redline | 06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8

Analysis

max time kernel
91s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Size

695KB
MD5

1b5af02ae251b2eaa952a20340449425
SHA1

fa24cdfa5495457fcaf183edecfd61ce3b3f05ea
SHA256

06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8
SHA512

a1d6718b7a2b1e581a395a7987e4ae53ee9ce002eecf4bb96100fbd9f159f16372b32f04acedb4965b56d498c79c4759c2f7d72b74f711d6f4e9d9bca10b6ab3
SSDEEP

12288:9Mr9y90S84AMIemVYmDtcyMBuFlYrZMK2fq3UeFHzbXhJklbsch1M14a:Ayc4A0mVYmxXMB0lYrZig7Tbx8bs21/a

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9807.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9807.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4992-191-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-192-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-194-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-196-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-198-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-200-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-202-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-204-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-206-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-208-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-210-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-212-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-214-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-216-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-218-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-220-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-222-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline
behavioral1/memory/4992-227-0x0000000005310000-0x000000000534F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1496	un792371.exe
1240	pro9807.exe
4992	qu8545.exe
1744	si020432.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9807.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un792371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un792371.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1240	pro9807.exe
1240	pro9807.exe
4992	qu8545.exe
4992	qu8545.exe
1744	si020432.exe
1744	si020432.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	pro9807.exe
Token: SeDebugPrivilege	4992	qu8545.exe
Token: SeDebugPrivilege	1744	si020432.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 1496	4324	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe	83
PID 4324 wrote to memory of 1496	4324	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe	83
PID 4324 wrote to memory of 1496	4324	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe	83
PID 1496 wrote to memory of 1240	1496	un792371.exe	84
PID 1496 wrote to memory of 1240	1496	un792371.exe	84
PID 1496 wrote to memory of 1240	1496	un792371.exe	84
PID 1496 wrote to memory of 4992	1496	un792371.exe	89
PID 1496 wrote to memory of 4992	1496	un792371.exe	89
PID 1496 wrote to memory of 4992	1496	un792371.exe	89
PID 4324 wrote to memory of 1744	4324	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe	94
PID 4324 wrote to memory of 1744	4324	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe	94
PID 4324 wrote to memory of 1744	4324	06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe	94

C:\Users\Admin\AppData\Local\Temp\06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe
"C:\Users\Admin\AppData\Local\Temp\06b4ad3e650e4af119a932edf277de1eea693a2df9754e713a27e7e7072f3ce8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un792371.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un792371.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9807.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9807.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8545.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8545.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si020432.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si020432.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si020432.exe

Filesize
175KB

MD5
081447fe567f6083505866cd5ca79f8d

SHA1
24bcf2934336677f35d4db08013e13fca5e0f46c

SHA256
70cf4d8b40aeccc57e61faa897383632ea862a5b1d138ad81cd05b8a54c746ba

SHA512
0af56160142fbd67821f2c5cf457cb1ca08b5387af97fd387c848011fd9423a2502bb307d55417cfb12b27d717ac9619bc193d426582e07f9a002cb9e4e7e55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si020432.exe

Filesize
175KB

MD5
081447fe567f6083505866cd5ca79f8d

SHA1
24bcf2934336677f35d4db08013e13fca5e0f46c

SHA256
70cf4d8b40aeccc57e61faa897383632ea862a5b1d138ad81cd05b8a54c746ba

SHA512
0af56160142fbd67821f2c5cf457cb1ca08b5387af97fd387c848011fd9423a2502bb307d55417cfb12b27d717ac9619bc193d426582e07f9a002cb9e4e7e55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un792371.exe

Filesize
553KB

MD5
4a01b5ab01f306ad7f5937d0676e2071

SHA1
35b70189c96c91fad6e924463e09ba4ca89e983c

SHA256
bd9ef5dedb2adcf91ef07ab497c896ee91ea1bfb131ff351a992c42493e7f77e

SHA512
6f2518347cd8e28dcb9a5fa0434ef8fdc1c08c990b4222e95a38928a614ac5fbbedd8dcd35fb029488ac00a650fdaa3ac33bf0296a64dfd6e62e87ab06629a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un792371.exe

Filesize
553KB

MD5
4a01b5ab01f306ad7f5937d0676e2071

SHA1
35b70189c96c91fad6e924463e09ba4ca89e983c

SHA256
bd9ef5dedb2adcf91ef07ab497c896ee91ea1bfb131ff351a992c42493e7f77e

SHA512
6f2518347cd8e28dcb9a5fa0434ef8fdc1c08c990b4222e95a38928a614ac5fbbedd8dcd35fb029488ac00a650fdaa3ac33bf0296a64dfd6e62e87ab06629a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9807.exe

Filesize
308KB

MD5
cc9bd046844c2de86423d60e92cb4395

SHA1
dcff383a2dfdc97acf5cd234796acc098da42be3

SHA256
728b5fc5bec2637c9d4fd64c04aed16c49240c21472f22faf41da8d16f2dc93a

SHA512
acfae258b0fc87934a413446a27d0aa323c4d4abebed9e0793c9a797ccc9719cb906c7f57c6b5d213cfaf4b930ce63c3330d2607db84adbb6c573fc2fe574bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9807.exe

Filesize
308KB

MD5
cc9bd046844c2de86423d60e92cb4395

SHA1
dcff383a2dfdc97acf5cd234796acc098da42be3

SHA256
728b5fc5bec2637c9d4fd64c04aed16c49240c21472f22faf41da8d16f2dc93a

SHA512
acfae258b0fc87934a413446a27d0aa323c4d4abebed9e0793c9a797ccc9719cb906c7f57c6b5d213cfaf4b930ce63c3330d2607db84adbb6c573fc2fe574bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8545.exe

Filesize
366KB

MD5
0411dc2d6a340d6f16b8fbbcf509eb67

SHA1
fba7c37d5ff8bb7223daf71c293a1d16cb1c1fa4

SHA256
1fc8c0457602cc0a892de6fb40ff6d5b585d711f7eb15c80ccb14d77f24a8df8

SHA512
851321647ef8499f808eb75ff06189b405857f0c7896d7526af3e8a79066e92b6302f23fe9b3a9946e87783aa21ce3cd79222c14ec60fe95eee2e8e2c4dd5c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8545.exe

Filesize
366KB

MD5
0411dc2d6a340d6f16b8fbbcf509eb67

SHA1
fba7c37d5ff8bb7223daf71c293a1d16cb1c1fa4

SHA256
1fc8c0457602cc0a892de6fb40ff6d5b585d711f7eb15c80ccb14d77f24a8df8

SHA512
851321647ef8499f808eb75ff06189b405857f0c7896d7526af3e8a79066e92b6302f23fe9b3a9946e87783aa21ce3cd79222c14ec60fe95eee2e8e2c4dd5c94

Download Submit
memory/1240-148-0x0000000004DD0000-0x0000000005374000-memory.dmp

Filesize
5.6MB

Download
memory/1240-150-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-149-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-152-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-154-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-157-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/1240-156-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-161-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1240-162-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1240-164-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-160-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-158-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1240-166-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-168-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-170-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-172-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-174-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-176-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-178-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-180-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/1240-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1240-182-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1240-183-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1240-184-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1240-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1744-1122-0x0000000000130000-0x0000000000162000-memory.dmp

Filesize
200KB

Download
memory/1744-1124-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1744-1123-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4992-194-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-227-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-198-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-200-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-202-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-204-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-206-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-208-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-210-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-212-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-214-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-216-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-218-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-220-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-223-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/4992-222-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-224-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-226-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-228-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-196-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-1101-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/4992-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/4992-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4992-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4992-1105-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-1107-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/4992-1108-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/4992-1109-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-1110-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-1111-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-1112-0x0000000006950000-0x00000000069C6000-memory.dmp

Filesize
472KB

Download
memory/4992-1113-0x00000000069E0000-0x0000000006A30000-memory.dmp

Filesize
320KB

Download
memory/4992-192-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-191-0x0000000005310000-0x000000000534F000-memory.dmp

Filesize
252KB

Download
memory/4992-1114-0x0000000006A40000-0x0000000006C02000-memory.dmp

Filesize
1.8MB

Download
memory/4992-1115-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/4992-1116-0x0000000006C10000-0x000000000713C000-memory.dmp

Filesize
5.2MB

Download