redline | 5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35

Analysis

max time kernel
55s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe
Size

695KB
MD5

1720eb08ac3286cc3ccfe174cf599950
SHA1

9cea76060d030f0815749085ef419856d5ecf3c6
SHA256

5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35
SHA512

7fa2d1ef8c5395d4b47b9dfe8eb5ea0bf5468e26b29b411466dd25fcb6f3bb4b0cbfcd2133129adb559665f5be4c1ba74c6922f380b223df13e60538054571a1
SSDEEP

12288:qMrHy90/K4vm3HHAaqHiVJ9u1vMnh7oUoWdMljyppS:dyyJCHno6KCh7oBKM+pQ

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4391.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3048-180-0x0000000004AE0000-0x0000000004B26000-memory.dmp	family_redline
behavioral1/memory/3048-181-0x00000000051C0000-0x0000000005204000-memory.dmp	family_redline
behavioral1/memory/3048-183-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-182-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-185-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-187-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-189-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-191-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-193-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-195-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-199-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-205-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-202-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-207-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-209-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-211-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-213-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-215-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-217-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline
behavioral1/memory/3048-219-0x00000000051C0000-0x00000000051FF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2120	un443203.exe
2512	pro4391.exe
3048	qu1947.exe
4176	si764033.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4391.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un443203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un443203.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2512	pro4391.exe
2512	pro4391.exe
3048	qu1947.exe
3048	qu1947.exe
4176	si764033.exe
4176	si764033.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	pro4391.exe
Token: SeDebugPrivilege	3048	qu1947.exe
Token: SeDebugPrivilege	4176	si764033.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2120	1804	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe	66
PID 1804 wrote to memory of 2120	1804	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe	66
PID 1804 wrote to memory of 2120	1804	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe	66
PID 2120 wrote to memory of 2512	2120	un443203.exe	67
PID 2120 wrote to memory of 2512	2120	un443203.exe	67
PID 2120 wrote to memory of 2512	2120	un443203.exe	67
PID 2120 wrote to memory of 3048	2120	un443203.exe	68
PID 2120 wrote to memory of 3048	2120	un443203.exe	68
PID 2120 wrote to memory of 3048	2120	un443203.exe	68
PID 1804 wrote to memory of 4176	1804	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe	70
PID 1804 wrote to memory of 4176	1804	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe	70
PID 1804 wrote to memory of 4176	1804	5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe	70

C:\Users\Admin\AppData\Local\Temp\5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe
"C:\Users\Admin\AppData\Local\Temp\5354743482cb420298cbc267bb7f3f46f91e318200ebba81a90fac0ffb921f35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un443203.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un443203.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4391.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4391.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1947.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1947.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si764033.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si764033.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si764033.exe

Filesize
175KB

MD5
85f3991c12e8a2f38d1652af3f29bd51

SHA1
4f6445cf86225248c769ea0a8a1d212f95be40fd

SHA256
2267192954262f75ef9e485297243a327eb108e819b3533908a3eee13e1d6b05

SHA512
e60fbc4c060f9cc5e8889d72fe796608d1e9679e5dca19e45ff250958d8044fc9a5e797905c1dacddd63095ee0479b71fbcb12df1426516d5892ec2542bffd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si764033.exe

Filesize
175KB

MD5
85f3991c12e8a2f38d1652af3f29bd51

SHA1
4f6445cf86225248c769ea0a8a1d212f95be40fd

SHA256
2267192954262f75ef9e485297243a327eb108e819b3533908a3eee13e1d6b05

SHA512
e60fbc4c060f9cc5e8889d72fe796608d1e9679e5dca19e45ff250958d8044fc9a5e797905c1dacddd63095ee0479b71fbcb12df1426516d5892ec2542bffd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un443203.exe

Filesize
553KB

MD5
02af788c4e3863638aa3590f84bed854

SHA1
7ef0cdd342505c058ed062c5f38658bb2d8c9aa0

SHA256
2f55dd98270d3515b4adf4ed515929b9794d34bc64d34337daabd53c5585cd92

SHA512
8e90fa48e1243faf7e57237fa6d9962681d9c04e2a610bfab0bbb790eea2653a251f1de821113a84e343d62f54bd83afad3372f43e321709629ed652d790dffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un443203.exe

Filesize
553KB

MD5
02af788c4e3863638aa3590f84bed854

SHA1
7ef0cdd342505c058ed062c5f38658bb2d8c9aa0

SHA256
2f55dd98270d3515b4adf4ed515929b9794d34bc64d34337daabd53c5585cd92

SHA512
8e90fa48e1243faf7e57237fa6d9962681d9c04e2a610bfab0bbb790eea2653a251f1de821113a84e343d62f54bd83afad3372f43e321709629ed652d790dffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4391.exe

Filesize
308KB

MD5
fb843a64704b355da4dca96b3e255b58

SHA1
8571fa13e3f2f77ca501f4d46264c338e0de68bb

SHA256
24372aa1e8ca15ef7f63e2e78262d1e5f1ea830d7cdf21f3f8c86ecd26a11cef

SHA512
f648c6eb542b3f28c3af3e4ae30e17567f21fe831d643beaddea857bfe75cb99aa2e9b47a65f4e937af9a79415bd1f93c1f414122bc04c5afb7c6460fde5c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4391.exe

Filesize
308KB

MD5
fb843a64704b355da4dca96b3e255b58

SHA1
8571fa13e3f2f77ca501f4d46264c338e0de68bb

SHA256
24372aa1e8ca15ef7f63e2e78262d1e5f1ea830d7cdf21f3f8c86ecd26a11cef

SHA512
f648c6eb542b3f28c3af3e4ae30e17567f21fe831d643beaddea857bfe75cb99aa2e9b47a65f4e937af9a79415bd1f93c1f414122bc04c5afb7c6460fde5c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1947.exe

Filesize
366KB

MD5
118acc06e093441b954a79ad5e261f40

SHA1
7990cb369848342630f50b7fe8ea4a162fb1e144

SHA256
058f912edca4b3befb4ed0762abb679b980d805f18bd0f65c29f77c36edca441

SHA512
01f10f70b9ada29b221ca94cd426b0e091ae5ff0d6e190637c9daaa24a8c937814a9751da748e9f299bef27b9076037857b76c5f405f23a3b9c4f73ba48a04ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1947.exe

Filesize
366KB

MD5
118acc06e093441b954a79ad5e261f40

SHA1
7990cb369848342630f50b7fe8ea4a162fb1e144

SHA256
058f912edca4b3befb4ed0762abb679b980d805f18bd0f65c29f77c36edca441

SHA512
01f10f70b9ada29b221ca94cd426b0e091ae5ff0d6e190637c9daaa24a8c937814a9751da748e9f299bef27b9076037857b76c5f405f23a3b9c4f73ba48a04ed

Download Submit
memory/2512-135-0x0000000002560000-0x000000000257A000-memory.dmp

Filesize
104KB

Download
memory/2512-136-0x0000000004D10000-0x000000000520E000-memory.dmp

Filesize
5.0MB

Download
memory/2512-137-0x00000000027D0000-0x00000000027E8000-memory.dmp

Filesize
96KB

Download
memory/2512-138-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2512-140-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2512-141-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2512-139-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2512-142-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-143-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-145-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-147-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-149-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-151-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-153-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-155-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-157-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-159-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-161-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-163-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-165-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-167-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-169-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2512-170-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2512-171-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2512-172-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2512-173-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/2512-175-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/3048-180-0x0000000004AE0000-0x0000000004B26000-memory.dmp

Filesize
280KB

Download
memory/3048-181-0x00000000051C0000-0x0000000005204000-memory.dmp

Filesize
272KB

Download
memory/3048-183-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-182-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-185-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-187-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-189-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-191-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-193-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-196-0x0000000000800000-0x000000000084B000-memory.dmp

Filesize
300KB

Download
memory/3048-195-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-198-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-200-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-199-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-205-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-203-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-202-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-207-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-209-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-211-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-213-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-215-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-217-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-219-0x00000000051C0000-0x00000000051FF000-memory.dmp

Filesize
252KB

Download
memory/3048-1092-0x0000000005980000-0x0000000005F86000-memory.dmp

Filesize
6.0MB

Download
memory/3048-1093-0x00000000053F0000-0x00000000054FA000-memory.dmp

Filesize
1.0MB

Download
memory/3048-1094-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/3048-1095-0x0000000005550000-0x000000000558E000-memory.dmp

Filesize
248KB

Download
memory/3048-1096-0x00000000056A0000-0x00000000056EB000-memory.dmp

Filesize
300KB

Download
memory/3048-1097-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-1098-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/3048-1099-0x0000000006500000-0x0000000006592000-memory.dmp

Filesize
584KB

Download
memory/3048-1101-0x0000000006700000-0x00000000068C2000-memory.dmp

Filesize
1.8MB

Download
memory/3048-1102-0x00000000068D0000-0x0000000006DFC000-memory.dmp

Filesize
5.2MB

Download
memory/3048-1103-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-1104-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-1105-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3048-1106-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/3048-1107-0x0000000006FB0000-0x0000000007000000-memory.dmp

Filesize
320KB

Download
memory/3048-1108-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4176-1114-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/4176-1115-0x00000000050B0000-0x00000000050FB000-memory.dmp

Filesize
300KB

Download
memory/4176-1116-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download