redline | 692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205

Analysis

max time kernel
53s
max time network
57s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25/03/2023, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe
Size

689KB
MD5

16f9dc98ad99825b48e69e86be6da4d8
SHA1

34aca6728d518072293ad4aecf39cdce68cea899
SHA256

692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205
SHA512

37172ace4a013693188085ae143631c0d65766357daecb853b4fcdc4a4649b42237f19fa91a758ef6c8403bdda295c170075d147531db1ec7cfbc1d75c7ecb6c
SSDEEP

12288:9MrDy90nvJLMnPrTNJFSEtQLhW2cngq/6zd768wB:qyfrTxUcnz/6z9rwB

Score

10^/10

redline boris lenka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lenka

193.233.20.32:4125

Attributes

auth_value
8a60e8b2ec79d6a7e92f9feac39b8830

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6290.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2828-179-0x0000000004B70000-0x0000000004BB6000-memory.dmp	family_redline
behavioral1/memory/2828-180-0x0000000007140000-0x0000000007184000-memory.dmp	family_redline
behavioral1/memory/2828-185-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-186-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-188-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-190-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-192-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-194-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-196-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-198-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-202-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-200-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-204-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-206-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-208-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-210-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-212-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-214-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-216-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline
behavioral1/memory/2828-218-0x0000000007140000-0x000000000717F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3364	unio7245.exe
4236	pro6290.exe
2828	qu6085.exe
4904	si551129.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6290.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6290.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	unio7245.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	unio7245.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4236	pro6290.exe
4236	pro6290.exe
2828	qu6085.exe
2828	qu6085.exe
4904	si551129.exe
4904	si551129.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	pro6290.exe
Token: SeDebugPrivilege	2828	qu6085.exe
Token: SeDebugPrivilege	4904	si551129.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3364	4044	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe	66
PID 4044 wrote to memory of 3364	4044	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe	66
PID 4044 wrote to memory of 3364	4044	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe	66
PID 3364 wrote to memory of 4236	3364	unio7245.exe	67
PID 3364 wrote to memory of 4236	3364	unio7245.exe	67
PID 3364 wrote to memory of 4236	3364	unio7245.exe	67
PID 3364 wrote to memory of 2828	3364	unio7245.exe	68
PID 3364 wrote to memory of 2828	3364	unio7245.exe	68
PID 3364 wrote to memory of 2828	3364	unio7245.exe	68
PID 4044 wrote to memory of 4904	4044	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe	70
PID 4044 wrote to memory of 4904	4044	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe	70
PID 4044 wrote to memory of 4904	4044	692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe	70

C:\Users\Admin\AppData\Local\Temp\692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe
"C:\Users\Admin\AppData\Local\Temp\692b6771612709a9cac43d9ff49ebd016fe28e3a5d1e8357986717b59e708205.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7245.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7245.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6290.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6290.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6085.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6085.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si551129.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si551129.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si551129.exe

Filesize
175KB

MD5
e80464c643732f28518c0d87cc91aebb

SHA1
91142c1729cdc9b9593238381ddbe574cd8ee6a4

SHA256
138aa922c4c89a0fa9290dcc0a6814a00fccfb6ad9966127e268a946d7bbcf6a

SHA512
b10bea2f341a022f534052d651e6c509d41270e3dc1ef8be8f3761d675a64136bd57f39bdda8d494cb79d9b466b9109ff06df6793d44c6f24d499554cae441ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si551129.exe

Filesize
175KB

MD5
e80464c643732f28518c0d87cc91aebb

SHA1
91142c1729cdc9b9593238381ddbe574cd8ee6a4

SHA256
138aa922c4c89a0fa9290dcc0a6814a00fccfb6ad9966127e268a946d7bbcf6a

SHA512
b10bea2f341a022f534052d651e6c509d41270e3dc1ef8be8f3761d675a64136bd57f39bdda8d494cb79d9b466b9109ff06df6793d44c6f24d499554cae441ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7245.exe

Filesize
548KB

MD5
2d238a988b1e79fdca02f7baaca0258a

SHA1
26634bc5e549fb5cf11dd6748968c39e884f8e7b

SHA256
206ce4e882bf7bc5a6fd5254d179955d4d138dc1c24bcfc4f4bd084de60ab831

SHA512
21f61381a017374fc39da0d2218e2259c7069f7c907c81caef98226494430eed83fbf3ea23d13c16bc42bd1e09f5b858cc2762690777c134581a24f31d69c102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7245.exe

Filesize
548KB

MD5
2d238a988b1e79fdca02f7baaca0258a

SHA1
26634bc5e549fb5cf11dd6748968c39e884f8e7b

SHA256
206ce4e882bf7bc5a6fd5254d179955d4d138dc1c24bcfc4f4bd084de60ab831

SHA512
21f61381a017374fc39da0d2218e2259c7069f7c907c81caef98226494430eed83fbf3ea23d13c16bc42bd1e09f5b858cc2762690777c134581a24f31d69c102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6290.exe

Filesize
328KB

MD5
0ec2fd8c74c49b4b2dbdb59f9c80d6d0

SHA1
cd135f1efb0bb8c774e0f4a7a4ec9858f67f5356

SHA256
b6065f070981dfc90df2780620549c77e135dcff66f1f24d0be39c4c11c60aa3

SHA512
cb49f109e3ba8a41cd277e2b8b1d74f8d6bd8676fe2b2e0bf29bcc0bbd41937f1fbfda035b4cd8ebe2b604e197f18b85fdd77b9699b8a0d993fab17a5c080fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6290.exe

Filesize
328KB

MD5
0ec2fd8c74c49b4b2dbdb59f9c80d6d0

SHA1
cd135f1efb0bb8c774e0f4a7a4ec9858f67f5356

SHA256
b6065f070981dfc90df2780620549c77e135dcff66f1f24d0be39c4c11c60aa3

SHA512
cb49f109e3ba8a41cd277e2b8b1d74f8d6bd8676fe2b2e0bf29bcc0bbd41937f1fbfda035b4cd8ebe2b604e197f18b85fdd77b9699b8a0d993fab17a5c080fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6085.exe

Filesize
385KB

MD5
1e477f3c8253eeb1be53c9b8f24aa77c

SHA1
e8c5359d90cf10bc1f913622a4bfb1accd45cf81

SHA256
9d4cc4853f9dc2e1c42f99473109c6a05476b4a54df3bdbe61ab0825edcfeaad

SHA512
82298865847f638c7ab2fcf3ea81341895c95076df66e9cbc955ecdf6f8f2bc0ef74ac885f18c2dff44ee3eaa0526a85a44c2408bc099659f41541c573db3fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6085.exe

Filesize
385KB

MD5
1e477f3c8253eeb1be53c9b8f24aa77c

SHA1
e8c5359d90cf10bc1f913622a4bfb1accd45cf81

SHA256
9d4cc4853f9dc2e1c42f99473109c6a05476b4a54df3bdbe61ab0825edcfeaad

SHA512
82298865847f638c7ab2fcf3ea81341895c95076df66e9cbc955ecdf6f8f2bc0ef74ac885f18c2dff44ee3eaa0526a85a44c2408bc099659f41541c573db3fb3

Download Submit
memory/2828-1093-0x0000000007240000-0x0000000007252000-memory.dmp

Filesize
72KB

Download
memory/2828-1094-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-1107-0x0000000008F80000-0x00000000094AC000-memory.dmp

Filesize
5.2MB

Download
memory/2828-1106-0x0000000008DB0000-0x0000000008F72000-memory.dmp

Filesize
1.8MB

Download
memory/2828-190-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-1105-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-1104-0x0000000008BE0000-0x0000000008C30000-memory.dmp

Filesize
320KB

Download
memory/2828-1103-0x0000000008B50000-0x0000000008BC6000-memory.dmp

Filesize
472KB

Download
memory/2828-194-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-1101-0x0000000007B60000-0x0000000007BC6000-memory.dmp

Filesize
408KB

Download
memory/2828-1100-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-1099-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-1098-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-1096-0x0000000007A10000-0x0000000007A5B000-memory.dmp

Filesize
300KB

Download
memory/2828-1095-0x0000000007260000-0x000000000729E000-memory.dmp

Filesize
248KB

Download
memory/2828-1092-0x0000000007800000-0x000000000790A000-memory.dmp

Filesize
1.0MB

Download
memory/2828-1091-0x0000000007E10000-0x0000000008416000-memory.dmp

Filesize
6.0MB

Download
memory/2828-218-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-216-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-214-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-212-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-210-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-208-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-179-0x0000000004B70000-0x0000000004BB6000-memory.dmp

Filesize
280KB

Download
memory/2828-181-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/2828-182-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-183-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-184-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2828-180-0x0000000007140000-0x0000000007184000-memory.dmp

Filesize
272KB

Download
memory/2828-185-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-186-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-188-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-206-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-196-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-1102-0x0000000008950000-0x00000000089E2000-memory.dmp

Filesize
584KB

Download
memory/2828-192-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-198-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-202-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-200-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/2828-204-0x0000000007140000-0x000000000717F000-memory.dmp

Filesize
252KB

Download
memory/4236-151-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4236-140-0x0000000007260000-0x000000000775E000-memory.dmp

Filesize
5.0MB

Download
memory/4236-174-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4236-157-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-171-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4236-170-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4236-169-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-167-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-138-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4236-141-0x0000000004C50000-0x0000000004C68000-memory.dmp

Filesize
96KB

Download
memory/4236-165-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-139-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4236-163-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-173-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/4236-161-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-155-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-153-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-159-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-149-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-147-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-143-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-142-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-145-0x0000000004C50000-0x0000000004C62000-memory.dmp

Filesize
72KB

Download
memory/4236-136-0x00000000048F0000-0x000000000490A000-memory.dmp

Filesize
104KB

Download
memory/4904-1113-0x0000000000990000-0x00000000009C2000-memory.dmp

Filesize
200KB

Download
memory/4904-1114-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4904-1115-0x0000000005400000-0x000000000544B000-memory.dmp

Filesize
300KB

Download