redline | 0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe
Size

694KB
MD5

6af8844480f4b43cec6afb0af2e9a237
SHA1

360e269437066daadd1a1e14b84f6aaec58da342
SHA256

0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec
SHA512

b7e358293fa9329e44d324cff11704df633c3890bcbd810f5d9b479a73b9b9548b1551e5c83348492cd2309b876ebf77d3a34a7a62453c9e630c1360a885fba6
SSDEEP

12288:9Mr+Oy904hidir2ifOTRTSoWvvPSQzKrLJa6Xownpd2S3o:8yDuifmgyIKnAWnpdG

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8893.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2332-189-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-190-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-196-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-212-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline
behavioral1/memory/2332-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
5096	un541713.exe
4724	pro8893.exe
2332	qu1982.exe
2916	si636083.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8893.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un541713.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un541713.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4724	pro8893.exe
4724	pro8893.exe
2332	qu1982.exe
2332	qu1982.exe
2916	si636083.exe
2916	si636083.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	pro8893.exe
Token: SeDebugPrivilege	2332	qu1982.exe
Token: SeDebugPrivilege	2916	si636083.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 5096	3388	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe	84
PID 3388 wrote to memory of 5096	3388	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe	84
PID 3388 wrote to memory of 5096	3388	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe	84
PID 5096 wrote to memory of 4724	5096	un541713.exe	85
PID 5096 wrote to memory of 4724	5096	un541713.exe	85
PID 5096 wrote to memory of 4724	5096	un541713.exe	85
PID 5096 wrote to memory of 2332	5096	un541713.exe	89
PID 5096 wrote to memory of 2332	5096	un541713.exe	89
PID 5096 wrote to memory of 2332	5096	un541713.exe	89
PID 3388 wrote to memory of 2916	3388	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe	90
PID 3388 wrote to memory of 2916	3388	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe	90
PID 3388 wrote to memory of 2916	3388	0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe	90

C:\Users\Admin\AppData\Local\Temp\0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe
"C:\Users\Admin\AppData\Local\Temp\0e7b98053bbb55f350854a13e1c24297458e3f32d31efd4a30210c980bf2acec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un541713.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un541713.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8893.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8893.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1982.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1982.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636083.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636083.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636083.exe

Filesize
175KB

MD5
7004f23988bdc13f436b01c634e88063

SHA1
f07c1b3707b9e3549dd9e798170c87e399aa1eee

SHA256
f2a24e2101c3d394e38fa3cc5a9d6933c523f4b909301bb8672a78bacbb5b139

SHA512
f566f3e82ae44a9f519f8fc878919f98cc34442f17d8cff616568f329b9183a643bcb9ee4dfc622ec6834bf19cb788fdbebdc94d2c1386225805352025618fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636083.exe

Filesize
175KB

MD5
7004f23988bdc13f436b01c634e88063

SHA1
f07c1b3707b9e3549dd9e798170c87e399aa1eee

SHA256
f2a24e2101c3d394e38fa3cc5a9d6933c523f4b909301bb8672a78bacbb5b139

SHA512
f566f3e82ae44a9f519f8fc878919f98cc34442f17d8cff616568f329b9183a643bcb9ee4dfc622ec6834bf19cb788fdbebdc94d2c1386225805352025618fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un541713.exe

Filesize
553KB

MD5
516a1f16cdfb5f4e60d85791026fba20

SHA1
77025f18503c1b949fa131a60564680ff0191600

SHA256
c7a03fc0b3478b7d0547de21b42f69fe192606e474f328f9788f59e7c33253d6

SHA512
1c98a4c5f21976f108cb8b7186dbc450a3b3a6cbd76bc4b1c29776a674d91aeaf3604477d36b8c3081ca920712836324f700f476f4da10a54515a598ab398390

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un541713.exe

Filesize
553KB

MD5
516a1f16cdfb5f4e60d85791026fba20

SHA1
77025f18503c1b949fa131a60564680ff0191600

SHA256
c7a03fc0b3478b7d0547de21b42f69fe192606e474f328f9788f59e7c33253d6

SHA512
1c98a4c5f21976f108cb8b7186dbc450a3b3a6cbd76bc4b1c29776a674d91aeaf3604477d36b8c3081ca920712836324f700f476f4da10a54515a598ab398390

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8893.exe

Filesize
308KB

MD5
dbbea8a4353de2f03b3e58960e97cb4e

SHA1
10f7a07ef98a4ff2e658f250cf323aa75901b398

SHA256
539713cae75540b9139a748fd8f24a1c46de4f4a27dbb43eeace854265b2ae20

SHA512
72463692fbd9b5ffdad3dd4c436d4be7895de4bc2891c2fa9e173e2fcde9921b12bfdc22090e8fa90939f6b0fd272e1594c2df5ce7e857f4e80f4f54df2d8878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8893.exe

Filesize
308KB

MD5
dbbea8a4353de2f03b3e58960e97cb4e

SHA1
10f7a07ef98a4ff2e658f250cf323aa75901b398

SHA256
539713cae75540b9139a748fd8f24a1c46de4f4a27dbb43eeace854265b2ae20

SHA512
72463692fbd9b5ffdad3dd4c436d4be7895de4bc2891c2fa9e173e2fcde9921b12bfdc22090e8fa90939f6b0fd272e1594c2df5ce7e857f4e80f4f54df2d8878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1982.exe

Filesize
366KB

MD5
c24c00ba0c3fbf28b7baefdc3d9766a6

SHA1
7fedc26184d7234a4d5dc66b59791ba413166332

SHA256
423707a0664a6050200e1dc116be8be76c1342ec4207c53cdc9e9e1618f41220

SHA512
9451e20dada40b96365ac470f0a677b2ba6971c3b745951572081081f5c4990ea1211bbb939cf30b4d5b45d3262f22d22e782514db2ae0ddc2bec7cc1a3c2049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1982.exe

Filesize
366KB

MD5
c24c00ba0c3fbf28b7baefdc3d9766a6

SHA1
7fedc26184d7234a4d5dc66b59791ba413166332

SHA256
423707a0664a6050200e1dc116be8be76c1342ec4207c53cdc9e9e1618f41220

SHA512
9451e20dada40b96365ac470f0a677b2ba6971c3b745951572081081f5c4990ea1211bbb939cf30b4d5b45d3262f22d22e782514db2ae0ddc2bec7cc1a3c2049

Download Submit
memory/2332-1099-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-1102-0x0000000005B30000-0x0000000005B6C000-memory.dmp

Filesize
240KB

Download
memory/2332-1113-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/2332-1112-0x0000000006930000-0x0000000006AF2000-memory.dmp

Filesize
1.8MB

Download
memory/2332-1111-0x00000000068A0000-0x00000000068F0000-memory.dmp

Filesize
320KB

Download
memory/2332-1110-0x0000000006810000-0x0000000006886000-memory.dmp

Filesize
472KB

Download
memory/2332-1109-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-1108-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-1107-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-1106-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-1104-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/2332-1103-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/2332-1101-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-1100-0x0000000005B10000-0x0000000005B22000-memory.dmp

Filesize
72KB

Download
memory/2332-1098-0x00000000053E0000-0x00000000059F8000-memory.dmp

Filesize
6.1MB

Download
memory/2332-459-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-456-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2332-455-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/2332-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-189-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-190-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-196-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-212-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2332-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

Filesize
252KB

Download
memory/2916-1119-0x0000000000BE0000-0x0000000000C12000-memory.dmp

Filesize
200KB

Download
memory/2916-1120-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4724-171-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-152-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-151-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/4724-180-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4724-179-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-150-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4724-177-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-175-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-167-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4724-182-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4724-173-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-165-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-163-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4724-149-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4724-148-0x0000000000820000-0x000000000084D000-memory.dmp

Filesize
180KB

Download
memory/4724-184-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4724-169-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download