd1347b16a2e1dabbd38fabb92c1cc94f7c

SHA256
1733ea9ede0a9e969722e614008813a9eb29d798a660d9432d5d99cadaee2357

SHA512
cdc38367c95af0518e1458798eda0d2b1513915533c59a0d3305cea91bf47bfaf66b6383713d93750951c5dc80c448f5c3b4ad1ff65caac620ab6ff8b65f39ee

Download Submit
memory/2208-175-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/2208-176-0x000000000AE00000-0x000000000B418000-memory.dmp

Filesize
6.1MB

Download
memory/2208-177-0x000000000A8F0000-0x000000000A9FA000-memory.dmp

Filesize
1.0MB

Download
memory/2208-178-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/2208-179-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/2208-180-0x000000000A840000-0x000000000A87C000-memory.dmp

Filesize
240KB

Download
memory/2208-182-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/3592-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5020-161-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download