redline | 440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589

Analysis

max time kernel
100s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe
Size

675KB
MD5

af4d1f6294541cbe1d4e167f8ab2aecc
SHA1

609f563adc635d39cd8cec6d3bdd57ff514bc061
SHA256

440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589
SHA512

76f8f86d8b11c025dd3ad79c3ab124ef268259029f8b4a55f67caac260654de99cbb4ddbfd8a3325138e18c0ab9f32cb7a1e36a6cb57f11dc9f1cdc0c6b50fe8
SSDEEP

12288:4MrGy9048J3aGxYp1f1k6W0F7hW89PgnHdFkaZCrtwREJUm:+y/GxU100F7hSbkjrt4m

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8776.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8776.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/2760-188-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-189-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-191-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-193-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-195-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-197-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-199-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-201-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-203-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-205-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-207-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-209-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-211-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-213-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-215-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-217-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-219-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-221-0x0000000002680000-0x00000000026BF000-memory.dmp	family_redline
behavioral1/memory/2760-534-0x0000000004E20000-0x0000000004E30000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4384	un481840.exe
4604	pro8776.exe
2760	qu1580.exe
3712	si346684.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8776.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8776.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un481840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un481840.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3908	4604	WerFault.exe	85
1768	2760	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4604	pro8776.exe
4604	pro8776.exe
2760	qu1580.exe
2760	qu1580.exe
3712	si346684.exe
3712	si346684.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	pro8776.exe
Token: SeDebugPrivilege	2760	qu1580.exe
Token: SeDebugPrivilege	3712	si346684.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4384	4148	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe	84
PID 4148 wrote to memory of 4384	4148	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe	84
PID 4148 wrote to memory of 4384	4148	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe	84
PID 4384 wrote to memory of 4604	4384	un481840.exe	85
PID 4384 wrote to memory of 4604	4384	un481840.exe	85
PID 4384 wrote to memory of 4604	4384	un481840.exe	85
PID 4384 wrote to memory of 2760	4384	un481840.exe	91
PID 4384 wrote to memory of 2760	4384	un481840.exe	91
PID 4384 wrote to memory of 2760	4384	un481840.exe	91
PID 4148 wrote to memory of 3712	4148	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe	95
PID 4148 wrote to memory of 3712	4148	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe	95
PID 4148 wrote to memory of 3712	4148	440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe	95

C:\Users\Admin\AppData\Local\Temp\440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe
"C:\Users\Admin\AppData\Local\Temp\440aceb6b427a9dfb63f75722c56a31b3e2208865cc275bc93495a85ed18e589.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un481840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un481840.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8776.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8776.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1084
      4⤵
      Program crash
      PID:3908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1580.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1580.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1348
      4⤵
      Program crash
      PID:1768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346684.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346684.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4604 -ip 4604
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2760 -ip 2760
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346684.exe

Filesize
175KB

MD5
0856e2d16a2a7baa19ecc29d68b0d660

SHA1
0c460462bd82bddd3d505ff017862438819b40d5

SHA256
492ac059dab7f6c8f34e231fb441c41e66fba7441648a5da8a1200b8716fbf58

SHA512
13bb376c726f7bf6fdb905ec105042f906d0935108e25a968ea12ba124c92f3c00cd01ca8997e62636c8526520d2e1e176499f6ef4fcf376503fd0d3a9c39ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si346684.exe

Filesize
175KB

MD5
0856e2d16a2a7baa19ecc29d68b0d660

SHA1
0c460462bd82bddd3d505ff017862438819b40d5

SHA256
492ac059dab7f6c8f34e231fb441c41e66fba7441648a5da8a1200b8716fbf58

SHA512
13bb376c726f7bf6fdb905ec105042f906d0935108e25a968ea12ba124c92f3c00cd01ca8997e62636c8526520d2e1e176499f6ef4fcf376503fd0d3a9c39ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un481840.exe

Filesize
533KB

MD5
a1a31b0a07dcf08ec91ac082d84f208d

SHA1
907dd85b6fdd31df0486212bbddde44e07c086b2

SHA256
c849b2f8ffe4b70339c03dbcee2a112bb7527b482bf870d3a001e174ca1c12a8

SHA512
67242b5ab274366d6acfe81f63c372b0fb5b76df7bb96d760869d7a6bc85a853abb2158e2bb689759dcb519a4495c24e170fdd8c9044a7713934ba79c4211358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un481840.exe

Filesize
533KB

MD5
a1a31b0a07dcf08ec91ac082d84f208d

SHA1
907dd85b6fdd31df0486212bbddde44e07c086b2

SHA256
c849b2f8ffe4b70339c03dbcee2a112bb7527b482bf870d3a001e174ca1c12a8

SHA512
67242b5ab274366d6acfe81f63c372b0fb5b76df7bb96d760869d7a6bc85a853abb2158e2bb689759dcb519a4495c24e170fdd8c9044a7713934ba79c4211358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8776.exe

Filesize
272KB

MD5
2b029654324f1231d05e21be43bf840f

SHA1
cf5e63cec149f3f1442029b6917a5eb93f876dcc

SHA256
980293fbe059ca1420b8b4a499df5a4586237859a9a353b73594cd0ee23dc787

SHA512
423678b438ee183afe83da5c2eb8b24960ccb211a4cb94f9030fefc0dd8e5eb257daec5d99562af36d87d426d54e7d6849122ed4cbb4ef755c5a3b42cac12424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8776.exe

Filesize
272KB

MD5
2b029654324f1231d05e21be43bf840f

SHA1
cf5e63cec149f3f1442029b6917a5eb93f876dcc

SHA256
980293fbe059ca1420b8b4a499df5a4586237859a9a353b73594cd0ee23dc787

SHA512
423678b438ee183afe83da5c2eb8b24960ccb211a4cb94f9030fefc0dd8e5eb257daec5d99562af36d87d426d54e7d6849122ed4cbb4ef755c5a3b42cac12424

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1580.exe

Filesize
331KB

MD5
2cab862f0b91418f955b4e4bdedc317e

SHA1
97267993029a71f2edff2817b5c2550fe303958a

SHA256
3e23439cfe538f81673f919f20b3dcc1aba89db526c39de9911b12539b423f54

SHA512
8fffa2f75d5772c6ee2e946580c1a0fb8ece9cc418b34beb9b5b5f1e05a0c7c93294a03edc2c9a3a531053ab23e57cc4a7b3edf5b8e0c7a24969d72e99e0efe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1580.exe

Filesize
331KB

MD5
2cab862f0b91418f955b4e4bdedc317e

SHA1
97267993029a71f2edff2817b5c2550fe303958a

SHA256
3e23439cfe538f81673f919f20b3dcc1aba89db526c39de9911b12539b423f54

SHA512
8fffa2f75d5772c6ee2e946580c1a0fb8ece9cc418b34beb9b5b5f1e05a0c7c93294a03edc2c9a3a531053ab23e57cc4a7b3edf5b8e0c7a24969d72e99e0efe1

Download Submit
memory/2760-1099-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/2760-1100-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/2760-1112-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-1111-0x0000000007120000-0x0000000007170000-memory.dmp

Filesize
320KB

Download
memory/2760-1110-0x0000000007080000-0x00000000070F6000-memory.dmp

Filesize
472KB

Download
memory/2760-1109-0x0000000006A30000-0x0000000006F5C000-memory.dmp

Filesize
5.2MB

Download
memory/2760-1108-0x0000000006850000-0x0000000006A12000-memory.dmp

Filesize
1.8MB

Download
memory/2760-1107-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-1106-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-1105-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-1103-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/2760-1102-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/2760-1101-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-1098-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/2760-1097-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/2760-538-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-534-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-536-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2760-221-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-187-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/2760-188-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-189-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-191-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-193-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-195-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-197-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-199-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-201-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-203-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-205-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-207-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-209-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-211-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-213-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-215-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-217-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/2760-219-0x0000000002680000-0x00000000026BF000-memory.dmp

Filesize
252KB

Download
memory/3712-1118-0x00000000006A0000-0x00000000006D2000-memory.dmp

Filesize
200KB

Download
memory/3712-1119-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4604-172-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-166-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-179-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/4604-178-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-150-0x0000000004D50000-0x00000000052F4000-memory.dmp

Filesize
5.6MB

Download
memory/4604-154-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-176-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-174-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-151-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-170-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-168-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-180-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/4604-164-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-162-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-160-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-158-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-156-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/4604-149-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4604-148-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/4604-182-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/4604-152-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download