redline | 503ba0174224929fc89facfb25050d0d39f0cc88f384ebd9d717ec7f45680d0d

Analysis

max time kernel
138s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c21487478306bb0e48ae27cab7c9465.exe
Size

695KB
MD5

3c21487478306bb0e48ae27cab7c9465
SHA1

5947976e655f52f6411d2022fef7fb9d03a901e1
SHA256

503ba0174224929fc89facfb25050d0d39f0cc88f384ebd9d717ec7f45680d0d
SHA512

00d733d46b96ebb9f21279a4a992fcd949963cd28b9dcd6e2e802a5395f6cec19ace2c828fe037cf5bd7f3f0395f94f2de944f81b100b680be01db2fb5382b86
SSDEEP

12288:+Mr7y90dAI5mSsIkP00dAbqGxIjfSCPO0gmRnhvATAChIger/CW:lyfIYCd0dyYjaQgmBhvAMCyPOW

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4158.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral2/memory/5072-189-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-190-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-192-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-194-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-196-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-198-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-200-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-202-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-204-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-206-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-208-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-210-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-212-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-214-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-216-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-218-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-220-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-222-0x00000000024B0000-0x00000000024EF000-memory.dmp	family_redline
behavioral2/memory/5072-1110-0x0000000004D90000-0x0000000004DA0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4768	un579524.exe
464	pro4158.exe
5072	qu8398.exe
2028	si499492.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4158.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3c21487478306bb0e48ae27cab7c9465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c21487478306bb0e48ae27cab7c9465.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un579524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un579524.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4556	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4832	464	WerFault.exe	86
4296	5072	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
464	pro4158.exe
464	pro4158.exe
5072	qu8398.exe
5072	qu8398.exe
2028	si499492.exe
2028	si499492.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	pro4158.exe
Token: SeDebugPrivilege	5072	qu8398.exe
Token: SeDebugPrivilege	2028	si499492.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4768	4432	3c21487478306bb0e48ae27cab7c9465.exe	85
PID 4432 wrote to memory of 4768	4432	3c21487478306bb0e48ae27cab7c9465.exe	85
PID 4432 wrote to memory of 4768	4432	3c21487478306bb0e48ae27cab7c9465.exe	85
PID 4768 wrote to memory of 464	4768	un579524.exe	86
PID 4768 wrote to memory of 464	4768	un579524.exe	86
PID 4768 wrote to memory of 464	4768	un579524.exe	86
PID 4768 wrote to memory of 5072	4768	un579524.exe	92
PID 4768 wrote to memory of 5072	4768	un579524.exe	92
PID 4768 wrote to memory of 5072	4768	un579524.exe	92
PID 4432 wrote to memory of 2028	4432	3c21487478306bb0e48ae27cab7c9465.exe	96
PID 4432 wrote to memory of 2028	4432	3c21487478306bb0e48ae27cab7c9465.exe	96
PID 4432 wrote to memory of 2028	4432	3c21487478306bb0e48ae27cab7c9465.exe	96

C:\Users\Admin\AppData\Local\Temp\3c21487478306bb0e48ae27cab7c9465.exe
"C:\Users\Admin\AppData\Local\Temp\3c21487478306bb0e48ae27cab7c9465.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un579524.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un579524.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4158.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4158.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1088
      4⤵
      Program crash
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8398.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8398.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1176
      4⤵
      Program crash
      PID:4296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499492.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499492.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 464 -ip 464
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5072 -ip 5072
1⤵
PID:2080

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499492.exe

Filesize
175KB

MD5
5e37764ee2b604cf15229e03bd48f598

SHA1
bfa4531d65c9518f46384c545b3fe6a6c8069ae3

SHA256
6619ae6f8095b57068069f5897dee10d36870985e6e537dc0c3b06c2db1958fe

SHA512
2cb84d50a1586d04df39e5a1f15247198fdd20a29a669160ff72c38650f67f3c52148ce9b301dba46b31fbcde46a24acf092931b3bfc77cedd7b4c573bf4715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499492.exe

Filesize
175KB

MD5
5e37764ee2b604cf15229e03bd48f598

SHA1
bfa4531d65c9518f46384c545b3fe6a6c8069ae3

SHA256
6619ae6f8095b57068069f5897dee10d36870985e6e537dc0c3b06c2db1958fe

SHA512
2cb84d50a1586d04df39e5a1f15247198fdd20a29a669160ff72c38650f67f3c52148ce9b301dba46b31fbcde46a24acf092931b3bfc77cedd7b4c573bf4715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un579524.exe

Filesize
553KB

MD5
505c6141ae086dd6daf33dfdcaea42b3

SHA1
dde4229d50f07763a420c961ba0e623589c9e45e

SHA256
2c7a18d443c0916c55d88284043690ee41829286d7d8b6c8e753e639ca9567e1

SHA512
8225e1fb69c54dd8eb3660b94b63c4218aadb7640d4bf5c3485970da1f04344b52fc419623c9c99360d76c64cb762bafaea21a3a9c2f6c9caca730555bcce668

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un579524.exe

Filesize
553KB

MD5
505c6141ae086dd6daf33dfdcaea42b3

SHA1
dde4229d50f07763a420c961ba0e623589c9e45e

SHA256
2c7a18d443c0916c55d88284043690ee41829286d7d8b6c8e753e639ca9567e1

SHA512
8225e1fb69c54dd8eb3660b94b63c4218aadb7640d4bf5c3485970da1f04344b52fc419623c9c99360d76c64cb762bafaea21a3a9c2f6c9caca730555bcce668

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4158.exe

Filesize
308KB

MD5
66a02d46cf13dbd173bca54316979c0c

SHA1
ceb6d2d49ac8fba99812bb5f11c6b6008f7af53d

SHA256
dcbae1c022f80755f73c57da9bad0155b30456a22dc73092643dbcea7d8b714a

SHA512
db875977f4b1a20ff4a26afd4e22abeade53013d361d7e8f548b0c01f8bdfee8cba4c73f6a38a961c13ebf1d9ce8fd7414e964d0fb6e4ac6fd7e19f45611387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4158.exe

Filesize
308KB

MD5
66a02d46cf13dbd173bca54316979c0c

SHA1
ceb6d2d49ac8fba99812bb5f11c6b6008f7af53d

SHA256
dcbae1c022f80755f73c57da9bad0155b30456a22dc73092643dbcea7d8b714a

SHA512
db875977f4b1a20ff4a26afd4e22abeade53013d361d7e8f548b0c01f8bdfee8cba4c73f6a38a961c13ebf1d9ce8fd7414e964d0fb6e4ac6fd7e19f45611387b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8398.exe

Filesize
366KB

MD5
22a808b7fa4620b6eb0a5259ebbf1c2a

SHA1
97c38e170060b2f8ad9b6177962577f20bc7fb8d

SHA256
54cc24f6b8c502560bc3ed2d448c55390be9698d857925322879ecdac6dccf62

SHA512
68bbe0732b2dd7689b8f02d7095734c2b64fdecf3772a6b7e6a56858be4412686f365d5fd97d1964bec84bbd5b3c72148a9ac567ea67133b0ff2af59841d5ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8398.exe

Filesize
366KB

MD5
22a808b7fa4620b6eb0a5259ebbf1c2a

SHA1
97c38e170060b2f8ad9b6177962577f20bc7fb8d

SHA256
54cc24f6b8c502560bc3ed2d448c55390be9698d857925322879ecdac6dccf62

SHA512
68bbe0732b2dd7689b8f02d7095734c2b64fdecf3772a6b7e6a56858be4412686f365d5fd97d1964bec84bbd5b3c72148a9ac567ea67133b0ff2af59841d5ee8

Download Submit
memory/464-148-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/464-149-0x0000000004F00000-0x00000000054A4000-memory.dmp

Filesize
5.6MB

Download
memory/464-150-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-151-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-153-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-155-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-157-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-159-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-161-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-163-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-165-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-167-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-169-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-171-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-173-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/464-175-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-174-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/464-177-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-179-0x0000000002820000-0x0000000002832000-memory.dmp

Filesize
72KB

Download
memory/464-180-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/464-182-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/464-183-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/464-184-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2028-1120-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/2028-1121-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

Filesize
64KB

Download
memory/5072-192-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-228-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-194-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-196-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-198-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-200-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-202-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-204-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-206-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-208-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-210-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-212-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-214-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-216-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-218-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-220-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-223-0x0000000000870000-0x00000000008BB000-memory.dmp

Filesize
300KB

Download
memory/5072-222-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-225-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-190-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-226-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-1099-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/5072-1100-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/5072-1101-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/5072-1102-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/5072-1103-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-1104-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/5072-1105-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/5072-1107-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/5072-1108-0x00000000068B0000-0x0000000006DDC000-memory.dmp

Filesize
5.2MB

Download
memory/5072-1109-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-1110-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-1111-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-189-0x00000000024B0000-0x00000000024EF000-memory.dmp

Filesize
252KB

Download
memory/5072-1112-0x0000000006F10000-0x0000000006F86000-memory.dmp

Filesize
472KB

Download
memory/5072-1113-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

Filesize
320KB

Download
memory/5072-1114-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download