redline | a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada

Analysis

max time kernel
61s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe
Size

695KB
MD5

4c19150d459ba981120a4311d31368b8
SHA1

8e920063b955f027cc202cf30f5462d14476d834
SHA256

a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada
SHA512

b948c4099ba4e8c424e4940c692cbc33509b6529d563aa3cefddaa6626b2ede2ed99553f3941a2ff85d4e041e0966ae77b01db330570e1902fbf861cba829542
SSDEEP

12288:fMrPy90Js6SyhrnGbfGTRbFxMylueSK394eyvPSKzF9vJ6ay3X8/hu4zz:Ay8s67aGdbFxMylueJt4eyyGF53y3X81

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3979.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3979.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/2404-190-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-191-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-193-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-195-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-197-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-203-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-201-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-199-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-205-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-207-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-209-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-211-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-215-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-213-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-218-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-220-0x0000000004D90000-0x0000000004DA0000-memory.dmp	family_redline
behavioral1/memory/2404-221-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-225-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/2404-227-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4184	un422653.exe
4736	pro3979.exe
2404	qu5644.exe
3128	si149018.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3979.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un422653.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un422653.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4736	pro3979.exe
4736	pro3979.exe
2404	qu5644.exe
2404	qu5644.exe
3128	si149018.exe
3128	si149018.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	pro3979.exe
Token: SeDebugPrivilege	2404	qu5644.exe
Token: SeDebugPrivilege	3128	si149018.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4184	3080	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe	83
PID 3080 wrote to memory of 4184	3080	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe	83
PID 3080 wrote to memory of 4184	3080	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe	83
PID 4184 wrote to memory of 4736	4184	un422653.exe	84
PID 4184 wrote to memory of 4736	4184	un422653.exe	84
PID 4184 wrote to memory of 4736	4184	un422653.exe	84
PID 4184 wrote to memory of 2404	4184	un422653.exe	91
PID 4184 wrote to memory of 2404	4184	un422653.exe	91
PID 4184 wrote to memory of 2404	4184	un422653.exe	91
PID 3080 wrote to memory of 3128	3080	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe	93
PID 3080 wrote to memory of 3128	3080	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe	93
PID 3080 wrote to memory of 3128	3080	a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe	93

C:\Users\Admin\AppData\Local\Temp\a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe
"C:\Users\Admin\AppData\Local\Temp\a7e90548f89f37c67e4d4dbf19bd08aef7b9ccd396c88a51af57f511dcf83ada.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422653.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422653.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3979.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5644.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5644.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si149018.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si149018.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si149018.exe

Filesize
175KB

MD5
5602d77c09d5552f35dd13894c60bc1a

SHA1
56917fc4f2545c7cd94784c42fd8b9238f77f464

SHA256
98d82a44ab2d8f80eb5131ab58054aeebc63354e6afa5c9000a9f4aea759437a

SHA512
b8008bd28d49c32f98990c20f8fecea30ea15126f9c3cd32a81dbe693874d0fe570c9b744022840b59ecddafcdb187e03273c2100c2c76ac701b47601ebf7233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si149018.exe

Filesize
175KB

MD5
5602d77c09d5552f35dd13894c60bc1a

SHA1
56917fc4f2545c7cd94784c42fd8b9238f77f464

SHA256
98d82a44ab2d8f80eb5131ab58054aeebc63354e6afa5c9000a9f4aea759437a

SHA512
b8008bd28d49c32f98990c20f8fecea30ea15126f9c3cd32a81dbe693874d0fe570c9b744022840b59ecddafcdb187e03273c2100c2c76ac701b47601ebf7233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422653.exe

Filesize
553KB

MD5
93d027b2b41ad1812b807704ec806278

SHA1
ebb33e55af06d3f18a8c7a7740b93c74380b9662

SHA256
a3ef4c17d9e03022524b94f9c72dd7beb6cb3fbde2e9deb53739b90e32450e38

SHA512
4191ef71da2054b51bb500a4b72d10bbc2c032a9fc81e16ab0c52c8ee80342147c86d378bca428a7e1171656721e63d4f4c030f62afc5578ce8abfb6f241d1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un422653.exe

Filesize
553KB

MD5
93d027b2b41ad1812b807704ec806278

SHA1
ebb33e55af06d3f18a8c7a7740b93c74380b9662

SHA256
a3ef4c17d9e03022524b94f9c72dd7beb6cb3fbde2e9deb53739b90e32450e38

SHA512
4191ef71da2054b51bb500a4b72d10bbc2c032a9fc81e16ab0c52c8ee80342147c86d378bca428a7e1171656721e63d4f4c030f62afc5578ce8abfb6f241d1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3979.exe

Filesize
308KB

MD5
703ea2e6b2655868482cf5405e1dfef2

SHA1
631f90dfd1ab3e52a965fef7e0557b50cf152b6e

SHA256
c479a38db9839ee37eabcf579d7756f93f31bf99fb8add8e2d01e948e9977578

SHA512
259688e4e28a6c67083f6f97b7e245c42a5e1967b20ee8d4186ce37bb5ed03696330c128128c86e769de682859be02d91259c4eb5091748ec239c0e4d68af437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3979.exe

Filesize
308KB

MD5
703ea2e6b2655868482cf5405e1dfef2

SHA1
631f90dfd1ab3e52a965fef7e0557b50cf152b6e

SHA256
c479a38db9839ee37eabcf579d7756f93f31bf99fb8add8e2d01e948e9977578

SHA512
259688e4e28a6c67083f6f97b7e245c42a5e1967b20ee8d4186ce37bb5ed03696330c128128c86e769de682859be02d91259c4eb5091748ec239c0e4d68af437

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5644.exe

Filesize
366KB

MD5
90ca74c30e910508fa097488315b4863

SHA1
132566c0f7a6d483825366044ae334f94a86d01f

SHA256
b0a9020cea59bc62188c5721df273e5a05e1752a16d5d5e26fd2ac36e649cef4

SHA512
0e68cf0693916eff9b6ff4e1060a65eb632d3a5f9f8b4b93229c8823ed08269e4496fb4f58e4c2b53a314c8a5f5551db9905be991cb26bd4ac9acdee96ba07c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5644.exe

Filesize
366KB

MD5
90ca74c30e910508fa097488315b4863

SHA1
132566c0f7a6d483825366044ae334f94a86d01f

SHA256
b0a9020cea59bc62188c5721df273e5a05e1752a16d5d5e26fd2ac36e649cef4

SHA512
0e68cf0693916eff9b6ff4e1060a65eb632d3a5f9f8b4b93229c8823ed08269e4496fb4f58e4c2b53a314c8a5f5551db9905be991cb26bd4ac9acdee96ba07c8

Download Submit
memory/2404-223-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-1102-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/2404-1115-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-1114-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

Filesize
320KB

Download
memory/2404-1113-0x0000000006F10000-0x0000000006F86000-memory.dmp

Filesize
472KB

Download
memory/2404-1112-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-1111-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-1110-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-1109-0x00000000068B0000-0x0000000006DDC000-memory.dmp

Filesize
5.2MB

Download
memory/2404-1108-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/2404-1106-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/2404-1105-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/2404-1104-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-1103-0x0000000005B60000-0x0000000005B9C000-memory.dmp

Filesize
240KB

Download
memory/2404-1101-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2404-1100-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/2404-227-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-225-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-221-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-222-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-220-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2404-218-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-190-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-191-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-193-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-195-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-197-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-203-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-201-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-199-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-205-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-207-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-209-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-211-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-215-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-213-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/2404-217-0x0000000000850000-0x000000000089B000-memory.dmp

Filesize
300KB

Download
memory/3128-1121-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download
memory/3128-1122-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/4736-172-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-148-0x0000000004C80000-0x0000000005224000-memory.dmp

Filesize
5.6MB

Download
memory/4736-182-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4736-181-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4736-150-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4736-180-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-178-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-154-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-176-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-174-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-152-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4736-183-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4736-164-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-166-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-168-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-162-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-160-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-158-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-156-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-153-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/4736-170-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4736-185-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4736-151-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download