redline | d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03

Analysis

max time kernel
56s
max time network
58s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe
Size

694KB
MD5

831f304cde2bb9169ab587a517bde631
SHA1

e639927ab07f57281a79f834cff8cb71dff0061a
SHA256

d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03
SHA512

9e025a562703baff4746745c8ded85974cb88936758d53b1ae38db13c4dafa7bacf29e0e699c4a8d787e1f10d248a50eeda1ae822198f3431c2803a720f76444
SSDEEP

12288:/Mr2y90iAOzm0qkhzz12ipFDtfERjpSPZY8WejWJhvPSfzi48J+Ap2l:Fybbzm5klIUFxUjwx1Wny7i1Ec2l

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/4748-181-0x00000000024D0000-0x0000000002516000-memory.dmp	family_redline
behavioral1/memory/4748-182-0x0000000002840000-0x0000000002884000-memory.dmp	family_redline
behavioral1/memory/4748-183-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-184-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-186-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-188-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-190-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-192-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-194-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-196-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-198-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-200-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-204-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-202-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-206-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-208-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-210-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-212-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-214-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-217-0x0000000002840000-0x000000000287F000-memory.dmp	family_redline
behavioral1/memory/4748-1100-0x0000000004F00000-0x0000000004F10000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4228	un920876.exe
3652	pro0238.exe
4748	qu8623.exe
1308	si272380.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0238.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un920876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un920876.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3652	pro0238.exe
3652	pro0238.exe
4748	qu8623.exe
4748	qu8623.exe
1308	si272380.exe
1308	si272380.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	pro0238.exe
Token: SeDebugPrivilege	4748	qu8623.exe
Token: SeDebugPrivilege	1308	si272380.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 4228	3752	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe	66
PID 3752 wrote to memory of 4228	3752	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe	66
PID 3752 wrote to memory of 4228	3752	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe	66
PID 4228 wrote to memory of 3652	4228	un920876.exe	67
PID 4228 wrote to memory of 3652	4228	un920876.exe	67
PID 4228 wrote to memory of 3652	4228	un920876.exe	67
PID 4228 wrote to memory of 4748	4228	un920876.exe	68
PID 4228 wrote to memory of 4748	4228	un920876.exe	68
PID 4228 wrote to memory of 4748	4228	un920876.exe	68
PID 3752 wrote to memory of 1308	3752	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe	70
PID 3752 wrote to memory of 1308	3752	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe	70
PID 3752 wrote to memory of 1308	3752	d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe	70

C:\Users\Admin\AppData\Local\Temp\d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe
"C:\Users\Admin\AppData\Local\Temp\d52572f05b941a3350541450089dcfd6b704eec482ad5600e20f310f034fba03.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un920876.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un920876.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272380.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272380.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272380.exe

Filesize
175KB

MD5
d5bfb1b3a561c04fdf5abc7e3b3c1b80

SHA1
603e3bac0d6c72f95090342c3401353a0dde0db3

SHA256
d197006e8b1908c392c1d4d5a11274f7802f23cfb16a8e9318cef3dba67a9cb4

SHA512
bd43c44930be805e54e005bc5d4fae0330313dab96b2f4666f10c2e55a9756252e4c6276b3f78ee35ef45a6144bdebdb32ab79621db43ba6510c1abe3eeb7fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si272380.exe

Filesize
175KB

MD5
d5bfb1b3a561c04fdf5abc7e3b3c1b80

SHA1
603e3bac0d6c72f95090342c3401353a0dde0db3

SHA256
d197006e8b1908c392c1d4d5a11274f7802f23cfb16a8e9318cef3dba67a9cb4

SHA512
bd43c44930be805e54e005bc5d4fae0330313dab96b2f4666f10c2e55a9756252e4c6276b3f78ee35ef45a6144bdebdb32ab79621db43ba6510c1abe3eeb7fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un920876.exe

Filesize
552KB

MD5
6a984f4420c825dec156ea3ff136fdc8

SHA1
5d3492038ad63cd46ebd89a361a61554903621bd

SHA256
055d8de63602eac47a7e80259767976c13661ccec11ff793b7d743d867ebc097

SHA512
d792a417ad5dd765f3df935d931c69e63382c90a11e9299985b504f9240cbb8b45b3188d0c26a4c167785754d7a169f5ecd50949466d470f2352c99aebb547fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un920876.exe

Filesize
552KB

MD5
6a984f4420c825dec156ea3ff136fdc8

SHA1
5d3492038ad63cd46ebd89a361a61554903621bd

SHA256
055d8de63602eac47a7e80259767976c13661ccec11ff793b7d743d867ebc097

SHA512
d792a417ad5dd765f3df935d931c69e63382c90a11e9299985b504f9240cbb8b45b3188d0c26a4c167785754d7a169f5ecd50949466d470f2352c99aebb547fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe

Filesize
308KB

MD5
e4739b50092098f64b64eba5e8a404ce

SHA1
8dbdf66c01a1b74b1e8f2ad0231cbad63d2b5956

SHA256
5eef785974c874b2e4172fc4e9f5529f6722270b099ff6f9b16cf5df6f46d7bd

SHA512
b2a5e4dff0bfed7135f9257e7ea687fde3ced9359b66e78f072b7a154a61fbe7d8d5009af12a215d4c67dfa1a7647d2e02ab7fd1ec9af7d274debb4bd10e3b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0238.exe

Filesize
308KB

MD5
e4739b50092098f64b64eba5e8a404ce

SHA1
8dbdf66c01a1b74b1e8f2ad0231cbad63d2b5956

SHA256
5eef785974c874b2e4172fc4e9f5529f6722270b099ff6f9b16cf5df6f46d7bd

SHA512
b2a5e4dff0bfed7135f9257e7ea687fde3ced9359b66e78f072b7a154a61fbe7d8d5009af12a215d4c67dfa1a7647d2e02ab7fd1ec9af7d274debb4bd10e3b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe

Filesize
366KB

MD5
4c217f8e2e569341e496b85c73282679

SHA1
438504c57ee7d52150cf567b6e8d73761aa41305

SHA256
c21a4a1a11e897469ad1a24f148b1c243ac6f9d79ca0d673b3985e424d51b19e

SHA512
dd9e3b34116f67f3187462619b2347d4eff7684e599483e991857dc331a46dbd2f09ac1418d6fe3da08e465fe775480d7e560acfdb562e4c5fe1a537a14fb9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe

Filesize
366KB

MD5
4c217f8e2e569341e496b85c73282679

SHA1
438504c57ee7d52150cf567b6e8d73761aa41305

SHA256
c21a4a1a11e897469ad1a24f148b1c243ac6f9d79ca0d673b3985e424d51b19e

SHA512
dd9e3b34116f67f3187462619b2347d4eff7684e599483e991857dc331a46dbd2f09ac1418d6fe3da08e465fe775480d7e560acfdb562e4c5fe1a537a14fb9d2

Download Submit
memory/1308-1115-0x0000000000FD0000-0x0000000001002000-memory.dmp

Filesize
200KB

Download
memory/1308-1116-0x0000000005B90000-0x0000000005BA0000-memory.dmp

Filesize
64KB

Download
memory/1308-1117-0x0000000005A10000-0x0000000005A5B000-memory.dmp

Filesize
300KB

Download
memory/3652-146-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-158-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-141-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3652-140-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3652-142-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3652-143-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-144-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-138-0x0000000004CB0000-0x00000000051AE000-memory.dmp

Filesize
5.0MB

Download
memory/3652-148-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-150-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-152-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-154-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-156-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-139-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/3652-160-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-162-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-164-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-166-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-168-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-170-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3652-171-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3652-172-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3652-173-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3652-174-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3652-176-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3652-137-0x0000000002280000-0x000000000229A000-memory.dmp

Filesize
104KB

Download
memory/3652-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4748-183-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-216-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/4748-186-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-188-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-190-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-192-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-194-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-196-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-198-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-200-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-204-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-202-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-206-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-208-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-210-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-212-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-214-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-217-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-218-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-184-0x0000000002840000-0x000000000287F000-memory.dmp

Filesize
252KB

Download
memory/4748-223-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-221-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-1093-0x0000000005410000-0x0000000005A16000-memory.dmp

Filesize
6.0MB

Download
memory/4748-1094-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/4748-1095-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/4748-1096-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-1097-0x0000000005A20000-0x0000000005A5E000-memory.dmp

Filesize
248KB

Download
memory/4748-1098-0x0000000005B70000-0x0000000005BBB000-memory.dmp

Filesize
300KB

Download
memory/4748-1100-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-1101-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-1102-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-1103-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/4748-1104-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/4748-1105-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/4748-1106-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/4748-182-0x0000000002840000-0x0000000002884000-memory.dmp

Filesize
272KB

Download
memory/4748-181-0x00000000024D0000-0x0000000002516000-memory.dmp

Filesize
280KB

Download
memory/4748-1107-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4748-1108-0x0000000006E00000-0x0000000006E76000-memory.dmp

Filesize
472KB

Download
memory/4748-1109-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download