redline | a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72

Analysis

max time kernel
57s
max time network
61s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28-03-2023 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe
Size

689KB
MD5

8e889062c8e9a03bc25c6d513b5c580b
SHA1

fdaa82d861cc01757a0fc5bef2647fc6532b6b0f
SHA256

a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72
SHA512

296d81fab479620105a33a190d4f8c4c27931acd62eacbc059b383bde89a22374151f89491cdf61b8a429297cf97cae32cee9cf43ccebcb5b9fa9221fa708c5b
SSDEEP

12288:dMrTy90qkCFBloLWRVzdrNDGgK34Fv4xsHvjFKlfigkl7qyxc5s/o/+Kz:6yRhbVVzvQav4x+5Klagiqyd/nKz

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3219.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/3136-178-0x00000000036D0000-0x0000000003716000-memory.dmp	family_redline
behavioral1/memory/3136-179-0x00000000037C0000-0x0000000003804000-memory.dmp	family_redline
behavioral1/memory/3136-180-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-181-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-183-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-185-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-187-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-189-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-191-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-193-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-195-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-197-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-199-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-201-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-203-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-205-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-207-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-209-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-211-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-213-0x00000000037C0000-0x00000000037FF000-memory.dmp	family_redline
behavioral1/memory/3136-1097-0x0000000006210000-0x0000000006220000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2868	un775791.exe
3768	pro3219.exe
3136	qu7930.exe
3852	si142950.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3219.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3219.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un775791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un775791.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3768	pro3219.exe
3768	pro3219.exe
3136	qu7930.exe
3136	qu7930.exe
3852	si142950.exe
3852	si142950.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	pro3219.exe
Token: SeDebugPrivilege	3136	qu7930.exe
Token: SeDebugPrivilege	3852	si142950.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2868	2444	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe	66
PID 2444 wrote to memory of 2868	2444	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe	66
PID 2444 wrote to memory of 2868	2444	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe	66
PID 2868 wrote to memory of 3768	2868	un775791.exe	67
PID 2868 wrote to memory of 3768	2868	un775791.exe	67
PID 2868 wrote to memory of 3768	2868	un775791.exe	67
PID 2868 wrote to memory of 3136	2868	un775791.exe	68
PID 2868 wrote to memory of 3136	2868	un775791.exe	68
PID 2868 wrote to memory of 3136	2868	un775791.exe	68
PID 2444 wrote to memory of 3852	2444	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe	70
PID 2444 wrote to memory of 3852	2444	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe	70
PID 2444 wrote to memory of 3852	2444	a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe	70

C:\Users\Admin\AppData\Local\Temp\a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe
"C:\Users\Admin\AppData\Local\Temp\a9080f0199db1a28ac38fa06140d0aa393efab7876dcf7dda2314221f0677c72.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775791.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775791.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3219.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3219.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7930.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7930.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142950.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142950.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142950.exe

Filesize
175KB

MD5
6ddf9a74a4d2665ab5e0fbeefd5e49f2

SHA1
94250ac9d459e1ac92157065f016951a0557c1d7

SHA256
01a46b7b5e28bfa0c36146b649535b94e8aaf72bb3804dbd2a798a503563e845

SHA512
367d3c39e498c68497cd301613a12d76aef44c1a2882f3b6779103e14c875b2bed798a570c2a012bdc1e0bfbfa52909c7aef353b7c2f9a76c8de7e3527af3991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si142950.exe

Filesize
175KB

MD5
6ddf9a74a4d2665ab5e0fbeefd5e49f2

SHA1
94250ac9d459e1ac92157065f016951a0557c1d7

SHA256
01a46b7b5e28bfa0c36146b649535b94e8aaf72bb3804dbd2a798a503563e845

SHA512
367d3c39e498c68497cd301613a12d76aef44c1a2882f3b6779103e14c875b2bed798a570c2a012bdc1e0bfbfa52909c7aef353b7c2f9a76c8de7e3527af3991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775791.exe

Filesize
548KB

MD5
0cc94d6721308dd08445cefd33c92457

SHA1
ddb7170da68c7d050b8379a3443005d58c524333

SHA256
fc5dcb0bd2d1371909d34d6addee139bfb567d330c78cca9d6c7de0e781de582

SHA512
e2610f1eb70d27cf42f25a94ec10358c54b7d6a549aaae36e0fb672e7ef57037dd01b16d2a25b5b8df2abf47d84e7a974fc3017457850d5db6fd69ec98b9b97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775791.exe

Filesize
548KB

MD5
0cc94d6721308dd08445cefd33c92457

SHA1
ddb7170da68c7d050b8379a3443005d58c524333

SHA256
fc5dcb0bd2d1371909d34d6addee139bfb567d330c78cca9d6c7de0e781de582

SHA512
e2610f1eb70d27cf42f25a94ec10358c54b7d6a549aaae36e0fb672e7ef57037dd01b16d2a25b5b8df2abf47d84e7a974fc3017457850d5db6fd69ec98b9b97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3219.exe

Filesize
291KB

MD5
9146d15f683ca67a05b437a99e3735b9

SHA1
fe27016979ed32ca8d8e6cdc5fc0f077d6475ccc

SHA256
cd144beada14dd6d07d175d297bf6092d52ee3bc6663faf211cb67e4b93ccb03

SHA512
7565f2558853e18292344b7825a0eb0d5efdc05c44b826713c32c5ff412e5bc8de5a87c3e7fa23f0a6e124b2829512dfb51b4a0df7a180491e31927e58fa0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3219.exe

Filesize
291KB

MD5
9146d15f683ca67a05b437a99e3735b9

SHA1
fe27016979ed32ca8d8e6cdc5fc0f077d6475ccc

SHA256
cd144beada14dd6d07d175d297bf6092d52ee3bc6663faf211cb67e4b93ccb03

SHA512
7565f2558853e18292344b7825a0eb0d5efdc05c44b826713c32c5ff412e5bc8de5a87c3e7fa23f0a6e124b2829512dfb51b4a0df7a180491e31927e58fa0f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7930.exe

Filesize
345KB

MD5
7d9b6fca10b51b7e48b3b3df3eba8204

SHA1
5668aefebde25620d30d30cb419613f2164d75ff

SHA256
c746c13a29d776c35bdfb0bc57ee926955788f79644a63843a2f3097c689d10e

SHA512
4d7584404b55990b662a565c874c026334147744640b36bc4c745842c21099431572c3d640fe3ae63d24b8fbaa06e5e155734a632f1cc2d6820d9e6d6ac0dd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7930.exe

Filesize
345KB

MD5
7d9b6fca10b51b7e48b3b3df3eba8204

SHA1
5668aefebde25620d30d30cb419613f2164d75ff

SHA256
c746c13a29d776c35bdfb0bc57ee926955788f79644a63843a2f3097c689d10e

SHA512
4d7584404b55990b662a565c874c026334147744640b36bc4c745842c21099431572c3d640fe3ae63d24b8fbaa06e5e155734a632f1cc2d6820d9e6d6ac0dd4d

Download Submit
memory/3136-1090-0x0000000006720000-0x0000000006D26000-memory.dmp

Filesize
6.0MB

Download
memory/3136-1091-0x00000000060B0000-0x00000000061BA000-memory.dmp

Filesize
1.0MB

Download
memory/3136-1106-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-1105-0x0000000008070000-0x00000000080C0000-memory.dmp

Filesize
320KB

Download
memory/3136-1104-0x0000000007FE0000-0x0000000008056000-memory.dmp

Filesize
472KB

Download
memory/3136-1103-0x0000000007980000-0x0000000007EAC000-memory.dmp

Filesize
5.2MB

Download
memory/3136-1102-0x00000000077B0000-0x0000000007972000-memory.dmp

Filesize
1.8MB

Download
memory/3136-195-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-1101-0x00000000070B0000-0x0000000007116000-memory.dmp

Filesize
408KB

Download
memory/3136-1100-0x0000000007010000-0x00000000070A2000-memory.dmp

Filesize
584KB

Download
memory/3136-1099-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-1098-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-1097-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-197-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-1095-0x0000000006E80000-0x0000000006ECB000-memory.dmp

Filesize
300KB

Download
memory/3136-1094-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-1093-0x0000000006D30000-0x0000000006D6E000-memory.dmp

Filesize
248KB

Download
memory/3136-199-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-1092-0x00000000061F0000-0x0000000006202000-memory.dmp

Filesize
72KB

Download
memory/3136-211-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-302-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-299-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-178-0x00000000036D0000-0x0000000003716000-memory.dmp

Filesize
280KB

Download
memory/3136-179-0x00000000037C0000-0x0000000003804000-memory.dmp

Filesize
272KB

Download
memory/3136-180-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-181-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-183-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-185-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-187-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-189-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-191-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-193-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-297-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/3136-296-0x0000000001B40000-0x0000000001B8B000-memory.dmp

Filesize
300KB

Download
memory/3136-213-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-201-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-203-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-205-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-207-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3136-209-0x00000000037C0000-0x00000000037FF000-memory.dmp

Filesize
252KB

Download
memory/3768-169-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-170-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3768-163-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-151-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-139-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3768-140-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/3768-138-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3768-173-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3768-171-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3768-141-0x0000000002420000-0x0000000002438000-memory.dmp

Filesize
96KB

Download
memory/3768-167-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-165-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-161-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-159-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-157-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-155-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-153-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-149-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-147-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-145-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-143-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-142-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3768-137-0x0000000002350000-0x000000000236A000-memory.dmp

Filesize
104KB

Download
memory/3768-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/3852-1113-0x0000000000B30000-0x0000000000B62000-memory.dmp

Filesize
200KB

Download
memory/3852-1114-0x0000000005570000-0x00000000055BB000-memory.dmp

Filesize
300KB

Download
memory/3852-1115-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download