redline | 26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860

Analysis

max time kernel
58s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe
Size

695KB
MD5

05667a524837d06c6a4312f1390b986d
SHA1

4416b2de3d1cde8f7ab00f12391171af38b966a9
SHA256

26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860
SHA512

d20e0ce4c50aba6901710b0312d1eedd0fb63e9fcaa36e8d9b0fe784355b4c54d83fd13cde20b472c938ca464fa55dcf506dd314dd41903c8e02cd9552e7a385
SSDEEP

12288:dMrTy90U2e/ESPlq6oDpYh8deDuml0m0R4Km+cKDlzSFqJbEAz0n0ObPAG0:Cyb2e/ESPPh8deDHlT0R4KXTxSUvA3bQ

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7482.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7482.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/1680-189-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-190-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-192-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-194-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-196-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-198-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-200-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-202-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-204-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-206-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-208-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-210-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-214-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-217-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-219-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-221-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-223-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-225-0x00000000052B0000-0x00000000052EF000-memory.dmp	family_redline
behavioral1/memory/1680-1109-0x00000000026B0000-0x00000000026C0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4768	un332912.exe
464	pro7482.exe
1680	qu3333.exe
448	si189581.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7482.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7482.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un332912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un332912.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
464	pro7482.exe
464	pro7482.exe
1680	qu3333.exe
1680	qu3333.exe
448	si189581.exe
448	si189581.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	pro7482.exe
Token: SeDebugPrivilege	1680	qu3333.exe
Token: SeDebugPrivilege	448	si189581.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4768	4896	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe	85
PID 4896 wrote to memory of 4768	4896	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe	85
PID 4896 wrote to memory of 4768	4896	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe	85
PID 4768 wrote to memory of 464	4768	un332912.exe	86
PID 4768 wrote to memory of 464	4768	un332912.exe	86
PID 4768 wrote to memory of 464	4768	un332912.exe	86
PID 4768 wrote to memory of 1680	4768	un332912.exe	89
PID 4768 wrote to memory of 1680	4768	un332912.exe	89
PID 4768 wrote to memory of 1680	4768	un332912.exe	89
PID 4896 wrote to memory of 448	4896	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe	90
PID 4896 wrote to memory of 448	4896	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe	90
PID 4896 wrote to memory of 448	4896	26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe	90

C:\Users\Admin\AppData\Local\Temp\26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe
"C:\Users\Admin\AppData\Local\Temp\26aa0cb4f40f9533360870030aaf572ddb58a0455d80ff5fe90baae8b4a53860.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un332912.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un332912.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7482.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7482.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3333.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3333.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si189581.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si189581.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si189581.exe

Filesize
175KB

MD5
bc51c0add3ff144d7fc40dbb26cca0e7

SHA1
2fc0a8fcf8552720ea18e60dc6b56fb7f48ef4de

SHA256
60fa87a755f8c86598cb9e685598d0103ac5d4e7393d36185e2113aaea54c241

SHA512
348f3b5c0944327b6323fa2b61bf5caa9fafe33396ef1b7ba6ef3c9e333c6040edf7bf2c764fda39f49e1fab17bfead9977de11346d8f09d048aeb612dcd6e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si189581.exe

Filesize
175KB

MD5
bc51c0add3ff144d7fc40dbb26cca0e7

SHA1
2fc0a8fcf8552720ea18e60dc6b56fb7f48ef4de

SHA256
60fa87a755f8c86598cb9e685598d0103ac5d4e7393d36185e2113aaea54c241

SHA512
348f3b5c0944327b6323fa2b61bf5caa9fafe33396ef1b7ba6ef3c9e333c6040edf7bf2c764fda39f49e1fab17bfead9977de11346d8f09d048aeb612dcd6e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un332912.exe

Filesize
554KB

MD5
7bd089f480d1d391226b3da1ddaea006

SHA1
968457cf65db4d391e1a866f4830096de6eccdce

SHA256
539d5f768362d03845cd87b6dcc5a92a73426a2c07db77bcc722cbba0818b517

SHA512
59bee639c923efbf0d781e4ce7ce20a020b95d2072deeec8e9b1b466c9f26623745b54a0080221f6227aa4045e3fcf352ba364a68ccc258eed6c24f8b5d878d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un332912.exe

Filesize
554KB

MD5
7bd089f480d1d391226b3da1ddaea006

SHA1
968457cf65db4d391e1a866f4830096de6eccdce

SHA256
539d5f768362d03845cd87b6dcc5a92a73426a2c07db77bcc722cbba0818b517

SHA512
59bee639c923efbf0d781e4ce7ce20a020b95d2072deeec8e9b1b466c9f26623745b54a0080221f6227aa4045e3fcf352ba364a68ccc258eed6c24f8b5d878d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7482.exe

Filesize
308KB

MD5
91eddd2e4c55451086398bff3c7c3dfb

SHA1
948cf7edd2f7bd3488549256e352ccfb77a3a0fc

SHA256
25d2c1bbbc56434e4c17335c93529b5e87a116d313456e9faeb344de0cca7aa7

SHA512
63fd3410359f24a28cd110ea66944d57722effe4b7023eb62fc387048edf1b10d5b27c741a8fae55eb4bb8e26a618e93890512d470081857e788b69c6cd9753e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7482.exe

Filesize
308KB

MD5
91eddd2e4c55451086398bff3c7c3dfb

SHA1
948cf7edd2f7bd3488549256e352ccfb77a3a0fc

SHA256
25d2c1bbbc56434e4c17335c93529b5e87a116d313456e9faeb344de0cca7aa7

SHA512
63fd3410359f24a28cd110ea66944d57722effe4b7023eb62fc387048edf1b10d5b27c741a8fae55eb4bb8e26a618e93890512d470081857e788b69c6cd9753e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3333.exe

Filesize
366KB

MD5
f226b619bd44d93ef0589d183793495f

SHA1
a7a3c257e950835ac65f1eaad78584867ec6bdfa

SHA256
43a6aba63c700fa34070e73429b90f45ddb33394939bb82b3129fb4cdc666a5c

SHA512
89461083ec0080d100b83b2d4909573d4a4047845319b3a24eaec04a8ac2d02d01e621aec43ebb29f226dba73c82cf0e43a4027578784b1808c58947c8c1d21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3333.exe

Filesize
366KB

MD5
f226b619bd44d93ef0589d183793495f

SHA1
a7a3c257e950835ac65f1eaad78584867ec6bdfa

SHA256
43a6aba63c700fa34070e73429b90f45ddb33394939bb82b3129fb4cdc666a5c

SHA512
89461083ec0080d100b83b2d4909573d4a4047845319b3a24eaec04a8ac2d02d01e621aec43ebb29f226dba73c82cf0e43a4027578784b1808c58947c8c1d21f

Download Submit
memory/448-1119-0x00000000007E0000-0x0000000000812000-memory.dmp

Filesize
200KB

Download
memory/448-1120-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/464-157-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-167-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-151-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/464-152-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-153-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-155-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/464-159-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-161-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-163-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-165-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-150-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/464-169-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-171-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-173-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-175-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-177-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-179-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/464-180-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/464-181-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/464-182-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/464-184-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/464-148-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/1680-192-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-221-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-194-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-196-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-198-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-200-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-202-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-204-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-206-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-208-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-211-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/1680-210-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-214-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-215-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-212-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-217-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-219-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-190-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-223-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-225-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-1098-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/1680-1099-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/1680-1100-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/1680-1101-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/1680-1102-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-1103-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/1680-1104-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/1680-1105-0x00000000066E0000-0x0000000006756000-memory.dmp

Filesize
472KB

Download
memory/1680-1106-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/1680-1108-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-1109-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-1110-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-189-0x00000000052B0000-0x00000000052EF000-memory.dmp

Filesize
252KB

Download
memory/1680-1111-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1680-1112-0x0000000006A70000-0x0000000006C32000-memory.dmp

Filesize
1.8MB

Download
memory/1680-1113-0x0000000006E40000-0x000000000736C000-memory.dmp

Filesize
5.2MB

Download