redline | 3b95bf80d167c23f7744d306d0a200231c8bde551941b63f73d94a6b72174347

Analysis

max time kernel
128s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-06-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

66522b2ee5c54d2e3b503e8036ac90f1
SHA1

48786a4b83eda38b9b58c4c6d8c83ad24daf9e6c
SHA256

3b95bf80d167c23f7744d306d0a200231c8bde551941b63f73d94a6b72174347
SHA512

5e613cb8f5ed937db9daa8efd80d901d6e8ebc83c036190994dd34dfca6944fa0c98fb7033fb64dd707e083f16398dc4104e4ff188c5f53e3a607ce00a3582f2
SSDEEP

24576:BypHJipy0vBcyvakncO6Oo3g+BrMgjlhg:0pJY3ok96Oo3gEl

Score

10^/10

redline maxi evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.122:19062

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a3426371.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3426371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3426371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3426371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3426371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3426371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3426371.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

v5084366.exev3439787.exea3426371.exeb7297900.exe

pid process

1712 v5084366.exe
592 v3439787.exe
728 a3426371.exe
1372 b7297900.exe
Loads dropped DLL 8 IoCs

Processes:

file.exev5084366.exev3439787.exea3426371.exeb7297900.exe

pid process

1376 file.exe
1712 v5084366.exe
1712 v5084366.exe
592 v3439787.exe
592 v3439787.exe
728 a3426371.exe
592 v3439787.exe
1372 b7297900.exe

pid	process
1712	v5084366.exe
592	v3439787.exe
728	a3426371.exe
1372	b7297900.exe

pid	process
1376	file.exe
1712	v5084366.exe
1712	v5084366.exe
592	v3439787.exe
592	v3439787.exe
728	a3426371.exe
592	v3439787.exe
1372	b7297900.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a3426371.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a3426371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3426371.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v5084366.exev3439787.exefile.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5084366.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5084366.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3439787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3439787.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a3426371.exe

pid process

728 a3426371.exe
728 a3426371.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a3426371.exe

description pid process

Token: SeDebugPrivilege 728 a3426371.exe

pid	process
728	a3426371.exe
728	a3426371.exe

description	pid	process
Token: SeDebugPrivilege	728	a3426371.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.exev5084366.exev3439787.exe

description	pid	process	target process
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1376 wrote to memory of 1712	1376	file.exe	v5084366.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 1712 wrote to memory of 592	1712	v5084366.exe	v3439787.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 728	592	v3439787.exe	a3426371.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe
PID 592 wrote to memory of 1372	592	v3439787.exe	b7297900.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5084366.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5084366.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3439787.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3439787.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3426371.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3426371.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297900.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297900.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5084366.exe

Filesize
749KB

MD5
d13cdcc7a3e4b53c6353806332e2a38c

SHA1
3c077fca0e2c0164d0b3e64bf736ff657617eb64

SHA256
4d84a8443fa38a0e67764103a311bf6a6a69683b9686cc4d861a88566d4c4f71

SHA512
5a58fe0028a274999ed288adc9be7a584c1c76c2ef4dc3df6f44e67b9aeb475499135449c1ec9adf4ec2413dc4e6ec6d87ae2134311ccafd0ad75c0c44e8af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5084366.exe

Filesize
749KB

MD5
d13cdcc7a3e4b53c6353806332e2a38c

SHA1
3c077fca0e2c0164d0b3e64bf736ff657617eb64

SHA256
4d84a8443fa38a0e67764103a311bf6a6a69683b9686cc4d861a88566d4c4f71

SHA512
5a58fe0028a274999ed288adc9be7a584c1c76c2ef4dc3df6f44e67b9aeb475499135449c1ec9adf4ec2413dc4e6ec6d87ae2134311ccafd0ad75c0c44e8af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3439787.exe

Filesize
305KB

MD5
a266b9b8ecb3ee0394b4287b24b42259

SHA1
32bacbfd2e17f7b514c3dc8791c0deed296d438f

SHA256
fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

SHA512
bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3439787.exe

Filesize
305KB

MD5
a266b9b8ecb3ee0394b4287b24b42259

SHA1
32bacbfd2e17f7b514c3dc8791c0deed296d438f

SHA256
fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

SHA512
bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3426371.exe

Filesize
185KB

MD5
7d2a4f1c088908e87dd8d7935cc6f094

SHA1
9cc267650862a01dfad47c00511e5e14e44e088f

SHA256
377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

SHA512
a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3426371.exe

Filesize
185KB

MD5
7d2a4f1c088908e87dd8d7935cc6f094

SHA1
9cc267650862a01dfad47c00511e5e14e44e088f

SHA256
377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

SHA512
a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297900.exe

Filesize
145KB

MD5
c57b1dcdc09d6f2024fc7f879cada615

SHA1
9ca7169888f1284c856dbaa756c2e03baa9d7295

SHA256
ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

SHA512
2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297900.exe

Filesize
145KB

MD5
c57b1dcdc09d6f2024fc7f879cada615

SHA1
9ca7169888f1284c856dbaa756c2e03baa9d7295

SHA256
ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

SHA512
2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5084366.exe

Filesize
749KB

MD5
d13cdcc7a3e4b53c6353806332e2a38c

SHA1
3c077fca0e2c0164d0b3e64bf736ff657617eb64

SHA256
4d84a8443fa38a0e67764103a311bf6a6a69683b9686cc4d861a88566d4c4f71

SHA512
5a58fe0028a274999ed288adc9be7a584c1c76c2ef4dc3df6f44e67b9aeb475499135449c1ec9adf4ec2413dc4e6ec6d87ae2134311ccafd0ad75c0c44e8af70

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5084366.exe

Filesize
749KB

MD5
d13cdcc7a3e4b53c6353806332e2a38c

SHA1
3c077fca0e2c0164d0b3e64bf736ff657617eb64

SHA256
4d84a8443fa38a0e67764103a311bf6a6a69683b9686cc4d861a88566d4c4f71

SHA512
5a58fe0028a274999ed288adc9be7a584c1c76c2ef4dc3df6f44e67b9aeb475499135449c1ec9adf4ec2413dc4e6ec6d87ae2134311ccafd0ad75c0c44e8af70

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3439787.exe

Filesize
305KB

MD5
a266b9b8ecb3ee0394b4287b24b42259

SHA1
32bacbfd2e17f7b514c3dc8791c0deed296d438f

SHA256
fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

SHA512
bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3439787.exe

Filesize
305KB

MD5
a266b9b8ecb3ee0394b4287b24b42259

SHA1
32bacbfd2e17f7b514c3dc8791c0deed296d438f

SHA256
fca5220b9770970cae6b7472fcc1adf7d8740c1105851a2d28b4ee50fc77aebb

SHA512
bbfd210fdbe1d4730bee3c25d994a61a49d02bb06e3c47f9637930a25a66ada1107ce65edbb7f32457f21cb8ffac4bf01262daa1c66ac30d98e2659e4f96cd1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3426371.exe

Filesize
185KB

MD5
7d2a4f1c088908e87dd8d7935cc6f094

SHA1
9cc267650862a01dfad47c00511e5e14e44e088f

SHA256
377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

SHA512
a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3426371.exe

Filesize
185KB

MD5
7d2a4f1c088908e87dd8d7935cc6f094

SHA1
9cc267650862a01dfad47c00511e5e14e44e088f

SHA256
377e62d9d877e2fcfbcbb11a3f0b0e4e062574f57cc30f797b9f447b3104ec83

SHA512
a50460795e6764bd7d07a4e69bfcf579268063cd0885f9b62e4010ba219c6c807d234e478ab48dac61983b63cb413d31f545053df8c4840063bc886c215c5584

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297900.exe

Filesize
145KB

MD5
c57b1dcdc09d6f2024fc7f879cada615

SHA1
9ca7169888f1284c856dbaa756c2e03baa9d7295

SHA256
ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

SHA512
2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297900.exe

Filesize
145KB

MD5
c57b1dcdc09d6f2024fc7f879cada615

SHA1
9ca7169888f1284c856dbaa756c2e03baa9d7295

SHA256
ac01ff3025f6009bd8a5e84dea8bd605e2b63395c51ee79019afd935382641e0

SHA512
2fb459e80391e96fd23869b12665ba259a732c8bb5fae9f8166a5eb0a5a516107bc77fe75d1b43cdce9e5619ba742099d141673e33081b9050323c95efdceb4f

Download Submit
memory/728-93-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-111-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-89-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-95-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-97-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-99-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-101-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-103-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-105-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-107-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-109-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-91-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-113-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-114-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/728-115-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/728-87-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-86-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/728-85-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/728-84-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/1372-122-0x0000000000B80000-0x0000000000BAA000-memory.dmp

Filesize
168KB

Download
memory/1372-123-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download
memory/1372-124-0x0000000004FF0000-0x0000000005030000-memory.dmp

Filesize
256KB

Download