redline | 0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe
Size

695KB
MD5

98fb2ff21af33f082259195627e90802
SHA1

dc9963e398813e9551cc32b15c410fbd6b447a1e
SHA256

0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08
SHA512

898d28ba2bba703af467d7878675aa7f1d346df503ae1de67707aa22076e8ee3406b3a13793031b65c9d6e6f8bc7c4b60206ce87c119ef3086eb7c1925f9bab7
SSDEEP

12288:eMrUy90gF2YgTCErapzdnDtwV8dudleEbVxefWCSkmG8x0BzgjHJiobhF9:iyRgWmaXnxc8dcleEbDefWxkCigTUkz9

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8611.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/4928-190-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-191-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-203-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-207-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-219-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-221-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-223-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/4928-1112-0x0000000004DE0000-0x0000000004DF0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3684	un943933.exe
4376	pro8611.exe
4928	qu0625.exe
456	si344799.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8611.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un943933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un943933.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4376	pro8611.exe
4376	pro8611.exe
4928	qu0625.exe
4928	qu0625.exe
456	si344799.exe
456	si344799.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	pro8611.exe
Token: SeDebugPrivilege	4928	qu0625.exe
Token: SeDebugPrivilege	456	si344799.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3684	1188	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe	82
PID 1188 wrote to memory of 3684	1188	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe	82
PID 1188 wrote to memory of 3684	1188	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe	82
PID 3684 wrote to memory of 4376	3684	un943933.exe	83
PID 3684 wrote to memory of 4376	3684	un943933.exe	83
PID 3684 wrote to memory of 4376	3684	un943933.exe	83
PID 3684 wrote to memory of 4928	3684	un943933.exe	87
PID 3684 wrote to memory of 4928	3684	un943933.exe	87
PID 3684 wrote to memory of 4928	3684	un943933.exe	87
PID 1188 wrote to memory of 456	1188	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe	88
PID 1188 wrote to memory of 456	1188	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe	88
PID 1188 wrote to memory of 456	1188	0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe	88

C:\Users\Admin\AppData\Local\Temp\0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe
"C:\Users\Admin\AppData\Local\Temp\0c9a7186c19c9664fbc5a2e08f603bf7a02920bbd4abf54230b9fbbb5080bf08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943933.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943933.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8611.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8611.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0625.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0625.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si344799.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si344799.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si344799.exe

Filesize
175KB

MD5
ba21be96ed2fcb2273eba917a62cc507

SHA1
e1b3357822e0b050cbe3462c135d0e2c86e5d187

SHA256
8da667bf9eef34fffa06126ec9cc27011b078b95d38dd0713aaccd74c8f4b3fe

SHA512
38dd19b3f822cd88988f0b2bf27cd68919d99cfb603da5550a209a5d586794f9ac070d939143470291fc7c7f7f9266d97d030e9128a253f3ce01c3d548cb6fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si344799.exe

Filesize
175KB

MD5
ba21be96ed2fcb2273eba917a62cc507

SHA1
e1b3357822e0b050cbe3462c135d0e2c86e5d187

SHA256
8da667bf9eef34fffa06126ec9cc27011b078b95d38dd0713aaccd74c8f4b3fe

SHA512
38dd19b3f822cd88988f0b2bf27cd68919d99cfb603da5550a209a5d586794f9ac070d939143470291fc7c7f7f9266d97d030e9128a253f3ce01c3d548cb6fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943933.exe

Filesize
553KB

MD5
1d593d8346aba2a4330ccc60124d6e78

SHA1
22752c6189fc9359b760d81e02e50225119fac8a

SHA256
9d3e7a7e365ae1c97612cc14e18de6b62c851e23cdf0a85226036e758ea2ac1f

SHA512
5da5c1d03c975de144ae5a202762e6823256ebb63807f89a778d6d22ebc05a9c447c6ec4adb095017c9348ff37bc2603077213cf3e20cdea627b9d7bff6feb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un943933.exe

Filesize
553KB

MD5
1d593d8346aba2a4330ccc60124d6e78

SHA1
22752c6189fc9359b760d81e02e50225119fac8a

SHA256
9d3e7a7e365ae1c97612cc14e18de6b62c851e23cdf0a85226036e758ea2ac1f

SHA512
5da5c1d03c975de144ae5a202762e6823256ebb63807f89a778d6d22ebc05a9c447c6ec4adb095017c9348ff37bc2603077213cf3e20cdea627b9d7bff6feb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8611.exe

Filesize
308KB

MD5
ee771d0ed5733a2eca9683231e101b51

SHA1
31cd3777c106137a0787c38033430e4a3d179349

SHA256
8e9445b391667b66c7fa467fc1e1eb7d8292a1a11124431bbf4bf21f180ba150

SHA512
a769b1178a4366d279de093d674b0e1d3e952c1a856d03cf8a5da09d4d645470402445477a21edf4a6e9dbc3918485a0e797a26a10a85acb412fd7a639c240ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8611.exe

Filesize
308KB

MD5
ee771d0ed5733a2eca9683231e101b51

SHA1
31cd3777c106137a0787c38033430e4a3d179349

SHA256
8e9445b391667b66c7fa467fc1e1eb7d8292a1a11124431bbf4bf21f180ba150

SHA512
a769b1178a4366d279de093d674b0e1d3e952c1a856d03cf8a5da09d4d645470402445477a21edf4a6e9dbc3918485a0e797a26a10a85acb412fd7a639c240ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0625.exe

Filesize
366KB

MD5
130df444cd44005e5815457d6d046514

SHA1
e3f3e9ad63b16c2ac770f087b1250502b4b5592f

SHA256
1147d106d561361b0b8f4c8dc29e3ae46c268a60d9373916a9b6d18a1e3d502c

SHA512
41d522692ffa34fa92f94f717d2c2790e115180e1759f87299ee84c7dc2a0ddf1c800e3b1a968b39beef1a811f38775e6c8a8f802e18c8defaba06aff21a77ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0625.exe

Filesize
366KB

MD5
130df444cd44005e5815457d6d046514

SHA1
e3f3e9ad63b16c2ac770f087b1250502b4b5592f

SHA256
1147d106d561361b0b8f4c8dc29e3ae46c268a60d9373916a9b6d18a1e3d502c

SHA512
41d522692ffa34fa92f94f717d2c2790e115180e1759f87299ee84c7dc2a0ddf1c800e3b1a968b39beef1a811f38775e6c8a8f802e18c8defaba06aff21a77ec

Download Submit
memory/456-1121-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/456-1122-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4376-156-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-166-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-153-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4376-152-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-151-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-154-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4376-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4376-158-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-160-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-162-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-164-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-150-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4376-168-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-170-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-172-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-174-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-176-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-178-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-180-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/4376-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4376-182-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4376-183-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/4376-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4376-148-0x0000000004E10000-0x00000000053B4000-memory.dmp

Filesize
5.6MB

Download
memory/4928-191-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-298-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-203-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-207-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-219-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-221-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-223-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-295-0x0000000000900000-0x000000000094B000-memory.dmp

Filesize
300KB

Download
memory/4928-297-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-300-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-1100-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/4928-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4928-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4928-1102-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4928-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/4928-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/4928-1107-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/4928-1109-0x00000000068F0000-0x0000000006E1C000-memory.dmp

Filesize
5.2MB

Download
memory/4928-1110-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-1111-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-1112-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4928-190-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/4928-1113-0x0000000006F50000-0x0000000006FC6000-memory.dmp

Filesize
472KB

Download
memory/4928-1114-0x0000000006FE0000-0x0000000007030000-memory.dmp

Filesize
320KB

Download
memory/4928-1115-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download