redline | 32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe
Size

695KB
MD5

38376aeb19e6e4e035dca7e61be9b641
SHA1

831747920e510446d5c9a935b1e7ec9b2fb8cb3a
SHA256

32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390
SHA512

24a84db7bc7f7b97229951fe1265c4170c7e0930cf09d803341abe0c0c8cdbaaf0fcb2a37c5289a56cbc6fe46c830634fba62bb2088c611d2d2c084f69fa5aee
SSDEEP

12288:6Mr3y90jz3XovatTFaIJDtUr122ouPlyQNkSmh6MSF0azzAsJ8HIag0d2DS58I:VyOHovaTJxo22oelyQNShKxzj+o2z

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9107.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9107.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/3428-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-196-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-226-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/3428-228-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3168	un294558.exe
1128	pro9107.exe
3428	qu9622.exe
1072	si803413.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9107.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9107.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un294558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un294558.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1128	pro9107.exe
1128	pro9107.exe
3428	qu9622.exe
3428	qu9622.exe
1072	si803413.exe
1072	si803413.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	pro9107.exe
Token: SeDebugPrivilege	3428	qu9622.exe
Token: SeDebugPrivilege	1072	si803413.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 3168	1956	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe	79
PID 1956 wrote to memory of 3168	1956	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe	79
PID 1956 wrote to memory of 3168	1956	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe	79
PID 3168 wrote to memory of 1128	3168	un294558.exe	80
PID 3168 wrote to memory of 1128	3168	un294558.exe	80
PID 3168 wrote to memory of 1128	3168	un294558.exe	80
PID 3168 wrote to memory of 3428	3168	un294558.exe	87
PID 3168 wrote to memory of 3428	3168	un294558.exe	87
PID 3168 wrote to memory of 3428	3168	un294558.exe	87
PID 1956 wrote to memory of 1072	1956	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe	91
PID 1956 wrote to memory of 1072	1956	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe	91
PID 1956 wrote to memory of 1072	1956	32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe	91

C:\Users\Admin\AppData\Local\Temp\32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe
"C:\Users\Admin\AppData\Local\Temp\32ab61332e9f6a8cd06d02f8a02feb5b4e8a2dd1bc05e4b43812dacb93aee390.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294558.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294558.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9107.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9107.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9622.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9622.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803413.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803413.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803413.exe

Filesize
175KB

MD5
ed961037458b2dbe070acc744367af14

SHA1
7aafda61550ae17d85bd20c33988fc01d6d740cd

SHA256
437fc2729d3f32d6fcafea319bc4e6dcd88e4cc0410b4c7fc9b7f8013e79e3c3

SHA512
b48b0bda6dfb22d33b0ed9cc7999543e2075f1bf0662092a12d4a9f058da816f1301b402b4b77e11c200ffe0f6168c6b58fa411c3db5fad697bd3a0c0ef9ec8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si803413.exe

Filesize
175KB

MD5
ed961037458b2dbe070acc744367af14

SHA1
7aafda61550ae17d85bd20c33988fc01d6d740cd

SHA256
437fc2729d3f32d6fcafea319bc4e6dcd88e4cc0410b4c7fc9b7f8013e79e3c3

SHA512
b48b0bda6dfb22d33b0ed9cc7999543e2075f1bf0662092a12d4a9f058da816f1301b402b4b77e11c200ffe0f6168c6b58fa411c3db5fad697bd3a0c0ef9ec8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294558.exe

Filesize
553KB

MD5
83739bfa4ec44be583455f118aabc06d

SHA1
4a3c66082893228aeea43be169be69387b16cda0

SHA256
603748c73c7b1e9947711fa7249d8088f0bc1b459b353a7d8ecbf171a8363771

SHA512
f153d13b74669bb7c027bb910bcbac47795563788a14c553d0900e4ced318f5691ec4f8bae66ddf183c3defecb614dc79142cf66d91f4616c15a78528064f30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un294558.exe

Filesize
553KB

MD5
83739bfa4ec44be583455f118aabc06d

SHA1
4a3c66082893228aeea43be169be69387b16cda0

SHA256
603748c73c7b1e9947711fa7249d8088f0bc1b459b353a7d8ecbf171a8363771

SHA512
f153d13b74669bb7c027bb910bcbac47795563788a14c553d0900e4ced318f5691ec4f8bae66ddf183c3defecb614dc79142cf66d91f4616c15a78528064f30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9107.exe

Filesize
308KB

MD5
797d3f47dfd6cf796aea3658da0ce9b0

SHA1
e9a2e271ce78496a9f629fd1840b8086706edc9f

SHA256
7ccc221f49db3f191c1cb8a2d808029f8fbe9d4e7d7d0db21cbca5f2f7fc12f0

SHA512
08e3f01e6f258a62b27f4cde31688506be9adad80699da8a14f029e3df695ae13a8c7b94dc599ae6290a6609cfc173246b516748efe9bd4404ae97642b13e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9107.exe

Filesize
308KB

MD5
797d3f47dfd6cf796aea3658da0ce9b0

SHA1
e9a2e271ce78496a9f629fd1840b8086706edc9f

SHA256
7ccc221f49db3f191c1cb8a2d808029f8fbe9d4e7d7d0db21cbca5f2f7fc12f0

SHA512
08e3f01e6f258a62b27f4cde31688506be9adad80699da8a14f029e3df695ae13a8c7b94dc599ae6290a6609cfc173246b516748efe9bd4404ae97642b13e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9622.exe

Filesize
366KB

MD5
307a0a3fd8a8e8b2bb2d29eb6557f908

SHA1
525ac88f603cb72672159e14479c9bd73c8ed059

SHA256
f78998b2b0a3e8993cb7e30a66609915f8f75310cf5c79276cd57c24b5592465

SHA512
6a3f62d4bf8fa327c6c050868e0725167feee9061c3619733b9f59cca982de0022968c7230e1878ad24bd4ebcddd8064fda04b353160b65b9c96b372dc7b476f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9622.exe

Filesize
366KB

MD5
307a0a3fd8a8e8b2bb2d29eb6557f908

SHA1
525ac88f603cb72672159e14479c9bd73c8ed059

SHA256
f78998b2b0a3e8993cb7e30a66609915f8f75310cf5c79276cd57c24b5592465

SHA512
6a3f62d4bf8fa327c6c050868e0725167feee9061c3619733b9f59cca982de0022968c7230e1878ad24bd4ebcddd8064fda04b353160b65b9c96b372dc7b476f

Download Submit
memory/1072-1122-0x00000000008B0000-0x00000000008E2000-memory.dmp

Filesize
200KB

Download
memory/1072-1123-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1128-151-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-170-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-155-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-156-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1128-158-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-154-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1128-150-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/1128-160-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-162-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-164-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-168-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-166-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-152-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1128-172-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-174-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-176-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-178-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-180-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1128-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1128-182-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1128-183-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1128-184-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/1128-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1128-148-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/3428-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-226-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-196-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-209-0x0000000000740000-0x000000000078B000-memory.dmp

Filesize
300KB

Download
memory/3428-211-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-212-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-214-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-228-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-1101-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/3428-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3428-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3428-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3428-1105-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-1106-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/3428-1107-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3428-1109-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-1110-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-1111-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-1112-0x0000000006850000-0x0000000006A12000-memory.dmp

Filesize
1.8MB

Download
memory/3428-1113-0x0000000006A30000-0x0000000006F5C000-memory.dmp

Filesize
5.2MB

Download
memory/3428-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3428-1114-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3428-1115-0x0000000008470000-0x00000000084E6000-memory.dmp

Filesize
472KB

Download
memory/3428-1116-0x0000000008500000-0x0000000008550000-memory.dmp

Filesize
320KB

Download