redline | df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6

Analysis

max time kernel
58s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe
Size

700KB
MD5

f18baa9d0cd6b50d6cf8661efb4c5fc3
SHA1

8bee6602b4aad25250a68959bb22242aa97a6c6d
SHA256

df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6
SHA512

dfc186fd9392ccae90b3feb5dbb1df10cf95b8e49a0990b7998f25189ade8a4a1f92350b0628435236959505e2d1467fcb8d31babdaaf8e712950aed5e190ca9
SSDEEP

12288:4Mrgy90Ayz7JFbsIcUIk+9DSbcAz8F3q86HZs0zMgIR3M6VihlpHunr:IyNy3jNIkHz8V8/zMpFph

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0027.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0027.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/3924-193-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-195-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-197-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-199-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-201-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-203-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-205-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-207-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-209-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-211-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-213-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-215-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-217-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-219-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-221-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-223-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-225-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline
behavioral1/memory/3924-227-0x0000000002770000-0x00000000027AF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1416	un244693.exe
3336	pro0027.exe
3924	qu8075.exe
4376	si351470.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0027.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0027.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un244693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un244693.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4516	3336	WerFault.exe	86
4396	3924	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3336	pro0027.exe
3336	pro0027.exe
3924	qu8075.exe
3924	qu8075.exe
4376	si351470.exe
4376	si351470.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	pro0027.exe
Token: SeDebugPrivilege	3924	qu8075.exe
Token: SeDebugPrivilege	4376	si351470.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 1416	4164	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe	85
PID 4164 wrote to memory of 1416	4164	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe	85
PID 4164 wrote to memory of 1416	4164	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe	85
PID 1416 wrote to memory of 3336	1416	un244693.exe	86
PID 1416 wrote to memory of 3336	1416	un244693.exe	86
PID 1416 wrote to memory of 3336	1416	un244693.exe	86
PID 1416 wrote to memory of 3924	1416	un244693.exe	92
PID 1416 wrote to memory of 3924	1416	un244693.exe	92
PID 1416 wrote to memory of 3924	1416	un244693.exe	92
PID 4164 wrote to memory of 4376	4164	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe	96
PID 4164 wrote to memory of 4376	4164	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe	96
PID 4164 wrote to memory of 4376	4164	df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe	96

C:\Users\Admin\AppData\Local\Temp\df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe
"C:\Users\Admin\AppData\Local\Temp\df3a960f89924333d26c673cca543cdd090b6f33adfff09741cee45ee65070b6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244693.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244693.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0027.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0027.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1004
      4⤵
      Program crash
      PID:4516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8075.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8075.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1192
      4⤵
      Program crash
      PID:4396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si351470.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si351470.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3336 -ip 3336
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3924 -ip 3924
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si351470.exe

Filesize
175KB

MD5
721024ce8f551de53ccb331fe881cc37

SHA1
ffbd3beee99ffc4de639d4a35f232b39df1083ac

SHA256
289d1f030b111fd6f93d37c531e46d25a53fe085f5a946b5c74667978beb9601

SHA512
be006e6386c8b6455dc77c2bd7e2339569b47c34c180b7814a268c3235fd77c0fd2fac0de9e56343982cc1ecc22441c8be5f604100bcc07c930777c826c8eacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si351470.exe

Filesize
175KB

MD5
721024ce8f551de53ccb331fe881cc37

SHA1
ffbd3beee99ffc4de639d4a35f232b39df1083ac

SHA256
289d1f030b111fd6f93d37c531e46d25a53fe085f5a946b5c74667978beb9601

SHA512
be006e6386c8b6455dc77c2bd7e2339569b47c34c180b7814a268c3235fd77c0fd2fac0de9e56343982cc1ecc22441c8be5f604100bcc07c930777c826c8eacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244693.exe

Filesize
558KB

MD5
047a03983bacd77278510d3ad734dea3

SHA1
85a6429e9903ded1df87b53fc768f28706228108

SHA256
298dba634fbf6b169d0b18dedae0177b7990e8f7aa797e21aad84e285b174a65

SHA512
c2e176fc1e5889551230d7334ea073fe6aa6ca255d9d5d9a85a45171769072ee14d29d3b89d26eb22b327663c9e06ee02891a7ccce7093ac5206f669a7bef246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un244693.exe

Filesize
558KB

MD5
047a03983bacd77278510d3ad734dea3

SHA1
85a6429e9903ded1df87b53fc768f28706228108

SHA256
298dba634fbf6b169d0b18dedae0177b7990e8f7aa797e21aad84e285b174a65

SHA512
c2e176fc1e5889551230d7334ea073fe6aa6ca255d9d5d9a85a45171769072ee14d29d3b89d26eb22b327663c9e06ee02891a7ccce7093ac5206f669a7bef246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0027.exe

Filesize
307KB

MD5
35862b58ad091f3f00009fa92eea8eb9

SHA1
efa9945ffb6518c50dab019f7b140af873de0d82

SHA256
903d199338f1d027ded36772cd8892f338a5a2137d194afba01ad55e53ace62e

SHA512
4d725def45962ea7f959e3bdda1608c06f65dc2ba30026ed2e1c01d727272ac0daafcf787e805ca16c1748f5b3325df93aeddbf3d00cd6744da4a57b0b26a56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0027.exe

Filesize
307KB

MD5
35862b58ad091f3f00009fa92eea8eb9

SHA1
efa9945ffb6518c50dab019f7b140af873de0d82

SHA256
903d199338f1d027ded36772cd8892f338a5a2137d194afba01ad55e53ace62e

SHA512
4d725def45962ea7f959e3bdda1608c06f65dc2ba30026ed2e1c01d727272ac0daafcf787e805ca16c1748f5b3325df93aeddbf3d00cd6744da4a57b0b26a56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8075.exe

Filesize
365KB

MD5
1fbd9aacd93d5960b4cfe706b9f10578

SHA1
10c1a950ae17aa929aacbeb38e7234ffd8873c6b

SHA256
43e5af23e53c5d65fbfbe8a9cd26973b013ee960767ced6aaac923e7cb27d94a

SHA512
b797ba2e7539d95f44012cc4fd9b806521ef97c4cba2622d6970dfd06b752090283902b4ca93bd8a80b5000973afd59c15fafb507fe3c29d268b64d0acae4d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8075.exe

Filesize
365KB

MD5
1fbd9aacd93d5960b4cfe706b9f10578

SHA1
10c1a950ae17aa929aacbeb38e7234ffd8873c6b

SHA256
43e5af23e53c5d65fbfbe8a9cd26973b013ee960767ced6aaac923e7cb27d94a

SHA512
b797ba2e7539d95f44012cc4fd9b806521ef97c4cba2622d6970dfd06b752090283902b4ca93bd8a80b5000973afd59c15fafb507fe3c29d268b64d0acae4d97

Download Submit
memory/3336-148-0x0000000004DB0000-0x0000000005354000-memory.dmp

Filesize
5.6MB

Download
memory/3336-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/3336-150-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3336-151-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3336-152-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3336-153-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-154-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-156-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-158-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-160-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-162-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-164-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-166-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-168-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-170-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-174-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-176-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-178-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-180-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3336-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3336-182-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3336-183-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3336-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3924-190-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/3924-191-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-193-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-195-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-194-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-192-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-197-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-199-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-201-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-203-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-205-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-207-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-209-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-211-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-213-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-215-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-217-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-219-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-221-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-223-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-225-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-227-0x0000000002770000-0x00000000027AF000-memory.dmp

Filesize
252KB

Download
memory/3924-1100-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/3924-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3924-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3924-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3924-1104-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/3924-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3924-1108-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-1109-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-1110-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-1111-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/3924-1112-0x00000000068F0000-0x0000000006E1C000-memory.dmp

Filesize
5.2MB

Download
memory/3924-1113-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3924-1114-0x0000000008220000-0x0000000008296000-memory.dmp

Filesize
472KB

Download
memory/3924-1115-0x00000000082B0000-0x0000000008300000-memory.dmp

Filesize
320KB

Download
memory/4376-1121-0x00000000008D0000-0x0000000000902000-memory.dmp

Filesize
200KB

Download
memory/4376-1122-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download