redline | c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70

Analysis

max time kernel
52s
max time network
69s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27/03/2023, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe
Size

695KB
MD5

07cdbf97a992dccbc58200bb3167d55a
SHA1

2118f80cdab97d143da4484a63af72b32fa0f460
SHA256

c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70
SHA512

93b5b61746ef0701076bc9f185a7d99343ce5a5926ff61b3ef01b0dceec591df76cde20ad74d9e893efd56df9963cc636977e1fa53a2da91c01116c7deb0175c
SSDEEP

12288:AMrOy90D2MLM9Xj+Rb1nD33csmkUBUAAoit5NDEuM6cziVIJ1tEhqjrKCMdJ6So:+yjMO2bNcVvUpt5NDyXiuFEnCMdJ6n

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7547.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4616-179-0x0000000000B10000-0x0000000000B56000-memory.dmp	family_redline
behavioral1/memory/4616-180-0x0000000002720000-0x0000000002764000-memory.dmp	family_redline
behavioral1/memory/4616-181-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-182-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-184-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-186-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-188-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-190-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-192-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-194-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-198-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-196-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-200-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-202-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-204-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-206-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-208-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-210-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-212-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline
behavioral1/memory/4616-218-0x0000000002720000-0x000000000275F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
420	un048025.exe
2284	pro7547.exe
4616	qu6749.exe
2984	si896955.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7547.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7547.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un048025.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un048025.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2284	pro7547.exe
2284	pro7547.exe
4616	qu6749.exe
4616	qu6749.exe
2984	si896955.exe
2984	si896955.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	pro7547.exe
Token: SeDebugPrivilege	4616	qu6749.exe
Token: SeDebugPrivilege	2984	si896955.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 420	1884	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe	66
PID 1884 wrote to memory of 420	1884	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe	66
PID 1884 wrote to memory of 420	1884	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe	66
PID 420 wrote to memory of 2284	420	un048025.exe	67
PID 420 wrote to memory of 2284	420	un048025.exe	67
PID 420 wrote to memory of 2284	420	un048025.exe	67
PID 420 wrote to memory of 4616	420	un048025.exe	68
PID 420 wrote to memory of 4616	420	un048025.exe	68
PID 420 wrote to memory of 4616	420	un048025.exe	68
PID 1884 wrote to memory of 2984	1884	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe	70
PID 1884 wrote to memory of 2984	1884	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe	70
PID 1884 wrote to memory of 2984	1884	c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe	70

C:\Users\Admin\AppData\Local\Temp\c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe
"C:\Users\Admin\AppData\Local\Temp\c1031a3f9d2b38503858c38730ba7b8dcab80a871fa106f13af0bd0d25439d70.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un048025.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un048025.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7547.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7547.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6749.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6749.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si896955.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si896955.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si896955.exe

Filesize
175KB

MD5
5244ca87e2d490a959a47fef8e5df47d

SHA1
f221c6194383d5f405c978fdccba409b3b3bfb8d

SHA256
d15bd4edfbcc02e0c38dc850b135fe20b400fd03009862ed665f2a68dccc14c6

SHA512
7799ce2a3461e6030584190e176306b593a3d99707475386a214d06ca885b583ba45e30db07711828537cff8e525c454946ddff43f68130049af17ff88454686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si896955.exe

Filesize
175KB

MD5
5244ca87e2d490a959a47fef8e5df47d

SHA1
f221c6194383d5f405c978fdccba409b3b3bfb8d

SHA256
d15bd4edfbcc02e0c38dc850b135fe20b400fd03009862ed665f2a68dccc14c6

SHA512
7799ce2a3461e6030584190e176306b593a3d99707475386a214d06ca885b583ba45e30db07711828537cff8e525c454946ddff43f68130049af17ff88454686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un048025.exe

Filesize
553KB

MD5
9d5a63025d433963cd99921c2c1990f4

SHA1
914ed62b8a99d9a744a73f99cdb17a6ab386edcd

SHA256
762e8b7db374c71dae167d1f5d821170908c1ad18058365b711a0d475bb21c92

SHA512
5f8286f007aefd51a4453abbd307d97a18fd14c089db2632b5cf10f2fc5fd3c623eb2b8e4f4e2426003c13c70b65985942472fab3c3770b117c5062b5ff7874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un048025.exe

Filesize
553KB

MD5
9d5a63025d433963cd99921c2c1990f4

SHA1
914ed62b8a99d9a744a73f99cdb17a6ab386edcd

SHA256
762e8b7db374c71dae167d1f5d821170908c1ad18058365b711a0d475bb21c92

SHA512
5f8286f007aefd51a4453abbd307d97a18fd14c089db2632b5cf10f2fc5fd3c623eb2b8e4f4e2426003c13c70b65985942472fab3c3770b117c5062b5ff7874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7547.exe

Filesize
308KB

MD5
2ec910713ddb5e69be034ce290f207e4

SHA1
ce88a6a372a1a8069a656c78e0c64e97346cf050

SHA256
23b277864bc4740145f2b3d35fc9dff03d1cad2020d0555b292ba800cc17c12d

SHA512
2b467bcddc361aa18e63997ebd6c9d07c477d65b203802c9f72ef85e4d4797abb53a4def2e35b1b1245a1ef93ecdbce053494a04914f72c52a6d912d0490295c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7547.exe

Filesize
308KB

MD5
2ec910713ddb5e69be034ce290f207e4

SHA1
ce88a6a372a1a8069a656c78e0c64e97346cf050

SHA256
23b277864bc4740145f2b3d35fc9dff03d1cad2020d0555b292ba800cc17c12d

SHA512
2b467bcddc361aa18e63997ebd6c9d07c477d65b203802c9f72ef85e4d4797abb53a4def2e35b1b1245a1ef93ecdbce053494a04914f72c52a6d912d0490295c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6749.exe

Filesize
366KB

MD5
e168b8789f66a9cc40304152298aedc7

SHA1
56d7129a4bab1acc6c8ded2fb8d5162cb4830b58

SHA256
35abb38f647dfced708f7a046607211fdb5e7510b4489357492850ad506291cb

SHA512
f5d39cec3c8f1e80f72e71723d50e04f6c8676de617329861b0cbf78e1246a5023311fbc673d1ae3fb15aa61ed9e87c864d4a6783def61cc2a2f501ed47cb537

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6749.exe

Filesize
366KB

MD5
e168b8789f66a9cc40304152298aedc7

SHA1
56d7129a4bab1acc6c8ded2fb8d5162cb4830b58

SHA256
35abb38f647dfced708f7a046607211fdb5e7510b4489357492850ad506291cb

SHA512
f5d39cec3c8f1e80f72e71723d50e04f6c8676de617329861b0cbf78e1246a5023311fbc673d1ae3fb15aa61ed9e87c864d4a6783def61cc2a2f501ed47cb537

Download Submit
memory/2284-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2284-137-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2284-138-0x0000000002290000-0x00000000022AA000-memory.dmp

Filesize
104KB

Download
memory/2284-139-0x0000000004D60000-0x000000000525E000-memory.dmp

Filesize
5.0MB

Download
memory/2284-140-0x0000000002320000-0x0000000002338000-memory.dmp

Filesize
96KB

Download
memory/2284-141-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-142-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-144-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-146-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-148-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-150-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-152-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-154-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-156-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-158-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-160-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-162-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-164-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-166-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-168-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2284-169-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2284-170-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2284-171-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2284-172-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2284-174-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2984-1113-0x0000000000D60000-0x0000000000D92000-memory.dmp

Filesize
200KB

Download
memory/2984-1115-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/2984-1114-0x00000000057A0000-0x00000000057EB000-memory.dmp

Filesize
300KB

Download
memory/4616-184-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-218-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-181-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-186-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-188-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-190-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-192-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-194-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-198-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-196-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-200-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-202-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-204-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-206-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-208-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-210-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-212-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-214-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-216-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-182-0x0000000002720000-0x000000000275F000-memory.dmp

Filesize
252KB

Download
memory/4616-217-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-213-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/4616-1091-0x0000000005AE0000-0x00000000060E6000-memory.dmp

Filesize
6.0MB

Download
memory/4616-1092-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/4616-1093-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/4616-1094-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-1095-0x0000000004F30000-0x0000000004F6E000-memory.dmp

Filesize
248KB

Download
memory/4616-1096-0x0000000004F70000-0x0000000004FBB000-memory.dmp

Filesize
300KB

Download
memory/4616-1098-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/4616-1099-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4616-1100-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-1101-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-1102-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-1103-0x00000000066F0000-0x00000000068B2000-memory.dmp

Filesize
1.8MB

Download
memory/4616-1104-0x00000000068D0000-0x0000000006DFC000-memory.dmp

Filesize
5.2MB

Download
memory/4616-180-0x0000000002720000-0x0000000002764000-memory.dmp

Filesize
272KB

Download
memory/4616-179-0x0000000000B10000-0x0000000000B56000-memory.dmp

Filesize
280KB

Download
memory/4616-1105-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/4616-1106-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/4616-1107-0x0000000006FB0000-0x0000000007000000-memory.dmp

Filesize
320KB

Download