redline | c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0

Analysis

max time kernel
128s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe
Size

695KB
MD5

307f8b9bd6937074b57130acc0d3b38d
SHA1

64f756f41857025a0813ad878d7a382e520335f6
SHA256

c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0
SHA512

a5fe6972c8e21d8111fb0a8ec1cbd51b0cd01bbd49d995d38b8efcbccae14ea9bea7bf95b7ce073a850d881852e5265335e16e55bfc289eb922d55bc0831886e
SSDEEP

12288:RMroy90uvhFW+4RogBuwLsRzi8O+avPS0zvxfJ1kX/NINoPr:VyXT6RNkwLwzi8OPycvt4VINoD

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5076.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5076.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/1428-192-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-194-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-191-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-196-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-198-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-200-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-202-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-204-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-206-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-208-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-210-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-212-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-215-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-219-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-220-0x0000000004E30000-0x0000000004E40000-memory.dmp	family_redline
behavioral1/memory/1428-222-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-224-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-226-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-228-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/1428-1111-0x0000000004E30000-0x0000000004E40000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1252	un612799.exe
972	pro5076.exe
1428	qu4917.exe
1352	si449408.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5076.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un612799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un612799.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1732	sc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
972	pro5076.exe
972	pro5076.exe
1428	qu4917.exe
1428	qu4917.exe
1352	si449408.exe
1352	si449408.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	pro5076.exe
Token: SeDebugPrivilege	1428	qu4917.exe
Token: SeDebugPrivilege	1352	si449408.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 1252	3820	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe	84
PID 3820 wrote to memory of 1252	3820	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe	84
PID 3820 wrote to memory of 1252	3820	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe	84
PID 1252 wrote to memory of 972	1252	un612799.exe	85
PID 1252 wrote to memory of 972	1252	un612799.exe	85
PID 1252 wrote to memory of 972	1252	un612799.exe	85
PID 1252 wrote to memory of 1428	1252	un612799.exe	91
PID 1252 wrote to memory of 1428	1252	un612799.exe	91
PID 1252 wrote to memory of 1428	1252	un612799.exe	91
PID 3820 wrote to memory of 1352	3820	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe	92
PID 3820 wrote to memory of 1352	3820	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe	92
PID 3820 wrote to memory of 1352	3820	c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe	92

C:\Users\Admin\AppData\Local\Temp\c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe
"C:\Users\Admin\AppData\Local\Temp\c3bc09ca7f306dda59167240348380e83e1ffec57a4dca10a4c110bd552672d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un612799.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un612799.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5076.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5076.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4917.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4917.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si449408.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si449408.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si449408.exe

Filesize
175KB

MD5
2aeaa5a0da725f5411b91bfc68dcea57

SHA1
6a4f85c0f05a103fd6c25ee4b3849608773c3cfc

SHA256
a57f0a8e51d4dd54ad8e936eb99af69d44c83d75c2c1a3c8ff570b57d21f044d

SHA512
d7ce6584ba24a1ed030eaf12017ad8ab962e7e5c5ff4698911ecca18a2539abec9b511b1411c97313ebbb20d57bfea7fe752dc3e0da63b9da943da55c086f900

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si449408.exe

Filesize
175KB

MD5
2aeaa5a0da725f5411b91bfc68dcea57

SHA1
6a4f85c0f05a103fd6c25ee4b3849608773c3cfc

SHA256
a57f0a8e51d4dd54ad8e936eb99af69d44c83d75c2c1a3c8ff570b57d21f044d

SHA512
d7ce6584ba24a1ed030eaf12017ad8ab962e7e5c5ff4698911ecca18a2539abec9b511b1411c97313ebbb20d57bfea7fe752dc3e0da63b9da943da55c086f900

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un612799.exe

Filesize
553KB

MD5
a654ce79e0f1d7fdd5b3690667c25e1c

SHA1
d02c3fea961ced074a61c8c8da3d737f889ec1f5

SHA256
d4f18c08fa2c9ae6a669350ea4556478f242b3786b2c74e11ec9cc51701a4d77

SHA512
b0d4891c8342cd8c5f7df24755243e2a4a91a20b0028344f29e1a6c12a5bc2c63a208dcba22c4182611d125225d118ab38bf88cdbe65036c03150e309b66199b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un612799.exe

Filesize
553KB

MD5
a654ce79e0f1d7fdd5b3690667c25e1c

SHA1
d02c3fea961ced074a61c8c8da3d737f889ec1f5

SHA256
d4f18c08fa2c9ae6a669350ea4556478f242b3786b2c74e11ec9cc51701a4d77

SHA512
b0d4891c8342cd8c5f7df24755243e2a4a91a20b0028344f29e1a6c12a5bc2c63a208dcba22c4182611d125225d118ab38bf88cdbe65036c03150e309b66199b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5076.exe

Filesize
308KB

MD5
3879c1f2256a96bb074d802af8978aba

SHA1
15f7cee0d5c8b02f2611c0d79514abe01f389e67

SHA256
f85e6982de269d3ce24bfb9469e86e6dbd44f3449bf99fa48b09f98ca816041b

SHA512
16670a2c9a32502460d394ed609966d47672258951a3cff2d6834979b22c2efdab5eb5efb3ff51170daae6dc2f50240a9fef3aa20d40decf4e3cd723345d2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5076.exe

Filesize
308KB

MD5
3879c1f2256a96bb074d802af8978aba

SHA1
15f7cee0d5c8b02f2611c0d79514abe01f389e67

SHA256
f85e6982de269d3ce24bfb9469e86e6dbd44f3449bf99fa48b09f98ca816041b

SHA512
16670a2c9a32502460d394ed609966d47672258951a3cff2d6834979b22c2efdab5eb5efb3ff51170daae6dc2f50240a9fef3aa20d40decf4e3cd723345d2624

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4917.exe

Filesize
366KB

MD5
4b0aca5aa06c213b0643cb88e10cc572

SHA1
2bf77a334b1019fe254fd4db4b681b9571f56fee

SHA256
0c410a5401da4b788b52e09fef9e83f84a287472d55730066872ae54f46b8786

SHA512
fcfe31ae7e042bc869077ba77573515154fb33fc105b9b07294937bff4a7d6f9db88c162f678cd78aefcb9dea172f546fc6413a99e9bb3073479f90e16cbf31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4917.exe

Filesize
366KB

MD5
4b0aca5aa06c213b0643cb88e10cc572

SHA1
2bf77a334b1019fe254fd4db4b681b9571f56fee

SHA256
0c410a5401da4b788b52e09fef9e83f84a287472d55730066872ae54f46b8786

SHA512
fcfe31ae7e042bc869077ba77573515154fb33fc105b9b07294937bff4a7d6f9db88c162f678cd78aefcb9dea172f546fc6413a99e9bb3073479f90e16cbf31d

Download Submit
memory/972-149-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/972-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/972-151-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/972-150-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/972-152-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/972-153-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-154-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-156-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-158-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-160-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-162-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-164-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-166-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-168-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-170-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-172-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-174-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-176-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-178-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-180-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/972-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/972-182-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/972-183-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/972-184-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/972-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1352-1122-0x0000000000F50000-0x0000000000F82000-memory.dmp

Filesize
200KB

Download
memory/1352-1123-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

Filesize
64KB

Download
memory/1428-191-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-226-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-196-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-198-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-200-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-202-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-204-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-206-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-208-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-210-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-212-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-216-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-213-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/1428-215-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-218-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-219-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-220-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-222-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-224-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-194-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-228-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-1101-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/1428-1102-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/1428-1103-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/1428-1104-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/1428-1105-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-1106-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/1428-1107-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/1428-1109-0x00000000065B0000-0x0000000006626000-memory.dmp

Filesize
472KB

Download
memory/1428-1110-0x0000000006640000-0x0000000006690000-memory.dmp

Filesize
320KB

Download
memory/1428-1111-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-1112-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-1113-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-192-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/1428-1114-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1428-1115-0x00000000067F0000-0x00000000069B2000-memory.dmp

Filesize
1.8MB

Download
memory/1428-1116-0x00000000069C0000-0x0000000006EEC000-memory.dmp

Filesize
5.2MB

Download