redline | 20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe
Size

701KB
MD5

ee26e9be692ae2d72a37dd09ba5da49f
SHA1

87651d92c447bf9b81bdc0e0e0fbfa603fc565d3
SHA256

20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1
SHA512

60df3bf6abf8290add52bf65e5902a26ea8c497c33546b3c098035907e626446e169d50488d5c0a87ec0ec164e310304dbcf9f705bb23f335ee988b74d476a8c
SSDEEP

12288:cMrQy90btjvasibPby1Zo6iHxTKXPZ9RRzkQTegNYMv3rKuOrf4f:UyIjSsNPRicPNxkXMPrK3m

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9664.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9664.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2660-190-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-189-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-192-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-194-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-196-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-198-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-200-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-202-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-207-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-209-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-211-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-213-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-215-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-217-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-219-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-221-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-223-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline
behavioral1/memory/2660-225-0x0000000002540000-0x000000000257F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
548	un776494.exe
1960	pro9664.exe
2660	qu2544.exe
3816	si254614.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9664.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9664.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un776494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un776494.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3640	1960	WerFault.exe	85
4300	2660	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1960	pro9664.exe
1960	pro9664.exe
2660	qu2544.exe
2660	qu2544.exe
3816	si254614.exe
3816	si254614.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	pro9664.exe
Token: SeDebugPrivilege	2660	qu2544.exe
Token: SeDebugPrivilege	3816	si254614.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 548	4900	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe	84
PID 4900 wrote to memory of 548	4900	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe	84
PID 4900 wrote to memory of 548	4900	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe	84
PID 548 wrote to memory of 1960	548	un776494.exe	85
PID 548 wrote to memory of 1960	548	un776494.exe	85
PID 548 wrote to memory of 1960	548	un776494.exe	85
PID 548 wrote to memory of 2660	548	un776494.exe	93
PID 548 wrote to memory of 2660	548	un776494.exe	93
PID 548 wrote to memory of 2660	548	un776494.exe	93
PID 4900 wrote to memory of 3816	4900	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe	96
PID 4900 wrote to memory of 3816	4900	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe	96
PID 4900 wrote to memory of 3816	4900	20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe	96

C:\Users\Admin\AppData\Local\Temp\20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe
"C:\Users\Admin\AppData\Local\Temp\20888e5f8ce623e1be81a54c740e0751681069cf7e56f03425321d2d2c922bf1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un776494.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un776494.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9664.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9664.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1080
      4⤵
      Program crash
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2544.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1336
      4⤵
      Program crash
      PID:4300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si254614.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si254614.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1960 -ip 1960
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2660 -ip 2660
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si254614.exe

Filesize
175KB

MD5
590fc588b6c460225f96134784ffb328

SHA1
50278e04bc3b51fb8c97324af7d12f9ebfe3ffc2

SHA256
abb74aa9c6677a41a2a41409cee6dae4b3eac589a71b406b3093ed3454124d57

SHA512
865bacae8ce0b107db6340aa3d3bb55ede1df44126252295bacafe60e2209da8c27fdf402f739317369ee5c80ba2946b18fae6b0b61b11719b6b08d489f10c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si254614.exe

Filesize
175KB

MD5
590fc588b6c460225f96134784ffb328

SHA1
50278e04bc3b51fb8c97324af7d12f9ebfe3ffc2

SHA256
abb74aa9c6677a41a2a41409cee6dae4b3eac589a71b406b3093ed3454124d57

SHA512
865bacae8ce0b107db6340aa3d3bb55ede1df44126252295bacafe60e2209da8c27fdf402f739317369ee5c80ba2946b18fae6b0b61b11719b6b08d489f10c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un776494.exe

Filesize
558KB

MD5
e64c4411f27a6d4c993ced66d46f34b8

SHA1
07370274d06d45ab72e79a17921b8a34424da2eb

SHA256
855d0ee9cf0727e5767af20b1fed66e57d8605220ef0cb5561c4b6f776d68bdf

SHA512
ec3a23575c223471431f360b8b6f3815a7877d6d9d9f3450aa5da0b74c56e807862a912da5e1801342cd3819e4d2c17d9b5483e555bfc589e115fd6295649248

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un776494.exe

Filesize
558KB

MD5
e64c4411f27a6d4c993ced66d46f34b8

SHA1
07370274d06d45ab72e79a17921b8a34424da2eb

SHA256
855d0ee9cf0727e5767af20b1fed66e57d8605220ef0cb5561c4b6f776d68bdf

SHA512
ec3a23575c223471431f360b8b6f3815a7877d6d9d9f3450aa5da0b74c56e807862a912da5e1801342cd3819e4d2c17d9b5483e555bfc589e115fd6295649248

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9664.exe

Filesize
307KB

MD5
9ee699bef996a109fa03171b0f314623

SHA1
1413e2786322175d7952f65e1bfa40811a999daa

SHA256
492357a1b312e7fff0292868139a24ca8a65723bd3ba7540aabb21dbf8cef89d

SHA512
bb029b3e2787b7be2422dab6e52fe05925627320cdfc7f7b0ef06dd30e93d51ae3a535624a76b3791d710a35990f7563b629a1561d83156637871979a06f8925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9664.exe

Filesize
307KB

MD5
9ee699bef996a109fa03171b0f314623

SHA1
1413e2786322175d7952f65e1bfa40811a999daa

SHA256
492357a1b312e7fff0292868139a24ca8a65723bd3ba7540aabb21dbf8cef89d

SHA512
bb029b3e2787b7be2422dab6e52fe05925627320cdfc7f7b0ef06dd30e93d51ae3a535624a76b3791d710a35990f7563b629a1561d83156637871979a06f8925

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2544.exe

Filesize
365KB

MD5
eb400830d63bc97a4ac74b6ebe605b17

SHA1
a719370b211c49ec06428d53dafaed5df300651d

SHA256
2a42ad6cd50c789827f525c218a753e02129d25f521185ac06d85f55bf6e3dfb

SHA512
df638836de681d2ecd7734542d23954b81f1ff0b9b1e7cfbd5b197a2a2472e330050c075388426bdfa1d175bde2767d76351003e0a999ddc1159490e0c2ea4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2544.exe

Filesize
365KB

MD5
eb400830d63bc97a4ac74b6ebe605b17

SHA1
a719370b211c49ec06428d53dafaed5df300651d

SHA256
2a42ad6cd50c789827f525c218a753e02129d25f521185ac06d85f55bf6e3dfb

SHA512
df638836de681d2ecd7734542d23954b81f1ff0b9b1e7cfbd5b197a2a2472e330050c075388426bdfa1d175bde2767d76351003e0a999ddc1159490e0c2ea4e6

Download Submit
memory/1960-148-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/1960-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/1960-150-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1960-151-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1960-152-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-153-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-155-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-157-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-159-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-161-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-163-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-165-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-167-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-169-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-171-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-173-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-175-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-177-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-179-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1960-180-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1960-181-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1960-182-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1960-184-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2660-194-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-223-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-192-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-190-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-196-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-198-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-200-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-203-0x0000000000810000-0x000000000085B000-memory.dmp

Filesize
300KB

Download
memory/2660-202-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-204-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2660-206-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2660-207-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-209-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-211-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-213-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-215-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-217-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-219-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-221-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-189-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-225-0x0000000002540000-0x000000000257F000-memory.dmp

Filesize
252KB

Download
memory/2660-1098-0x0000000005710000-0x0000000005D28000-memory.dmp

Filesize
6.1MB

Download
memory/2660-1099-0x0000000005D30000-0x0000000005E3A000-memory.dmp

Filesize
1.0MB

Download
memory/2660-1100-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/2660-1101-0x0000000002B40000-0x0000000002B7C000-memory.dmp

Filesize
240KB

Download
memory/2660-1102-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2660-1103-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/2660-1104-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/2660-1105-0x00000000066F0000-0x0000000006766000-memory.dmp

Filesize
472KB

Download
memory/2660-1106-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/2660-1109-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2660-1108-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2660-1110-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2660-1111-0x0000000006A40000-0x0000000006C02000-memory.dmp

Filesize
1.8MB

Download
memory/2660-1112-0x0000000006C10000-0x000000000713C000-memory.dmp

Filesize
5.2MB

Download
memory/2660-1113-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3816-1119-0x00000000009F0000-0x0000000000A22000-memory.dmp

Filesize
200KB

Download
memory/3816-1120-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download