redline | 2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10

General

Target

58a192c56eff7d48740607232cea9d49.exe
Size

1.3MB
MD5

58a192c56eff7d48740607232cea9d49
SHA1

6bde1b43b0eabaa2151f5126c102eb3cc5dbb693
SHA256

2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10
SHA512

cf97dfe3d719f05d0bbbeaf78d8e26cfe3234480e1ef98c1888b2bd316d04777c022f78d09b64f079d07a22520e7df3dc3b5eeba21346ac1f6b1eb464f78beff

Score

10^/10

redline proliv2 evasion infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

proliv2

C2

136.243.65.8:48715

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-136-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/744-137-0x000000000041A68E-mapping.dmp	family_redline

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

3308 AdvancedRun.exe
3940 AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

58a192c56eff7d48740607232cea9d49.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe = "0"	58a192c56eff7d48740607232cea9d49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	58a192c56eff7d48740607232cea9d49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	58a192c56eff7d48740607232cea9d49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	58a192c56eff7d48740607232cea9d49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	58a192c56eff7d48740607232cea9d49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	58a192c56eff7d48740607232cea9d49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	58a192c56eff7d48740607232cea9d49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	58a192c56eff7d48740607232cea9d49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	58a192c56eff7d48740607232cea9d49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	58a192c56eff7d48740607232cea9d49.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

58a192c56eff7d48740607232cea9d49.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	58a192c56eff7d48740607232cea9d49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	58a192c56eff7d48740607232cea9d49.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

58a192c56eff7d48740607232cea9d49.exe

description pid process target process

PID 3876 set thread context of 744 3876 58a192c56eff7d48740607232cea9d49.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3876 set thread context of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exe58a192c56eff7d48740607232cea9d49.execvtres.exe

pid	process
3308	AdvancedRun.exe
3308	AdvancedRun.exe
3308	AdvancedRun.exe
3308	AdvancedRun.exe
3940	AdvancedRun.exe
3940	AdvancedRun.exe
3940	AdvancedRun.exe
3940	AdvancedRun.exe
4056	powershell.exe
1500	powershell.exe
1500	powershell.exe
4056	powershell.exe
4056	powershell.exe
1500	powershell.exe
3876	58a192c56eff7d48740607232cea9d49.exe
3876	58a192c56eff7d48740607232cea9d49.exe
744	cvtres.exe
744	cvtres.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe58a192c56eff7d48740607232cea9d49.exepowershell.exepowershell.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	3308	AdvancedRun.exe
Token: SeImpersonatePrivilege	3308	AdvancedRun.exe
Token: SeDebugPrivilege	3940	AdvancedRun.exe
Token: SeImpersonatePrivilege	3940	AdvancedRun.exe
Token: SeDebugPrivilege	3876	58a192c56eff7d48740607232cea9d49.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	744	cvtres.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

58a192c56eff7d48740607232cea9d49.exeAdvancedRun.exe

description	pid	process	target process
PID 3876 wrote to memory of 3308	3876	58a192c56eff7d48740607232cea9d49.exe	AdvancedRun.exe
PID 3876 wrote to memory of 3308	3876	58a192c56eff7d48740607232cea9d49.exe	AdvancedRun.exe
PID 3876 wrote to memory of 3308	3876	58a192c56eff7d48740607232cea9d49.exe	AdvancedRun.exe
PID 3308 wrote to memory of 3940	3308	AdvancedRun.exe	AdvancedRun.exe
PID 3308 wrote to memory of 3940	3308	AdvancedRun.exe	AdvancedRun.exe
PID 3308 wrote to memory of 3940	3308	AdvancedRun.exe	AdvancedRun.exe
PID 3876 wrote to memory of 4056	3876	58a192c56eff7d48740607232cea9d49.exe	powershell.exe
PID 3876 wrote to memory of 4056	3876	58a192c56eff7d48740607232cea9d49.exe	powershell.exe
PID 3876 wrote to memory of 4056	3876	58a192c56eff7d48740607232cea9d49.exe	powershell.exe
PID 3876 wrote to memory of 1500	3876	58a192c56eff7d48740607232cea9d49.exe	powershell.exe
PID 3876 wrote to memory of 1500	3876	58a192c56eff7d48740607232cea9d49.exe	powershell.exe
PID 3876 wrote to memory of 1500	3876	58a192c56eff7d48740607232cea9d49.exe	powershell.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe
PID 3876 wrote to memory of 744	3876	58a192c56eff7d48740607232cea9d49.exe	cvtres.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

58a192c56eff7d48740607232cea9d49.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	58a192c56eff7d48740607232cea9d49.exe

C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe
"C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe"
1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3876

C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe" /SpecialRun 4101d8 3308
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Disabling Security Tools

4

T1089

Modify Registry

5

T1112

Bypass User Account Control

1

T1088

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f1c1b1b94cf29dd644f88d968a6aaa69

SHA1
c6ccea66ef777cf28ba7637903bcf5f80a45dbcc

SHA256
5c067695deb738d40b6d5161ba003d38c57ff8f03be42160c877d04b08325be9

SHA512
391917e6030dcb0a35bf8ebdbc9dea4ae7a64ac3facd0047ca026b31364cf42394a05d8dd9ba214805a8345e69d0d3a8cbfd9571c4762d71de0341e008e42e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\333638dc-a5a0-47fc-8f73-d22f6d8404a6\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/744-358-0x000000000B100000-0x000000000B101000-memory.dmp

Filesize
4KB

Download
memory/744-164-0x00000000092E0000-0x00000000098E6000-memory.dmp

Filesize
6.0MB

Download
memory/744-357-0x000000000AA00000-0x000000000AA01000-memory.dmp

Filesize
4KB

Download
memory/744-137-0x000000000041A68E-mapping.dmp

Download
memory/744-156-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/744-386-0x000000000ACD0000-0x000000000ACD1000-memory.dmp

Filesize
4KB

Download
memory/744-154-0x0000000009380000-0x0000000009381000-memory.dmp

Filesize
4KB

Download
memory/744-151-0x0000000009450000-0x0000000009451000-memory.dmp

Filesize
4KB

Download
memory/744-149-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/744-145-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/744-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-184-0x00000000093E0000-0x0000000009413000-memory.dmp

Filesize
204KB

Download
memory/1500-213-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/1500-696-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/1500-146-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/1500-148-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/1500-132-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/1500-152-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/1500-127-0x0000000000000000-mapping.dmp

Download
memory/1500-238-0x0000000006E93000-0x0000000006E94000-memory.dmp

Filesize
4KB

Download
memory/1500-142-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/1500-155-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/1500-157-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/1500-211-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/1500-203-0x000000007F250000-0x000000007F251000-memory.dmp

Filesize
4KB

Download
memory/1500-199-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/1500-163-0x0000000006E92000-0x0000000006E93000-memory.dmp

Filesize
4KB

Download
memory/1500-167-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/3308-121-0x0000000000000000-mapping.dmp

Download
memory/3876-120-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/3876-116-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3876-114-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3876-117-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3876-118-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3876-119-0x0000000005360000-0x00000000053D2000-memory.dmp

Filesize
456KB

Download
memory/3940-124-0x0000000000000000-mapping.dmp

Download
memory/4056-161-0x0000000006B02000-0x0000000006B03000-memory.dmp

Filesize
4KB

Download
memory/4056-241-0x0000000006B03000-0x0000000006B04000-memory.dmp

Filesize
4KB

Download
memory/4056-126-0x0000000000000000-mapping.dmp

Download
memory/4056-134-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/4056-160-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/4056-207-0x000000007EE10000-0x000000007EE11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads