redline | 832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815

General

Target

832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe
Size

690KB
MD5

8aa1d94b74a86eaa809756ca4d3863be
SHA1

2b6ee59b8ce62ec6147d84a4de3cc22ca9255f31
SHA256

832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815
SHA512

438c21694b576f9f7cee59d9610ee71394db5843af7b699627ccb392cf751d517ac28ac631b1099fd424337c8ed29b44a6f523b3c2696a2fca8deffcc704e3c1
SSDEEP

12288:TMrgy90stdF3CpFVA054Lk5Oqdq3KYmnFxp837RkLpRsq8e+81CNB:XyfXQA05r5Dqizp837Rk8q8eb1QB

Score

10^/10

redline rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro2295.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro2295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2295.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4320-189-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-190-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-192-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-194-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-196-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-198-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-200-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-202-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-204-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-206-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-210-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-208-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-212-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-214-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-216-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-218-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-220-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-222-0x0000000004CD0000-0x0000000004D0F000-memory.dmp	family_redline
behavioral1/memory/4320-347-0x0000000004E20000-0x0000000004E30000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

un890303.exepro2295.exequ7693.exe

pid process

2360 un890303.exe
1852 pro2295.exe
4320 qu7693.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2360	un890303.exe
1852	pro2295.exe
4320	qu7693.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro2295.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2295.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exeun890303.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un890303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un890303.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1628 1852 WerFault.exe pro2295.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pro2295.exequ7693.exe

pid process

1852 pro2295.exe
1852 pro2295.exe
4320 qu7693.exe
4320 qu7693.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro2295.exequ7693.exe

description pid process

Token: SeDebugPrivilege 1852 pro2295.exe
Token: SeDebugPrivilege 4320 qu7693.exe

pid	pid_target	process	target process
1628	1852	WerFault.exe	pro2295.exe

pid	process
1852	pro2295.exe
1852	pro2295.exe
4320	qu7693.exe
4320	qu7693.exe

description	pid	process
Token: SeDebugPrivilege	1852	pro2295.exe
Token: SeDebugPrivilege	4320	qu7693.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exeun890303.exe

description	pid	process	target process
PID 1660 wrote to memory of 2360	1660	832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe	un890303.exe
PID 1660 wrote to memory of 2360	1660	832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe	un890303.exe
PID 1660 wrote to memory of 2360	1660	832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe	un890303.exe
PID 2360 wrote to memory of 1852	2360	un890303.exe	pro2295.exe
PID 2360 wrote to memory of 1852	2360	un890303.exe	pro2295.exe
PID 2360 wrote to memory of 1852	2360	un890303.exe	pro2295.exe
PID 2360 wrote to memory of 4320	2360	un890303.exe	qu7693.exe
PID 2360 wrote to memory of 4320	2360	un890303.exe	qu7693.exe
PID 2360 wrote to memory of 4320	2360	un890303.exe	qu7693.exe

C:\Users\Admin\AppData\Local\Temp\832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe
"C:\Users\Admin\AppData\Local\Temp\832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1096
4⤵
- Program crash
PID:1628

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1852 -ip 1852
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
Filesize
548KB

MD5
b37e393e99e497b58cf5dd7ac941d33c

SHA1
39b1eff1544dc71475f20f6e98901e187bc339c3

SHA256
9eeb4b1122fb4f901e31f6b8fdb74a3675a12ea723c9df13dadeafc8175ce2f9

SHA512
3d14c8f20617032f69d9776cde61c2de255e3f046b3e44cc2e9ce783a8fb1ad672ee2f6a32532050f4d84bc34678990cdc915b02ed0c54a5c2b44be8a5dca2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
Filesize
548KB

MD5
b37e393e99e497b58cf5dd7ac941d33c

SHA1
39b1eff1544dc71475f20f6e98901e187bc339c3

SHA256
9eeb4b1122fb4f901e31f6b8fdb74a3675a12ea723c9df13dadeafc8175ce2f9

SHA512
3d14c8f20617032f69d9776cde61c2de255e3f046b3e44cc2e9ce783a8fb1ad672ee2f6a32532050f4d84bc34678990cdc915b02ed0c54a5c2b44be8a5dca2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
Filesize
291KB

MD5
89b28cdff6e1cce40e9137abd1613ebc

SHA1
ba7ec22a9de57a52dbeea36dadd67e937a439ad4

SHA256
68f02ebbfd48fe7bdaf1b0cd946e5434c6388d6023d6017f1a34ac2d1d661284

SHA512
70ebfd243df0260d33e811fd9464f0d836f3cb2aa74f9b78bb1c2eaaa45ef80d039efd18b0cf85bb667b4f2d875b27c96b9c5b1cd84b4d1db72e0d71e7f53ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
Filesize
291KB

MD5
89b28cdff6e1cce40e9137abd1613ebc

SHA1
ba7ec22a9de57a52dbeea36dadd67e937a439ad4

SHA256
68f02ebbfd48fe7bdaf1b0cd946e5434c6388d6023d6017f1a34ac2d1d661284

SHA512
70ebfd243df0260d33e811fd9464f0d836f3cb2aa74f9b78bb1c2eaaa45ef80d039efd18b0cf85bb667b4f2d875b27c96b9c5b1cd84b4d1db72e0d71e7f53ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
Filesize
350KB

MD5
b6c3eaecac4fbe4ecbf85926f66d6d1f

SHA1
03b9eee841687288453c60853d0ad2b7579f9dec

SHA256
7e4fa8d832b74314b56f3ba1939ef9deae315c220e98a1fe7c7c56626153bc05

SHA512
066065b2e26fd1f8ce9a7af10205186e3096b128c50af9b7178f7f1ec527e784560d78b6cc3849b6f47ed02a798271eda1a9ae8a41a60ca0bb9ec549b603d2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
Filesize
350KB

MD5
b6c3eaecac4fbe4ecbf85926f66d6d1f

SHA1
03b9eee841687288453c60853d0ad2b7579f9dec

SHA256
7e4fa8d832b74314b56f3ba1939ef9deae315c220e98a1fe7c7c56626153bc05

SHA512
066065b2e26fd1f8ce9a7af10205186e3096b128c50af9b7178f7f1ec527e784560d78b6cc3849b6f47ed02a798271eda1a9ae8a41a60ca0bb9ec549b603d2e3

Download Submit
memory/1852-149-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/1852-150-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1852-148-0x00000000007F0000-0x000000000081D000-memory.dmp

Filesize
180KB

Download
memory/1852-151-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1852-152-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-153-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-155-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-157-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-159-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-161-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-163-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-165-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-167-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-169-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-171-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-173-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-175-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-177-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-179-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/1852-180-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1852-181-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1852-182-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1852-184-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4320-189-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-190-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-192-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-194-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-196-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-198-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-200-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-202-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-204-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-206-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-210-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-208-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-212-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-214-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-216-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-218-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-220-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-222-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

Filesize
252KB

Download
memory/4320-343-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-341-0x0000000000810000-0x000000000085B000-memory.dmp

Filesize
300KB

Download
memory/4320-345-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-347-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-1099-0x00000000053E0000-0x00000000059F8000-memory.dmp

Filesize
6.1MB

Download
memory/4320-1100-0x0000000005A00000-0x0000000005B0A000-memory.dmp

Filesize
1.0MB

Download
memory/4320-1101-0x0000000005B10000-0x0000000005B22000-memory.dmp

Filesize
72KB

Download
memory/4320-1102-0x0000000005B30000-0x0000000005B6C000-memory.dmp

Filesize
240KB

Download
memory/4320-1103-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-1105-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/4320-1106-0x00000000065C0000-0x0000000006652000-memory.dmp

Filesize
584KB

Download
memory/4320-1107-0x00000000066B0000-0x0000000006726000-memory.dmp

Filesize
472KB

Download
memory/4320-1108-0x0000000006740000-0x0000000006790000-memory.dmp

Filesize
320KB

Download
memory/4320-1109-0x00000000067C0000-0x0000000006982000-memory.dmp

Filesize
1.8MB

Download
memory/4320-1111-0x0000000006990000-0x0000000006EBC000-memory.dmp

Filesize
5.2MB

Download
memory/4320-1112-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-1110-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-1113-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4320-1114-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads