redline | 1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea

Analysis

max time kernel
59s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe
Size

695KB
MD5

3f1c880ee026438df177f88779f9a797
SHA1

e99f3fcb5746f128736b4dc504cbdcda090ab3c5
SHA256

1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea
SHA512

789e74bf39fd2614b1281b3e783194fa917b1800345ca453c0a44fe7f4eece39a89eff939ea3f195b91f0c13f57bd10000417f7389913774af38a7b85d2dcb63
SSDEEP

12288:zMr/y90e0yy3R+dxP31P/rzNTBtr/Uj5qvPSAzaHdJR69LeCtLE4slmd+DH:Iyl0pBSxPlPPrtAdqy4a9OUQLEzlmkDH

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3851.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3851.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3851.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3851.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3851.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3851.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2764-191-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-192-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-194-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-196-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-198-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-200-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-202-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-204-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-206-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-208-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-210-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-212-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-214-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-216-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-218-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-220-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-225-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline
behavioral1/memory/2764-228-0x0000000002760000-0x000000000279F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
224	un040726.exe
4704	pro3851.exe
2764	qu9471.exe
2276	si065520.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3851.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3851.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un040726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un040726.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4704	pro3851.exe
4704	pro3851.exe
2764	qu9471.exe
2764	qu9471.exe
2276	si065520.exe
2276	si065520.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4704	pro3851.exe
Token: SeDebugPrivilege	2764	qu9471.exe
Token: SeDebugPrivilege	2276	si065520.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 224	3340	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe	84
PID 3340 wrote to memory of 224	3340	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe	84
PID 3340 wrote to memory of 224	3340	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe	84
PID 224 wrote to memory of 4704	224	un040726.exe	85
PID 224 wrote to memory of 4704	224	un040726.exe	85
PID 224 wrote to memory of 4704	224	un040726.exe	85
PID 224 wrote to memory of 2764	224	un040726.exe	89
PID 224 wrote to memory of 2764	224	un040726.exe	89
PID 224 wrote to memory of 2764	224	un040726.exe	89
PID 3340 wrote to memory of 2276	3340	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe	90
PID 3340 wrote to memory of 2276	3340	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe	90
PID 3340 wrote to memory of 2276	3340	1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe	90

C:\Users\Admin\AppData\Local\Temp\1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe
"C:\Users\Admin\AppData\Local\Temp\1ad53c2428a36b81b63094cc8fe46a27d1eba3b91fb5f192c9a1a7a4d3c1a8ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un040726.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un040726.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3851.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3851.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9471.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9471.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si065520.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si065520.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si065520.exe

Filesize
175KB

MD5
a17c5092ce074312c3fb8877cff60e52

SHA1
28c25fbfa752dbfdb545f1cbfb4421ee0affc5d1

SHA256
753366f8074acc311c0f7d14ab7cbc4b0a63ffd3fe743e1606b5146f3149e9fa

SHA512
142d764d2033123809520ca280e0886eb8a31f415cca69303f93528fe24dd0b3891f84ba7d4cdf4621b5f518951de8ed0f332d802e2563f10910f118f3728deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si065520.exe

Filesize
175KB

MD5
a17c5092ce074312c3fb8877cff60e52

SHA1
28c25fbfa752dbfdb545f1cbfb4421ee0affc5d1

SHA256
753366f8074acc311c0f7d14ab7cbc4b0a63ffd3fe743e1606b5146f3149e9fa

SHA512
142d764d2033123809520ca280e0886eb8a31f415cca69303f93528fe24dd0b3891f84ba7d4cdf4621b5f518951de8ed0f332d802e2563f10910f118f3728deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un040726.exe

Filesize
553KB

MD5
cffbef6053378f6d1972049ac0a13dfd

SHA1
775784d02c7d3dfbe62ae3ab801e70eb662e88fa

SHA256
c2c552687070d183a9119f52e1f8f1124ae501dad195f48dd46e481cd0f08d92

SHA512
6bfeb54ac5ede6e81c2d103ad60a4ccd17fc7798fe9c4ba5925c5bf718b03ff7b5d85b17174caa1fbbb28a645b1fc77a680cb1c1561b7fae90cd0c55c9b135d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un040726.exe

Filesize
553KB

MD5
cffbef6053378f6d1972049ac0a13dfd

SHA1
775784d02c7d3dfbe62ae3ab801e70eb662e88fa

SHA256
c2c552687070d183a9119f52e1f8f1124ae501dad195f48dd46e481cd0f08d92

SHA512
6bfeb54ac5ede6e81c2d103ad60a4ccd17fc7798fe9c4ba5925c5bf718b03ff7b5d85b17174caa1fbbb28a645b1fc77a680cb1c1561b7fae90cd0c55c9b135d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3851.exe

Filesize
308KB

MD5
f116708551fb0d6ec325c71ac4118c1e

SHA1
8aa6f94cc0f47f1f8e5ba12f6c219e13b85dd89c

SHA256
40311a1aa71ec2a2be2ad9c45e4799264df6defaa99a8e9d7d0de1516dbc72cc

SHA512
9dd165ecd69a43fa7599480d7f60850c248b9f999e5c6335dbb38603a7693167475151718d9fa6c7e162ecede57c22e7c592328f33397b93e2c8c52e481ff4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3851.exe

Filesize
308KB

MD5
f116708551fb0d6ec325c71ac4118c1e

SHA1
8aa6f94cc0f47f1f8e5ba12f6c219e13b85dd89c

SHA256
40311a1aa71ec2a2be2ad9c45e4799264df6defaa99a8e9d7d0de1516dbc72cc

SHA512
9dd165ecd69a43fa7599480d7f60850c248b9f999e5c6335dbb38603a7693167475151718d9fa6c7e162ecede57c22e7c592328f33397b93e2c8c52e481ff4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9471.exe

Filesize
366KB

MD5
fbeb20b73848dd859351acdb43197396

SHA1
6d0e40de58ec36b81bdfe4597ac7746c753a4cc9

SHA256
83209a6e1be013495a4819a0ec8973ffab08d069b3394d596423d8951391ffb7

SHA512
971245bbf294fdb6cb1f08b04fd8a9ad2845b5dedbd1da1a617b0d5aa55a121eeab4df65047e3aadaddc40d6320f9ecaf267b853095c4f9faad2c5e951053611

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9471.exe

Filesize
366KB

MD5
fbeb20b73848dd859351acdb43197396

SHA1
6d0e40de58ec36b81bdfe4597ac7746c753a4cc9

SHA256
83209a6e1be013495a4819a0ec8973ffab08d069b3394d596423d8951391ffb7

SHA512
971245bbf294fdb6cb1f08b04fd8a9ad2845b5dedbd1da1a617b0d5aa55a121eeab4df65047e3aadaddc40d6320f9ecaf267b853095c4f9faad2c5e951053611

Download Submit
memory/2276-1123-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2276-1122-0x0000000000740000-0x0000000000772000-memory.dmp

Filesize
200KB

Download
memory/2764-1102-0x0000000005B20000-0x0000000005C2A000-memory.dmp

Filesize
1.0MB

Download
memory/2764-1104-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-1116-0x0000000007360000-0x00000000073B0000-memory.dmp

Filesize
320KB

Download
memory/2764-1115-0x00000000072E0000-0x0000000007356000-memory.dmp

Filesize
472KB

Download
memory/2764-1114-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-1113-0x0000000006B30000-0x000000000705C000-memory.dmp

Filesize
5.2MB

Download
memory/2764-1112-0x0000000006950000-0x0000000006B12000-memory.dmp

Filesize
1.8MB

Download
memory/2764-1111-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-1110-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-1109-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-1107-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/2764-1106-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/2764-1105-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/2764-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/2764-1101-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/2764-228-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-227-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-224-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-225-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-222-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2764-221-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/2764-191-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-192-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-194-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-196-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-198-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-200-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-202-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-204-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-206-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-208-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-210-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-212-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-214-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-216-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-218-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/2764-220-0x0000000002760000-0x000000000279F000-memory.dmp

Filesize
252KB

Download
memory/4704-174-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4704-183-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4704-155-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-184-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4704-176-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-182-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4704-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4704-169-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-180-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-159-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-178-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-173-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4704-157-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-153-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-170-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4704-172-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4704-167-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-165-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-163-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-161-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-151-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-150-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/4704-149-0x0000000004E20000-0x00000000053C4000-memory.dmp

Filesize
5.6MB

Download
memory/4704-148-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download