redline | 49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c

General

Target

49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe
Size

690KB
MD5

2ed9f520c1d4d29c50ddbb7f142049ce
SHA1

80aa4fca4c979a38d1cd5b1bc6e3ea79503effda
SHA256

49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c
SHA512

7a7ce9a8002eba7158f0fc16e4eaade9feed5177439a0e63283fef67fd48ed1ad8f099fdcae5813c8a05dbb3fc28f90b67df3b50f3ca492b95b1f03002989324
SSDEEP

12288:qMrWy90V4c4Jk1ZF0KuH9UG8OM3KInzSM/8IzPL8rHXF5oLI4jwecU:Iych4Juox9UmMrSa8ILKF5oMucU

Score

10^/10

redline rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro8899.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8899.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-192-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-203-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-207-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-219-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-221-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-223-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-225-0x0000000004CC0000-0x0000000004CFF000-memory.dmp	family_redline
behavioral1/memory/1380-284-0x0000000004E30000-0x0000000004E40000-memory.dmp	family_redline
behavioral1/memory/1380-1110-0x0000000004E30000-0x0000000004E40000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

un201103.exepro8899.exequ2667.exe

pid process

4216 un201103.exe
1604 pro8899.exe
1380 qu2667.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4216	un201103.exe
1604	pro8899.exe
1380	qu2667.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro8899.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8899.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8899.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exeun201103.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un201103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un201103.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4116 1604 WerFault.exe pro8899.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pro8899.exequ2667.exe

pid process

1604 pro8899.exe
1604 pro8899.exe
1380 qu2667.exe
1380 qu2667.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro8899.exequ2667.exe

description pid process

Token: SeDebugPrivilege 1604 pro8899.exe
Token: SeDebugPrivilege 1380 qu2667.exe

pid	pid_target	process	target process
4116	1604	WerFault.exe	pro8899.exe

pid	process
1604	pro8899.exe
1604	pro8899.exe
1380	qu2667.exe
1380	qu2667.exe

description	pid	process
Token: SeDebugPrivilege	1604	pro8899.exe
Token: SeDebugPrivilege	1380	qu2667.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exeun201103.exe

description	pid	process	target process
PID 800 wrote to memory of 4216	800	49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe	un201103.exe
PID 800 wrote to memory of 4216	800	49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe	un201103.exe
PID 800 wrote to memory of 4216	800	49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe	un201103.exe
PID 4216 wrote to memory of 1604	4216	un201103.exe	pro8899.exe
PID 4216 wrote to memory of 1604	4216	un201103.exe	pro8899.exe
PID 4216 wrote to memory of 1604	4216	un201103.exe	pro8899.exe
PID 4216 wrote to memory of 1380	4216	un201103.exe	qu2667.exe
PID 4216 wrote to memory of 1380	4216	un201103.exe	qu2667.exe
PID 4216 wrote to memory of 1380	4216	un201103.exe	qu2667.exe

C:\Users\Admin\AppData\Local\Temp\49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe
"C:\Users\Admin\AppData\Local\Temp\49c2e881052b93ba70e12008918cd3055f87fe7bdb1fab1ead89ec5d1302563c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1076
4⤵
- Program crash
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1604 -ip 1604
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
Filesize
548KB

MD5
3e52cebbd65cae8b4f38bc280d82abcd

SHA1
c6c67c2bf6378b3ae2778a657f3b7116008b1bf4

SHA256
fd61391bf30cdcbbaacb2ac78658fe14b1e067f8cf1a66f7f989993af08c2a7e

SHA512
3466132e1334c0aa0d5b02f1f2477707b08ffd801d0f4669869d43e94eb6a787289d7533538acea3b16764061fdbac2ed5990b3396ff412697246ceec73d4271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un201103.exe
Filesize
548KB

MD5
3e52cebbd65cae8b4f38bc280d82abcd

SHA1
c6c67c2bf6378b3ae2778a657f3b7116008b1bf4

SHA256
fd61391bf30cdcbbaacb2ac78658fe14b1e067f8cf1a66f7f989993af08c2a7e

SHA512
3466132e1334c0aa0d5b02f1f2477707b08ffd801d0f4669869d43e94eb6a787289d7533538acea3b16764061fdbac2ed5990b3396ff412697246ceec73d4271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
Filesize
291KB

MD5
628a4f7a047cc1c84725d2095ffb2d2d

SHA1
4709f38b6df551f42c6352cf73524aba51ec1649

SHA256
889806864dfc1c5d962cc064ac2ece81cf90d8912ff092cd22d89bbeac1429c8

SHA512
ce55c7be8f2e16e39e2ca5eb1e43a3236497d703938d0d96d7e6b9840ccf98dcf1d67446a4bc06a4b081a099a1408f0d7441b7adde33f28ef3d518154f9a014f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8899.exe
Filesize
291KB

MD5
628a4f7a047cc1c84725d2095ffb2d2d

SHA1
4709f38b6df551f42c6352cf73524aba51ec1649

SHA256
889806864dfc1c5d962cc064ac2ece81cf90d8912ff092cd22d89bbeac1429c8

SHA512
ce55c7be8f2e16e39e2ca5eb1e43a3236497d703938d0d96d7e6b9840ccf98dcf1d67446a4bc06a4b081a099a1408f0d7441b7adde33f28ef3d518154f9a014f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
Filesize
350KB

MD5
1d100fe104af17211acea59264978bbc

SHA1
7dd0f277da14785b80744420264e497d9489bbcb

SHA256
7ca32b0fa90ff657528870048271675e62b21ec7cd32b29841723a5425646d97

SHA512
d7b0c62215c6aa81e419297976592d81571834820d6854b0de6fcd924f68b1aca07cfa394e5b65056c305a5420a56f4977206b14a1fd93ebe4102cc54649d91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2667.exe
Filesize
350KB

MD5
1d100fe104af17211acea59264978bbc

SHA1
7dd0f277da14785b80744420264e497d9489bbcb

SHA256
7ca32b0fa90ff657528870048271675e62b21ec7cd32b29841723a5425646d97

SHA512
d7b0c62215c6aa81e419297976592d81571834820d6854b0de6fcd924f68b1aca07cfa394e5b65056c305a5420a56f4977206b14a1fd93ebe4102cc54649d91c

Download Submit
memory/1380-279-0x00000000007F0000-0x000000000083B000-memory.dmp

Filesize
300KB

Download
memory/1380-1102-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/1380-199-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-1116-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-203-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-1115-0x0000000006C20000-0x000000000714C000-memory.dmp

Filesize
5.2MB

Download
memory/1380-1114-0x0000000006A50000-0x0000000006C12000-memory.dmp

Filesize
1.8MB

Download
memory/1380-1113-0x00000000068A0000-0x00000000068F0000-memory.dmp

Filesize
320KB

Download
memory/1380-201-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-1111-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-1110-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-1109-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/1380-1108-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/1380-1105-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-1106-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/1380-1104-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/1380-1103-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/1380-211-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-284-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-283-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-280-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/1380-225-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-223-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-221-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-219-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-217-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-192-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-193-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-195-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-197-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-215-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-1112-0x0000000006810000-0x0000000006886000-memory.dmp

Filesize
472KB

Download
memory/1380-213-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-205-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-207-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1380-209-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

Filesize
252KB

Download
memory/1604-178-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-154-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-152-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1604-149-0x0000000004CB0000-0x0000000005254000-memory.dmp

Filesize
5.6MB

Download
memory/1604-150-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1604-187-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1604-185-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1604-184-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1604-183-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1604-148-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1604-182-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1604-181-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1604-180-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-151-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1604-176-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-174-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-170-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-168-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-166-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-164-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-162-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-160-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-158-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-156-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/1604-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads