redline | b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4

Analysis

max time kernel
68s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Size

695KB
MD5

c95d4d970cda70c280f37991dff60df3
SHA1

aabf35d37e133fe7e72929020d4855c983808230
SHA256

b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4
SHA512

b98cc261874aa981e3537d3b9cbe7dadc979690b72ed4641acfcd738c16b84288af6b58b0f5de4ccf6d309a5aed50bd770b31d9ecf132dc53017b858dfba0448
SSDEEP

12288:yMrKy90qlGLsMZrPJh8yRBwNb6poB3FQMylueujsAvPSezhLJJhKtNAc1SHj3tf/:IyhT8F2yY33FQMylueXAyqhFWtNAcQD1

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8301.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2564-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-195-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-212-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-226-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2564-228-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2704	un850948.exe
4020	pro8301.exe
2564	qu2659.exe
3888	si900092.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8301.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8301.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un850948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un850948.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4020	pro8301.exe
4020	pro8301.exe
2564	qu2659.exe
2564	qu2659.exe
3888	si900092.exe
3888	si900092.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	pro8301.exe
Token: SeDebugPrivilege	2564	qu2659.exe
Token: SeDebugPrivilege	3888	si900092.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2704	2132	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe	84
PID 2132 wrote to memory of 2704	2132	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe	84
PID 2132 wrote to memory of 2704	2132	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe	84
PID 2704 wrote to memory of 4020	2704	un850948.exe	85
PID 2704 wrote to memory of 4020	2704	un850948.exe	85
PID 2704 wrote to memory of 4020	2704	un850948.exe	85
PID 2704 wrote to memory of 2564	2704	un850948.exe	86
PID 2704 wrote to memory of 2564	2704	un850948.exe	86
PID 2704 wrote to memory of 2564	2704	un850948.exe	86
PID 2132 wrote to memory of 3888	2132	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe	88
PID 2132 wrote to memory of 3888	2132	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe	88
PID 2132 wrote to memory of 3888	2132	b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe	88

C:\Users\Admin\AppData\Local\Temp\b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe
"C:\Users\Admin\AppData\Local\Temp\b25c837592a7b8ba2e17e25d0097ce2ff2f52bf725fe43a8afe64d2fdb8dfdb4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un850948.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un850948.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8301.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8301.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2659.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2659.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900092.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900092.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900092.exe

Filesize
175KB

MD5
588298e4a1642cf19fbc977513a06b88

SHA1
e10211e757c8c25b90319f7455ca922c8d6eec12

SHA256
2b93dfbad714d7f53250dcfac12709402fb075ea60591fed0c15650ed0f348c7

SHA512
70952684eea1db26e6f6c9cfc4ee5a8e80a8f1b87056517fa6f6f07323036d221fee2b3a0bdbb6966f9f5f668209e07371ac55e1a3e5a5b58fe6f0c9c884703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si900092.exe

Filesize
175KB

MD5
588298e4a1642cf19fbc977513a06b88

SHA1
e10211e757c8c25b90319f7455ca922c8d6eec12

SHA256
2b93dfbad714d7f53250dcfac12709402fb075ea60591fed0c15650ed0f348c7

SHA512
70952684eea1db26e6f6c9cfc4ee5a8e80a8f1b87056517fa6f6f07323036d221fee2b3a0bdbb6966f9f5f668209e07371ac55e1a3e5a5b58fe6f0c9c884703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un850948.exe

Filesize
553KB

MD5
8910f2d9841571ab26b5f34cc908bedb

SHA1
be151155676960eef389f5a0f80f9ca6899e837c

SHA256
21aa98269129f07730edddeb52a2fff2615d707c0d1e772914cb9ab0a6f98aaa

SHA512
253d11f16b114702ac968147d48cbafcb4ca5f0b893daec5f13ea8632fb16e62e3bdd478863be883ebdb855458d2a3d320e9c3097e6756c17ffa56f70a550c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un850948.exe

Filesize
553KB

MD5
8910f2d9841571ab26b5f34cc908bedb

SHA1
be151155676960eef389f5a0f80f9ca6899e837c

SHA256
21aa98269129f07730edddeb52a2fff2615d707c0d1e772914cb9ab0a6f98aaa

SHA512
253d11f16b114702ac968147d48cbafcb4ca5f0b893daec5f13ea8632fb16e62e3bdd478863be883ebdb855458d2a3d320e9c3097e6756c17ffa56f70a550c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8301.exe

Filesize
308KB

MD5
2919c73923ff4ff4446c4d3fc93d6426

SHA1
913b26af828f67e165f274c12d7f374f9ee03cf6

SHA256
a618946cd47726739ec39655574ac399825fb2b4b9b255c7804ec0f719656eb8

SHA512
2805070d093fe81b38c9221c5f9b8c283407e4ec7ffd13b1b7290466c2ab786ab17023195c97c3f1f936113605ce561801fcae22c3f9245cf8df4daeead7e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8301.exe

Filesize
308KB

MD5
2919c73923ff4ff4446c4d3fc93d6426

SHA1
913b26af828f67e165f274c12d7f374f9ee03cf6

SHA256
a618946cd47726739ec39655574ac399825fb2b4b9b255c7804ec0f719656eb8

SHA512
2805070d093fe81b38c9221c5f9b8c283407e4ec7ffd13b1b7290466c2ab786ab17023195c97c3f1f936113605ce561801fcae22c3f9245cf8df4daeead7e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2659.exe

Filesize
366KB

MD5
ca44214cd177b1b6fc43a37e08aaa08e

SHA1
b28f448c7a018d01a841599189703c2fd630edb9

SHA256
9ccca5c43e227e163c6215200d6e36a2cf92f89d10be27df9b36717dc8a596ff

SHA512
a057175d60a274ee6a4d29c79e99986c247508b6dc5e422111820f0c9923a75c6376db1094ecdae3a188fb3f6ea23a67b7d3570de3518a1df2532116aad993f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2659.exe

Filesize
366KB

MD5
ca44214cd177b1b6fc43a37e08aaa08e

SHA1
b28f448c7a018d01a841599189703c2fd630edb9

SHA256
9ccca5c43e227e163c6215200d6e36a2cf92f89d10be27df9b36717dc8a596ff

SHA512
a057175d60a274ee6a4d29c79e99986c247508b6dc5e422111820f0c9923a75c6376db1094ecdae3a188fb3f6ea23a67b7d3570de3518a1df2532116aad993f3

Download Submit
memory/2564-1102-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2564-1103-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/2564-1116-0x00000000080D0000-0x0000000008120000-memory.dmp

Filesize
320KB

Download
memory/2564-1115-0x00000000047C0000-0x0000000004836000-memory.dmp

Filesize
472KB

Download
memory/2564-1114-0x0000000007A60000-0x0000000007F8C000-memory.dmp

Filesize
5.2MB

Download
memory/2564-1113-0x0000000007880000-0x0000000007A42000-memory.dmp

Filesize
1.8MB

Download
memory/2564-1112-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-1111-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/2564-1110-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/2564-1109-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-1108-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-1107-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-1105-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-1104-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/2564-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-1101-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/2564-228-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-226-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-195-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-196-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-197-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-199-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2564-194-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/2564-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2564-212-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/3888-1122-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/3888-1123-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4020-154-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-149-0x0000000004E40000-0x00000000053E4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-184-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/4020-183-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/4020-182-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/4020-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4020-180-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-150-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/4020-178-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-153-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-176-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4020-172-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-166-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-170-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-164-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-162-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-160-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-158-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-156-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-174-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-168-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4020-148-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/4020-152-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/4020-151-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download