redline | f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812

Analysis

max time kernel
18s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe
Size

685KB
MD5

bc06d9a5ca6f8b1f80b0bd25eab15683
SHA1

4c5fd9b810eeb4b7da071a54a0f6bc8e5141b8b9
SHA256

f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812
SHA512

61fbcd003bb6f97abb9741e3195b85eb94d68ca2855970aeb9174b204ff59eb6db5b588d46cc61a7502991ffe46b0f126c044c86043680ad618ca0299fccdd0f
SSDEEP

12288:oMr0y90g4Q3OVLiSH6yjMGRwR5XQydUDtmiL3RG2KkN:8yTh3OVumjMcI5TsmiLsk

Score

10^/10

redline rosn evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro1528.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1528.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1528.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4456-193-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-192-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-198-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-200-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-202-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-204-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-206-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-208-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-210-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-212-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-214-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-216-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-218-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-220-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-222-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-224-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-226-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline
behavioral1/memory/4456-228-0x0000000007710000-0x000000000774F000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

un382806.exepro1528.exequ5565.exe

pid process

2332 un382806.exe
1124 pro1528.exe
4456 qu5565.exe

pid	process
2332	un382806.exe
1124	pro1528.exe
4456	qu5565.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro1528.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1528.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1528.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

un382806.exef77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un382806.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un382806.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3976 1124 WerFault.exe pro1528.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro1528.exe

pid process

1124 pro1528.exe
1124 pro1528.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro1528.exequ5565.exe

description pid process

Token: SeDebugPrivilege 1124 pro1528.exe
Token: SeDebugPrivilege 4456 qu5565.exe

pid	pid_target	process	target process
3976	1124	WerFault.exe	pro1528.exe

pid	process
1124	pro1528.exe
1124	pro1528.exe

description	pid	process
Token: SeDebugPrivilege	1124	pro1528.exe
Token: SeDebugPrivilege	4456	qu5565.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exeun382806.exe

description	pid	process	target process
PID 3684 wrote to memory of 2332	3684	f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe	un382806.exe
PID 3684 wrote to memory of 2332	3684	f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe	un382806.exe
PID 3684 wrote to memory of 2332	3684	f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe	un382806.exe
PID 2332 wrote to memory of 1124	2332	un382806.exe	pro1528.exe
PID 2332 wrote to memory of 1124	2332	un382806.exe	pro1528.exe
PID 2332 wrote to memory of 1124	2332	un382806.exe	pro1528.exe
PID 2332 wrote to memory of 4456	2332	un382806.exe	qu5565.exe
PID 2332 wrote to memory of 4456	2332	un382806.exe	qu5565.exe
PID 2332 wrote to memory of 4456	2332	un382806.exe	qu5565.exe

C:\Users\Admin\AppData\Local\Temp\f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe
"C:\Users\Admin\AppData\Local\Temp\f77f9861e658ca8b07a80439861af436d2b7e2b852ed7f32c1ad0e5926585812.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382806.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382806.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1528.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1528.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1084
      4⤵
      Program crash
      PID:3976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5565.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1124 -ip 1124
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382806.exe

Filesize
542KB

MD5
e813aae472d218d4514af02d91270634

SHA1
d545c6509e00f3c5c682f5c701e74aab79ee3e61

SHA256
ae280cd870dcff3b8bb2ddd8d6390b207b0e7789c2e27fa60b3a13b757c78dcf

SHA512
4fa1a2ed2d9a894cc575aee784b6d8a2b1f1205880cb2be333fcfaa5d321837e4f0384ebeb2cb60199f0c72a15bd108bf5b414543e006b18653bbfc620156d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un382806.exe

Filesize
542KB

MD5
e813aae472d218d4514af02d91270634

SHA1
d545c6509e00f3c5c682f5c701e74aab79ee3e61

SHA256
ae280cd870dcff3b8bb2ddd8d6390b207b0e7789c2e27fa60b3a13b757c78dcf

SHA512
4fa1a2ed2d9a894cc575aee784b6d8a2b1f1205880cb2be333fcfaa5d321837e4f0384ebeb2cb60199f0c72a15bd108bf5b414543e006b18653bbfc620156d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1528.exe

Filesize
321KB

MD5
058fdb2b697e34c4148ddeb2a1f81f13

SHA1
9b924f9a01dd6f7d7b775a458bee86c7b2c5f827

SHA256
8f2cdc8f05df0c0d836c763545a28e22df37e2dbf07e34427d8d9357fc7d9858

SHA512
c454d941dd7e0d30bfd7db0c07b3b5c17a8fff7b303edf08fce26be6fb988405ec14f09bcd6cfd23d7443d5d94fb8239c78ec66569f368ed9e86bc50e35f3e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1528.exe

Filesize
321KB

MD5
058fdb2b697e34c4148ddeb2a1f81f13

SHA1
9b924f9a01dd6f7d7b775a458bee86c7b2c5f827

SHA256
8f2cdc8f05df0c0d836c763545a28e22df37e2dbf07e34427d8d9357fc7d9858

SHA512
c454d941dd7e0d30bfd7db0c07b3b5c17a8fff7b303edf08fce26be6fb988405ec14f09bcd6cfd23d7443d5d94fb8239c78ec66569f368ed9e86bc50e35f3e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5565.exe

Filesize
380KB

MD5
9674c38a0ad81a9c57b267855f1c886f

SHA1
85a21a700226a3a05c49148df0d0f86e1300424e

SHA256
d4235c18730851ea003fb3facc2aa25790f4d807ffd1fc698787008564054545

SHA512
ba7c933fecb4d08378cf1b82bd619d2bb4ae1a7786236afba72a011b2afcedd256c82e1c71a537aae41e58d272f2c2dd97141ff09936439d6890c43758bf4c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5565.exe

Filesize
380KB

MD5
9674c38a0ad81a9c57b267855f1c886f

SHA1
85a21a700226a3a05c49148df0d0f86e1300424e

SHA256
d4235c18730851ea003fb3facc2aa25790f4d807ffd1fc698787008564054545

SHA512
ba7c933fecb4d08378cf1b82bd619d2bb4ae1a7786236afba72a011b2afcedd256c82e1c71a537aae41e58d272f2c2dd97141ff09936439d6890c43758bf4c12

Download Submit
memory/1124-148-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1124-149-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1124-150-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1124-151-0x00000000070E0000-0x0000000007684000-memory.dmp

Filesize
5.6MB

Download
memory/1124-153-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-152-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-155-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-157-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-159-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-161-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-163-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-165-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-167-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-169-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-171-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-173-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-175-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-177-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-179-0x0000000004B70000-0x0000000004B82000-memory.dmp

Filesize
72KB

Download
memory/1124-180-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1124-181-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1124-182-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1124-183-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1124-185-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/1124-186-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4456-193-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-192-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-191-0x0000000002C80000-0x0000000002CCB000-memory.dmp

Filesize
300KB

Download
memory/4456-194-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/4456-198-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-200-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-197-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/4456-195-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/4456-202-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-204-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-206-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-208-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-210-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-212-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-214-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-216-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-218-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-220-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-222-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-224-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-226-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download
memory/4456-228-0x0000000007710000-0x000000000774F000-memory.dmp

Filesize
252KB

Download