redline | ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a

Analysis

max time kernel
131s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe
Size

695KB
MD5

0cbea0c26ac17759f1f58dd1bf6abbaf
SHA1

2195f3f7a28d27485aa0e88a9ec29148297cd9f6
SHA256

ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a
SHA512

58884cfbcddad7dd42f0f699a509094b7d5e7f8440e784a60126a82e433a68535da512596eb5a05689dfe6684dc2a4ecde1b2f24078d3910556d54eb86645fbb
SSDEEP

12288:JMrdy90RAm0qFjX0bKEmpeuN6RJ7AcPuPlhk+nuyX8rPdzR1TJigzZqHGT:cy/mwKEmY9AcPelhJvyPNRJhqmT

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6512.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6512.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4208-195-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-196-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-198-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-200-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-202-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-204-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-206-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-208-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-210-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-212-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-214-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-216-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-218-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-220-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-222-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-224-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-226-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/4208-228-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3024	un872671.exe
1936	pro6512.exe
4208	qu7077.exe
1168	si311070.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6512.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6512.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un872671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un872671.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1828	sc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1936	pro6512.exe
1936	pro6512.exe
4208	qu7077.exe
4208	qu7077.exe
1168	si311070.exe
1168	si311070.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	pro6512.exe
Token: SeDebugPrivilege	4208	qu7077.exe
Token: SeDebugPrivilege	1168	si311070.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3024	1788	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe	84
PID 1788 wrote to memory of 3024	1788	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe	84
PID 1788 wrote to memory of 3024	1788	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe	84
PID 3024 wrote to memory of 1936	3024	un872671.exe	85
PID 3024 wrote to memory of 1936	3024	un872671.exe	85
PID 3024 wrote to memory of 1936	3024	un872671.exe	85
PID 3024 wrote to memory of 4208	3024	un872671.exe	89
PID 3024 wrote to memory of 4208	3024	un872671.exe	89
PID 3024 wrote to memory of 4208	3024	un872671.exe	89
PID 1788 wrote to memory of 1168	1788	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe	90
PID 1788 wrote to memory of 1168	1788	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe	90
PID 1788 wrote to memory of 1168	1788	ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe	90

C:\Users\Admin\AppData\Local\Temp\ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe
"C:\Users\Admin\AppData\Local\Temp\ad2eea7932b3cddb6beae671d001535b51cebaec639be00a5aa4668789df1d7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un872671.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un872671.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6512.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6512.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7077.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7077.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si311070.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si311070.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si311070.exe

Filesize
175KB

MD5
a03816e14155c18c398b3175dcd28ef3

SHA1
163c1c68c592e650f995298cb6de5cbaa23ac1a5

SHA256
ee8b09140d6df13d3e9cd9b2184249f99bd1e0942dc071f19c88d2dfc5dd71e7

SHA512
af26821582ed9a8254c6dcecdea79ef7746134263e515b1645c2223915148d37912284b9edfae6fdd95e7d2003699cb356ec8936fc917ffcdc666dee4c57eaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si311070.exe

Filesize
175KB

MD5
a03816e14155c18c398b3175dcd28ef3

SHA1
163c1c68c592e650f995298cb6de5cbaa23ac1a5

SHA256
ee8b09140d6df13d3e9cd9b2184249f99bd1e0942dc071f19c88d2dfc5dd71e7

SHA512
af26821582ed9a8254c6dcecdea79ef7746134263e515b1645c2223915148d37912284b9edfae6fdd95e7d2003699cb356ec8936fc917ffcdc666dee4c57eaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un872671.exe

Filesize
553KB

MD5
cd0c76867b67657f2e8b539d97833849

SHA1
d2e9a6e40b8c9d93e77ed2468d9a1b3bbce76b9f

SHA256
7a3b014e8c631a8b7d9e6fd2763cc33d0eb943c1fe3edde3bb92acd58cab0b67

SHA512
9a0ec72a98855451007facdc74a2fdb6b8bf27126bd9470e23f0525172d6422cd990429163f109a1a407eb75f3551ef147115ded98ef6a2c3fe129e61d9f613e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un872671.exe

Filesize
553KB

MD5
cd0c76867b67657f2e8b539d97833849

SHA1
d2e9a6e40b8c9d93e77ed2468d9a1b3bbce76b9f

SHA256
7a3b014e8c631a8b7d9e6fd2763cc33d0eb943c1fe3edde3bb92acd58cab0b67

SHA512
9a0ec72a98855451007facdc74a2fdb6b8bf27126bd9470e23f0525172d6422cd990429163f109a1a407eb75f3551ef147115ded98ef6a2c3fe129e61d9f613e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6512.exe

Filesize
308KB

MD5
226f3e610b90617415ee3caff4027068

SHA1
56be794bcaf6bfb211c2acac69a82979d335fe91

SHA256
0cac24e306267696457488369f861698b9040c32de4654461db2402bc934af1f

SHA512
982340cea7a9bc05e551c3df3e9b4ffa5144bdd8a6959da4f12d04f93c1c16cfddc96c0904c9219368de211542ca9bf7e7e8459f4765babd76e2f294e9373fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6512.exe

Filesize
308KB

MD5
226f3e610b90617415ee3caff4027068

SHA1
56be794bcaf6bfb211c2acac69a82979d335fe91

SHA256
0cac24e306267696457488369f861698b9040c32de4654461db2402bc934af1f

SHA512
982340cea7a9bc05e551c3df3e9b4ffa5144bdd8a6959da4f12d04f93c1c16cfddc96c0904c9219368de211542ca9bf7e7e8459f4765babd76e2f294e9373fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7077.exe

Filesize
366KB

MD5
e2e184501557fb275f3812b147373b04

SHA1
0ccdbbc5565c207804cda49ebfdb8cf44ef4a01b

SHA256
3894a0349eff02062fdd2bcfdae9499c96b76381ed7e2dbaaafadce4e66cdb4e

SHA512
5990f837b01eb5c118d8af910fec6d5ccf7b0df4baf4959b70758113dc5e83ce59e47c77fd33822e1fe98b70cdbc91a0c28ea3561cf803a57cbc3ad7680f7d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7077.exe

Filesize
366KB

MD5
e2e184501557fb275f3812b147373b04

SHA1
0ccdbbc5565c207804cda49ebfdb8cf44ef4a01b

SHA256
3894a0349eff02062fdd2bcfdae9499c96b76381ed7e2dbaaafadce4e66cdb4e

SHA512
5990f837b01eb5c118d8af910fec6d5ccf7b0df4baf4959b70758113dc5e83ce59e47c77fd33822e1fe98b70cdbc91a0c28ea3561cf803a57cbc3ad7680f7d2e

Download Submit
memory/1168-1122-0x00000000005A0000-0x00000000005D2000-memory.dmp

Filesize
200KB

Download
memory/1168-1123-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/1936-156-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-170-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-151-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1936-152-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1936-154-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-153-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-150-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1936-158-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-160-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-162-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-164-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-166-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-168-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/1936-172-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-174-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-176-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-178-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-180-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1936-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1936-182-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1936-183-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1936-184-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1936-186-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/1936-148-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/4208-194-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-226-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-193-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-195-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-196-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-198-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-200-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-202-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-204-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-206-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-208-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-210-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-212-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-214-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-216-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-218-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-220-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-222-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-224-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-192-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-228-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/4208-1101-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/4208-1102-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/4208-1103-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/4208-1104-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/4208-1105-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-1106-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/4208-1107-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/4208-1109-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-1110-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-1111-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4208-1112-0x0000000006950000-0x00000000069C6000-memory.dmp

Filesize
472KB

Download
memory/4208-1113-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/4208-191-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/4208-1114-0x0000000006A50000-0x0000000006C12000-memory.dmp

Filesize
1.8MB

Download
memory/4208-1115-0x0000000006C20000-0x000000000714C000-memory.dmp

Filesize
5.2MB

Download
memory/4208-1116-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download