redline | 6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe
Size

695KB
MD5

d0c32cd3ccb4bf84b49d2a4e923f5dae
SHA1

db0087743db0d54e3e74b88e6eca8ef56283c20d
SHA256

6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da
SHA512

bb50663f1626cce2393bc86d238801354fcaa1cfaa32402217644f40a2f390285b97cd3be76b5f8aeeb1da5752dfc09383b81f2bd89c14808e10f412e84fd68a
SSDEEP

12288:rMr0y9099Vwai17wZuPWmRYuPl/KJn/WjAzLaGJeE14JxVN:/yEVY7woWEYel/wn/LLxYk4JN

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1965.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1965.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/1476-191-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-192-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-194-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-196-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-198-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-200-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-202-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-204-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-206-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-208-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-210-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-212-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-214-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-216-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-218-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-222-0x0000000004EF0000-0x0000000004F00000-memory.dmp	family_redline
behavioral1/memory/1476-221-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-226-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline
behavioral1/memory/1476-228-0x0000000002990000-0x00000000029CF000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3024	un500286.exe
3968	pro1965.exe
1476	qu7184.exe
3780	si684263.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1965.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un500286.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un500286.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3968	pro1965.exe
3968	pro1965.exe
1476	qu7184.exe
1476	qu7184.exe
3780	si684263.exe
3780	si684263.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	pro1965.exe
Token: SeDebugPrivilege	1476	qu7184.exe
Token: SeDebugPrivilege	3780	si684263.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3024	4724	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe	83
PID 4724 wrote to memory of 3024	4724	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe	83
PID 4724 wrote to memory of 3024	4724	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe	83
PID 3024 wrote to memory of 3968	3024	un500286.exe	84
PID 3024 wrote to memory of 3968	3024	un500286.exe	84
PID 3024 wrote to memory of 3968	3024	un500286.exe	84
PID 3024 wrote to memory of 1476	3024	un500286.exe	85
PID 3024 wrote to memory of 1476	3024	un500286.exe	85
PID 3024 wrote to memory of 1476	3024	un500286.exe	85
PID 4724 wrote to memory of 3780	4724	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe	86
PID 4724 wrote to memory of 3780	4724	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe	86
PID 4724 wrote to memory of 3780	4724	6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe	86

C:\Users\Admin\AppData\Local\Temp\6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe
"C:\Users\Admin\AppData\Local\Temp\6d11b84f088d009eaa5f5643a315a433b094be251f306c81cd5592a417f016da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500286.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500286.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1965.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1965.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7184.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7184.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si684263.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si684263.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si684263.exe

Filesize
175KB

MD5
4d7851a3dd20557e09392104affc4010

SHA1
89066e71d4515296662c917169250db942ab454a

SHA256
82083b955e0f80c6926623fc6ed24a830b7a9b40c18b47abe59bd1b033cfd1fb

SHA512
3d4f462c79785d59a2be2cda01a6c4f84349a2e180e0fa702bb646ea60b16a1a3595c2b02d5edefd013430ba44ded5197b64b83cd0a45ef9607654f7a3bb06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si684263.exe

Filesize
175KB

MD5
4d7851a3dd20557e09392104affc4010

SHA1
89066e71d4515296662c917169250db942ab454a

SHA256
82083b955e0f80c6926623fc6ed24a830b7a9b40c18b47abe59bd1b033cfd1fb

SHA512
3d4f462c79785d59a2be2cda01a6c4f84349a2e180e0fa702bb646ea60b16a1a3595c2b02d5edefd013430ba44ded5197b64b83cd0a45ef9607654f7a3bb06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500286.exe

Filesize
553KB

MD5
4780447855bbd84eb803688704210d3e

SHA1
9021e892896bb2ac622aefa608e5eddf40a84615

SHA256
51262e6fb2b5983cd4fe24800c2e9bc35fbdaecdadd2d57bbc509530411aa27a

SHA512
7436e31f2a4ca5ea9baa20ba6c84008b7eab62ccc87ab9bc7942f79a80d61fe13b396ccdc0d1740ab2a425b612a23c2f5ed759f0893cd4af4bf9b249afedf304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un500286.exe

Filesize
553KB

MD5
4780447855bbd84eb803688704210d3e

SHA1
9021e892896bb2ac622aefa608e5eddf40a84615

SHA256
51262e6fb2b5983cd4fe24800c2e9bc35fbdaecdadd2d57bbc509530411aa27a

SHA512
7436e31f2a4ca5ea9baa20ba6c84008b7eab62ccc87ab9bc7942f79a80d61fe13b396ccdc0d1740ab2a425b612a23c2f5ed759f0893cd4af4bf9b249afedf304

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1965.exe

Filesize
308KB

MD5
c29b35062e2a28ab5667c37137e9b380

SHA1
e3c51ada810d059b9b4949437f5fc26005553a9e

SHA256
a6459143233229b9baae575eeed12bfe7687e0244777c79a6e99b3f7df11c451

SHA512
6ed3989deef04db72694f0df88f6b65933c2f561f05c5f21988e7e56e86e946d266239f663a008be21d96819d1810f4fedaf39d4edafea8c9bee6cb206258bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1965.exe

Filesize
308KB

MD5
c29b35062e2a28ab5667c37137e9b380

SHA1
e3c51ada810d059b9b4949437f5fc26005553a9e

SHA256
a6459143233229b9baae575eeed12bfe7687e0244777c79a6e99b3f7df11c451

SHA512
6ed3989deef04db72694f0df88f6b65933c2f561f05c5f21988e7e56e86e946d266239f663a008be21d96819d1810f4fedaf39d4edafea8c9bee6cb206258bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7184.exe

Filesize
366KB

MD5
a6e395edf29f0064e167eb8a56a36327

SHA1
81898bbb597daaced3cd59a68812d363587af84c

SHA256
1c43cddffa1aba8c4a575d7831adbfed729183732c8250a0f17b262d06afb35b

SHA512
fcec79ad92f2f75b6323fdc7309b5e4e0d28cb78842fe5e495c4028a3923134259dfdb9258ad2270980ce4615695d1b149cc7c261c5f1562f789c648c87333ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7184.exe

Filesize
366KB

MD5
a6e395edf29f0064e167eb8a56a36327

SHA1
81898bbb597daaced3cd59a68812d363587af84c

SHA256
1c43cddffa1aba8c4a575d7831adbfed729183732c8250a0f17b262d06afb35b

SHA512
fcec79ad92f2f75b6323fdc7309b5e4e0d28cb78842fe5e495c4028a3923134259dfdb9258ad2270980ce4615695d1b149cc7c261c5f1562f789c648c87333ce

Download Submit
memory/1476-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/1476-1101-0x00000000054B0000-0x0000000005AC8000-memory.dmp

Filesize
6.1MB

Download
memory/1476-220-0x0000000000930000-0x000000000097B000-memory.dmp

Filesize
300KB

Download
memory/1476-218-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-204-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-206-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-1115-0x00000000083A0000-0x0000000008416000-memory.dmp

Filesize
472KB

Download
memory/1476-1114-0x0000000007DD0000-0x00000000082FC000-memory.dmp

Filesize
5.2MB

Download
memory/1476-1113-0x0000000007C00000-0x0000000007DC2000-memory.dmp

Filesize
1.8MB

Download
memory/1476-1112-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-208-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-1111-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-1110-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-1109-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-1107-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/1476-1106-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/1476-1105-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/1476-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/1476-222-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-228-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-225-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-226-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-191-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-192-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-194-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-196-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-198-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-200-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-202-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-221-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-1116-0x0000000008440000-0x0000000008490000-memory.dmp

Filesize
320KB

Download
memory/1476-223-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1476-210-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-212-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-214-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/1476-216-0x0000000002990000-0x00000000029CF000-memory.dmp

Filesize
252KB

Download
memory/3780-1122-0x0000000000100000-0x0000000000132000-memory.dmp

Filesize
200KB

Download
memory/3780-1123-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/3968-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3968-170-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-148-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/3968-150-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3968-152-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3968-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3968-184-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3968-151-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3968-183-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3968-182-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3968-153-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-180-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-178-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-176-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-174-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-172-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-168-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-166-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-164-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-162-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-160-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/3968-158-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-156-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/3968-154-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download