redline | ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c

Analysis

max time kernel
55s
max time network
65s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
27-03-2023 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe
Size

695KB
MD5

b1173a8058193fa04e9fd1c36146c660
SHA1

8ad7cfda39b0ff058ec33fd65ce766bff31197a8
SHA256

ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c
SHA512

ccc2673b2edee78c948209428dd12735f838fe82aed6225e72156e88899c41b088a28b950896fc21a2e180dac68c10d1f36394338fb2e832795edfacb0a21cac
SSDEEP

12288:3MrNy90k8ciQT/j1Gl3k1UPCl1gCcke95QTlD3pvPS1z4zRJara9i4+XS:Wyz1T7Cb8jhMOpy141g0x+C

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6033.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2164-178-0x0000000002490000-0x00000000024D6000-memory.dmp	family_redline
behavioral1/memory/2164-179-0x0000000002660000-0x00000000026A4000-memory.dmp	family_redline
behavioral1/memory/2164-180-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-183-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-185-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-181-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-187-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-189-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-191-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-193-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-195-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-197-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-199-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-201-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-203-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-205-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-207-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-209-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-211-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2164-214-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2392	un842355.exe
2672	pro6033.exe
2164	qu2958.exe
4468	si843426.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6033.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6033.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un842355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un842355.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2672	pro6033.exe
2672	pro6033.exe
2164	qu2958.exe
2164	qu2958.exe
4468	si843426.exe
4468	si843426.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	pro6033.exe
Token: SeDebugPrivilege	2164	qu2958.exe
Token: SeDebugPrivilege	4468	si843426.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2392	2320	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe	66
PID 2320 wrote to memory of 2392	2320	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe	66
PID 2320 wrote to memory of 2392	2320	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe	66
PID 2392 wrote to memory of 2672	2392	un842355.exe	67
PID 2392 wrote to memory of 2672	2392	un842355.exe	67
PID 2392 wrote to memory of 2672	2392	un842355.exe	67
PID 2392 wrote to memory of 2164	2392	un842355.exe	68
PID 2392 wrote to memory of 2164	2392	un842355.exe	68
PID 2392 wrote to memory of 2164	2392	un842355.exe	68
PID 2320 wrote to memory of 4468	2320	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe	70
PID 2320 wrote to memory of 4468	2320	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe	70
PID 2320 wrote to memory of 4468	2320	ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe	70

C:\Users\Admin\AppData\Local\Temp\ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe
"C:\Users\Admin\AppData\Local\Temp\ca044281f268ecbc1ca79d6cfe8c7587eb04bbe7ce9a7e23c0082605f19c635c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un842355.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un842355.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6033.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6033.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2958.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2958.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si843426.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si843426.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si843426.exe

Filesize
175KB

MD5
c1999fe2496f5874dc46ea322691201f

SHA1
d0408a96fb07892b90c9abbc0fb1050ec577b710

SHA256
efdcd5067819670c76ff77ca111a9c244ff26829e1af833ff67985b593d59c11

SHA512
0bc8de2a2dc8ddcb7143709f7e07d77e0d13fe89fde0a6a970aa040ddb91cf2339355861a108d1d1684f4c9302351723a15ad830dee2b550e9e3f41d7ef88bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si843426.exe

Filesize
175KB

MD5
c1999fe2496f5874dc46ea322691201f

SHA1
d0408a96fb07892b90c9abbc0fb1050ec577b710

SHA256
efdcd5067819670c76ff77ca111a9c244ff26829e1af833ff67985b593d59c11

SHA512
0bc8de2a2dc8ddcb7143709f7e07d77e0d13fe89fde0a6a970aa040ddb91cf2339355861a108d1d1684f4c9302351723a15ad830dee2b550e9e3f41d7ef88bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un842355.exe

Filesize
553KB

MD5
c748d11b25f4f4a53f44d5b47c891416

SHA1
d716ceb3d8cf046716c7719a8316a891740f4d5a

SHA256
0d76d6aad4e89d9b386bf6ccef2afc796e757252973d33fd7ceb2149cbbba97c

SHA512
fabd4b1164f8e84aa6ff69c8b064fd257ca125b48527d431e9330983001dfa911ce8a6fd2407142a587a7e9f0e16f3f94c9b1f5ab8e1d8cf352f977f0704d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un842355.exe

Filesize
553KB

MD5
c748d11b25f4f4a53f44d5b47c891416

SHA1
d716ceb3d8cf046716c7719a8316a891740f4d5a

SHA256
0d76d6aad4e89d9b386bf6ccef2afc796e757252973d33fd7ceb2149cbbba97c

SHA512
fabd4b1164f8e84aa6ff69c8b064fd257ca125b48527d431e9330983001dfa911ce8a6fd2407142a587a7e9f0e16f3f94c9b1f5ab8e1d8cf352f977f0704d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6033.exe

Filesize
308KB

MD5
ffb28db859de0b2da03200644db259a7

SHA1
11ff0c491c0683717715095c263b68baa9523cf5

SHA256
dca7c0352ac0b0e528f119b92c994f1b9c8ce23ed1a2d12b894945e3389dff24

SHA512
f5958cdbc5b42d0ff111c47e9759920f61c75fc17d6b7080a82607bb5330eaf23787d18021a2e4cc26ea85b910959cfc896e2b3a296aea4d9083b3202919eb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6033.exe

Filesize
308KB

MD5
ffb28db859de0b2da03200644db259a7

SHA1
11ff0c491c0683717715095c263b68baa9523cf5

SHA256
dca7c0352ac0b0e528f119b92c994f1b9c8ce23ed1a2d12b894945e3389dff24

SHA512
f5958cdbc5b42d0ff111c47e9759920f61c75fc17d6b7080a82607bb5330eaf23787d18021a2e4cc26ea85b910959cfc896e2b3a296aea4d9083b3202919eb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2958.exe

Filesize
366KB

MD5
54c2e71bafd77f85c7cef6f48c71e464

SHA1
584f373dce234177def0d9df7bd60025cb756c0e

SHA256
a93aacffef91f91e3cf0530e34436f572ceb606687fcbc8f51e30acb24d336ba

SHA512
6ed49b34b058745808ac78d93f04ebfcad734aad81cbeda8a46c4d95da793037900b0edcb64055b9ab4f6a3fafe2dc1271a4c5f0736ccf84bd40e3a84234c679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2958.exe

Filesize
366KB

MD5
54c2e71bafd77f85c7cef6f48c71e464

SHA1
584f373dce234177def0d9df7bd60025cb756c0e

SHA256
a93aacffef91f91e3cf0530e34436f572ceb606687fcbc8f51e30acb24d336ba

SHA512
6ed49b34b058745808ac78d93f04ebfcad734aad81cbeda8a46c4d95da793037900b0edcb64055b9ab4f6a3fafe2dc1271a4c5f0736ccf84bd40e3a84234c679

Download Submit
memory/2164-1090-0x0000000005490000-0x0000000005A96000-memory.dmp

Filesize
6.0MB

Download
memory/2164-1093-0x0000000004F20000-0x0000000004F5E000-memory.dmp

Filesize
248KB

Download
memory/2164-1105-0x0000000008350000-0x00000000083A0000-memory.dmp

Filesize
320KB

Download
memory/2164-1104-0x00000000082C0000-0x0000000008336000-memory.dmp

Filesize
472KB

Download
memory/2164-1103-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-1102-0x0000000006790000-0x0000000006CBC000-memory.dmp

Filesize
5.2MB

Download
memory/2164-1101-0x00000000065B0000-0x0000000006772000-memory.dmp

Filesize
1.8MB

Download
memory/2164-1100-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-1099-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-1097-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/2164-1096-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/2164-1095-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-1094-0x0000000005BA0000-0x0000000005BEB000-memory.dmp

Filesize
300KB

Download
memory/2164-197-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-1092-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2164-1091-0x0000000004E10000-0x0000000004F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2164-216-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-218-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-214-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-215-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2164-212-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/2164-211-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-178-0x0000000002490000-0x00000000024D6000-memory.dmp

Filesize
280KB

Download
memory/2164-179-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/2164-180-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-183-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-185-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-181-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-187-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-189-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-199-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-193-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-205-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-209-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-191-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-201-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-203-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-195-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2164-207-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2672-148-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-162-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-150-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-173-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2672-171-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2672-170-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2672-169-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2672-138-0x00000000023B0000-0x00000000023C8000-memory.dmp

Filesize
96KB

Download
memory/2672-168-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-166-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-141-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-160-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-140-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2672-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2672-142-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-154-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-152-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-158-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-164-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-146-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-144-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-156-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2672-137-0x0000000004EE0000-0x00000000053DE000-memory.dmp

Filesize
5.0MB

Download
memory/2672-136-0x00000000009C0000-0x00000000009DA000-memory.dmp

Filesize
104KB

Download
memory/4468-1113-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4468-1112-0x0000000005000000-0x000000000504B000-memory.dmp

Filesize
300KB

Download
memory/4468-1111-0x0000000000780000-0x00000000007B2000-memory.dmp

Filesize
200KB

Download