redline | c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997

Analysis

max time kernel
61s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2023, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe
Size

686KB
MD5

97f8b495ae2e95e52edf356efec6367f
SHA1

5b0c982fe553ff0f83b2e89003211f28f7afaab7
SHA256

c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997
SHA512

6fef3028ed49ee10d3897b2b34ad1f505ba35643880d9a146d1a9c54be8de24c3aa0ef4a4aa8a96b805e691d7108cab24c9de19ee00dc5d73b00875b015d08bb
SSDEEP

12288:tMrTy902XgxiXxczYKiO0Qk2riJL3rYrW7VTImciX/92pt5w:yyf1xccDNMril3rYBNiX/92pLw

Score

10^/10

redline boris dogma discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

dogma

193.233.20.32:4125

Attributes

auth_value
1b692976ca991040f2e8890409c35142

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/3132-191-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-192-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-194-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-196-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-198-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-200-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-202-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-204-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-206-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-208-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-211-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-213-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-215-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-217-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-219-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-221-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-223-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline
behavioral1/memory/3132-225-0x0000000004BD0000-0x0000000004C0F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4272	un653553.exe
1032	pro0238.exe
3132	qu7735.exe
3284	si075207.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0238.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un653553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un653553.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
100	1032	WerFault.exe	84
3980	3132	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1032	pro0238.exe
1032	pro0238.exe
3132	qu7735.exe
3132	qu7735.exe
3284	si075207.exe
3284	si075207.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	pro0238.exe
Token: SeDebugPrivilege	3132	qu7735.exe
Token: SeDebugPrivilege	3284	si075207.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4272	3524	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe	83
PID 3524 wrote to memory of 4272	3524	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe	83
PID 3524 wrote to memory of 4272	3524	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe	83
PID 4272 wrote to memory of 1032	4272	un653553.exe	84
PID 4272 wrote to memory of 1032	4272	un653553.exe	84
PID 4272 wrote to memory of 1032	4272	un653553.exe	84
PID 4272 wrote to memory of 3132	4272	un653553.exe	87
PID 4272 wrote to memory of 3132	4272	un653553.exe	87
PID 4272 wrote to memory of 3132	4272	un653553.exe	87
PID 3524 wrote to memory of 3284	3524	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe	91
PID 3524 wrote to memory of 3284	3524	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe	91
PID 3524 wrote to memory of 3284	3524	c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe	91

C:\Users\Admin\AppData\Local\Temp\c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe
"C:\Users\Admin\AppData\Local\Temp\c4bf068f9f3b5e48f06f053b261f68671302e22a98924da9183a08014d16e997.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un653553.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un653553.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1080
      4⤵
      Program crash
      PID:100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7735.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1332
      4⤵
      Program crash
      PID:3980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075207.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075207.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1032 -ip 1032
1⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3132 -ip 3132
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075207.exe

Filesize
175KB

MD5
bc7d84816b61f1bbc216ce455d6d8e78

SHA1
c8f239d56eb6ea845d33f5fa8affb0c00b33d4b1

SHA256
ec1159245cc9f7a3f35bbe8e57f7778329ec85c2b77b15c62c9fe544a7dc3fd0

SHA512
1ed7ce6c3d36697265106702f476c9fce9419b3451bed1cf74240742a5125d50bc7c315db6862737ef9d9555160cda2526c00f88923867474acb78782606039f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si075207.exe

Filesize
175KB

MD5
bc7d84816b61f1bbc216ce455d6d8e78

SHA1
c8f239d56eb6ea845d33f5fa8affb0c00b33d4b1

SHA256
ec1159245cc9f7a3f35bbe8e57f7778329ec85c2b77b15c62c9fe544a7dc3fd0

SHA512
1ed7ce6c3d36697265106702f476c9fce9419b3451bed1cf74240742a5125d50bc7c315db6862737ef9d9555160cda2526c00f88923867474acb78782606039f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un653553.exe

Filesize
544KB

MD5
893e4f5078e37b256ab2d20867dbaca6

SHA1
c53f4db624337fe342ba42740e7441c571ab5107

SHA256
b2b73f66c3dd82c27f0b628e679899b13db19b582f4894a5a6e592670496ee57

SHA512
2a15608b8d688133518fea550aa30bb509c45af2ba91491c5943b4150a4a2953a0b369aad31b51fcdffd7debd27f9a11983d05608341eb341d38b983d12c6a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un653553.exe

Filesize
544KB

MD5
893e4f5078e37b256ab2d20867dbaca6

SHA1
c53f4db624337fe342ba42740e7441c571ab5107

SHA256
b2b73f66c3dd82c27f0b628e679899b13db19b582f4894a5a6e592670496ee57

SHA512
2a15608b8d688133518fea550aa30bb509c45af2ba91491c5943b4150a4a2953a0b369aad31b51fcdffd7debd27f9a11983d05608341eb341d38b983d12c6a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe

Filesize
326KB

MD5
557f7ffbed24d0ea9f17bb882efe5b01

SHA1
91af976eac59636032c13e66b893c64302df4c6a

SHA256
fa56e3696905e27ea2d5f3660bb8d3710f3d08dca6d02e0fa11001d56d407626

SHA512
5c8665c281a4d3c5eba9e5fb0bc6b2659a472999d357eaad62774d529b06a8c616221913ea72a9874b2787d9af053bbbc972690823e81ec44bda503ef8509acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe

Filesize
326KB

MD5
557f7ffbed24d0ea9f17bb882efe5b01

SHA1
91af976eac59636032c13e66b893c64302df4c6a

SHA256
fa56e3696905e27ea2d5f3660bb8d3710f3d08dca6d02e0fa11001d56d407626

SHA512
5c8665c281a4d3c5eba9e5fb0bc6b2659a472999d357eaad62774d529b06a8c616221913ea72a9874b2787d9af053bbbc972690823e81ec44bda503ef8509acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7735.exe

Filesize
384KB

MD5
ef8aa1ba83602a4ecfb5f420808a86b2

SHA1
d4e2de25fc141f7a0e0fafd014f4357a494d186f

SHA256
cb12a790ca4f780246028e33a675594dc182c6ac2ea640ab4e62358597e980de

SHA512
0ace1986e661f41dbdbe18e8cdeac92a4949baf953f14850bb301233446c0ea49ec3a71e1ddb6f94f50e534896dcb65bdd63087152f7bdf74f9a6c2109ea5887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7735.exe

Filesize
384KB

MD5
ef8aa1ba83602a4ecfb5f420808a86b2

SHA1
d4e2de25fc141f7a0e0fafd014f4357a494d186f

SHA256
cb12a790ca4f780246028e33a675594dc182c6ac2ea640ab4e62358597e980de

SHA512
0ace1986e661f41dbdbe18e8cdeac92a4949baf953f14850bb301233446c0ea49ec3a71e1ddb6f94f50e534896dcb65bdd63087152f7bdf74f9a6c2109ea5887

Download Submit
memory/1032-148-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/1032-149-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/1032-150-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1032-151-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1032-152-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1032-153-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-156-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-154-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-158-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-160-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-162-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-164-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-166-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-168-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-170-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-174-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-176-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-178-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-180-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1032-181-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/1032-182-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1032-183-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/1032-185-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/3132-190-0x0000000002C80000-0x0000000002CCB000-memory.dmp

Filesize
300KB

Download
memory/3132-191-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-192-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-194-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-196-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-198-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-200-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-202-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-204-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-206-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-208-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-210-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3132-211-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-213-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-215-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-217-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-219-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-221-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-223-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-225-0x0000000004BD0000-0x0000000004C0F000-memory.dmp

Filesize
252KB

Download
memory/3132-1098-0x00000000079E0000-0x0000000007FF8000-memory.dmp

Filesize
6.1MB

Download
memory/3132-1099-0x0000000008000000-0x000000000810A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-1100-0x00000000073C0000-0x00000000073D2000-memory.dmp

Filesize
72KB

Download
memory/3132-1101-0x00000000073E0000-0x000000000741C000-memory.dmp

Filesize
240KB

Download
memory/3132-1102-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3132-1104-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/3132-1105-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/3132-1106-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/3132-1107-0x0000000008CF0000-0x0000000008D40000-memory.dmp

Filesize
320KB

Download
memory/3132-1108-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3132-1109-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/3132-1110-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/3132-1113-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3284-1117-0x0000000000960000-0x0000000000992000-memory.dmp

Filesize
200KB

Download
memory/3284-1118-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download