redline | efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af

Analysis

max time kernel
54s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe
Size

700KB
MD5

de1eea25820f29bb1577de6c94741223
SHA1

b111f79864ebdfd08a4f46798572eaabeb463d15
SHA256

efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af
SHA512

76bc290b0777c136ee66163d838fdcc41b9ecc0310509c86f35a05fb1e6a2db99f63095e4605f451e551db9536cc63ce3173b7f7bc788c3aae7d8c7d1e9e8aff
SSDEEP

12288:gMrby900qvhf41tO6hFwMf9DSrcAL8F38pOmEPWUBgjquP4XbKRbkxdqaABpH:ryqf41k6hn+L8VAsDg+uP4XbKlidqxBl

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5811.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2148-176-0x0000000002460000-0x00000000024A6000-memory.dmp	family_redline
behavioral1/memory/2148-179-0x0000000002650000-0x0000000002694000-memory.dmp	family_redline
behavioral1/memory/2148-182-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-183-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-185-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-187-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-189-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-191-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-193-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-195-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-197-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-199-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-201-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-203-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-205-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-207-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-211-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-209-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-213-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline
behavioral1/memory/2148-215-0x0000000002650000-0x000000000268F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3644	un296880.exe
2272	pro5811.exe
2148	qu2206.exe
3984	si297584.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5811.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un296880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un296880.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2272	pro5811.exe
2272	pro5811.exe
2148	qu2206.exe
2148	qu2206.exe
3984	si297584.exe
3984	si297584.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	pro5811.exe
Token: SeDebugPrivilege	2148	qu2206.exe
Token: SeDebugPrivilege	3984	si297584.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3644	4124	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe	66
PID 4124 wrote to memory of 3644	4124	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe	66
PID 4124 wrote to memory of 3644	4124	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe	66
PID 3644 wrote to memory of 2272	3644	un296880.exe	67
PID 3644 wrote to memory of 2272	3644	un296880.exe	67
PID 3644 wrote to memory of 2272	3644	un296880.exe	67
PID 3644 wrote to memory of 2148	3644	un296880.exe	68
PID 3644 wrote to memory of 2148	3644	un296880.exe	68
PID 3644 wrote to memory of 2148	3644	un296880.exe	68
PID 4124 wrote to memory of 3984	4124	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe	70
PID 4124 wrote to memory of 3984	4124	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe	70
PID 4124 wrote to memory of 3984	4124	efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe	70

C:\Users\Admin\AppData\Local\Temp\efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe
"C:\Users\Admin\AppData\Local\Temp\efe0d4a3c991303083fd4ba828c9f898bdcb12a0d76b98b2193ade32c2f329af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un296880.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un296880.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5811.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5811.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2206.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2206.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si297584.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si297584.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si297584.exe

Filesize
175KB

MD5
a9bb09c38fb68073ad9cacee36e16ea5

SHA1
096f6c1e39c22439e521ac3d04e3cac34fd37eef

SHA256
656e6cca8e0578849fcd22e1518fbecc7969fbc105f77ee7aa2e3ce10c8d1d44

SHA512
5c391f9cf9c692b7ac01279a46376440e6b4708a73f1bd09590fab1690a0d342e030a625a1da70eef842f8b2c9dff96e5fdcace975c0dcda2f84ee52e598ae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si297584.exe

Filesize
175KB

MD5
a9bb09c38fb68073ad9cacee36e16ea5

SHA1
096f6c1e39c22439e521ac3d04e3cac34fd37eef

SHA256
656e6cca8e0578849fcd22e1518fbecc7969fbc105f77ee7aa2e3ce10c8d1d44

SHA512
5c391f9cf9c692b7ac01279a46376440e6b4708a73f1bd09590fab1690a0d342e030a625a1da70eef842f8b2c9dff96e5fdcace975c0dcda2f84ee52e598ae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un296880.exe

Filesize
558KB

MD5
5608c53159cbe291fb56d11388f06406

SHA1
000b8b7bcd9ae0b81d9215e1a636a1c1791bda54

SHA256
5bd7abe7da15a821464fec8247043a305cedbc27b0034c4f63f02cec6d59b07b

SHA512
73570ccd2ded02552e8e4e00d362ec641d829b8e4c995ed692ae856c589147a0aada21c86f4ba9083a77cc8bca8a6243d05b498699258702ebc2a04f9c285fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un296880.exe

Filesize
558KB

MD5
5608c53159cbe291fb56d11388f06406

SHA1
000b8b7bcd9ae0b81d9215e1a636a1c1791bda54

SHA256
5bd7abe7da15a821464fec8247043a305cedbc27b0034c4f63f02cec6d59b07b

SHA512
73570ccd2ded02552e8e4e00d362ec641d829b8e4c995ed692ae856c589147a0aada21c86f4ba9083a77cc8bca8a6243d05b498699258702ebc2a04f9c285fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5811.exe

Filesize
307KB

MD5
eab94fb914202505f621f497d3756825

SHA1
80ff3028908f4672ce08da46ba6380bf688812de

SHA256
85200c51c1863146ccaf7ccf6f30e838ef0465cda2f43b9df5575aad0fe4f67c

SHA512
c6d41a557f4becf5ee94d034ad6d86daa4bc857db62934e13831bcb608f99b63fe37d6531cb5ab5d24d0cacb9a5c390b301ef984997125abbf2fb1628638e0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5811.exe

Filesize
307KB

MD5
eab94fb914202505f621f497d3756825

SHA1
80ff3028908f4672ce08da46ba6380bf688812de

SHA256
85200c51c1863146ccaf7ccf6f30e838ef0465cda2f43b9df5575aad0fe4f67c

SHA512
c6d41a557f4becf5ee94d034ad6d86daa4bc857db62934e13831bcb608f99b63fe37d6531cb5ab5d24d0cacb9a5c390b301ef984997125abbf2fb1628638e0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2206.exe

Filesize
365KB

MD5
deae244f21f6527a671f08525f1b7a00

SHA1
de74ba16cce19e4ac1c41fa67f5d8ce129412691

SHA256
308a23323d5770b65433c02660cf26f3c52c385513bd542a76e67b0386d44eeb

SHA512
54fa19261b605d2f5c0283522a194fac3653d0d1beb4a54d4666b31c8fb6c54fe84ab6335307bad2fff1a8e1a9a1fc527028cef8b6666d9c9ca1898e1be339e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2206.exe

Filesize
365KB

MD5
deae244f21f6527a671f08525f1b7a00

SHA1
de74ba16cce19e4ac1c41fa67f5d8ce129412691

SHA256
308a23323d5770b65433c02660cf26f3c52c385513bd542a76e67b0386d44eeb

SHA512
54fa19261b605d2f5c0283522a194fac3653d0d1beb4a54d4666b31c8fb6c54fe84ab6335307bad2fff1a8e1a9a1fc527028cef8b6666d9c9ca1898e1be339e0

Download Submit
memory/2148-1088-0x00000000054F0000-0x0000000005AF6000-memory.dmp

Filesize
6.0MB

Download
memory/2148-215-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-187-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-1103-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download
memory/2148-1102-0x0000000007080000-0x00000000070F6000-memory.dmp

Filesize
472KB

Download
memory/2148-189-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-1101-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-1100-0x00000000068D0000-0x0000000006DFC000-memory.dmp

Filesize
5.2MB

Download
memory/2148-1099-0x00000000066E0000-0x00000000068A2000-memory.dmp

Filesize
1.8MB

Download
memory/2148-191-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-1098-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-1097-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-1095-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/2148-1094-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/2148-1093-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-1092-0x0000000004E80000-0x0000000004ECB000-memory.dmp

Filesize
300KB

Download
memory/2148-1091-0x0000000004E30000-0x0000000004E6E000-memory.dmp

Filesize
248KB

Download
memory/2148-1090-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/2148-1089-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/2148-197-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-213-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-209-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-211-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-207-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-205-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-176-0x0000000002460000-0x00000000024A6000-memory.dmp

Filesize
280KB

Download
memory/2148-177-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/2148-178-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-179-0x0000000002650000-0x0000000002694000-memory.dmp

Filesize
272KB

Download
memory/2148-180-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-181-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2148-182-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-183-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-185-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-203-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-201-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-199-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-193-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2148-195-0x0000000002650000-0x000000000268F000-memory.dmp

Filesize
252KB

Download
memory/2272-166-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2272-149-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-141-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-131-0x0000000000AD0000-0x0000000000AEA000-memory.dmp

Filesize
104KB

Download
memory/2272-134-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/2272-135-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2272-171-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2272-169-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2272-168-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2272-167-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2272-133-0x00000000023D0000-0x00000000023E8000-memory.dmp

Filesize
96KB

Download
memory/2272-136-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2272-165-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-163-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-161-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-159-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-157-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-155-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-153-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-151-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-147-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-145-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-143-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-139-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-138-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2272-132-0x0000000004DC0000-0x00000000052BE000-memory.dmp

Filesize
5.0MB

Download
memory/2272-137-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3984-1109-0x00000000001A0000-0x00000000001D2000-memory.dmp

Filesize
200KB

Download
memory/3984-1110-0x0000000004AE0000-0x0000000004B2B000-memory.dmp

Filesize
300KB

Download
memory/3984-1111-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download