redline | bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478

Analysis

max time kernel
61s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe
Size

694KB
MD5

884a2a3f3396153e77705c0bff02ea06
SHA1

8a0fc42306e84baae05ba22bbd1ef47087d7a112
SHA256

bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478
SHA512

712f3285b9b19465f8e33591a762095aaf150f86eac811bac26fdd1c10f9c4821728ddbc9f51062c7dfb63b59b30fc450def9b30ed0331eac856991dd129f253
SSDEEP

12288:WMrYy90Ccm8XaCqfQO0Hc7bNudQCOlV24CvPS3zkVDJml+sq:mysDTOsQNlCOlV2ByDkl0g

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7488.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7488.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/1168-191-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-192-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-194-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-196-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-198-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-200-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-202-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-204-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-206-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-208-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-210-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-212-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-214-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-216-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-218-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-220-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-222-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline
behavioral1/memory/1168-224-0x0000000002890000-0x00000000028CF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2356	un475741.exe
4852	pro7488.exe
1168	qu4666.exe
5048	si139931.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7488.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7488.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un475741.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un475741.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4852	pro7488.exe
4852	pro7488.exe
1168	qu4666.exe
1168	qu4666.exe
5048	si139931.exe
5048	si139931.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	pro7488.exe
Token: SeDebugPrivilege	1168	qu4666.exe
Token: SeDebugPrivilege	5048	si139931.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2356	1464	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe	84
PID 1464 wrote to memory of 2356	1464	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe	84
PID 1464 wrote to memory of 2356	1464	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe	84
PID 2356 wrote to memory of 4852	2356	un475741.exe	85
PID 2356 wrote to memory of 4852	2356	un475741.exe	85
PID 2356 wrote to memory of 4852	2356	un475741.exe	85
PID 2356 wrote to memory of 1168	2356	un475741.exe	90
PID 2356 wrote to memory of 1168	2356	un475741.exe	90
PID 2356 wrote to memory of 1168	2356	un475741.exe	90
PID 1464 wrote to memory of 5048	1464	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe	94
PID 1464 wrote to memory of 5048	1464	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe	94
PID 1464 wrote to memory of 5048	1464	bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe	94

C:\Users\Admin\AppData\Local\Temp\bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe
"C:\Users\Admin\AppData\Local\Temp\bc4c608d2a408c7f2846dca4b476bef5fa4f9b8fd98e7b6bbb4614e5cdd60478.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un475741.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un475741.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7488.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7488.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4666.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4666.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139931.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139931.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139931.exe

Filesize
175KB

MD5
b55e98358d364388ecf0c35c65dbe575

SHA1
8e3a89a9e6a7b0e7477b077b92575a656e618f1e

SHA256
d1f348c52283b5efe0becee8a2f8c06e183939cdebc51624a667a477c1cdf89e

SHA512
e96ac90b3e2bf19c3641e9db2ed4a01e02e909e5feb062269426d63b8c367e2d81530fabc2c410c4e2da91db0e548aa2af61eceebf4a81e1878f012a5c45bf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si139931.exe

Filesize
175KB

MD5
b55e98358d364388ecf0c35c65dbe575

SHA1
8e3a89a9e6a7b0e7477b077b92575a656e618f1e

SHA256
d1f348c52283b5efe0becee8a2f8c06e183939cdebc51624a667a477c1cdf89e

SHA512
e96ac90b3e2bf19c3641e9db2ed4a01e02e909e5feb062269426d63b8c367e2d81530fabc2c410c4e2da91db0e548aa2af61eceebf4a81e1878f012a5c45bf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un475741.exe

Filesize
553KB

MD5
c45d3369693fd5c73c0999d402de1880

SHA1
333a9c62f72ccf040069ae03c7bd7228e5888f8c

SHA256
e9a0843a61cd63614067bf824243e5ae6c82d6aad813d197e4b0cf67c67efa10

SHA512
faca05594f2660f1a236454af0031935eceb7718d920cb9d9eb10466ef940af585d8b69f96d49f353ab7a3836aa5ed221341fce91600fba7c0b6094d00dd46f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un475741.exe

Filesize
553KB

MD5
c45d3369693fd5c73c0999d402de1880

SHA1
333a9c62f72ccf040069ae03c7bd7228e5888f8c

SHA256
e9a0843a61cd63614067bf824243e5ae6c82d6aad813d197e4b0cf67c67efa10

SHA512
faca05594f2660f1a236454af0031935eceb7718d920cb9d9eb10466ef940af585d8b69f96d49f353ab7a3836aa5ed221341fce91600fba7c0b6094d00dd46f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7488.exe

Filesize
308KB

MD5
22af177d6ba368b0b3600c4a6843e280

SHA1
71918ead59cc437262539f5aceee4b3e4c78ad1e

SHA256
47b108171c6baf73813bc0aabf033cbc7b5e802749d521c7bd5331f31c26158c

SHA512
6fb115f68c099c8e2ee05916096cdca2c423ff350830d430931107d9276b2ad412bcfe339ce24a4346920e3329dfc03c23f2bb5cb6f4dbd94e2dbb16af9def52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7488.exe

Filesize
308KB

MD5
22af177d6ba368b0b3600c4a6843e280

SHA1
71918ead59cc437262539f5aceee4b3e4c78ad1e

SHA256
47b108171c6baf73813bc0aabf033cbc7b5e802749d521c7bd5331f31c26158c

SHA512
6fb115f68c099c8e2ee05916096cdca2c423ff350830d430931107d9276b2ad412bcfe339ce24a4346920e3329dfc03c23f2bb5cb6f4dbd94e2dbb16af9def52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4666.exe

Filesize
366KB

MD5
862f828ea7da190e9ee1a0adbaad9f2c

SHA1
7f87c1ad161e71637b43a85ba12cf0150af1d20a

SHA256
46c3554b2ac8b5622ab6b3e5ca919a4e5e78aeb0b4e94b2fe971bfb88399b71b

SHA512
dca8e9a6a34425ade27809b3831555827204bc9010537bb2179e76f821873d546ea574a868994a5cf2740f57803401409848aeb9ae6509e1688263c111788345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4666.exe

Filesize
366KB

MD5
862f828ea7da190e9ee1a0adbaad9f2c

SHA1
7f87c1ad161e71637b43a85ba12cf0150af1d20a

SHA256
46c3554b2ac8b5622ab6b3e5ca919a4e5e78aeb0b4e94b2fe971bfb88399b71b

SHA512
dca8e9a6a34425ade27809b3831555827204bc9010537bb2179e76f821873d546ea574a868994a5cf2740f57803401409848aeb9ae6509e1688263c111788345

Download Submit
memory/1168-1102-0x0000000005B10000-0x0000000005C1A000-memory.dmp

Filesize
1.0MB

Download
memory/1168-233-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-204-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-206-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-1115-0x00000000073A0000-0x0000000007416000-memory.dmp

Filesize
472KB

Download
memory/1168-1114-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-1113-0x0000000006A00000-0x0000000006F2C000-memory.dmp

Filesize
5.2MB

Download
memory/1168-1112-0x0000000006810000-0x00000000069D2000-memory.dmp

Filesize
1.8MB

Download
memory/1168-1111-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-1110-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-208-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-1109-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-1108-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/1168-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/1168-1105-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/1168-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/1168-1101-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/1168-235-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-218-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-230-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1168-227-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/1168-224-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-191-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-192-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-194-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-196-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-198-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-200-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-202-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-222-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-1116-0x0000000007430000-0x0000000007480000-memory.dmp

Filesize
320KB

Download
memory/1168-220-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-210-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-212-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-214-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/1168-216-0x0000000002890000-0x00000000028CF000-memory.dmp

Filesize
252KB

Download
memory/4852-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4852-170-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-148-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/4852-152-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4852-149-0x0000000000900000-0x000000000092D000-memory.dmp

Filesize
180KB

Download
memory/4852-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4852-184-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4852-183-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4852-182-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4852-151-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4852-153-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-180-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-178-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-176-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-174-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-172-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-168-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-166-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-164-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-162-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-160-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-158-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-154-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4852-150-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4852-156-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/5048-1122-0x0000000000BC0000-0x0000000000BF2000-memory.dmp

Filesize
200KB

Download
memory/5048-1123-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download