redline | 02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9

Analysis

max time kernel
60s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe
Size

690KB
MD5

dda2e29c4c3e859082cf5c09a9ded730
SHA1

b76302590fccf549dbc21fb96a301e4a163c04bd
SHA256

02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9
SHA512

9c43feb420d22b35d58beaed85a8146a0c07eac571b7ebf2f0b199c8de2a316dc2833aa83ea3397e623609d57028e18505f9b24d9c5c37e4b38a7c35e862bd65
SSDEEP

12288:nMrgy901YicYgTFa13zEvfVyK65hLuXeaMSKx3PHXLihOuavBFd6figbjy/+PK7T:3y+TcYg0E85fauaLw3PHbGOuazd6ageT

Score

10^/10

redline from rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

176.113.115.145:4125

Attributes

auth_value
8633e283485822a4a48f0a41d5397566

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7004.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2884-189-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-190-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-192-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-194-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-196-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-198-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-200-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-202-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-204-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-208-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-206-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-210-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-212-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-214-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-216-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-218-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-220-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2884-222-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1256	un682180.exe
4020	pro7004.exe
2884	qu5443.exe
3056	si884141.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7004.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7004.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un682180.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un682180.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1272	4020	WerFault.exe	85
2640	2884	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4020	pro7004.exe
4020	pro7004.exe
2884	qu5443.exe
2884	qu5443.exe
3056	si884141.exe
3056	si884141.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	pro7004.exe
Token: SeDebugPrivilege	2884	qu5443.exe
Token: SeDebugPrivilege	3056	si884141.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1256	4740	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe	84
PID 4740 wrote to memory of 1256	4740	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe	84
PID 4740 wrote to memory of 1256	4740	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe	84
PID 1256 wrote to memory of 4020	1256	un682180.exe	85
PID 1256 wrote to memory of 4020	1256	un682180.exe	85
PID 1256 wrote to memory of 4020	1256	un682180.exe	85
PID 1256 wrote to memory of 2884	1256	un682180.exe	91
PID 1256 wrote to memory of 2884	1256	un682180.exe	91
PID 1256 wrote to memory of 2884	1256	un682180.exe	91
PID 4740 wrote to memory of 3056	4740	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe	95
PID 4740 wrote to memory of 3056	4740	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe	95
PID 4740 wrote to memory of 3056	4740	02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe	95

C:\Users\Admin\AppData\Local\Temp\02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe
"C:\Users\Admin\AppData\Local\Temp\02c39595e0c4b2a9e37bea25bbe4dbafdc4bf8978217b18edbf8652b550616e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un682180.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un682180.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7004.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7004.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1088
      4⤵
      Program crash
      PID:1272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5443.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5443.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1332
      4⤵
      Program crash
      PID:2640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si884141.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si884141.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4020 -ip 4020
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2884 -ip 2884
1⤵
PID:3220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si884141.exe

Filesize
175KB

MD5
ae26297715cc109c042d3231684aad5d

SHA1
d10de0e5131b08a9d5c7fa0cbbf90a89efec933b

SHA256
3639809dcb119d187afb980561235fa792cff97d8a770098a163ff8fdf761f1b

SHA512
0a3b2276766b074a599d21dea1acc7a63abbcdbcf2b91fe21220d2114c27f694abde338fecac1d64a8fbc46e1b3dcdd62bdd15ade5c2a2651135f57f35f69b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si884141.exe

Filesize
175KB

MD5
ae26297715cc109c042d3231684aad5d

SHA1
d10de0e5131b08a9d5c7fa0cbbf90a89efec933b

SHA256
3639809dcb119d187afb980561235fa792cff97d8a770098a163ff8fdf761f1b

SHA512
0a3b2276766b074a599d21dea1acc7a63abbcdbcf2b91fe21220d2114c27f694abde338fecac1d64a8fbc46e1b3dcdd62bdd15ade5c2a2651135f57f35f69b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un682180.exe

Filesize
548KB

MD5
bc7b536d732ec0063b3abfcb403296ab

SHA1
624e754ccbd150a85c537d776933813a07be4c3c

SHA256
ad45ee4d6aa8cc4d1c1ad316f788c881d2878e04113750c13075aa30f342224b

SHA512
da0577c42c258193e054fcef6db00661eb783449bc548b020cf20038eb5db786234170ffd7d2f88c2bbb1278fbbf9953ec07c73470d7b70418a6b70341f6cb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un682180.exe

Filesize
548KB

MD5
bc7b536d732ec0063b3abfcb403296ab

SHA1
624e754ccbd150a85c537d776933813a07be4c3c

SHA256
ad45ee4d6aa8cc4d1c1ad316f788c881d2878e04113750c13075aa30f342224b

SHA512
da0577c42c258193e054fcef6db00661eb783449bc548b020cf20038eb5db786234170ffd7d2f88c2bbb1278fbbf9953ec07c73470d7b70418a6b70341f6cb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7004.exe

Filesize
291KB

MD5
e6ad032d27965bf1fc2cb1c8df5b8e10

SHA1
18d44bf49843f10d2971bd0f295b65efaf0b9900

SHA256
bc6285748f5ef893271b53ecf20a497ea11c1f416a903238a5c365ae981acbae

SHA512
9403dadb73fe1298267669bdf298f9af7dc256fcd053f7775603ce3ef0e129560919940d087284ab8f54eb4b793edbd480ba39c596e7638017aba099e9fa8393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7004.exe

Filesize
291KB

MD5
e6ad032d27965bf1fc2cb1c8df5b8e10

SHA1
18d44bf49843f10d2971bd0f295b65efaf0b9900

SHA256
bc6285748f5ef893271b53ecf20a497ea11c1f416a903238a5c365ae981acbae

SHA512
9403dadb73fe1298267669bdf298f9af7dc256fcd053f7775603ce3ef0e129560919940d087284ab8f54eb4b793edbd480ba39c596e7638017aba099e9fa8393

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5443.exe

Filesize
345KB

MD5
f7bced85fa9530e0bb3d0ac7c7248f86

SHA1
f57a175d61abb8eccf8fc0969bd67d1b79934696

SHA256
94693978c3d04df1591170b527c00346a684b746b5b551e564ff7584a2d2bb61

SHA512
c6ac6429868cf83246751457f823c70df46c2dd6e81f6d983b30a5f510db23969306e48a0ce97df5c08a97ab8d21695217863f3624bc6110167caac8810ffc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5443.exe

Filesize
345KB

MD5
f7bced85fa9530e0bb3d0ac7c7248f86

SHA1
f57a175d61abb8eccf8fc0969bd67d1b79934696

SHA256
94693978c3d04df1591170b527c00346a684b746b5b551e564ff7584a2d2bb61

SHA512
c6ac6429868cf83246751457f823c70df46c2dd6e81f6d983b30a5f510db23969306e48a0ce97df5c08a97ab8d21695217863f3624bc6110167caac8810ffc7d

Download Submit
memory/2884-1099-0x0000000006E10000-0x0000000006F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2884-1102-0x0000000006F70000-0x0000000006FAC000-memory.dmp

Filesize
240KB

Download
memory/2884-1113-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-1112-0x0000000008540000-0x0000000008590000-memory.dmp

Filesize
320KB

Download
memory/2884-1111-0x00000000084C0000-0x0000000008536000-memory.dmp

Filesize
472KB

Download
memory/2884-1110-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-1109-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-1108-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-1107-0x0000000007C00000-0x000000000812C000-memory.dmp

Filesize
5.2MB

Download
memory/2884-1106-0x0000000007A20000-0x0000000007BE2000-memory.dmp

Filesize
1.8MB

Download
memory/2884-1104-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/2884-1103-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/2884-1101-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-1100-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/2884-1098-0x00000000067B0000-0x0000000006DC8000-memory.dmp

Filesize
6.1MB

Download
memory/2884-265-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-263-0x00000000060F0000-0x0000000006100000-memory.dmp

Filesize
64KB

Download
memory/2884-262-0x0000000001B00000-0x0000000001B4B000-memory.dmp

Filesize
300KB

Download
memory/2884-222-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-220-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-218-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-189-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-190-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-192-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-194-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-196-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-198-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-200-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-202-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-204-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-208-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-206-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-210-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-212-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-214-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2884-216-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/3056-1119-0x0000000000E70000-0x0000000000EA2000-memory.dmp

Filesize
200KB

Download
memory/3056-1120-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download
memory/4020-171-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-153-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-181-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-180-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4020-179-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-151-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-177-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-167-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-169-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-173-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-182-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-150-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4020-175-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-165-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-163-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-161-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-159-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-157-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-155-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download
memory/4020-149-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4020-148-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-184-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4020-152-0x0000000002710000-0x0000000002722000-memory.dmp

Filesize
72KB

Download