redline | 17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50

Analysis

max time kernel
61s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe
Size

696KB
MD5

af673137f046e418a7d4f2676ea914c0
SHA1

a5970d6c89584de7f0f76c9669a975235fb69d2c
SHA256

17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50
SHA512

f435c5695a367850c04f3020512e55fe1e08f3f74ddc0962ff7c1e3e31616d9075eb02c0f90f5dad401a4648ad369d65c123fca27ed30cb676b34e0bc31fc7ec
SSDEEP

12288:vMr7y90dM3LJjeKGgRseGmTonffKWlMf+Ztrf3olst/r4UUzhC3Jay1628hCQ:4yd3hezmaKWWetL3osj98hYQy16Pz

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8207.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/888-191-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-190-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-193-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-195-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-197-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-199-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-201-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-203-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-205-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-207-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-209-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-211-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-213-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-215-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-217-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-220-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-225-0x0000000004E30000-0x0000000004E40000-memory.dmp	family_redline
behavioral1/memory/888-224-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline
behavioral1/memory/888-227-0x0000000004D20000-0x0000000004D5F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4716	un029699.exe
4444	pro8207.exe
888	qu9348.exe
4288	si574031.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8207.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8207.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un029699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un029699.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4444	pro8207.exe
4444	pro8207.exe
888	qu9348.exe
888	qu9348.exe
4288	si574031.exe
4288	si574031.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	pro8207.exe
Token: SeDebugPrivilege	888	qu9348.exe
Token: SeDebugPrivilege	4288	si574031.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4716	4600	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe	84
PID 4600 wrote to memory of 4716	4600	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe	84
PID 4600 wrote to memory of 4716	4600	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe	84
PID 4716 wrote to memory of 4444	4716	un029699.exe	85
PID 4716 wrote to memory of 4444	4716	un029699.exe	85
PID 4716 wrote to memory of 4444	4716	un029699.exe	85
PID 4716 wrote to memory of 888	4716	un029699.exe	90
PID 4716 wrote to memory of 888	4716	un029699.exe	90
PID 4716 wrote to memory of 888	4716	un029699.exe	90
PID 4600 wrote to memory of 4288	4600	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe	94
PID 4600 wrote to memory of 4288	4600	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe	94
PID 4600 wrote to memory of 4288	4600	17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe	94

C:\Users\Admin\AppData\Local\Temp\17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe
"C:\Users\Admin\AppData\Local\Temp\17bb654182369503af75dd756b5c0f4b8047c17228336c1a9ba71f75cb66ef50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029699.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029699.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8207.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8207.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9348.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9348.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si574031.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si574031.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si574031.exe

Filesize
175KB

MD5
97fa437bf0a4fafc8ff8cd2cd22dfefd

SHA1
773d4b341ffea0ad9272efea687fe91d8f1189e3

SHA256
269839497d3a6597260a00e560d7864e3e908938889a8d8cb8d4dc40800b97ec

SHA512
96008cd2ddb1b7db739bd7430e79102bbc6cadcc89d45d4a6ddf2c7f6774ceb0523f0cb114169f88e00611950aa0c757bc7ec53aac96e34736a95720797b0c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si574031.exe

Filesize
175KB

MD5
97fa437bf0a4fafc8ff8cd2cd22dfefd

SHA1
773d4b341ffea0ad9272efea687fe91d8f1189e3

SHA256
269839497d3a6597260a00e560d7864e3e908938889a8d8cb8d4dc40800b97ec

SHA512
96008cd2ddb1b7db739bd7430e79102bbc6cadcc89d45d4a6ddf2c7f6774ceb0523f0cb114169f88e00611950aa0c757bc7ec53aac96e34736a95720797b0c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029699.exe

Filesize
553KB

MD5
937a1237c3c0143ba6e6522b79726fee

SHA1
468b59ac76e4ed2853114ed1651d29f1fd412aab

SHA256
35e2a33ccf9bda0aec8e604c674a7f4e3c2523bcf7c985094a2775de9985351b

SHA512
512ae8ebc6af6eec960180f26ab196f71091f2268dcab124e663741c673863f68a74e4c072d124766baa748e3fcd4e8294e8dbb1764e860ed8b117f8308eb41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029699.exe

Filesize
553KB

MD5
937a1237c3c0143ba6e6522b79726fee

SHA1
468b59ac76e4ed2853114ed1651d29f1fd412aab

SHA256
35e2a33ccf9bda0aec8e604c674a7f4e3c2523bcf7c985094a2775de9985351b

SHA512
512ae8ebc6af6eec960180f26ab196f71091f2268dcab124e663741c673863f68a74e4c072d124766baa748e3fcd4e8294e8dbb1764e860ed8b117f8308eb41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8207.exe

Filesize
308KB

MD5
3ac221812f9262ed003503fabf811fab

SHA1
c6d29be88434ad0760553060deecebc1a67bad44

SHA256
d69442d469de062afade61a21e07cd0c30f734f15e3eab7c00b8024a9229ceaa

SHA512
5873062a472a453bfe50bb0e2d62e3f67bb5b1e5f0395295c6882b6b4e65d09b4dbe31e1ac043bb11191f7fb7fca0a4c4342ce0fb5e92468c98021abac9043e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8207.exe

Filesize
308KB

MD5
3ac221812f9262ed003503fabf811fab

SHA1
c6d29be88434ad0760553060deecebc1a67bad44

SHA256
d69442d469de062afade61a21e07cd0c30f734f15e3eab7c00b8024a9229ceaa

SHA512
5873062a472a453bfe50bb0e2d62e3f67bb5b1e5f0395295c6882b6b4e65d09b4dbe31e1ac043bb11191f7fb7fca0a4c4342ce0fb5e92468c98021abac9043e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9348.exe

Filesize
366KB

MD5
bdd2eddb9014be837c132961f0207a65

SHA1
503bf0f95d636980228531b8491914cd8b1b4da1

SHA256
3f17ea8e14ef43820f941e968f445130bf3010b042841887fea1d5af95ae5ecf

SHA512
9b12a0eb138c63e418370bd976d0b917bf1d515bfea356d2d46abf76518fe2330bee863c19c8caede627cff240bfb88156754dc981ee56779c2020e012e939f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9348.exe

Filesize
366KB

MD5
bdd2eddb9014be837c132961f0207a65

SHA1
503bf0f95d636980228531b8491914cd8b1b4da1

SHA256
3f17ea8e14ef43820f941e968f445130bf3010b042841887fea1d5af95ae5ecf

SHA512
9b12a0eb138c63e418370bd976d0b917bf1d515bfea356d2d46abf76518fe2330bee863c19c8caede627cff240bfb88156754dc981ee56779c2020e012e939f4

Download Submit
memory/888-227-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-1102-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/888-1114-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/888-1113-0x0000000006930000-0x0000000006AF2000-memory.dmp

Filesize
1.8MB

Download
memory/888-1112-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-1111-0x00000000068A0000-0x00000000068F0000-memory.dmp

Filesize
320KB

Download
memory/888-1110-0x0000000006820000-0x0000000006896000-memory.dmp

Filesize
472KB

Download
memory/888-1109-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-1108-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-1106-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/888-1105-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/888-1104-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-1103-0x0000000005B60000-0x0000000005B9C000-memory.dmp

Filesize
240KB

Download
memory/888-1101-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/888-1100-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/888-224-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-225-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-220-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-223-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-221-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/888-219-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/888-217-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-191-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-190-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-193-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-195-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-197-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-199-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-201-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-203-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-205-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-207-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-209-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-211-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-213-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/888-215-0x0000000004D20000-0x0000000004D5F000-memory.dmp

Filesize
252KB

Download
memory/4288-1120-0x0000000000320000-0x0000000000352000-memory.dmp

Filesize
200KB

Download
memory/4288-1121-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/4444-172-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-148-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/4444-182-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4444-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4444-180-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-150-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4444-178-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-176-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-153-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-174-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-152-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4444-183-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4444-164-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-166-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-168-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-162-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-160-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-158-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-156-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-154-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/4444-170-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/4444-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4444-151-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download