redline | ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e

Analysis

max time kernel
95s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe
Size

695KB
MD5

006c16ec48a68326f9f85160fe83634f
SHA1

b6204989c5ce21a6bf7d5fa86519c242f91a1117
SHA256

ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e
SHA512

144ed6bc9b678a39cfd4d5bfe2cf3c76e1b1062a37b190a4bc78c37e4dd94c0399455abb9fbbbfebafd4a58a87bb832234626a1e389dc896dbda79215c8ff93f
SSDEEP

12288:WMrpy90TZhM+qie/JHMtIhpbGsl8ZR0mytz8etYSYagMuYz8D6JVrpXbDT+p:vyuuieBHEIhJ8L0m8zbgMuA8eDVXnip

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5186.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2740-190-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-191-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-193-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-195-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-197-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-199-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-201-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-203-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-205-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-207-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-209-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-211-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-213-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-215-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-217-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-219-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-221-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline
behavioral1/memory/2740-223-0x00000000025C0000-0x00000000025FF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
740	un074043.exe
2060	pro5186.exe
2740	qu1675.exe
3228	si891151.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5186.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un074043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un074043.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2060	pro5186.exe
2060	pro5186.exe
2740	qu1675.exe
2740	qu1675.exe
3228	si891151.exe
3228	si891151.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	pro5186.exe
Token: SeDebugPrivilege	2740	qu1675.exe
Token: SeDebugPrivilege	3228	si891151.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 740	1728	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe	83
PID 1728 wrote to memory of 740	1728	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe	83
PID 1728 wrote to memory of 740	1728	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe	83
PID 740 wrote to memory of 2060	740	un074043.exe	84
PID 740 wrote to memory of 2060	740	un074043.exe	84
PID 740 wrote to memory of 2060	740	un074043.exe	84
PID 740 wrote to memory of 2740	740	un074043.exe	88
PID 740 wrote to memory of 2740	740	un074043.exe	88
PID 740 wrote to memory of 2740	740	un074043.exe	88
PID 1728 wrote to memory of 3228	1728	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe	89
PID 1728 wrote to memory of 3228	1728	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe	89
PID 1728 wrote to memory of 3228	1728	ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe	89

C:\Users\Admin\AppData\Local\Temp\ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe
"C:\Users\Admin\AppData\Local\Temp\ae7b61d79fac8a9f66e98157dda73eb3b1a61e6bc48fec1605156274af5e7c6e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un074043.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un074043.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1675.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1675.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si891151.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si891151.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si891151.exe

Filesize
175KB

MD5
a88c2b3be2d960019e5e81415fa162e4

SHA1
4f51be16020f2eef045af3bbfa538477aeb8d7b6

SHA256
27b19cf8bd73d03f4e6048749260c17f0355d2a21e55d03216155d763c3d1305

SHA512
10fe886bdee5676dd1f64ae5b2b9ae7441c84eaab1e537548a3b9829574301c7b1a427b64cd0201ae3d941647454faa682b182dbf8b10c4f3f8e4f06fd1fc850

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si891151.exe

Filesize
175KB

MD5
a88c2b3be2d960019e5e81415fa162e4

SHA1
4f51be16020f2eef045af3bbfa538477aeb8d7b6

SHA256
27b19cf8bd73d03f4e6048749260c17f0355d2a21e55d03216155d763c3d1305

SHA512
10fe886bdee5676dd1f64ae5b2b9ae7441c84eaab1e537548a3b9829574301c7b1a427b64cd0201ae3d941647454faa682b182dbf8b10c4f3f8e4f06fd1fc850

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un074043.exe

Filesize
553KB

MD5
d2e2d44befcd6c19c17d6f60d5a0f30c

SHA1
0de6b368f0e722d62b4af0fd49c3de62b1bb20d3

SHA256
614294db7dd7524c14a93a71a21b05e22d437f45548e3518a514cea88633fa5c

SHA512
0eb34eab1478c5d5ba4bbab9872fe3c75a03f4ac62856f702e0854e3ead566aade4810df55fa13ca40841afcb4ebada72ddf3f5e3fd1459228856932cc341c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un074043.exe

Filesize
553KB

MD5
d2e2d44befcd6c19c17d6f60d5a0f30c

SHA1
0de6b368f0e722d62b4af0fd49c3de62b1bb20d3

SHA256
614294db7dd7524c14a93a71a21b05e22d437f45548e3518a514cea88633fa5c

SHA512
0eb34eab1478c5d5ba4bbab9872fe3c75a03f4ac62856f702e0854e3ead566aade4810df55fa13ca40841afcb4ebada72ddf3f5e3fd1459228856932cc341c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe

Filesize
308KB

MD5
67442311c0b3336962792d84143e15f5

SHA1
8d9e395ad4c78fc477f4829d5d9b2f4456d0e48f

SHA256
f120ab84cbd02e8844a6bb4742dce499976d8cf87dc28ad771cdf853df26775b

SHA512
0fc24af979774900b54d8239f64701d1ebb00fcca8e8aa70ed25d407113c2a98dfb870b64339eec64adb19042b28a20d51d8097de6a2b4088a9a85ff26e4e831

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe

Filesize
308KB

MD5
67442311c0b3336962792d84143e15f5

SHA1
8d9e395ad4c78fc477f4829d5d9b2f4456d0e48f

SHA256
f120ab84cbd02e8844a6bb4742dce499976d8cf87dc28ad771cdf853df26775b

SHA512
0fc24af979774900b54d8239f64701d1ebb00fcca8e8aa70ed25d407113c2a98dfb870b64339eec64adb19042b28a20d51d8097de6a2b4088a9a85ff26e4e831

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1675.exe

Filesize
366KB

MD5
ca95d2a19b7c4b0106abcd8a7706c2e7

SHA1
d342175c954c19822fb33b2b20041b18ebc98cb9

SHA256
a4f30328ac78f71cbb382b387ea5a48dd775c00496d40f50e12118cfe60c7db1

SHA512
1fb29354824d3721592e5d9b7e70372211718d6ecabd340684c9aab1f8db56e4368a7b8a16367891dbce02f6dee244beaa906e61e9d32994cd7a03d11566dc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1675.exe

Filesize
366KB

MD5
ca95d2a19b7c4b0106abcd8a7706c2e7

SHA1
d342175c954c19822fb33b2b20041b18ebc98cb9

SHA256
a4f30328ac78f71cbb382b387ea5a48dd775c00496d40f50e12118cfe60c7db1

SHA512
1fb29354824d3721592e5d9b7e70372211718d6ecabd340684c9aab1f8db56e4368a7b8a16367891dbce02f6dee244beaa906e61e9d32994cd7a03d11566dc9f

Download Submit
memory/2060-148-0x00000000008F0000-0x000000000091D000-memory.dmp

Filesize
180KB

Download
memory/2060-149-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2060-150-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/2060-151-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2060-152-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2060-153-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-154-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-156-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-158-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-160-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-162-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-164-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-166-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-168-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-170-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-172-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-174-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-176-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-178-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-180-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2060-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2060-182-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2060-183-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2060-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2740-190-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-191-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-193-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-195-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-197-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-199-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-201-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-203-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-205-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-207-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-209-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-211-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-213-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-215-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-217-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-219-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-221-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-223-0x00000000025C0000-0x00000000025FF000-memory.dmp

Filesize
252KB

Download
memory/2740-249-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/2740-253-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-251-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-1099-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/2740-1100-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

Filesize
1.0MB

Download
memory/2740-1101-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/2740-1102-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-1103-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/2740-1104-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/2740-1105-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/2740-1107-0x00000000065C0000-0x0000000006636000-memory.dmp

Filesize
472KB

Download
memory/2740-1108-0x0000000006640000-0x0000000006690000-memory.dmp

Filesize
320KB

Download
memory/2740-1109-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-1110-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-1111-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-1112-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2740-1113-0x0000000006910000-0x0000000006AD2000-memory.dmp

Filesize
1.8MB

Download
memory/2740-1114-0x0000000006AE0000-0x000000000700C000-memory.dmp

Filesize
5.2MB

Download
memory/3228-1120-0x0000000000470000-0x00000000004A2000-memory.dmp

Filesize
200KB

Download
memory/3228-1121-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download