redline | 2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6

Analysis

max time kernel
97s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe
Size

695KB
MD5

a6545d941aee6e8de1b09ddcd25cf3a6
SHA1

47b9da4c27be43f7a0d756ae493ccd0abc40b7ce
SHA256

2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6
SHA512

4681b740fe2459fe26feb26efb56cab0821e6e78548bac1193094d362fb91cf71acc281af84cbcf856597e91226ef4fb8a71343cfb2437d0443c56d7b3159389
SSDEEP

12288:GMr1y90Gc7C7Au8L3wZDo3oNcCljfwV6IEhJtrRyNH7vPSee49JQJvYMidFnod8:Lyf7AtL3m83oNcR6BztVebyeegsvridt

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9066.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9066.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/824-190-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-191-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-193-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-195-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-197-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-199-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-201-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-203-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-205-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-207-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-209-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-211-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-213-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-215-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-217-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-219-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-221-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline
behavioral1/memory/824-223-0x00000000025E0000-0x000000000261F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4156	un429030.exe
4200	pro9066.exe
824	qu2365.exe
1824	si137203.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9066.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un429030.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un429030.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4200	pro9066.exe
4200	pro9066.exe
824	qu2365.exe
824	qu2365.exe
1824	si137203.exe
1824	si137203.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	pro9066.exe
Token: SeDebugPrivilege	824	qu2365.exe
Token: SeDebugPrivilege	1824	si137203.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4156	4432	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe	84
PID 4432 wrote to memory of 4156	4432	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe	84
PID 4432 wrote to memory of 4156	4432	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe	84
PID 4156 wrote to memory of 4200	4156	un429030.exe	85
PID 4156 wrote to memory of 4200	4156	un429030.exe	85
PID 4156 wrote to memory of 4200	4156	un429030.exe	85
PID 4156 wrote to memory of 824	4156	un429030.exe	89
PID 4156 wrote to memory of 824	4156	un429030.exe	89
PID 4156 wrote to memory of 824	4156	un429030.exe	89
PID 4432 wrote to memory of 1824	4432	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe	90
PID 4432 wrote to memory of 1824	4432	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe	90
PID 4432 wrote to memory of 1824	4432	2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe	90

C:\Users\Admin\AppData\Local\Temp\2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe
"C:\Users\Admin\AppData\Local\Temp\2b7b221c9c9a9c06f411a806bd11b24dd4f73265803ae4dd4f1a049f740318a6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429030.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429030.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9066.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9066.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2365.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2365.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137203.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137203.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137203.exe

Filesize
175KB

MD5
05965576f69d7109a97e0b8c05dd6031

SHA1
c2d9c0fb268726c79f8a7961b5a4607dcf4a0674

SHA256
9de4d9969696bb63c7c415f9bedde1766480bb68f0f2c95f784687529ba180a2

SHA512
a1952066af7d9d1a3ac41f1d72da1b4c8fac1db71f25c1ef8fe4a0a0d8ccd3807b78d4af29d247e6fedc744ff49c621aa14beb3f3df7331c32e3960098d6e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137203.exe

Filesize
175KB

MD5
05965576f69d7109a97e0b8c05dd6031

SHA1
c2d9c0fb268726c79f8a7961b5a4607dcf4a0674

SHA256
9de4d9969696bb63c7c415f9bedde1766480bb68f0f2c95f784687529ba180a2

SHA512
a1952066af7d9d1a3ac41f1d72da1b4c8fac1db71f25c1ef8fe4a0a0d8ccd3807b78d4af29d247e6fedc744ff49c621aa14beb3f3df7331c32e3960098d6e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429030.exe

Filesize
553KB

MD5
6552d44f85f87672b5697547444712b0

SHA1
f005f73c1ff4d730a8bd4e747dbe962bcb1af960

SHA256
828a928fdf47b5636dd382a528b142b879da1ca8876e66251a7093fa12818a27

SHA512
c10e4fbc71a512dae4fd4bc0f6cb0b360dc50c09cf14737ee30e162cd3099e15387f4bc0b135a525f59837df1e88821630e3814f152af81cbf2988e374e10468

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un429030.exe

Filesize
553KB

MD5
6552d44f85f87672b5697547444712b0

SHA1
f005f73c1ff4d730a8bd4e747dbe962bcb1af960

SHA256
828a928fdf47b5636dd382a528b142b879da1ca8876e66251a7093fa12818a27

SHA512
c10e4fbc71a512dae4fd4bc0f6cb0b360dc50c09cf14737ee30e162cd3099e15387f4bc0b135a525f59837df1e88821630e3814f152af81cbf2988e374e10468

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9066.exe

Filesize
308KB

MD5
7280096240c1cff6f53ecafcd9014da9

SHA1
cd317951a67aca4b03c2dfbab4042cbcad08c2a8

SHA256
b0fedcca47341af4d9ead597f35ff081ba82b92c989b2282310dfa27c8bb602f

SHA512
835ba56c93a2075ce27a02b218e2a35d1d7923c91d32e3f48ff50ad0d91747260323a002188298a4eade09ebb9c644408c837860b27f2a347435f5ece386b1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9066.exe

Filesize
308KB

MD5
7280096240c1cff6f53ecafcd9014da9

SHA1
cd317951a67aca4b03c2dfbab4042cbcad08c2a8

SHA256
b0fedcca47341af4d9ead597f35ff081ba82b92c989b2282310dfa27c8bb602f

SHA512
835ba56c93a2075ce27a02b218e2a35d1d7923c91d32e3f48ff50ad0d91747260323a002188298a4eade09ebb9c644408c837860b27f2a347435f5ece386b1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2365.exe

Filesize
366KB

MD5
119bb88030814a3f703a143ab1882169

SHA1
dda5f31ba8febb8582fea9b4a563b1a8092d7942

SHA256
e05d767ce319a422c9f45c8feed9859526d3a38f917e1937abb36468076e232f

SHA512
83a9304969f865d9a3bc83b2751a88a869e1f91325dcd2ebcbf4c25a0c363f8118ad26233891ad7493c599001c6f6e5f6c0bf36fb7a888891ccb5f0478a48c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2365.exe

Filesize
366KB

MD5
119bb88030814a3f703a143ab1882169

SHA1
dda5f31ba8febb8582fea9b4a563b1a8092d7942

SHA256
e05d767ce319a422c9f45c8feed9859526d3a38f917e1937abb36468076e232f

SHA512
83a9304969f865d9a3bc83b2751a88a869e1f91325dcd2ebcbf4c25a0c363f8118ad26233891ad7493c599001c6f6e5f6c0bf36fb7a888891ccb5f0478a48c5e

Download Submit
memory/824-1099-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/824-1102-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/824-1114-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-1113-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-1112-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-1111-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-1110-0x00000000069D0000-0x0000000006EFC000-memory.dmp

Filesize
5.2MB

Download
memory/824-1109-0x0000000006800000-0x00000000069C2000-memory.dmp

Filesize
1.8MB

Download
memory/824-1107-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/824-1106-0x00000000066F0000-0x0000000006766000-memory.dmp

Filesize
472KB

Download
memory/824-1105-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/824-1104-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/824-1103-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-1101-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/824-1100-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/824-498-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-496-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/824-495-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/824-223-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-221-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-219-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-217-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-190-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-191-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-193-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-195-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-197-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-199-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-201-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-203-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-205-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-207-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-209-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-211-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-213-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/824-215-0x00000000025E0000-0x000000000261F000-memory.dmp

Filesize
252KB

Download
memory/1824-1120-0x0000000000850000-0x0000000000882000-memory.dmp

Filesize
200KB

Download
memory/1824-1121-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4200-173-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4200-182-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4200-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4200-180-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4200-150-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4200-179-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-177-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-155-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-175-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-153-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-183-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4200-165-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-167-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-169-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-163-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-161-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-159-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-157-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-152-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-149-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4200-171-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4200-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4200-151-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download