redline | 86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb

General

Target

86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe
Size

697KB
MD5

7aa2b85a1c85f1d54c81fc54c2703bae
SHA1

153c0fbf16cc1afc794c98bb97a306208189d62a
SHA256

86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb
SHA512

70330026e3e152438753a47c07c45c3f76530b35b9855f101ff68e4d32c14ac95f46f00f80ade6fabe5c36ca1849b07203e4735ae5ac1caf865246269c331eeb
SSDEEP

12288:kMrky90CcA3VYH2KhR0jdZViGPHv88M3FgPL64jGjUAxI9gymv3Xg:QyTYHrqBZVNvv88QKrGjtI9hy3Q

Score

10^/10

redline rosn evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pro7955.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7955.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7955.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2400-191-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-193-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-198-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-200-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-202-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-204-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-206-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-208-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-210-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-214-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-212-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-216-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-218-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-220-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-222-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-224-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-226-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline
behavioral1/memory/2400-228-0x0000000007160000-0x000000000719F000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

un503702.exepro7955.exequ6712.exe

pid process

3184 un503702.exe
532 pro7955.exe
2400 qu6712.exe

pid	process
3184	un503702.exe
532	pro7955.exe
2400	qu6712.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

pro7955.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7955.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7955.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exeun503702.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un503702.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un503702.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3304 532 WerFault.exe pro7955.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro7955.exe

pid process

532 pro7955.exe
532 pro7955.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro7955.exequ6712.exe

description pid process

Token: SeDebugPrivilege 532 pro7955.exe
Token: SeDebugPrivilege 2400 qu6712.exe

pid	pid_target	process	target process
3304	532	WerFault.exe	pro7955.exe

pid	process
532	pro7955.exe
532	pro7955.exe

description	pid	process
Token: SeDebugPrivilege	532	pro7955.exe
Token: SeDebugPrivilege	2400	qu6712.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exeun503702.exe

description	pid	process	target process
PID 4752 wrote to memory of 3184	4752	86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe	un503702.exe
PID 4752 wrote to memory of 3184	4752	86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe	un503702.exe
PID 4752 wrote to memory of 3184	4752	86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe	un503702.exe
PID 3184 wrote to memory of 532	3184	un503702.exe	pro7955.exe
PID 3184 wrote to memory of 532	3184	un503702.exe	pro7955.exe
PID 3184 wrote to memory of 532	3184	un503702.exe	pro7955.exe
PID 3184 wrote to memory of 2400	3184	un503702.exe	qu6712.exe
PID 3184 wrote to memory of 2400	3184	un503702.exe	qu6712.exe
PID 3184 wrote to memory of 2400	3184	un503702.exe	qu6712.exe

C:\Users\Admin\AppData\Local\Temp\86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe
"C:\Users\Admin\AppData\Local\Temp\86f6fe092085165c3bcf8514074d22ded445641ea33cc3a22a018819719eecbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un503702.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un503702.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7955.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7955.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 1064
4⤵
- Program crash
PID:3304

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6712.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6712.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 532 -ip 532
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un503702.exe
Filesize
555KB

MD5
93a4ffd7e724f7ca2cff6dbfa31b25dd

SHA1
0bcd0babd6a9cccb78840a2255004938c1fc3097

SHA256
d03f93e2ade1da3d1f20e2a971a0a2f6befd433f55309913a1c6996e53447271

SHA512
65ec550d9c797fb41b34da4a68a72ad24da853c562401b3d63a87e3529414de7f722b874c8292d82a1bbec3cea0d0b003bbd64a48e9faf9a243c1bd2347fe1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un503702.exe
Filesize
555KB

MD5
93a4ffd7e724f7ca2cff6dbfa31b25dd

SHA1
0bcd0babd6a9cccb78840a2255004938c1fc3097

SHA256
d03f93e2ade1da3d1f20e2a971a0a2f6befd433f55309913a1c6996e53447271

SHA512
65ec550d9c797fb41b34da4a68a72ad24da853c562401b3d63a87e3529414de7f722b874c8292d82a1bbec3cea0d0b003bbd64a48e9faf9a243c1bd2347fe1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7955.exe
Filesize
347KB

MD5
e38e423fffd41bd430b8a2ba8d4158a4

SHA1
1f2d051fab148869b5ce0e9c4c41560c9252ae19

SHA256
8ee0bee14c02e605b74b2643d1bbbe78ddedd3cb81d618fefa3179c2a45e95ff

SHA512
5bd668aabc2de8367d88f05c16d0ac0a89f6bf056f8910f91d432051bbff388a870baf8bab1e5f1573d2992928a6c69273c5a20c257412edb47d905468b7ddfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7955.exe
Filesize
347KB

MD5
e38e423fffd41bd430b8a2ba8d4158a4

SHA1
1f2d051fab148869b5ce0e9c4c41560c9252ae19

SHA256
8ee0bee14c02e605b74b2643d1bbbe78ddedd3cb81d618fefa3179c2a45e95ff

SHA512
5bd668aabc2de8367d88f05c16d0ac0a89f6bf056f8910f91d432051bbff388a870baf8bab1e5f1573d2992928a6c69273c5a20c257412edb47d905468b7ddfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6712.exe
Filesize
406KB

MD5
5ee9be8c8b1c0bbb39f7d6f254d6114c

SHA1
82078998a4e3b89581b60e71709af5b6fb917902

SHA256
c8e604a425673619528dd073808c3327cb536389468cb98feb3fbf70996dd75d

SHA512
d63052a403d98689adcb24a31180fcafd6fa507812685247b25f7ae643ae849be7fad8546a2ca2599b931766c551e738dc7c1396328b10c856d0379b08871770

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6712.exe
Filesize
406KB

MD5
5ee9be8c8b1c0bbb39f7d6f254d6114c

SHA1
82078998a4e3b89581b60e71709af5b6fb917902

SHA256
c8e604a425673619528dd073808c3327cb536389468cb98feb3fbf70996dd75d

SHA512
d63052a403d98689adcb24a31180fcafd6fa507812685247b25f7ae643ae849be7fad8546a2ca2599b931766c551e738dc7c1396328b10c856d0379b08871770

Download Submit
memory/532-149-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/532-148-0x0000000002D90000-0x0000000002DBD000-memory.dmp

Filesize
180KB

Download
memory/532-150-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/532-151-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/532-152-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-153-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-155-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-157-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-159-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-161-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-163-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-165-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-167-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-169-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-171-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-173-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-175-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-177-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-179-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/532-180-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/532-181-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/532-182-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/532-183-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/532-185-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/532-186-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/2400-191-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-192-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/2400-195-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2400-194-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2400-193-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-198-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-197-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2400-200-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-202-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-204-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-206-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-208-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-210-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-214-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-212-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-216-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-218-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-220-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-222-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-224-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-226-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download
memory/2400-228-0x0000000007160000-0x000000000719F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads