redline | c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c

Analysis

max time kernel
139s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe
Size

695KB
MD5

0c40fc767d17b2c5dab60b30afd56c1b
SHA1

b59b680637eb61c4c29764a9c1b25386ec045405
SHA256

c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c
SHA512

9f13628652dcb06bce21667c7d39d6cbedf32bd8e34e8a019f1be1dd9fd168cf3dfa573872ad2c9c87214063d89a0ba048487c4b3e4d51ef1818606cff4377b5
SSDEEP

12288:+MrBy902eh/0v136pm5HFwLwDt3HCAJuPl/KWW4Gg0I7UhNztRjJxgpPMGkeXU:HyFm/8RXrwLwx/Jel/PW4G0UvtZs1MGa

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0184.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/3680-189-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-190-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-192-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-194-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-196-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-198-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-200-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-202-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-208-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-210-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-212-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-214-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-216-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-218-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-220-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-222-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-224-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-226-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/3680-1109-0x0000000002710000-0x0000000002720000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1528	un985096.exe
1028	pro0184.exe
3680	qu7485.exe
1304	si976456.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0184.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0184.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un985096.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un985096.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1004	sc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1028	pro0184.exe
1028	pro0184.exe
3680	qu7485.exe
3680	qu7485.exe
1304	si976456.exe
1304	si976456.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	pro0184.exe
Token: SeDebugPrivilege	3680	qu7485.exe
Token: SeDebugPrivilege	1304	si976456.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1528	4272	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe	85
PID 4272 wrote to memory of 1528	4272	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe	85
PID 4272 wrote to memory of 1528	4272	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe	85
PID 1528 wrote to memory of 1028	1528	un985096.exe	86
PID 1528 wrote to memory of 1028	1528	un985096.exe	86
PID 1528 wrote to memory of 1028	1528	un985096.exe	86
PID 1528 wrote to memory of 3680	1528	un985096.exe	90
PID 1528 wrote to memory of 3680	1528	un985096.exe	90
PID 1528 wrote to memory of 3680	1528	un985096.exe	90
PID 4272 wrote to memory of 1304	4272	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe	92
PID 4272 wrote to memory of 1304	4272	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe	92
PID 4272 wrote to memory of 1304	4272	c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe	92

C:\Users\Admin\AppData\Local\Temp\c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe
"C:\Users\Admin\AppData\Local\Temp\c746dac4a432b4d932d39d3885b928f44b14466e1b1309c0c88cf512ec75a76c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un985096.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un985096.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0184.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0184.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7485.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7485.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si976456.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si976456.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si976456.exe

Filesize
175KB

MD5
56f5aec8536290b2ec7c5f45a2344988

SHA1
2c224cccdfbb69d24db12f8215592d9299df1f9d

SHA256
80183f52347271680f2842a874e79c97bdec161072952793b3578b4859e46e3a

SHA512
240a24c9db5d98e4f71ed12e5082a35bcb5f91f62fbcece9162e38a582ec3e68783ba397d302f9b22a91a0c4b3452d85aeacbb3362484a84babcbf4d94c005b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si976456.exe

Filesize
175KB

MD5
56f5aec8536290b2ec7c5f45a2344988

SHA1
2c224cccdfbb69d24db12f8215592d9299df1f9d

SHA256
80183f52347271680f2842a874e79c97bdec161072952793b3578b4859e46e3a

SHA512
240a24c9db5d98e4f71ed12e5082a35bcb5f91f62fbcece9162e38a582ec3e68783ba397d302f9b22a91a0c4b3452d85aeacbb3362484a84babcbf4d94c005b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un985096.exe

Filesize
553KB

MD5
99a9483a3e0740ed5dca6c269e010679

SHA1
87a49e8a463dfb2d9aa2070f9ac0e417b049e141

SHA256
08bad6549120d86e5d1c9e0c12770a5c042f74cb960113a673592faa24fc66f9

SHA512
55ef73dd25c21aac881c3e5a1cc3034728ac04c0bd4eeceada89633aa2a1e92e54ad4309b1c275c453a786f23cbe1bf73774ee06c280616e7d7b304495518ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un985096.exe

Filesize
553KB

MD5
99a9483a3e0740ed5dca6c269e010679

SHA1
87a49e8a463dfb2d9aa2070f9ac0e417b049e141

SHA256
08bad6549120d86e5d1c9e0c12770a5c042f74cb960113a673592faa24fc66f9

SHA512
55ef73dd25c21aac881c3e5a1cc3034728ac04c0bd4eeceada89633aa2a1e92e54ad4309b1c275c453a786f23cbe1bf73774ee06c280616e7d7b304495518ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0184.exe

Filesize
308KB

MD5
52e3018c983fef24543b38e9376a6857

SHA1
cbea71cf447df9a4b6e698f74d842cb808dd1b94

SHA256
dfd2f96044539d49dc4bec25b6031467f5d1c580db9807969d81030d53b3ee27

SHA512
6ccb27d5631f67cacc8d34792ab793161b53406eb85845b7ea5e3cadd6e1456fac56f627677d0717235373a7cac373f6de458b45cbba973bc52b9110ae6baeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0184.exe

Filesize
308KB

MD5
52e3018c983fef24543b38e9376a6857

SHA1
cbea71cf447df9a4b6e698f74d842cb808dd1b94

SHA256
dfd2f96044539d49dc4bec25b6031467f5d1c580db9807969d81030d53b3ee27

SHA512
6ccb27d5631f67cacc8d34792ab793161b53406eb85845b7ea5e3cadd6e1456fac56f627677d0717235373a7cac373f6de458b45cbba973bc52b9110ae6baeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7485.exe

Filesize
366KB

MD5
f4c572bc73ea107558b996a94f46c11c

SHA1
50f35e287575f9df57a0f6060e539a8824251377

SHA256
961a7fa5ab4e304439ab53aab766dd6b097cc00a7eded71e57d4bcd37fe98368

SHA512
51e3f2096b5a422c53848f215019b647549de171a13e7bcbb8cd66bc6f2f78b85c8b17ec84a14cf8ebf23a02905407cbc0bc418910ef5b949b8ac3b5f1185dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7485.exe

Filesize
366KB

MD5
f4c572bc73ea107558b996a94f46c11c

SHA1
50f35e287575f9df57a0f6060e539a8824251377

SHA256
961a7fa5ab4e304439ab53aab766dd6b097cc00a7eded71e57d4bcd37fe98368

SHA512
51e3f2096b5a422c53848f215019b647549de171a13e7bcbb8cd66bc6f2f78b85c8b17ec84a14cf8ebf23a02905407cbc0bc418910ef5b949b8ac3b5f1185dd4

Download Submit
memory/1028-148-0x0000000004E30000-0x00000000053D4000-memory.dmp

Filesize
5.6MB

Download
memory/1028-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/1028-150-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1028-151-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-152-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-154-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-156-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-158-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-160-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-162-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-164-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-166-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-168-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-170-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-172-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-174-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-176-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-178-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/1028-179-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1028-180-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1028-181-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1028-182-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1028-184-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1304-1120-0x00000000001A0000-0x00000000001D2000-memory.dmp

Filesize
200KB

Download
memory/1304-1122-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/1304-1121-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3680-192-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-226-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-196-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-198-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-200-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-202-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-203-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/3680-204-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-206-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-208-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-207-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-210-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-212-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-214-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-216-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-218-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-220-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-222-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-224-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-194-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-1099-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/3680-1100-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/3680-1101-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/3680-1102-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/3680-1103-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-1104-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/3680-1105-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/3680-1106-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/3680-1107-0x00000000068F0000-0x0000000006E1C000-memory.dmp

Filesize
5.2MB

Download
memory/3680-1109-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-1110-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-1111-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-190-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-189-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/3680-1112-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/3680-1113-0x0000000002560000-0x00000000025D6000-memory.dmp

Filesize
472KB

Download
memory/3680-1114-0x000000000A630000-0x000000000A680000-memory.dmp

Filesize
320KB

Download