redline | f96e2f36eb80d62032e1266804efadc3d35926cff9dd6fed1461af79cffa236a

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08723799.exe
Size

738KB
MD5

ce8e78f602a55a5952ead887f3e632d5
SHA1

1a12e0a2a4ad9307270c61649f3262b26209e7e4
SHA256

f96e2f36eb80d62032e1266804efadc3d35926cff9dd6fed1461af79cffa236a
SHA512

b903698d11c96ba0a6297332e919d5c14d542cb07554e9b84afbf7e4a58b3d8753a4887d1f8c9d1793d1c0bbab45d5bc66efd7f028e23ed47f501aab211fa945
SSDEEP

12288:4Mrdy9044PkO6cExehlE0SMrEaploc2SOJOuSxo0PW4xyZf8A5BRyP1/+:lyFncEx0l5Jp2SOM5x1WIyZFB8P1/+

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.126:19048

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a2502541.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2502541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2502541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2502541.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2502541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2502541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2502541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 6 IoCs

Processes:

v6963026.exev5589596.exev5710896.exea2502541.exeb3705868.exec0834935.exe

pid process

2184 v6963026.exe
4804 v5589596.exe
3280 v5710896.exe
556 a2502541.exe
2964 b3705868.exe
228 c0834935.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a2502541.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2502541.exe

pid	process
2184	v6963026.exe
4804	v5589596.exe
3280	v5710896.exe
556	a2502541.exe
2964	b3705868.exe
228	c0834935.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2502541.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

08723799.exev6963026.exev5589596.exev5710896.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08723799.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6963026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6963026.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5589596.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5589596.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5710896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5710896.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	08723799.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b3705868.exe

description pid process target process

PID 2964 set thread context of 3640 2964 b3705868.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

624 2964 WerFault.exe b3705868.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a2502541.exeAppLaunch.exe

pid process

556 a2502541.exe
556 a2502541.exe
3640 AppLaunch.exe
3640 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2502541.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 556 a2502541.exe
Token: SeDebugPrivilege 3640 AppLaunch.exe

description	pid	process	target process
PID 2964 set thread context of 3640	2964	b3705868.exe	AppLaunch.exe

pid	pid_target	process	target process
624	2964	WerFault.exe	b3705868.exe

pid	process
556	a2502541.exe
556	a2502541.exe
3640	AppLaunch.exe
3640	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	556	a2502541.exe
Token: SeDebugPrivilege	3640	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

08723799.exev6963026.exev5589596.exev5710896.exeb3705868.exe

description	pid	process	target process
PID 4968 wrote to memory of 2184	4968	08723799.exe	v6963026.exe
PID 4968 wrote to memory of 2184	4968	08723799.exe	v6963026.exe
PID 4968 wrote to memory of 2184	4968	08723799.exe	v6963026.exe
PID 2184 wrote to memory of 4804	2184	v6963026.exe	v5589596.exe
PID 2184 wrote to memory of 4804	2184	v6963026.exe	v5589596.exe
PID 2184 wrote to memory of 4804	2184	v6963026.exe	v5589596.exe
PID 4804 wrote to memory of 3280	4804	v5589596.exe	v5710896.exe
PID 4804 wrote to memory of 3280	4804	v5589596.exe	v5710896.exe
PID 4804 wrote to memory of 3280	4804	v5589596.exe	v5710896.exe
PID 3280 wrote to memory of 556	3280	v5710896.exe	a2502541.exe
PID 3280 wrote to memory of 556	3280	v5710896.exe	a2502541.exe
PID 3280 wrote to memory of 2964	3280	v5710896.exe	b3705868.exe
PID 3280 wrote to memory of 2964	3280	v5710896.exe	b3705868.exe
PID 3280 wrote to memory of 2964	3280	v5710896.exe	b3705868.exe
PID 2964 wrote to memory of 3640	2964	b3705868.exe	AppLaunch.exe
PID 2964 wrote to memory of 3640	2964	b3705868.exe	AppLaunch.exe
PID 2964 wrote to memory of 3640	2964	b3705868.exe	AppLaunch.exe
PID 2964 wrote to memory of 3640	2964	b3705868.exe	AppLaunch.exe
PID 2964 wrote to memory of 3640	2964	b3705868.exe	AppLaunch.exe
PID 4804 wrote to memory of 228	4804	v5589596.exe	c0834935.exe
PID 4804 wrote to memory of 228	4804	v5589596.exe	c0834935.exe
PID 4804 wrote to memory of 228	4804	v5589596.exe	c0834935.exe

C:\Users\Admin\AppData\Local\Temp\08723799.exe
"C:\Users\Admin\AppData\Local\Temp\08723799.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 140
6⤵
- Program crash
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe
4⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2964 -ip 2964
1⤵
PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe
Filesize
531KB

MD5
3efd4c2348bd4546ecff74cb06923e76

SHA1
900eabd5d0d2d492e7b1d71601a359f42a3831d0

SHA256
3ff165b739551eefdaebcb2344dfae73a5ead2409508fb88063a64bd0fcfc5e1

SHA512
84bc7f1a815375d790ea0fe25df86fa7d1ca467393d5dd54a590bbee39678e1467dca940d1f7e38e1651b8676cd236f37c1248fb9357d25fd28f0604d1c41049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6963026.exe
Filesize
531KB

MD5
3efd4c2348bd4546ecff74cb06923e76

SHA1
900eabd5d0d2d492e7b1d71601a359f42a3831d0

SHA256
3ff165b739551eefdaebcb2344dfae73a5ead2409508fb88063a64bd0fcfc5e1

SHA512
84bc7f1a815375d790ea0fe25df86fa7d1ca467393d5dd54a590bbee39678e1467dca940d1f7e38e1651b8676cd236f37c1248fb9357d25fd28f0604d1c41049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe
Filesize
359KB

MD5
47864224d1c8e2f8e30fbcd5c760177e

SHA1
f2884d9878e0c959efed91536258cd8d7884ac88

SHA256
88f9e1c1d40e814f5927dcbf9484db9bfc21277daba485bf456bc9752ac515eb

SHA512
73427de62a424aefb0f2812ae6c84071f62af3cd6fbd49fad25c332bd09d21fc09a8e83a318b0c5f2337face73156ec51276664b0a2a8eab9a9469e5fd9ba3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5589596.exe
Filesize
359KB

MD5
47864224d1c8e2f8e30fbcd5c760177e

SHA1
f2884d9878e0c959efed91536258cd8d7884ac88

SHA256
88f9e1c1d40e814f5927dcbf9484db9bfc21277daba485bf456bc9752ac515eb

SHA512
73427de62a424aefb0f2812ae6c84071f62af3cd6fbd49fad25c332bd09d21fc09a8e83a318b0c5f2337face73156ec51276664b0a2a8eab9a9469e5fd9ba3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe
Filesize
172KB

MD5
ef982035f7924741b055054c44037626

SHA1
5d820585a41fb051ac607c577a3aa3bb76ec8160

SHA256
c9f3e6d150e334a044ac942570612c31f0324d76e4bac0df2fbaf8f7485aa0c4

SHA512
5816ea55fb8532d6b4279e6252a2ad99b8f81a2185828b95ecb81edffc31500ffccdf3eff3dccfe6b19e9a62ecdf013edb87f848e5985ce01ed610a834953bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0834935.exe
Filesize
172KB

MD5
ef982035f7924741b055054c44037626

SHA1
5d820585a41fb051ac607c577a3aa3bb76ec8160

SHA256
c9f3e6d150e334a044ac942570612c31f0324d76e4bac0df2fbaf8f7485aa0c4

SHA512
5816ea55fb8532d6b4279e6252a2ad99b8f81a2185828b95ecb81edffc31500ffccdf3eff3dccfe6b19e9a62ecdf013edb87f848e5985ce01ed610a834953bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe
Filesize
203KB

MD5
1785a7c83f2bfe56ad1c94d4fe699f06

SHA1
6133f724f0c9d345797e8722162fbf043fa0a7af

SHA256
46121870ae506abb9d63fca74a3685d4db9cd98ef190a2e0b4ef2ae4fca112ad

SHA512
8fe0865971e1c669d0c5070c7ffc10e3564d9509a008d3273b9b53fbacb145ba5a496f3576aaa34eee2d7f972be8d129669af2490fc97fd19e4b19149ab3c806

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5710896.exe
Filesize
203KB

MD5
1785a7c83f2bfe56ad1c94d4fe699f06

SHA1
6133f724f0c9d345797e8722162fbf043fa0a7af

SHA256
46121870ae506abb9d63fca74a3685d4db9cd98ef190a2e0b4ef2ae4fca112ad

SHA512
8fe0865971e1c669d0c5070c7ffc10e3564d9509a008d3273b9b53fbacb145ba5a496f3576aaa34eee2d7f972be8d129669af2490fc97fd19e4b19149ab3c806

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe
Filesize
13KB

MD5
9a6951d27510a660faed05ab6966cbf4

SHA1
4918aaec8be9798e773a632c0d2a786797d3b4f5

SHA256
7979c6644af8a5837993858a5a369ec99eb3a89d0aa2ff2c48eb925ded90f865

SHA512
b29988d44039e8c8dc179259775a06e7997bb78284892448a5759b25aa235159b011d5af160610bc402aebad9966803ff8379414e6bc03d13a0aeb6e5c8426f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2502541.exe
Filesize
13KB

MD5
9a6951d27510a660faed05ab6966cbf4

SHA1
4918aaec8be9798e773a632c0d2a786797d3b4f5

SHA256
7979c6644af8a5837993858a5a369ec99eb3a89d0aa2ff2c48eb925ded90f865

SHA512
b29988d44039e8c8dc179259775a06e7997bb78284892448a5759b25aa235159b011d5af160610bc402aebad9966803ff8379414e6bc03d13a0aeb6e5c8426f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe
Filesize
120KB

MD5
a4a521f4f98ccebcbd886bf1f6a738bd

SHA1
bd06ba0ca8c29b4b27d2de6a228a35dabf71e015

SHA256
e17dd10c00aa12e62d2321f272b01d5662fd02619ed436645934813452679ff6

SHA512
4a19298fdaeaa77a9f96d571033a15f801c5b07693c9e73e91e36940ff3a017e2266a4efa9b3cae30e0b0dbb2b2574694ec42baa07ef0678a55f5f4cfef8e6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3705868.exe
Filesize
120KB

MD5
a4a521f4f98ccebcbd886bf1f6a738bd

SHA1
bd06ba0ca8c29b4b27d2de6a228a35dabf71e015

SHA256
e17dd10c00aa12e62d2321f272b01d5662fd02619ed436645934813452679ff6

SHA512
4a19298fdaeaa77a9f96d571033a15f801c5b07693c9e73e91e36940ff3a017e2266a4efa9b3cae30e0b0dbb2b2574694ec42baa07ef0678a55f5f4cfef8e6d6

Download Submit
memory/228-175-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/228-176-0x000000000A500000-0x000000000AB18000-memory.dmp

Filesize
6.1MB

Download
memory/228-177-0x000000000A080000-0x000000000A18A000-memory.dmp

Filesize
1.0MB

Download
memory/228-178-0x0000000009FC0000-0x0000000009FD2000-memory.dmp

Filesize
72KB

Download
memory/228-179-0x000000000A020000-0x000000000A05C000-memory.dmp

Filesize
240KB

Download
memory/228-180-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/228-182-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/556-161-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/3640-167-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download