redline | bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637

Analysis

max time kernel
50s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe
Size

695KB
MD5

748c744146cc89baf8ef8fd9191aa02a
SHA1

7b0cb3cf9c91119c8c838b5cb352e31dec75f0fd
SHA256

bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637
SHA512

cf6784b536a01d8c071e7e6608a6eaff5c9233c53e411f3a930f327cb20a6bad14aef78d1c901968a1a5290382e65a879ea98de2580983f10f372dbac8a7b468
SSDEEP

12288:UMrNy90287RN5FphxgVnGmbW8W1LRzhaZHBovTeSnz3M5vPS1zxCnJ0plmR2r/pv:pyx8v/pclWzkZqvTe8z3M5y1xYmppLb

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2384.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/3088-179-0x00000000025A0000-0x00000000025E6000-memory.dmp	family_redline
behavioral1/memory/3088-180-0x0000000002840000-0x0000000002884000-memory.dmp	family_redline
behavioral1/memory/3088-181-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-182-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-184-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-186-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-188-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-190-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-192-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-194-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-196-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-203-0x0000000000950000-0x0000000000960000-memory.dmp	family_redline
behavioral1/memory/3088-204-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-200-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-206-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-208-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-210-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-212-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-214-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-216-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/3088-218-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2344	un108755.exe
2440	pro2384.exe
3088	qu3858.exe
4252	si498186.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2384.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2384.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un108755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un108755.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2440	pro2384.exe
2440	pro2384.exe
3088	qu3858.exe
3088	qu3858.exe
4252	si498186.exe
4252	si498186.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	pro2384.exe
Token: SeDebugPrivilege	3088	qu3858.exe
Token: SeDebugPrivilege	4252	si498186.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2344	2064	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe	66
PID 2064 wrote to memory of 2344	2064	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe	66
PID 2064 wrote to memory of 2344	2064	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe	66
PID 2344 wrote to memory of 2440	2344	un108755.exe	67
PID 2344 wrote to memory of 2440	2344	un108755.exe	67
PID 2344 wrote to memory of 2440	2344	un108755.exe	67
PID 2344 wrote to memory of 3088	2344	un108755.exe	68
PID 2344 wrote to memory of 3088	2344	un108755.exe	68
PID 2344 wrote to memory of 3088	2344	un108755.exe	68
PID 2064 wrote to memory of 4252	2064	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe	70
PID 2064 wrote to memory of 4252	2064	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe	70
PID 2064 wrote to memory of 4252	2064	bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe	70

C:\Users\Admin\AppData\Local\Temp\bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe
"C:\Users\Admin\AppData\Local\Temp\bf6cc72a1e7cbcdb27b467b8537d161fac6d7ea5ae55636d6a16943366b70637.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108755.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108755.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2384.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2384.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3858.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3858.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498186.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498186.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498186.exe

Filesize
175KB

MD5
3ccc9217282b3a6018255d9088a22bee

SHA1
15285860f944b095738ece3b9b488fa77eface3b

SHA256
e7b3fbc87c8ef806c366fa1bda4060cbd4087d0a0539da376588ebfea3fd7b6c

SHA512
b27fa8e877ea33c4a1c92e3ab8f4cf099ac6868d1678cfb3eae6190d82be68e9776da301f78f30efefc62ffa771a36f61c261ca9f21402b664bbdb6a50663cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si498186.exe

Filesize
175KB

MD5
3ccc9217282b3a6018255d9088a22bee

SHA1
15285860f944b095738ece3b9b488fa77eface3b

SHA256
e7b3fbc87c8ef806c366fa1bda4060cbd4087d0a0539da376588ebfea3fd7b6c

SHA512
b27fa8e877ea33c4a1c92e3ab8f4cf099ac6868d1678cfb3eae6190d82be68e9776da301f78f30efefc62ffa771a36f61c261ca9f21402b664bbdb6a50663cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108755.exe

Filesize
553KB

MD5
bf2f59094d1fc2944e3423b89b14af77

SHA1
0d4306f4d4134daec069b70e08ce7f8db47f49e7

SHA256
49fa7ac91c1429d840941af8801611622d1d408d155a2ff7fb52e2e6420e4534

SHA512
4afd09a8b93fc4933c1d9fdf2fa71d3f6f664b1e07310779c680964e696da392b49f8c36fa87676e272e484af63e7ffc342d3e7e13bf4cca1f6c62d7e60f6abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un108755.exe

Filesize
553KB

MD5
bf2f59094d1fc2944e3423b89b14af77

SHA1
0d4306f4d4134daec069b70e08ce7f8db47f49e7

SHA256
49fa7ac91c1429d840941af8801611622d1d408d155a2ff7fb52e2e6420e4534

SHA512
4afd09a8b93fc4933c1d9fdf2fa71d3f6f664b1e07310779c680964e696da392b49f8c36fa87676e272e484af63e7ffc342d3e7e13bf4cca1f6c62d7e60f6abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2384.exe

Filesize
308KB

MD5
ad6c9c40a1e6502f20cd847372e1f7df

SHA1
69f254cb39455418ff28a798a1b2036c5e505bf4

SHA256
da94b5c21ad1e5eeb08928ec4c8cdc1b115b749df58ccec31fdd1486e152f281

SHA512
d6a4de98ec07eaaf1135466242cc48e0fa023c7b731891bd6dee13eedc3f486667f7925018e9e3fb2c40ef170668f406d6c84625f995563c08610152eb7dfef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2384.exe

Filesize
308KB

MD5
ad6c9c40a1e6502f20cd847372e1f7df

SHA1
69f254cb39455418ff28a798a1b2036c5e505bf4

SHA256
da94b5c21ad1e5eeb08928ec4c8cdc1b115b749df58ccec31fdd1486e152f281

SHA512
d6a4de98ec07eaaf1135466242cc48e0fa023c7b731891bd6dee13eedc3f486667f7925018e9e3fb2c40ef170668f406d6c84625f995563c08610152eb7dfef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3858.exe

Filesize
366KB

MD5
655c47980b697e2fee1de4065c5db986

SHA1
e5245cc8ca3cd45a72b99afc3f426d0181406f08

SHA256
52074323c3a94a890583dc036a2314124a88117d923a8735c7ff0bf3cc6d8cff

SHA512
75f5ca14a95a59700d2dd0e63433eac905b4a501a7e4ca3bda0e6aab307a76081e50ac154669d6a69fc8b1a6d7b5fc27c6c6470b42205b5a1c7f024258bff057

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3858.exe

Filesize
366KB

MD5
655c47980b697e2fee1de4065c5db986

SHA1
e5245cc8ca3cd45a72b99afc3f426d0181406f08

SHA256
52074323c3a94a890583dc036a2314124a88117d923a8735c7ff0bf3cc6d8cff

SHA512
75f5ca14a95a59700d2dd0e63433eac905b4a501a7e4ca3bda0e6aab307a76081e50ac154669d6a69fc8b1a6d7b5fc27c6c6470b42205b5a1c7f024258bff057

Download Submit
memory/2440-136-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/2440-137-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2440-138-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2440-139-0x0000000004E30000-0x000000000532E000-memory.dmp

Filesize
5.0MB

Download
memory/2440-140-0x0000000002430000-0x0000000002448000-memory.dmp

Filesize
96KB

Download
memory/2440-141-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-142-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-144-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-146-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-148-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-150-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-152-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-154-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-156-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-158-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-160-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-162-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-164-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-166-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-168-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/2440-169-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2440-170-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2440-171-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2440-172-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2440-174-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3088-179-0x00000000025A0000-0x00000000025E6000-memory.dmp

Filesize
280KB

Download
memory/3088-180-0x0000000002840000-0x0000000002884000-memory.dmp

Filesize
272KB

Download
memory/3088-181-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-182-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-184-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-186-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-188-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-190-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-192-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-194-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-197-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/3088-196-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-198-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-201-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-203-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-204-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-200-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-206-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-208-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-210-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-212-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-214-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-216-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-218-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/3088-1091-0x0000000005840000-0x0000000005E46000-memory.dmp

Filesize
6.0MB

Download
memory/3088-1092-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/3088-1093-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/3088-1094-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-1095-0x0000000005410000-0x000000000544E000-memory.dmp

Filesize
248KB

Download
memory/3088-1096-0x0000000005560000-0x00000000055AB000-memory.dmp

Filesize
300KB

Download
memory/3088-1098-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/3088-1099-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3088-1100-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-1101-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-1102-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/3088-1103-0x0000000006700000-0x00000000068C2000-memory.dmp

Filesize
1.8MB

Download
memory/3088-1104-0x00000000068D0000-0x0000000006DFC000-memory.dmp

Filesize
5.2MB

Download
memory/3088-1105-0x0000000006F40000-0x0000000006FB6000-memory.dmp

Filesize
472KB

Download
memory/3088-1106-0x0000000006FC0000-0x0000000007010000-memory.dmp

Filesize
320KB

Download
memory/3088-1107-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/4252-1113-0x00000000008D0000-0x0000000000902000-memory.dmp

Filesize
200KB

Download
memory/4252-1114-0x0000000005310000-0x000000000535B000-memory.dmp

Filesize
300KB

Download
memory/4252-1115-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download