redline | 35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff

Analysis

max time kernel
51s
max time network
62s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/03/2023, 15:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe
Size

686KB
MD5

d54624144ba187a6cce0396595e480bd
SHA1

bf22f5844d79e65ada6536674a2267df9d7154e2
SHA256

35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff
SHA512

7bb316053095c27bab4af7f3c72bd69390d0ff01b4c16d27e30b3061c119c0b6ddc34137a43a5f9d460093079d82d5f950bd8e948ca9049be1d70db6313ca05f
SSDEEP

12288:cMrYy90FqOhxEPtFk4bOUoKZN+hD5b817VTIvziv8iBuOh5Qf:EycuY4bcC+VWI7iEUu

Score

10^/10

redline boris dogma discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

dogma

193.233.20.32:4125

Attributes

auth_value
1b692976ca991040f2e8890409c35142

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7924.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4764-179-0x00000000048F0000-0x0000000004936000-memory.dmp	family_redline
behavioral1/memory/4764-182-0x00000000070F0000-0x0000000007134000-memory.dmp	family_redline
behavioral1/memory/4764-184-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-183-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-186-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-188-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-190-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-192-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-194-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-196-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-198-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-200-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-202-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-204-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-206-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-208-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-210-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-212-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-214-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline
behavioral1/memory/4764-216-0x00000000070F0000-0x000000000712F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4076	un654418.exe
4276	pro7924.exe
4764	qu2414.exe
3756	si051141.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7924.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un654418.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un654418.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4276	pro7924.exe
4276	pro7924.exe
4764	qu2414.exe
4764	qu2414.exe
3756	si051141.exe
3756	si051141.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	pro7924.exe
Token: SeDebugPrivilege	4764	qu2414.exe
Token: SeDebugPrivilege	3756	si051141.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4076	3668	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe	66
PID 3668 wrote to memory of 4076	3668	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe	66
PID 3668 wrote to memory of 4076	3668	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe	66
PID 4076 wrote to memory of 4276	4076	un654418.exe	67
PID 4076 wrote to memory of 4276	4076	un654418.exe	67
PID 4076 wrote to memory of 4276	4076	un654418.exe	67
PID 4076 wrote to memory of 4764	4076	un654418.exe	68
PID 4076 wrote to memory of 4764	4076	un654418.exe	68
PID 4076 wrote to memory of 4764	4076	un654418.exe	68
PID 3668 wrote to memory of 3756	3668	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe	70
PID 3668 wrote to memory of 3756	3668	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe	70
PID 3668 wrote to memory of 3756	3668	35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe	70

C:\Users\Admin\AppData\Local\Temp\35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe
"C:\Users\Admin\AppData\Local\Temp\35a9856a264c784f47bbcbd4eef791b26f101886d969dc7ac2b889ebeec310ff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un654418.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un654418.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7924.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7924.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2414.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2414.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si051141.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si051141.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si051141.exe

Filesize
175KB

MD5
5d91ca352df1ff797710a56bd6c72573

SHA1
ffe102d7d58c6e616376246234cc72974a8f747b

SHA256
f8f09c660ecc072e5594f300d8d32a7d27f45eff56ceb8a41cc5c8c8b01fbc6a

SHA512
9ba1e405774c2d83adfba05e42795cf3a48f8eb935862343845df66bfa6b2f5b5afc8574390a8cc192992eba8c4057e17267a7238a3452e2b8091fd4b424e544

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si051141.exe

Filesize
175KB

MD5
5d91ca352df1ff797710a56bd6c72573

SHA1
ffe102d7d58c6e616376246234cc72974a8f747b

SHA256
f8f09c660ecc072e5594f300d8d32a7d27f45eff56ceb8a41cc5c8c8b01fbc6a

SHA512
9ba1e405774c2d83adfba05e42795cf3a48f8eb935862343845df66bfa6b2f5b5afc8574390a8cc192992eba8c4057e17267a7238a3452e2b8091fd4b424e544

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un654418.exe

Filesize
544KB

MD5
efdfff4270e1dd899581cb7aa8945b6f

SHA1
691d7649335480e02450cc31f7ff8b065d71755f

SHA256
275063db3d81f9895def1d81ea1244594f3e17eb820c071b46b281d7e178bc05

SHA512
38f066bdc7ff899096c9c9daaa60f04ee9c4597d35187344b0427e69e448228a67459bf52229d460555b5bfccadb1df6650ea4187c1726068b95b404481df296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un654418.exe

Filesize
544KB

MD5
efdfff4270e1dd899581cb7aa8945b6f

SHA1
691d7649335480e02450cc31f7ff8b065d71755f

SHA256
275063db3d81f9895def1d81ea1244594f3e17eb820c071b46b281d7e178bc05

SHA512
38f066bdc7ff899096c9c9daaa60f04ee9c4597d35187344b0427e69e448228a67459bf52229d460555b5bfccadb1df6650ea4187c1726068b95b404481df296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7924.exe

Filesize
326KB

MD5
a10b9192053ff3670642938c70faaca8

SHA1
cbf6c0750647fd9a718e12343d51605cf7cd2c79

SHA256
9d0706132fd52054a0b840d782fae5fd99a5f9f26b57e53aa21cdea0752cd54f

SHA512
e4242431f627be5ddb2d3600d2fc59714af418a4ad600fb5c522d14a3482905db756c4f4e51861a760bc024fb3f4f92d59e2e79290b90f8e971286dedf6cd6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7924.exe

Filesize
326KB

MD5
a10b9192053ff3670642938c70faaca8

SHA1
cbf6c0750647fd9a718e12343d51605cf7cd2c79

SHA256
9d0706132fd52054a0b840d782fae5fd99a5f9f26b57e53aa21cdea0752cd54f

SHA512
e4242431f627be5ddb2d3600d2fc59714af418a4ad600fb5c522d14a3482905db756c4f4e51861a760bc024fb3f4f92d59e2e79290b90f8e971286dedf6cd6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2414.exe

Filesize
384KB

MD5
e0b680684fc0b5444afe8b76dc55b25c

SHA1
d8b95d250d3f024be8cecdbe1db1bceb17f02055

SHA256
822de2ffd8cc12bf6b63a8859be4f2a454fbf3a497a1cc49a4283ccb9f64a433

SHA512
1c023fabde3759b3d3e261aaea3c4845079920e38a9c0c03cc76d97d0c2b3c6d6060be769ee52a0dc01bfdee0e96153d05469824d52eec5083385ce95a4da6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2414.exe

Filesize
384KB

MD5
e0b680684fc0b5444afe8b76dc55b25c

SHA1
d8b95d250d3f024be8cecdbe1db1bceb17f02055

SHA256
822de2ffd8cc12bf6b63a8859be4f2a454fbf3a497a1cc49a4283ccb9f64a433

SHA512
1c023fabde3759b3d3e261aaea3c4845079920e38a9c0c03cc76d97d0c2b3c6d6060be769ee52a0dc01bfdee0e96153d05469824d52eec5083385ce95a4da6a5

Download Submit
memory/3756-1109-0x0000000004BD0000-0x0000000004C1B000-memory.dmp

Filesize
300KB

Download
memory/3756-1108-0x0000000000350000-0x0000000000382000-memory.dmp

Filesize
200KB

Download
memory/3756-1110-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4276-144-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-156-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-138-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4276-139-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4276-140-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4276-141-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-142-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-136-0x0000000007390000-0x000000000788E000-memory.dmp

Filesize
5.0MB

Download
memory/4276-146-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-148-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-150-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-152-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-154-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-137-0x0000000004940000-0x0000000004958000-memory.dmp

Filesize
96KB

Download
memory/4276-158-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-160-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-162-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-164-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-166-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-168-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4276-169-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4276-172-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4276-173-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4276-174-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4276-171-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4276-135-0x0000000002DF0000-0x0000000002E0A000-memory.dmp

Filesize
104KB

Download
memory/4276-134-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4764-179-0x00000000048F0000-0x0000000004936000-memory.dmp

Filesize
280KB

Download
memory/4764-182-0x00000000070F0000-0x0000000007134000-memory.dmp

Filesize
272KB

Download
memory/4764-184-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-183-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-186-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-188-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-190-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-192-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-194-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-196-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-198-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-200-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-202-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-204-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-206-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-208-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-210-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-212-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-214-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-216-0x00000000070F0000-0x000000000712F000-memory.dmp

Filesize
252KB

Download
memory/4764-1089-0x0000000007DF0000-0x00000000083F6000-memory.dmp

Filesize
6.0MB

Download
memory/4764-1090-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/4764-1091-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/4764-1092-0x00000000079C0000-0x00000000079FE000-memory.dmp

Filesize
248KB

Download
memory/4764-1093-0x0000000007B10000-0x0000000007B5B000-memory.dmp

Filesize
300KB

Download
memory/4764-1094-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4764-1096-0x0000000007CA0000-0x0000000007D06000-memory.dmp

Filesize
408KB

Download
memory/4764-1097-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/4764-1098-0x0000000008A70000-0x0000000008C32000-memory.dmp

Filesize
1.8MB

Download
memory/4764-1099-0x0000000008C40000-0x000000000916C000-memory.dmp

Filesize
5.2MB

Download
memory/4764-181-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4764-180-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/4764-1100-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4764-1101-0x0000000009620000-0x0000000009696000-memory.dmp

Filesize
472KB

Download
memory/4764-1102-0x00000000096A0000-0x00000000096F0000-memory.dmp

Filesize
320KB

Download