redline | 022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3

Analysis

max time kernel
144s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25-03-2023 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe
Size

689KB
MD5

0a612962532d584de9a864f10ac2a90f
SHA1

ba39a525f24302bbf745f541dd01c71d60a6a015
SHA256

022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3
SHA512

1d36499e1b4fbc9e062147496496dcab954ccadc884e326c68365b5d355d2e321ee6a956faa3ad4e04f572f2a72cb350af0ea93340b78708ac1846034a2f1972
SSDEEP

12288:UMrOy90RgPXFXdCW7UwW9BI4VVmdpSwiyYYsdEz5l43xNYMfKb/asLFv8H:iyNBoW7UR9/mKwiCsg5l4hGMSzr0H

Score

10^/10

redline boris lenka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lenka

193.233.20.32:4125

Attributes

auth_value
8a60e8b2ec79d6a7e92f9feac39b8830

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0936.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

resource	yara_rule
behavioral1/memory/372-177-0x0000000004940000-0x0000000004986000-memory.dmp	family_redline
behavioral1/memory/372-178-0x0000000004B00000-0x0000000004B44000-memory.dmp	family_redline
behavioral1/memory/372-179-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-180-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-182-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-184-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-186-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-188-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-192-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-190-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-194-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-202-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-204-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-200-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-198-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-196-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-206-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-208-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-210-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-212-0x0000000004B00000-0x0000000004B3F000-memory.dmp	family_redline
behavioral1/memory/372-1096-0x0000000007330000-0x0000000007340000-memory.dmp	family_redline
behavioral1/memory/372-1097-0x0000000007330000-0x0000000007340000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2612	unio5189.exe
4188	pro0936.exe
372	qu8421.exe
4040	si243993.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0936.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0936.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	unio5189.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	unio5189.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4188	pro0936.exe
4188	pro0936.exe
372	qu8421.exe
372	qu8421.exe
4040	si243993.exe
4040	si243993.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	pro0936.exe
Token: SeDebugPrivilege	372	qu8421.exe
Token: SeDebugPrivilege	4040	si243993.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2612	2904	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe	66
PID 2904 wrote to memory of 2612	2904	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe	66
PID 2904 wrote to memory of 2612	2904	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe	66
PID 2612 wrote to memory of 4188	2612	unio5189.exe	67
PID 2612 wrote to memory of 4188	2612	unio5189.exe	67
PID 2612 wrote to memory of 4188	2612	unio5189.exe	67
PID 2612 wrote to memory of 372	2612	unio5189.exe	68
PID 2612 wrote to memory of 372	2612	unio5189.exe	68
PID 2612 wrote to memory of 372	2612	unio5189.exe	68
PID 2904 wrote to memory of 4040	2904	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe	70
PID 2904 wrote to memory of 4040	2904	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe	70
PID 2904 wrote to memory of 4040	2904	022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe	70

C:\Users\Admin\AppData\Local\Temp\022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe
"C:\Users\Admin\AppData\Local\Temp\022c27f86aa558238779f845d37c99c679c3fc9f9cea29dd0085c5ea0cff8ff3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5189.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5189.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0936.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0936.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8421.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8421.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si243993.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si243993.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si243993.exe

Filesize
175KB

MD5
e7d8217844c2463ef47c0051972d477c

SHA1
c83116e99007f530fa4c31dc81782852aca74778

SHA256
29aab9c97d06e472cbec771e298a992c98f848082846c5c091367c79b95c46da

SHA512
f2050be14d27f95216d7feca331292637ec07d030975f11e3310c132e2768d31e00305679dafc589268e049916ac7ffa88fe39f6078872b74354c67ccfb85d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si243993.exe

Filesize
175KB

MD5
e7d8217844c2463ef47c0051972d477c

SHA1
c83116e99007f530fa4c31dc81782852aca74778

SHA256
29aab9c97d06e472cbec771e298a992c98f848082846c5c091367c79b95c46da

SHA512
f2050be14d27f95216d7feca331292637ec07d030975f11e3310c132e2768d31e00305679dafc589268e049916ac7ffa88fe39f6078872b74354c67ccfb85d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5189.exe

Filesize
547KB

MD5
d4ddccde3790c3441b67c3961e91383e

SHA1
1c374cc8fe1e5dbfec462bf3c41e19a18aeebaea

SHA256
35e04e1a919766334a211d2a9632ee9eba0808b193da20641fcdfd5a0bb5eb9e

SHA512
472efe19dac4f6581ec8718d55854e811272bbfaeee219d6e62514b1bb4bf7edd4170ad8032219523c9dc2cc07207608f62f494db632d7a13adbdaec4cdcb0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio5189.exe

Filesize
547KB

MD5
d4ddccde3790c3441b67c3961e91383e

SHA1
1c374cc8fe1e5dbfec462bf3c41e19a18aeebaea

SHA256
35e04e1a919766334a211d2a9632ee9eba0808b193da20641fcdfd5a0bb5eb9e

SHA512
472efe19dac4f6581ec8718d55854e811272bbfaeee219d6e62514b1bb4bf7edd4170ad8032219523c9dc2cc07207608f62f494db632d7a13adbdaec4cdcb0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0936.exe

Filesize
329KB

MD5
01aa34f36699889d7225feb7a0e9c660

SHA1
f87f939fe9e29f347907938c50e2c21b610727de

SHA256
bb33728964a6280f01719f0c612a2dc752b515af0513afbeb44c4b28e443f4a1

SHA512
ddb1e19389a9323896a5e914677bde45f39a4ab48dda27c73f7c07a228257e80fc75b3b599406383fb76c6fadf80b52815dd62d3a813344c06b53af81dd8af59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0936.exe

Filesize
329KB

MD5
01aa34f36699889d7225feb7a0e9c660

SHA1
f87f939fe9e29f347907938c50e2c21b610727de

SHA256
bb33728964a6280f01719f0c612a2dc752b515af0513afbeb44c4b28e443f4a1

SHA512
ddb1e19389a9323896a5e914677bde45f39a4ab48dda27c73f7c07a228257e80fc75b3b599406383fb76c6fadf80b52815dd62d3a813344c06b53af81dd8af59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8421.exe

Filesize
386KB

MD5
ce3725a6714fdc38c6be2bce5824f12d

SHA1
f1ace212f333ca802988336a11a2ac73e2f9cf2c

SHA256
04f828c87457c892515e27b0bcb9722cbe1b789b63febd90fbe8036dc12e87e1

SHA512
a86e2793e3c61e71c87d63a03a979b1b11a8c1ba03f014dbb097199c280087b6172213298dfac2aa92632e830018ac7411def8c993b5903f946114ada5f3d6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8421.exe

Filesize
386KB

MD5
ce3725a6714fdc38c6be2bce5824f12d

SHA1
f1ace212f333ca802988336a11a2ac73e2f9cf2c

SHA256
04f828c87457c892515e27b0bcb9722cbe1b789b63febd90fbe8036dc12e87e1

SHA512
a86e2793e3c61e71c87d63a03a979b1b11a8c1ba03f014dbb097199c280087b6172213298dfac2aa92632e830018ac7411def8c993b5903f946114ada5f3d6bd

Download Submit
memory/372-1090-0x0000000007210000-0x000000000731A000-memory.dmp

Filesize
1.0MB

Download
memory/372-177-0x0000000004940000-0x0000000004986000-memory.dmp

Filesize
280KB

Download
memory/372-224-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-221-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-223-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-212-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-1105-0x000000000A0D0000-0x000000000A5FC000-memory.dmp

Filesize
5.2MB

Download
memory/372-202-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-1104-0x0000000009F00000-0x000000000A0C2000-memory.dmp

Filesize
1.8MB

Download
memory/372-1103-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-1102-0x0000000008970000-0x00000000089C0000-memory.dmp

Filesize
320KB

Download
memory/372-1101-0x00000000088D0000-0x0000000008946000-memory.dmp

Filesize
472KB

Download
memory/372-1100-0x0000000008210000-0x0000000008276000-memory.dmp

Filesize
408KB

Download
memory/372-204-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-1099-0x0000000008170000-0x0000000008202000-memory.dmp

Filesize
584KB

Download
memory/372-1098-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-1097-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-200-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-1096-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-1094-0x0000000007FE0000-0x000000000802B000-memory.dmp

Filesize
300KB

Download
memory/372-1093-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/372-219-0x0000000002DA0000-0x0000000002DEB000-memory.dmp

Filesize
300KB

Download
memory/372-178-0x0000000004B00000-0x0000000004B44000-memory.dmp

Filesize
272KB

Download
memory/372-179-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-180-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-182-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-184-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-186-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-188-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-192-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-190-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-194-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-1092-0x0000000007E90000-0x0000000007ECE000-memory.dmp

Filesize
248KB

Download
memory/372-1091-0x0000000007E70000-0x0000000007E82000-memory.dmp

Filesize
72KB

Download
memory/372-1089-0x0000000007840000-0x0000000007E46000-memory.dmp

Filesize
6.0MB

Download
memory/372-198-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-196-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-206-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-208-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/372-210-0x0000000004B00000-0x0000000004B3F000-memory.dmp

Filesize
252KB

Download
memory/4040-1111-0x0000000000240000-0x0000000000272000-memory.dmp

Filesize
200KB

Download
memory/4040-1112-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4040-1113-0x0000000004C90000-0x0000000004CDB000-memory.dmp

Filesize
300KB

Download
memory/4040-1114-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4188-151-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-170-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4188-138-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4188-161-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-153-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-139-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/4188-140-0x00000000072B0000-0x00000000077AE000-memory.dmp

Filesize
5.0MB

Download
memory/4188-172-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4188-141-0x00000000049A0000-0x00000000049B8000-memory.dmp

Filesize
96KB

Download
memory/4188-155-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-157-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-163-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-169-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-167-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-165-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-159-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-149-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-137-0x00000000047E0000-0x00000000047FA000-memory.dmp

Filesize
104KB

Download
memory/4188-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4188-147-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-145-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-143-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/4188-142-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download