redline | 55b9e0ede951ec0c2fd4d96303fe3574d02f0ab5dfe010a1e1da933603e5a6e9

Analysis

max time kernel
112s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382865f473f0fece1c8e73fe5b1617a1.exe
Size

555KB
MD5

382865f473f0fece1c8e73fe5b1617a1
SHA1

b41baf828e4dd248828406e9bef4a8d15f400edf
SHA256

55b9e0ede951ec0c2fd4d96303fe3574d02f0ab5dfe010a1e1da933603e5a6e9
SHA512

4417fbb3de8ac7596fafbfea51780a2bdcef41a68f6312bd1b2220ab8634690fa2da89db8b1745afb51a46d928106ee5d7f1d4c7c3dac6938d96d38b03debad9
SSDEEP

12288:UMr+y9073+kZDq+R1vt2lnsqzVBNPgOJzJT8PZx/KU6EYF:CyZF2vwlnnPLJdTq/56Ey

Score

10^/10

redline boris lida discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

193.233.20.32:4125

Attributes

auth_value
24052aa2e9b85984a98d80cf08623e8d

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h14yj88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h14yj88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	h14yj88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h14yj88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h14yj88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h14yj88.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

resource	yara_rule
behavioral2/memory/628-157-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-160-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-158-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-162-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-164-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-166-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-168-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-170-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-172-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-174-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-176-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-178-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-180-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-182-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-184-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-186-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-188-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-190-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-192-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-194-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-196-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-198-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-200-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-202-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-204-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-206-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-208-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-210-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-212-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-214-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-216-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-218-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral2/memory/628-220-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
756	niba0537.exe
4932	h14yj88.exe
628	inYjq03.exe
1468	l50Ps12.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	h14yj88.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	382865f473f0fece1c8e73fe5b1617a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	382865f473f0fece1c8e73fe5b1617a1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	niba0537.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	niba0537.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3640	628	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4932	h14yj88.exe
4932	h14yj88.exe
628	inYjq03.exe
628	inYjq03.exe
1468	l50Ps12.exe
1468	l50Ps12.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	h14yj88.exe
Token: SeDebugPrivilege	628	inYjq03.exe
Token: SeDebugPrivilege	1468	l50Ps12.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 756	4452	382865f473f0fece1c8e73fe5b1617a1.exe	85
PID 4452 wrote to memory of 756	4452	382865f473f0fece1c8e73fe5b1617a1.exe	85
PID 4452 wrote to memory of 756	4452	382865f473f0fece1c8e73fe5b1617a1.exe	85
PID 756 wrote to memory of 4932	756	niba0537.exe	86
PID 756 wrote to memory of 4932	756	niba0537.exe	86
PID 756 wrote to memory of 628	756	niba0537.exe	91
PID 756 wrote to memory of 628	756	niba0537.exe	91
PID 756 wrote to memory of 628	756	niba0537.exe	91
PID 4452 wrote to memory of 1468	4452	382865f473f0fece1c8e73fe5b1617a1.exe	98
PID 4452 wrote to memory of 1468	4452	382865f473f0fece1c8e73fe5b1617a1.exe	98
PID 4452 wrote to memory of 1468	4452	382865f473f0fece1c8e73fe5b1617a1.exe	98

C:\Users\Admin\AppData\Local\Temp\382865f473f0fece1c8e73fe5b1617a1.exe
"C:\Users\Admin\AppData\Local\Temp\382865f473f0fece1c8e73fe5b1617a1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14yj88.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14yj88.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\inYjq03.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\inYjq03.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1804
      4⤵
      Program crash
      PID:3640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l50Ps12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l50Ps12.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 628 -ip 628
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l50Ps12.exe

Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l50Ps12.exe

Filesize
175KB

MD5
6b06147bf5fd26306978a93fe83127a4

SHA1
7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

SHA256
11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

SHA512
603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0537.exe

Filesize
413KB

MD5
16a4028764fe211e2ffb6adf39ac063b

SHA1
c784725de77c7c16f10bcbfa8f9c0dd9b8c028d7

SHA256
219d50d7c6c37ac2d9c2b48d0bda63b3b769c9ca61f4aafbf0f4e7c9b88718bb

SHA512
839d40efa88f5cdffce53ee0ce1134b9145406c3e43b56933e26c3041a27aef70af52ab23aa1b9fe9db0fe2e363bc6fe52be25710aba5c32586381fd33caa7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0537.exe

Filesize
413KB

MD5
16a4028764fe211e2ffb6adf39ac063b

SHA1
c784725de77c7c16f10bcbfa8f9c0dd9b8c028d7

SHA256
219d50d7c6c37ac2d9c2b48d0bda63b3b769c9ca61f4aafbf0f4e7c9b88718bb

SHA512
839d40efa88f5cdffce53ee0ce1134b9145406c3e43b56933e26c3041a27aef70af52ab23aa1b9fe9db0fe2e363bc6fe52be25710aba5c32586381fd33caa7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14yj88.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h14yj88.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\inYjq03.exe

Filesize
387KB

MD5
9081be764dd41767dbc924f99e4d3a3c

SHA1
1a0d51745dfda972c1e9a6c5a3e076712d968ab7

SHA256
c389ece9969e10d2ee3b0cf75a51970a0a66d79c600900f76507a26f5e8c7ff6

SHA512
8d4086ab2a4f398109dc4ac937e55c601d2f16f3e3eab079a9911e06e98279972a0990560412df36730d1f960e29c38a7a810bf9cae96c0ea17f40c6ac115b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\inYjq03.exe

Filesize
387KB

MD5
9081be764dd41767dbc924f99e4d3a3c

SHA1
1a0d51745dfda972c1e9a6c5a3e076712d968ab7

SHA256
c389ece9969e10d2ee3b0cf75a51970a0a66d79c600900f76507a26f5e8c7ff6

SHA512
8d4086ab2a4f398109dc4ac937e55c601d2f16f3e3eab079a9911e06e98279972a0990560412df36730d1f960e29c38a7a810bf9cae96c0ea17f40c6ac115b89

Download Submit
memory/628-153-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/628-154-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/628-155-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/628-156-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/628-157-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-160-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-158-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-162-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-164-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-166-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-168-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-170-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-172-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-174-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-176-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-178-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-180-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-182-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-184-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-186-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-188-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-190-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-192-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-194-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-196-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-198-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-200-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-202-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-204-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-206-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-208-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-210-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-212-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-214-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-216-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-218-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-220-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/628-1063-0x0000000007AA0000-0x00000000080B8000-memory.dmp

Filesize
6.1MB

Download
memory/628-1064-0x0000000007390000-0x000000000749A000-memory.dmp

Filesize
1.0MB

Download
memory/628-1065-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/628-1066-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/628-1067-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/628-1069-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/628-1070-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/628-1071-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/628-1072-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/628-1073-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/628-1074-0x0000000008F00000-0x00000000090C2000-memory.dmp

Filesize
1.8MB

Download
memory/628-1075-0x00000000090E0000-0x000000000960C000-memory.dmp

Filesize
5.2MB

Download
memory/628-1076-0x00000000048C0000-0x0000000004936000-memory.dmp

Filesize
472KB

Download
memory/628-1077-0x000000000A8D0000-0x000000000A920000-memory.dmp

Filesize
320KB

Download
memory/628-1078-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/1468-1084-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/1468-1085-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/4932-147-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download