redline | 488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe
Size

695KB
MD5

fe4022c7eb6f24b78792e7b7955327b9
SHA1

f6732d399dccb68cbd03839bbdc8942fdb34edfd
SHA256

488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1
SHA512

53cb49f9f08fe952859b67e81e17ac47bce8f0cbe20b3a1b05db2e2436d54ee4de6b3a4f4aeb6d65637f474396a6140f54e048dbf041c0ecb61277e93b5de865
SSDEEP

12288:AMrNy90WuXZGrJ+ZaaDt6zWKlumlxfuPDQUTQLZ0q8i8zc7fJdpKwt59HwkMc:9ypGGckaxDKlHlpuP0Uw8pcTdV5PMc

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8059.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4364-192-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-194-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-191-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-196-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-198-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-200-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-202-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-204-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-206-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-208-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-210-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-212-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-214-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-216-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-218-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-222-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-226-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline
behavioral1/memory/4364-228-0x00000000025A0000-0x00000000025DF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
5060	un056698.exe
4700	pro8059.exe
4364	qu8631.exe
4956	si861783.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8059.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un056698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un056698.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4700	pro8059.exe
4700	pro8059.exe
4364	qu8631.exe
4364	qu8631.exe
4956	si861783.exe
4956	si861783.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	pro8059.exe
Token: SeDebugPrivilege	4364	qu8631.exe
Token: SeDebugPrivilege	4956	si861783.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 5060	3116	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe	83
PID 3116 wrote to memory of 5060	3116	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe	83
PID 3116 wrote to memory of 5060	3116	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe	83
PID 5060 wrote to memory of 4700	5060	un056698.exe	84
PID 5060 wrote to memory of 4700	5060	un056698.exe	84
PID 5060 wrote to memory of 4700	5060	un056698.exe	84
PID 5060 wrote to memory of 4364	5060	un056698.exe	85
PID 5060 wrote to memory of 4364	5060	un056698.exe	85
PID 5060 wrote to memory of 4364	5060	un056698.exe	85
PID 3116 wrote to memory of 4956	3116	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe	86
PID 3116 wrote to memory of 4956	3116	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe	86
PID 3116 wrote to memory of 4956	3116	488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe	86

C:\Users\Admin\AppData\Local\Temp\488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe
"C:\Users\Admin\AppData\Local\Temp\488325444b06529e25f698d58af9cee6f9cd02bd1d5d39af3ef3c183a29cc2e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un056698.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un056698.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8059.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8059.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8631.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8631.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861783.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861783.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861783.exe

Filesize
175KB

MD5
1074cc5df693239dd6b5707f7fcea674

SHA1
73b02d033305f6c1e7bf9e02f49a4685a7645df6

SHA256
d6f73105b8cba04b73a308332a870f5e457c14786421fad382f13d230aa81d0f

SHA512
088dd3a346fbc64c53b2c60eb2848c8cb4d1e285c4af7a2893e81ed0b67d8048c5acd17cc0fa778cfc221a0086b6b4453ede2d175f75e4c1d7707427247c88a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861783.exe

Filesize
175KB

MD5
1074cc5df693239dd6b5707f7fcea674

SHA1
73b02d033305f6c1e7bf9e02f49a4685a7645df6

SHA256
d6f73105b8cba04b73a308332a870f5e457c14786421fad382f13d230aa81d0f

SHA512
088dd3a346fbc64c53b2c60eb2848c8cb4d1e285c4af7a2893e81ed0b67d8048c5acd17cc0fa778cfc221a0086b6b4453ede2d175f75e4c1d7707427247c88a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un056698.exe

Filesize
553KB

MD5
c938a50d15ba9987c467b73610695b34

SHA1
e5c5ac08bf3b6a5583e3d6701b3566c9007b6cee

SHA256
6cb25ff83532d1683be600301677e74a4746e167e12ad0747439347f2995cc07

SHA512
e51f6202a76575a89a8c879530976dd6b888fa34a9e5d95019bb99ae1658516e719848df430b2032294ac7f755216fbe4ec7071302603e97dd61f168c10abb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un056698.exe

Filesize
553KB

MD5
c938a50d15ba9987c467b73610695b34

SHA1
e5c5ac08bf3b6a5583e3d6701b3566c9007b6cee

SHA256
6cb25ff83532d1683be600301677e74a4746e167e12ad0747439347f2995cc07

SHA512
e51f6202a76575a89a8c879530976dd6b888fa34a9e5d95019bb99ae1658516e719848df430b2032294ac7f755216fbe4ec7071302603e97dd61f168c10abb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8059.exe

Filesize
308KB

MD5
a251699898d7acd5f0ea91f89eba4f71

SHA1
d67999aab7765ecb9d7071b5b7532bd5cfad18bf

SHA256
54d858dc37305fae1603ef0eed1de208f8e6ccddf66d2b09702f86f5bfd50310

SHA512
118ec9456f328326bddca2b726378e6b724da4e11357cf5de7d1471fa29ddc9480a9306b88ed9cfe9ebc275cd6916edad00e5d3af7bc766e8d53f733b95a17b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8059.exe

Filesize
308KB

MD5
a251699898d7acd5f0ea91f89eba4f71

SHA1
d67999aab7765ecb9d7071b5b7532bd5cfad18bf

SHA256
54d858dc37305fae1603ef0eed1de208f8e6ccddf66d2b09702f86f5bfd50310

SHA512
118ec9456f328326bddca2b726378e6b724da4e11357cf5de7d1471fa29ddc9480a9306b88ed9cfe9ebc275cd6916edad00e5d3af7bc766e8d53f733b95a17b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8631.exe

Filesize
366KB

MD5
d57dd9faad67942163edd3c6db173442

SHA1
5c8d6ee4885c4c4940d733b8ce1cd910a2094638

SHA256
42bca80b62b17c49be9d7fef73a955a13adbc1ea9fe6e4ac0b404a4454ea8d04

SHA512
48000ffb37a3845707e70af0d76e167a8fbf43a63ba3d9e54e60c0911759e7afd539a1160b20851d3ee5160b9b1f063114b21b5493139c795becbce5d3d74723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8631.exe

Filesize
366KB

MD5
d57dd9faad67942163edd3c6db173442

SHA1
5c8d6ee4885c4c4940d733b8ce1cd910a2094638

SHA256
42bca80b62b17c49be9d7fef73a955a13adbc1ea9fe6e4ac0b404a4454ea8d04

SHA512
48000ffb37a3845707e70af0d76e167a8fbf43a63ba3d9e54e60c0911759e7afd539a1160b20851d3ee5160b9b1f063114b21b5493139c795becbce5d3d74723

Download Submit
memory/4364-1102-0x0000000005B40000-0x0000000005C4A000-memory.dmp

Filesize
1.0MB

Download
memory/4364-225-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-204-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-206-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-1115-0x00000000069A0000-0x0000000006ECC000-memory.dmp

Filesize
5.2MB

Download
memory/4364-1114-0x00000000067D0000-0x0000000006992000-memory.dmp

Filesize
1.8MB

Download
memory/4364-1113-0x0000000006760000-0x00000000067B0000-memory.dmp

Filesize
320KB

Download
memory/4364-1112-0x00000000066D0000-0x0000000006746000-memory.dmp

Filesize
472KB

Download
memory/4364-1111-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-1110-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-208-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-1109-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-1107-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/4364-1106-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/4364-1105-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-1104-0x00000000027D0000-0x000000000280C000-memory.dmp

Filesize
240KB

Download
memory/4364-1103-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/4364-1101-0x0000000005520000-0x0000000005B38000-memory.dmp

Filesize
6.1MB

Download
memory/4364-228-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-218-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-226-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-221-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-223-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-192-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-194-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-191-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-196-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-198-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-200-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-202-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-222-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-1116-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4364-219-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/4364-210-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-212-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-214-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4364-216-0x00000000025A0000-0x00000000025DF000-memory.dmp

Filesize
252KB

Download
memory/4700-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4700-170-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4700-151-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4700-152-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4700-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4700-184-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4700-183-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4700-182-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4700-150-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4700-153-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-180-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-176-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-178-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-174-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-172-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-168-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-166-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-164-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-162-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-160-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-158-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-156-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4700-149-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/4700-154-0x0000000002960000-0x0000000002972000-memory.dmp

Filesize
72KB

Download
memory/4956-1122-0x00000000000F0000-0x0000000000122000-memory.dmp

Filesize
200KB

Download
memory/4956-1123-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download