redline | 8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4

General

Target

8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe
Size

690KB
MD5

18dd54cf38ed9d12d03073a8b29fa347
SHA1

3c646221303c3c258934796922a7aa2c18bb843d
SHA256

8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4
SHA512

a741a6f3b2af66fcfee2361c83c05a301abeb85b9663b71d6995cf91cfdd23a7ae76400c8e7aedef02d856769ebf6dd1f8558d34b67a744324055cb1e626801d
SSDEEP

12288:VMrqy90wbFXE5f1n80ZR5bsrrIq0Ulj/e5mWXFHqbRfdNoUQhhTjgy:Hyble8C4rkqh7UmWCIBhhT8y

Score

10^/10

redline rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro1418.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1418.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1418.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2180-194-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-195-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-199-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-197-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-201-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-203-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-205-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-207-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-209-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-211-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-213-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-217-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-215-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-219-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-221-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-223-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-225-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline
behavioral1/memory/2180-227-0x0000000002870000-0x00000000028AF000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

un958577.exepro1418.exequ1782.exe

pid process

1620 un958577.exe
4852 pro1418.exe
2180 qu1782.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1620	un958577.exe
4852	pro1418.exe
2180	qu1782.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro1418.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1418.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exeun958577.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un958577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un958577.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2832 4852 WerFault.exe pro1418.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pro1418.exequ1782.exe

pid process

4852 pro1418.exe
4852 pro1418.exe
2180 qu1782.exe
2180 qu1782.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro1418.exequ1782.exe

description pid process

Token: SeDebugPrivilege 4852 pro1418.exe
Token: SeDebugPrivilege 2180 qu1782.exe

pid	pid_target	process	target process
2832	4852	WerFault.exe	pro1418.exe

pid	process
4852	pro1418.exe
4852	pro1418.exe
2180	qu1782.exe
2180	qu1782.exe

description	pid	process
Token: SeDebugPrivilege	4852	pro1418.exe
Token: SeDebugPrivilege	2180	qu1782.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exeun958577.exe

description	pid	process	target process
PID 1760 wrote to memory of 1620	1760	8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe	un958577.exe
PID 1760 wrote to memory of 1620	1760	8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe	un958577.exe
PID 1760 wrote to memory of 1620	1760	8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe	un958577.exe
PID 1620 wrote to memory of 4852	1620	un958577.exe	pro1418.exe
PID 1620 wrote to memory of 4852	1620	un958577.exe	pro1418.exe
PID 1620 wrote to memory of 4852	1620	un958577.exe	pro1418.exe
PID 1620 wrote to memory of 2180	1620	un958577.exe	qu1782.exe
PID 1620 wrote to memory of 2180	1620	un958577.exe	qu1782.exe
PID 1620 wrote to memory of 2180	1620	un958577.exe	qu1782.exe

C:\Users\Admin\AppData\Local\Temp\8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe
"C:\Users\Admin\AppData\Local\Temp\8fb89e7915630164ce388dcc48caff2fb425d93e570cc26b64b7a73d9aec19d4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un958577.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un958577.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1418.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1418.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1084
4⤵
- Program crash
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1782.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1782.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4852 -ip 4852
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un958577.exe
Filesize
549KB

MD5
4482c075e8e3c8e1daae8386908235fc

SHA1
b1df800f4b56288ec65b4a6490156ec543ed67e8

SHA256
c6d0bfd8ed6f7724949ceb81c43b82eac3e47ce39693fc02629ce339c4540faf

SHA512
2905ea3dcfd85672489639ccfacbeafca980d91b8b5be74efdb239c6f7399377d4caaea7d2f7292a7de1654f2d3ec46030214e8e31d59c9757b882fc71911eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un958577.exe
Filesize
549KB

MD5
4482c075e8e3c8e1daae8386908235fc

SHA1
b1df800f4b56288ec65b4a6490156ec543ed67e8

SHA256
c6d0bfd8ed6f7724949ceb81c43b82eac3e47ce39693fc02629ce339c4540faf

SHA512
2905ea3dcfd85672489639ccfacbeafca980d91b8b5be74efdb239c6f7399377d4caaea7d2f7292a7de1654f2d3ec46030214e8e31d59c9757b882fc71911eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1418.exe
Filesize
291KB

MD5
34cd6b6387390489459fef85dc68e1ca

SHA1
66940014ee16bb59ac3598e00f31b284fd5c6198

SHA256
5acaeef4f31ac06a733563b4c6e1eed2337b850abdf54d11686c909073477221

SHA512
d98a80812f87bc669131ab628f0432c472e13b160f752a1bdb1dd0aa3bcee56dfa3dbb57343352d0c4aa95045f8094ab7345af19cc7bb4e1a30ad25c1cae0369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1418.exe
Filesize
291KB

MD5
34cd6b6387390489459fef85dc68e1ca

SHA1
66940014ee16bb59ac3598e00f31b284fd5c6198

SHA256
5acaeef4f31ac06a733563b4c6e1eed2337b850abdf54d11686c909073477221

SHA512
d98a80812f87bc669131ab628f0432c472e13b160f752a1bdb1dd0aa3bcee56dfa3dbb57343352d0c4aa95045f8094ab7345af19cc7bb4e1a30ad25c1cae0369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1782.exe
Filesize
350KB

MD5
37f79014c812d6796f6f65476ca2e45d

SHA1
f6f57930a12c73abb7b211bfd25f84dbb2abeb70

SHA256
7635ad0bf24f1a41eac13367e8451528e034de2399119694710365fcb15c94bf

SHA512
6e6b02fe1dbebe13fa8bedd2b2f45a093c48fc21f3fc1dae7d29f06ef1202f6a5d3b95984a2cecfe3b5bfa4f95f52a52af21b3cb73046cb532b9ad68b5fdc354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1782.exe
Filesize
350KB

MD5
37f79014c812d6796f6f65476ca2e45d

SHA1
f6f57930a12c73abb7b211bfd25f84dbb2abeb70

SHA256
7635ad0bf24f1a41eac13367e8451528e034de2399119694710365fcb15c94bf

SHA512
6e6b02fe1dbebe13fa8bedd2b2f45a093c48fc21f3fc1dae7d29f06ef1202f6a5d3b95984a2cecfe3b5bfa4f95f52a52af21b3cb73046cb532b9ad68b5fdc354

Download Submit
memory/2180-227-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-437-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-199-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-1116-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-201-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-1115-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-1114-0x0000000006C00000-0x000000000712C000-memory.dmp

Filesize
5.2MB

Download
memory/2180-1111-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-197-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-1112-0x0000000006A30000-0x0000000006BF2000-memory.dmp

Filesize
1.8MB

Download
memory/2180-1109-0x00000000068C0000-0x0000000006910000-memory.dmp

Filesize
320KB

Download
memory/2180-1108-0x0000000006830000-0x00000000068A6000-memory.dmp

Filesize
472KB

Download
memory/2180-1107-0x0000000006740000-0x00000000067D2000-memory.dmp

Filesize
584KB

Download
memory/2180-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/2180-1105-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/2180-1104-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-1103-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/2180-1102-0x0000000005B50000-0x0000000005C5A000-memory.dmp

Filesize
1.0MB

Download
memory/2180-1101-0x0000000005530000-0x0000000005B48000-memory.dmp

Filesize
6.1MB

Download
memory/2180-211-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-225-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-223-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-221-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-219-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-215-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-191-0x0000000000850000-0x000000000089B000-memory.dmp

Filesize
300KB

Download
memory/2180-192-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-193-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-194-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-195-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-217-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-1113-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2180-213-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-203-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-205-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-207-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/2180-209-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/4852-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-154-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-152-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4852-149-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/4852-150-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4852-186-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4852-184-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4852-183-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4852-148-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/4852-182-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4852-181-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4852-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-151-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4852-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-166-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-162-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-160-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-156-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4852-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads