redline | 20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512

General

Target

20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe
Size

699KB
MD5

428b136f6c2f7cac893d1b08e36651a2
SHA1

681461648d6ebd29b6ad0fa2c8fb18148b304a23
SHA256

20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512
SHA512

11a8d1fb8f9d5b58c8354b750be59de30e619d724e727c12104dc00d90da762174c25468edfaf23918bccc0df30678c926e2bfa590b5d83e09fd467cba535929
SSDEEP

12288:EMrDy90JW7/U4FK7/irdxgXuh4CjSrGMFqfej7cxor7ic:fykAr+iTMtBrlCeHcxor7P

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro2072.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2072.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/376-176-0x0000000002550000-0x0000000002596000-memory.dmp	family_redline
behavioral1/memory/376-177-0x00000000027E0000-0x0000000002824000-memory.dmp	family_redline
behavioral1/memory/376-178-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-179-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-182-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-186-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-189-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-191-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-193-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-195-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-197-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-199-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-201-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-203-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-205-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-207-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-209-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-211-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-213-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline
behavioral1/memory/376-215-0x00000000027E0000-0x000000000281F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

un901488.exepro2072.exequ7650.exesi658509.exe

pid process

2264 un901488.exe
2504 pro2072.exe
376 qu7650.exe
3880 si658509.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2264	un901488.exe
2504	pro2072.exe
376	qu7650.exe
3880	si658509.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro2072.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2072.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exeun901488.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un901488.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un901488.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pro2072.exequ7650.exesi658509.exe

pid process

2504 pro2072.exe
2504 pro2072.exe
376 qu7650.exe
376 qu7650.exe
3880 si658509.exe
3880 si658509.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pro2072.exequ7650.exesi658509.exe

description pid process

Token: SeDebugPrivilege 2504 pro2072.exe
Token: SeDebugPrivilege 376 qu7650.exe
Token: SeDebugPrivilege 3880 si658509.exe

pid	process
2504	pro2072.exe
2504	pro2072.exe
376	qu7650.exe
376	qu7650.exe
3880	si658509.exe
3880	si658509.exe

description	pid	process
Token: SeDebugPrivilege	2504	pro2072.exe
Token: SeDebugPrivilege	376	qu7650.exe
Token: SeDebugPrivilege	3880	si658509.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exeun901488.exe

description	pid	process	target process
PID 2064 wrote to memory of 2264	2064	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe	un901488.exe
PID 2064 wrote to memory of 2264	2064	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe	un901488.exe
PID 2064 wrote to memory of 2264	2064	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe	un901488.exe
PID 2264 wrote to memory of 2504	2264	un901488.exe	pro2072.exe
PID 2264 wrote to memory of 2504	2264	un901488.exe	pro2072.exe
PID 2264 wrote to memory of 2504	2264	un901488.exe	pro2072.exe
PID 2264 wrote to memory of 376	2264	un901488.exe	qu7650.exe
PID 2264 wrote to memory of 376	2264	un901488.exe	qu7650.exe
PID 2264 wrote to memory of 376	2264	un901488.exe	qu7650.exe
PID 2064 wrote to memory of 3880	2064	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe	si658509.exe
PID 2064 wrote to memory of 3880	2064	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe	si658509.exe
PID 2064 wrote to memory of 3880	2064	20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe	si658509.exe

C:\Users\Admin\AppData\Local\Temp\20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe
"C:\Users\Admin\AppData\Local\Temp\20fed0270b728e9f1e59f3a13ae2341087f089ac274618739c1f2de4d3978512.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un901488.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un901488.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2072.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2072.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7650.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7650.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658509.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658509.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658509.exe
Filesize
175KB

MD5
d290a8179e666e9c40fafb2d9e632281

SHA1
8c5a8c429ca56f90f674d5309455115e2f012ad5

SHA256
d420a728a63a6369037d46fbff2a40fa52b2045e4a8ddf4a75257756038890f2

SHA512
76a6f4abd1b7ea626a33eb39bbe2047d6b29c78f19c93eee9bfe5ad4ca4d269dbf7055e07888f32317dc69e29ffe5f23af82b8f0b9b6e5990f385160d568db7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si658509.exe
Filesize
175KB

MD5
d290a8179e666e9c40fafb2d9e632281

SHA1
8c5a8c429ca56f90f674d5309455115e2f012ad5

SHA256
d420a728a63a6369037d46fbff2a40fa52b2045e4a8ddf4a75257756038890f2

SHA512
76a6f4abd1b7ea626a33eb39bbe2047d6b29c78f19c93eee9bfe5ad4ca4d269dbf7055e07888f32317dc69e29ffe5f23af82b8f0b9b6e5990f385160d568db7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un901488.exe
Filesize
557KB

MD5
255de320d6cad4722e0eabb2f92047b8

SHA1
8a277f54ba36dd907e81d513f2033090a42edf88

SHA256
cc0f1f8c28cdaa2cc982655cf858d8b19b843f176c2fdac8d5fd1ee820c5285e

SHA512
a6aa3431daa13ff3a092cdb6614b304f884289ecff50d8927413bef141bfb0b02da63970e702d2f2f221911d0de038cb4b62b4bd840763657539302287ac7581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un901488.exe
Filesize
557KB

MD5
255de320d6cad4722e0eabb2f92047b8

SHA1
8a277f54ba36dd907e81d513f2033090a42edf88

SHA256
cc0f1f8c28cdaa2cc982655cf858d8b19b843f176c2fdac8d5fd1ee820c5285e

SHA512
a6aa3431daa13ff3a092cdb6614b304f884289ecff50d8927413bef141bfb0b02da63970e702d2f2f221911d0de038cb4b62b4bd840763657539302287ac7581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2072.exe
Filesize
307KB

MD5
d7540529573170feb26fe106cc723e12

SHA1
0ef542a6c05aa4f49034b21b172f787383a610fe

SHA256
7803d47bab1a5f582f6c0b07cb2d41e049475d878e15006b02bfa90d10f57887

SHA512
035b73de7ae35bfe5018a626f795d79737d63217b7abdd3582b6b4014a143f08ffc621b8e4bbbef58170e48419d5cde49eff3bc99a964568be2022d8e33d607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2072.exe
Filesize
307KB

MD5
d7540529573170feb26fe106cc723e12

SHA1
0ef542a6c05aa4f49034b21b172f787383a610fe

SHA256
7803d47bab1a5f582f6c0b07cb2d41e049475d878e15006b02bfa90d10f57887

SHA512
035b73de7ae35bfe5018a626f795d79737d63217b7abdd3582b6b4014a143f08ffc621b8e4bbbef58170e48419d5cde49eff3bc99a964568be2022d8e33d607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7650.exe
Filesize
365KB

MD5
12415a60c751a10ec84b1d3c256eecdb

SHA1
120ea9985ca8c9c844254c37e014836263ea8f79

SHA256
6788ef9cc90c54d2549d8e552b23c11f9ec8094ce5aa2ec97c6e139d66236010

SHA512
97d448028faf480cd24ee44b97c1485f1502f200ea8c9f5544bcb55007bc6c17968f195d8c93327c1d7ed9edd505cd6597c9f4129ec10e956736b895c51adcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7650.exe
Filesize
365KB

MD5
12415a60c751a10ec84b1d3c256eecdb

SHA1
120ea9985ca8c9c844254c37e014836263ea8f79

SHA256
6788ef9cc90c54d2549d8e552b23c11f9ec8094ce5aa2ec97c6e139d66236010

SHA512
97d448028faf480cd24ee44b97c1485f1502f200ea8c9f5544bcb55007bc6c17968f195d8c93327c1d7ed9edd505cd6597c9f4129ec10e956736b895c51adcae

Download Submit
memory/376-1091-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/376-215-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-191-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-187-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-1103-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download
memory/376-1102-0x0000000007080000-0x00000000070F6000-memory.dmp

Filesize
472KB

Download
memory/376-1101-0x0000000006690000-0x0000000006BBC000-memory.dmp

Filesize
5.2MB

Download
memory/376-1100-0x00000000064A0000-0x0000000006662000-memory.dmp

Filesize
1.8MB

Download
memory/376-1099-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-1098-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/376-193-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-1097-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/376-1096-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-1095-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-1093-0x0000000005B70000-0x0000000005BBB000-memory.dmp

Filesize
300KB

Download
memory/376-1092-0x0000000005A20000-0x0000000005A5E000-memory.dmp

Filesize
248KB

Download
memory/376-1090-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-1089-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/376-1088-0x0000000005410000-0x0000000005A16000-memory.dmp

Filesize
6.0MB

Download
memory/376-207-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-176-0x0000000002550000-0x0000000002596000-memory.dmp

Filesize
280KB

Download
memory/376-177-0x00000000027E0000-0x0000000002824000-memory.dmp

Filesize
272KB

Download
memory/376-178-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-179-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-181-0x0000000000720000-0x000000000076B000-memory.dmp

Filesize
300KB

Download
memory/376-182-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-183-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-186-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-185-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/376-189-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-213-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-211-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-209-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-195-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-197-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-199-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-201-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-203-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/376-205-0x00000000027E0000-0x000000000281F000-memory.dmp

Filesize
252KB

Download
memory/2504-169-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2504-160-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-137-0x0000000000A20000-0x0000000000A3A000-memory.dmp

Filesize
104KB

Download
memory/2504-141-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-139-0x0000000004D50000-0x000000000524E000-memory.dmp

Filesize
5.0MB

Download
memory/2504-140-0x0000000000B00000-0x0000000000B18000-memory.dmp

Filesize
96KB

Download
memory/2504-171-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2504-138-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2504-142-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-168-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-166-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-164-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-162-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-158-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-156-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-154-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-152-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-150-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-148-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-146-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-144-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2504-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3880-1109-0x00000000001E0000-0x0000000000212000-memory.dmp

Filesize
200KB

Download
memory/3880-1110-0x0000000004C20000-0x0000000004C6B000-memory.dmp

Filesize
300KB

Download
memory/3880-1111-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads